The Challenge
Banca Meridiana's network was a flat Layer 2 domain with VPN access for 2,400 remote employees. A penetration test revealed that any compromised endpoint could reach every server in the data centre. The bank's CISO needed to pass a PCI-DSS v4.0 audit within 8 months while maintaining uninterrupted banking operations.
Our Approach
We designed a phased zero-trust programme:
- Phase 1 — Visibility: Deployed Illumio Core to map all application communication flows across 1,200 servers
- Phase 2 — Segmentation: Enforced microsegmentation policies isolating PCI CDE, core banking, and DMZ workloads
- Phase 3 — ZTNA: Replaced Cisco AnyConnect VPN with Zscaler Private Access for identity-aware, device-posture-checked access
- Phase 4 — Continuous verification: Integrated CrowdStrike Falcon with conditional access policies in Microsoft Entra ID
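The four phases above form one procedure: map what actually talks to what, turn that map into an allow-list with everything else denied, then put identity and device posture in front of the applications. The following Python is an added illustration of that procedure and is not code from Banca Meridiana, Illumio, Zscaler, CrowdStrike or Microsoft; the hostnames, segment labels, observed flows and group entitlements are constructed samples, and the rule model is a deliberately simplified stand-in for a real segmentation product's policy language.

```python
# Added illustration of Phases 1-4 (constructed sample data, not the bank's or
# any vendor's code): derive a default-deny microsegmentation policy from an
# observed flow map, then gate application access on identity and device posture.
from dataclasses import dataclass

# Phase 1 output (constructed): workload -> segment label
WORKLOADS = {
    "web-01": "dmz",
    "api-01": "core-banking",
    "db-01": "core-banking",
    "pay-01": "pci-cde",
    "paydb-01": "pci-cde",
    "laptop-17": "endpoint",
}

# Phase 1 output (constructed): flows observed during the mapping period
# as (source, destination, port, protocol)
OBSERVED_FLOWS = [
    ("web-01", "api-01", 8443, "tcp"),
    ("api-01", "db-01", 5432, "tcp"),
    ("api-01", "pay-01", 443, "tcp"),
    ("pay-01", "paydb-01", 3306, "tcp"),
    ("laptop-17", "web-01", 443, "tcp"),
]

# Ports used when asking "what can this host still reach?"
PROBE_PORTS = [(22, "tcp"), (443, "tcp"), (3306, "tcp"), (5432, "tcp"), (8443, "tcp")]


@dataclass(frozen=True)
class Rule:
    """One allow rule between two segment labels on a port/protocol."""
    src_label: str
    dst_label: str
    port: int
    proto: str


def build_policy(workloads, flows):
    """Phase 2: turn observed flows into label-based allow rules.
    Anything not produced here is implicitly denied (default-deny)."""
    return {Rule(workloads[s], workloads[d], port, proto) for s, d, port, proto in flows}


def is_allowed(policy, workloads, src, dst, port, proto):
    """Default-deny check: unknown hosts and unmatched flows are refused."""
    if src not in workloads or dst not in workloads:
        return False
    return Rule(workloads[src], workloads[dst], port, proto) in policy


def flat_reachable(workloads, src):
    """Baseline from the Challenge section: on a flat L2 network every
    host can reach every other host."""
    return {h for h in workloads if h != src}


def reachable_from(policy, workloads, src, ports=PROBE_PORTS):
    """Hosts that src can still reach under the segmentation policy."""
    return {
        dst for dst in workloads
        if dst != src
        and any(is_allowed(policy, workloads, src, dst, p, proto) for p, proto in ports)
    }


# Phase 3/4 (constructed): identity groups entitled to each application segment
ENTITLEMENTS = {
    "dmz": {"all-staff"},
    "core-banking": {"core-banking-ops"},
    "pci-cde": {"payments-ops"},
}


def zero_trust_access(user_groups, device_compliant, app_label, entitlements=ENTITLEMENTS):
    """ZTNA decision: the user must hold an entitled group AND the device must
    pass its posture check. Either failure denies, regardless of network location."""
    if not device_compliant:
        return False
    return bool(entitlements.get(app_label, set()) & set(user_groups))


POLICY = build_policy(WORKLOADS, OBSERVED_FLOWS)

if __name__ == "__main__":
    print("flat network, laptop-17 reaches:", sorted(flat_reachable(WORKLOADS, "laptop-17")))
    print("segmented, laptop-17 reaches:   ", sorted(reachable_from(POLICY, WORKLOADS, "laptop-17")))
    print("segmented, api-01 reaches:      ", sorted(reachable_from(POLICY, WORKLOADS, "api-01")))
```

Running it shows the endpoint dropping from "every host" to only the DMZ web tier. It also shows why Phase 2 needs a review step rather than a blind export of the flow map: because pay-01 and paydb-01 share the single label "pci-cde", the observed api-01 to pay-01 flow on 443 produces a core-banking to pci-cde rule that also admits api-01 to paydb-01 on 443. The remedy is finer labels (for example separating the CDE application tier from its database tier), which is exactly the kind of over-permission a flow-map review is meant to catch before enforcement.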
The Outcome
The bank passed its PCI-DSS v4.0 audit at the first attempt. The flat network was replaced by 147 microsegments with default-deny policies. Remote access no longer requires VPN — users connect directly to applications with end-to-end encryption.