A large Canadian municipality
Rescued an enterprise firewall upgrade after the chosen vendor could not deliver; the approved target architecture was completed ahead of schedule.
Challenge
Our initial mandate was architecture validation for the contracted vendor. When that vendor proved unable to deliver, we took ownership of producing the target architecture while preserving the project's regulatory deadlines and organizational approval path.
Approach
- Identified stakeholders and documented the current technology state.
- Built a MySQL data model to query asset data and validate architecture hypotheses with real evidence.
- Defined the security strategy: HTTPS inspection, web filtering, application control, threat prevention, identity management.
- Produced target architectures for topology and infrastructure, data flows, ExpressRoute connectivity, VRF/DMZ/landing-zone segmentation, IPsec VPN (P2S, S2S, split tunnel), management, logging and monitoring.
- Obtained organizational approval before the deadline.
Outcome
Architecture approved ahead of schedule and handed to engineering for deployment. The municipality avoided a multi-quarter slippage and its associated contractual penalties.
Technology stack
Check Point, Fortinet, Azure NSG, Defender, ExpressRoute, IPsec VPN, VLAN/VRF, MySQL, Prometheus, Grafana, SharePoint, Azure DevOps
Estimated return on investment
Estimates are directional, based on comparable modernization benchmarks. Actual savings depend on starting baseline, scope and execution discipline.