Hybrid Mesh Firewall Architecture for a Cloud-First Workforce
Client: S5 Technology Group
Industry: System Integrator
Services Rendered: Security Architecture, Hybrid Mesh Firewall, Cloud Adoption
About S5 Technology Group
As S5 expanded across multiple offices in NSW and QLD with a fully distributed workforce model, its legacy VPN-centric architecture no longer aligned with the organisation’s cloud-first direction. The decision was made to modernise both infrastructure and security simultaneously, adopting a Hybrid Mesh Firewall model to support SaaS prioritisation and Azure-based IaaS workloads.
The Challenge
S5 operates a mixed workforce model spanning three office locations, hybrid staff and fully remote personnel. The existing architecture was built around:
- On-premise Cisco server infrastructure approaching end of service life
- VPN-centric remote access
- Site-based perimeter enforcement
- Limited cloud footprint
This model introduced several constraints:
Infrastructure Lifecycle Risk
Core infrastructure was approaching EOSL, creating both operational and security risk.
VPN Dependence
Remote access VPN had become the primary gateway to corporate resources, creating concentration risk and potential performance bottlenecks.
Regional Exposure
On-premise resources were susceptible to localised internet and power disruptions.
Policy Fragmentation Risk
As cloud adoption increased, maintaining consistent policy enforcement across physical, cloud and remote environments would have required duplicated configurations.
The organisation required a modern security architecture aligned to its cloud-first strategy, reducing external attack surface while improving resilience and user experience.
The Solution
Our Approach
Cloud-First Architecture
Where SaaS solutions were available, they were prioritised. Where SaaS was not feasible, IaaS workloads were deployed in Microsoft Azure across Australia East and Australia South East regions to ensure regional redundancy.
Hybrid Mesh Security Model
Harmony SASE became the central enforcement layer for user access, enabling:
- Identity-driven, fine-grained zero trust policies
- Uniform security enforcement across remote, office and cloud users
- Consolidated logging and troubleshooting
- Centralised policy management
Access to corporate cloud resources was restricted exclusively to S5’s dedicated SASE Cloud Gateway egress IP addresses, materially reducing external attack surface and eliminating direct inbound exposure.
Elimination of VPN Dependency
The traditional VPN-centric remote access model was fully retired. Instead, identity-centric access control through SASE and Duo trusted endpoint validation ensured that only managed, domain-joined devices with authenticated S5 users could access internal systems.
Redundant Cloud Backbone
Azure IaaS workloads were deployed across paired Australian regions to eliminate regional dependency on physical infrastructure and improve resilience.
The Outcome
- Elimination of remote access VPN dependence
- Significant reduction in externally exposed services
- Uniform zero trust policy enforcement across all environments
- Simplified security policy management and troubleshooting
- Improved workforce performance and connectivity resilience
The transition delivered measurable improvements across resilience, security posture and operational efficiency.
Attack Surface Reduction
Exposure of internal systems was reduced to controlled SASE gateway IP addresses. Publicly accessible services were limited to those strictly required, such as the corporate website.
Removal of VPN Concentration Risk
Dependence on remote access VPN was eliminated, removing single-point access concentration and improving scalability for a distributed workforce.
Uniform Zero Trust Enforcement
Fine-grained identity policies are now enforced consistently across physical offices, remote users and Azure workloads without policy duplication.
Operational Simplification
Centralised logging and unified policy management simplified troubleshooting and reduced administrative overhead.
Improved End User Experience
Users now connect through the nearest SASE point of presence, improving performance and reducing friction compared to traditional VPN backhaul models.
Infrastructure Resilience
Cloud-based workloads across dual Azure regions reduced susceptibility to localised power or internet outages affecting physical office locations.