A 17-year-old web foundation.
And the water cannot stand still for a second.
To a cloud web gateway, without downtime
A drinking-water utility, critical infrastructure. Web traffic had run through an on-premise proxy for 17 years: outdated, identity-blind, hard to manage. We lifted it to a cloud secure web gateway with zero trust, without the people keeping the water running noticing a thing.
The challenge
In critical infrastructure, nothing can go down.
Web traffic had run through an on-premise proxy for 17 years. Outdated, identity-blind, with a sprawl of exceptions, and hard to manage. Replacing it was overdue, but every interruption hits a vital process.
- 01 A 17-year-old on-premise proxy. Outdated, hard to manage, and a single point of failure for all web traffic.
- 02 No identity in the traffic. Policy on IP and location, not on who the user is; zero trust was impossible.
- 03 A sprawl of exceptions. Years of bypasses piled up; no one still oversaw what was open and why.
- 04 No downtime allowed. Every interruption hits a vital process; the migration had to go unnoticed.
The question was not whether the proxy had to be replaced. It was how you lift critical-infrastructure web traffic to the cloud, without anyone noticing.
The approach
First understand what runs. Then cut over.
No big bang. A phased cutover on a design that first mapped the existing reality, with the service desk ready to catch every user.
The existing situation mapped
The full proxy configuration, the years of exceptions and the roaming/on-prem split captured in a low-level design, in seven iterations until it was right.
A zero-trust design
A cloud secure web gateway with identity as the base: policy on who the user is, SSL inspection, content filtering and visibility of cloud services (CASB).
Phased cutover
No big bang but batch by batch, with a rollback path ready. Heightened vigilance at every step, as vital work demands.
Service desk in position
A quick reference card for the service desk: block pages, certificate checks and a direct rollback, so every user could be helped at once.
The solution
Web traffic that knows who is browsing.
What stands now: all web traffic via a cloud secure web gateway, identity-aware and zero-trust, with the on-premise proxy retired. And it stays under our management.
Web traffic cloud-delivered instead of through an on-premise box, no single point of failure anymore.
Policy on who the user is, not on IP or location, zero trust in the web traffic.
SSL inspection, content filtering and visibility of cloud services, shadow IT in view.
With a steering group, fixed agreements and a service-desk safety net, run by us continuously.
“When a vendor fault took down every login, ours was already fixed before the vendor admitted it.”
The result
From a 17-year-old box to a cloud gateway that moves with you.
- - 17-year-old on-prem proxy, single point of failure
- - Policy on IP and location, no identity
- - A sprawl of unmanageable exceptions
- - Every change risky for a vital process
- ✓ Web traffic via a cloud secure web gateway, the on-prem proxy retired.
- ✓ Identity-aware and zero trust, policy on who the user is.
- ✓ Migrated without downtime for operations.
- ✓ Managed continuously, faster than the vendor itself when it mattered.