How Globalgig redesigned and operates a modern network and security architecture that holds under operational pressure, growth, cloud expansion, and day-to-day change
Zero Trust isn’t failing because teams don’t understand it. It’s failing because it doesn’t hold under real operating conditions. We rebuilt the architecture and made Zero Trust hold in day-to-day operations.
In distributed organizations with 10 or more locations, lean IT teams, and growing cloud environments, the outcome is often the same: there isn't a single system, there are layers. Firewalls, VPNs, endpoint tools, and cloud security all exist, but they don't operate together. Access becomes broader than it should be, and control is fragmented. Policy changes are slow and depend on whoever has access to the right tools. Incidents take longer to resolve. Meanwhile, the environment keeps expanding across sites and cloud workloads, while users, devices, and access are constantly shifting. In the end, the security model can't keep up with how the environment actually operates.
This is exactly what played out here. The customer's environment was designed around an inside/outside trust model: access decisions were based on network location, not user identity. Remote users, including contractors, were granted broad network-level access rather than being restricted to the specific applications they needed.
The internal security team had no meaningful visibility into their own environment and no direct control over it. Policy changes were processed by the managed service provider on its own timeline, with no bypass mechanism for urgent requirements. A routine change could sit in a queue for weeks.
SD-WAN, SSE, and cloud connectivity weren’t designed as a single system. Traffic routing, failover behavior, and security enforcement weren’t aligned, particularly for workloads moving into cloud infrastructure. Under normal conditions, the environment functioned. Under failure or routing changes, traffic didn’t consistently pass through the same control points, making policy enforcement unpredictable.
They recognized the need for more Palo Alto technology, but their environment lacked a cohesive architecture to support it. Without that, adding more firewalls would have increased complexity, not reduced risk.
The issue wasn’t just outdated architecture; it was the trust model behind it. Access relied on location, not identity or context. Without rethinking the architecture around Zero Trust principles and ensuring the model could be managed as the environment evolved, any new technology would recreate the same risk.
Zero Trust wasn't implemented as a single rollout. It was built around what actually mattered in the environment. We started by identifying protect surfaces (the applications, data and services that represent real business risk and compliance obligations) and shaped the architecture around them. This was designed, and continues to operate, as a fully managed service, from architecture through ongoing operations.
The existing VPN-based access model was replaced with a SASE architecture built on Palo Alto Prisma Access. Access is no longer granted at the network level. It is enforced at the application layer, per user and device, with policies applied based on identity, context, and risk.
This required a full redesign of how traffic flows across the environment. SD-WAN and Prisma Access were designed together, ensuring traffic followed consistent, controlled paths, particularly for workloads in the cloud.
The new architecture grants access only to the specific applications a contractor requires, with nothing else reachable from that session. This is one of the clearest practical expressions of Zero Trust in operation: least-privilege access enforced at the user and application level, not as a blanket policy overlay applied after the fact.
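As an added illustration (not Globalgig's or Palo Alto Networks' code, and not the customer's actual policy), the following Python models the shift described above: the location-based decision the old VPN model made, beside an identity- and context-based decision with default deny. The users, applications, address range and device-posture fields are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample data for the example; not the customer's environment.
INTERNAL_NET = ip_network("10.0.0.0/8")          # hypothetical corporate/VPN range
ALL_APPS = {"crm", "erp", "wiki", "ticketing"}    # hypothetical application inventory

# Per-identity application entitlements: the protect surfaces each person
# needs and nothing more. No entry for a user means deny.
ENTITLEMENTS = {
    "alice@example.test": {"crm", "erp", "wiki"},   # employee (constructed)
    "bob@vendor.test": {"ticketing"},               # contractor (constructed)
}


@dataclass(frozen=True)
class Session:
    user: str
    src_ip: str
    mfa_verified: bool
    device_compliant: bool   # posture signal, e.g. managed device with current EDR


def location_based(session: Session, app: str) -> bool:
    """The 'before' model: trust is a property of network location.
    Once a VPN hands out an address inside INTERNAL_NET, every app is reachable,
    regardless of who the user is or what device they are on."""
    return ip_address(session.src_ip) in INTERNAL_NET


def zero_trust(session: Session, app: str) -> tuple[bool, str]:
    """The 'after' model: an explicit per-user, per-app decision evaluated with
    device context. The source address does not appear in the rule at all."""
    allowed_apps = ENTITLEMENTS.get(session.user)
    if allowed_apps is None:
        return False, "unknown identity"
    if not session.mfa_verified:
        return False, "mfa required"
    if not session.device_compliant:
        return False, "device posture failed"
    if app not in allowed_apps:
        return False, "no entitlement for app"   # default deny
    return True, "allowed"


def reachable_apps(session: Session, model) -> set[str]:
    """Which of ALL_APPS a session could reach under a given decision function.
    Used to compare the blast radius of one session under each model."""
    result = set()
    for app in sorted(ALL_APPS):
        verdict = model(session, app)
        allowed = verdict[0] if isinstance(verdict, tuple) else verdict
        if allowed:
            result.add(app)
    return result


if __name__ == "__main__":
    # A contractor connected through the old VPN, holding an internal address.
    contractor = Session("bob@vendor.test", "10.20.30.40",
                         mfa_verified=True, device_compliant=True)
    print("location-based:", reachable_apps(contractor, location_based))
    print("zero trust:    ", reachable_apps(contractor, zero_trust))

    # Same contractor, but the device fails its posture check.
    stale = Session("bob@vendor.test", "10.20.30.40",
                    mfa_verified=True, device_compliant=False)
    print("non-compliant device:", zero_trust(stale, "ticketing"))
```

The contractor session reaches all four applications under the location-based rule and only `ticketing` under the identity-based one; a failed posture check denies even that. In the deployment described here the equivalent rules live in Prisma Access policy keyed on user and application rather than on source network, which is what makes the decision hold when a user's address or path changes.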
Network failover paths were designed so traffic stays within the same control points. Inspection, identity verification, and policy enforcement continue even during outages or routing changes.
Since the initial deployment, the managed security layer has become the standard entry point for any new component added to the environment. Additional firewalls and new virtual machine environments have been handled within this architecture, rather than as a separate scoping exercise each time. The security posture scales with the environment rather than falling behind it.
The SOC maintains 24/7 coverage with direct access to the Palo Alto stack, including firewalls and Prisma Access. It doesn’t just observe and escalate. It acts.
Security events and advisories are handled in real time, with changes made directly to policies and controls when required.
At the same time, the customer retains break-glass access. Not for daily use, but for moments where immediate control is required. For a team that was previously locked out of their own environment entirely, this was a non-negotiable design requirement.
Responsibility
Globalgig: Design, deploy and operate the full Palo Alto Networks SASE stack. Own 24/7 policy enforcement, incident response and configuration changes across all six sites. All connectivity, including existing WAN circuits, is managed as part of the service, providing a single, consistent operating model across the environment.
Customer: Define business priorities and risk posture. Own users, applications and access requirements. Approve and govern critical access decisions, including break-glass scenarios when needed.

Day-to-Day Value
Globalgig: Filters signal from noise and escalates only what requires the customer's attention. Vendor management and coordination.
Customer: Focus on business operations without carrying the operational burden. Access the environment when required, without managing it day to day.

Control Point
Globalgig: Direct access to firewalls and Prisma Access. Network performance and capacity management. SLA ownership end to end.
Customer: Full visibility into security posture, policies, events and logs through the Palo Alto Networks platform. Retains ownership of policy intent and risk decisions. Can audit activity and policy enforcement, review changes, approve exceptions and intervene directly when required.
Issues happen; what matters is who owns the outcome. The customer experienced instability due to a vendor-side software issue that affected failover and caused downtime. Globalgig stayed fully engaged, working closely with the vendor and the customer until stability was restored. SLA credits and contract extensions were issued because we saw it as our responsibility to ensure the customer didn’t pay for disruption outside their control. We took ownership of the outcome, not just the contract, because that’s what true partnership means in managed security.
The entire engagement, including hardware, Palo Alto Networks licensing, professional services, implementation, and ongoing managed services, is structured as a single monthly subscription. No separate vendor relationships for the customer to manage, and no hardware refresh cycle to plan for independently.
The commercial model was designed to match the operational model: one provider, one contract, one point of accountability.
Each environment is assessed against a Zero Trust maturity model. This isn’t a static assessment. It’s updated as the environment evolves, reflecting real changes in access patterns, policy coverage, and enforcement.
This gives both the security team and leadership a clear view of where risk still exists, what has improved, and what needs to be addressed next, not just as a point-in-time report, but as an ongoing measure of progress.
In most environments, security and networks are managed by different providers on infrastructure they don’t own. As routing changes, new sites are added, or workloads move to the cloud, policy enforcement can become inconsistent.
In this particular case, Globalgig owns and operates the SD-WAN layer. Network architecture and security policy are designed together and managed together, ensuring consistent enforcement as the environment evolves.
We design, implement, and operate Zero Trust architectures for organizations that need managed security that works on their terms — with full operational coverage, co-management capability, and a single point of accountability for everything underneath it. If your security model does not reflect how your business actually operates, let’s talk.
globalgig.com