Network Segmentation
in the Data Centre
A Case Study from the Financial Industry
Project Details
Client
An International Major Bank
Category
Financial Industry
Project Year
2022
Initial Situation
Challenge
In an era where security and compliance are top priorities, a leading financial sector company faced the challenge of optimizing its network segmentation within the data centre.
The result of a preceding external audit did not provide clear guidance—neither from the auditors nor from project management. As a result, my project team, consisting of experienced external specialists, was confronted with a highly demanding task. The objective was not only to meet the security requirements of the audit, but also to integrate existing and newly introduced internal processes and policies.
Background
Best Practice
Drawing on my extensive experience, I applied established best practices to design high-quality solutions. In my role as technical project manager, I held significant decision-making authority, enabling me to coordinate team members efficiently and actively involve stakeholders—a key factor for motivation and overall project success.
Objective
The primary objective was to isolate network segments through the deployment of firewalls. Within an ambitious timeframe of nine months, the projext had to cover both technical implementation and comprehensive documentation of evidence, including segmentation design, migration planning and future operational processes.
Task
Implementation During Live Operations
While the target architecture was defined at an early stage, the detailed implementation approach still had to be developed. In addition, non-technical requirements were highly complex, including the integration of new parent company standards, migration of services during ongoing operations, and coordination of parallel audit activities.
Several additional challenges further increased complexity: a key employee was approaching retirement, firewall hardware had to be procured without full knowledge of future traffic loads, and documentation of existing services was incomplete and outdated. Almost all client services were affected.
The implementation had to be carried out in a brownfield environment; a greenfield redesign was not an option. The entire IT landscape—including non-productive systems—remained in contineous operation. Legacy systems that could not be segmented required individual assessment and tailored solutions. At the same time, overlapping migration projects and conflicting regulatory requirements had to be managed.
The project therefore required simultaneous handling of technical, organizational, and personnel-related challenges, while ensuring uninterrupted IT operations at all times.
Solution & Implementation
Migration Path
The project team developed multiple scenarios and established a clearly defined migration path through detailed planning. Initially, only non-productive systems were migrated into the new security zones, while production systems remained unaffected. In a later phase, production workloads were migrated as part of a coordinated major cutover involving additional teams.
A detailed dependency analysis was required to identify migration groups, including communication relationships between services.
The establishment of the new security zones was achieved through firewall deployment and stepwise service migration. This approach ensured that all systems remained fully operational under new segmentation model. The migration was successful completed after several hundred individual system migrations.
Results
Succeeded
The project was a full success: network segmentation was implemented within the planned timeframe without any service outages. All regulatory requirements were met, including complete and audit-compliant documentation.
-
Delivered on schedule
-
No service outages
-
All requirements fulfilled