CWS Book a Call
Case Study · Banking & Finance

UAE Bank Migrates 12,000 Users to Prisma SASE

Zero downtime. 14 weeks.

How a UAE retail bank moved 12,000 employees from a legacy MPLS-backhauled VPN to Prisma Access SASE in 14 weeks, eliminating branch backhaul and improving Cortex XDR visibility under CBUAE cyber-resilience expectations.

UAE retail bank, 12,000 employees, multi-emirate footprint

Scope a Similar Engagement
12,000
Users migrated
14 weeks
End-to-end
0
Hours of unplanned downtime
60%
MPLS backhaul reduction
01
The challenge

Legacy VPN at 5x scale and CBUAE pressure

The bank had grown from 4,000 to 12,000 employees over four years through organic growth and acquisitions. Its remote-access VPN was a legacy IPSec deployment that backhauled all internet traffic through two data centers, then out through monitored egress. The architecture was designed for 4,000 users; at 12,000 it was an operational bottleneck. CBUAE cyber-resilience expectations had also tightened. The bank's SOC needed deeper visibility into endpoint and network telemetry than the legacy architecture provided. Branch traffic was particularly hard to monitor because everything routed through a single egress. Something had to give. The bank weighed three options.

"We had outgrown our VPN architecture and the regulator was watching. CWS gave us a path that solved both problems at once and they delivered it without surprises."

CISO, UAE retail bank

Why CWS

Four reasons CWS won the engagement.

  • PCNSE-led delivery

    Senior CWS engineer assigned as lead, reporting weekly to the bank's network architect and CISO. No tier-1 escalation gaps.

  • Bilingual change comms

    End-user comms produced in EN and AR. Branch staff received Arabic-language guides for the GlobalProtect agent rollout.

  • CBUAE-aligned reporting

    Engagement deliverables included CBUAE cyber-resilience mapping and audit artifacts ready for the bank's compliance team.

  • Cortex integration on day one

    Prisma Access logs flowed into Cortex XDR from week one of pilot, giving the SOC visibility before scale rollout.

02
Timeline

Five phases. Defined ownership.

  1. Phase 1

    Discovery

    Two weeks of architecture documentation, user-population analysis, and identity-source audit. Output: target architecture document and pilot scope.

  2. Phase 2

    Pilot (500 users)

    Two weeks of pilot rollout to a single business unit. Identity integration validated. Cortex XDR log-flow validated. Pilot success criteria signed off.

  3. Phase 3

    Wave 1 expansion (3,000 users)

    Three weeks rolling out to corporate-banking, treasury, and retail-banking divisions. End-user comms in EN/AR. Help-desk runbook activated.

  4. Phase 4

    Wave 2 expansion (8,500 users)

    Five weeks rolling out to remaining divisions and 80 branches. Branch IPSec connections to Prisma Access stood up in parallel. Direct-to-internet branch traffic enabled.

  5. Phase 5

    Stabilization

    Two weeks of tuning, MPLS de-provisioning, and handover to bank operations team plus CWS managed services contract.

"The CBUAE mapping deliverable is the kind of thing we usually have to build ourselves after the fact. CWS gave it to us as part of the engagement."

Compliance Lead, UAE retail bank

03
Impact

What changed after the engagement.

  • 12,000
    users migrated
    From legacy IPSec to GlobalProtect on Prisma Access
  • 60%
    MPLS backhaul reduced
    Branch direct-to-internet eliminated 60 percent of traffic that previously routed through DC egress
  • 0
    hours unplanned downtime
    Wave-by-wave rollout with rollback maintained service availability
  • 14 weeks
    end to end
    From kickoff to MPLS de-provisioning
  • Day 1
    Cortex XDR visibility
    Logs flowed into Cortex XDR from pilot through scale, giving SOC continuous visibility
  • CBUAE
    cyber-resilience mapping delivered
    Compliance artifacts produced as engagement deliverable, accepted by bank compliance team
What's next

Where the engagement is heading.

The bank has expanded the engagement to cover Cortex XSIAM SOC modernization. Migration from the legacy SIEM is scheduled to complete within two quarters of the SASE rollout completing. The Prisma Cloud rollout for the bank's AWS workloads is in design.

Keep reading

Related reading

Ready when you are

Ready to scope a SASE migration?

Book a Discovery Call