Case Study · Banking & Finance

Canadian Bank Migrates 15,000 Users to Prisma SASE

Zero downtime. 16 weeks. OSFI B-13 evidence delivered.

How a Canadian retail bank moved 15,000 employees from a legacy MPLS-backhauled VPN to Prisma Access SASE in 16 weeks, eliminating branch backhaul and improving Cortex XDR visibility under OSFI B-13 expectations. Bilingual EN/FR rollout for Quebec-resident operations.

Canadian retail bank, 15,000 employees, multi-province footprint

  • 15,000 users migrated
  • 16 weeks end-to-end
  • OSFI B-13 evidence delivered
  • EN/FR bilingual rollout

01
The challenge

Legacy VPN at scale and OSFI B-13 pressure

The bank had grown its remote workforce during its transition to hybrid work. Its legacy IPSec VPN backhauled all internet traffic through two Ontario data centres, then out through monitored egress. The architecture was straining at scale. OSFI Guideline B-13 expectations had also tightened. The bank's SOC needed deeper visibility into endpoint and network telemetry than the legacy architecture provided. Branch traffic was particularly hard to monitor because everything routed through a single egress. Quebec branches added a further requirement: Law 25 enforcement in 2026 required documented privacy-by-design evidence for any architectural change touching Quebec-resident customer data flows. The bank weighed three options.

"We needed to address the OSFI B-13 expectations and modernize our remote-access architecture at the same time. CWS gave us a path that solved both and they delivered it without surprises. The bilingual rollout for our Quebec branches was handled without us having to manage it."

CISO, Canadian retail bank

Why CWS

Four reasons CWS won the engagement.

  • PCNSE-led delivery

    Senior CWS engineer assigned as lead, reporting weekly to the bank's network architect and CISO.

  • Bilingual EN/FR comms

    End-user comms produced in EN and FR. Quebec branch staff received French-language guides for the GlobalProtect agent rollout.

  • OSFI B-13-aligned reporting

    Engagement deliverables included OSFI B-13 control mapping and evidence artifacts ready for the bank's compliance team.

  • Cortex XDR integration on day one

    Prisma Access logs flowed into Cortex XDR from week one of pilot, giving the SOC visibility before scale rollout.

02
Timeline

Five phases. Defined ownership.

  1. Phase 1

    Discovery

    Two weeks of architecture documentation, user-population analysis, and identity-source audit. Output: target architecture document, OSFI B-13 control-mapping plan, and pilot scope.

  2. Phase 2

    Pilot (500 users)

    Two weeks of pilot rollout to a single business unit. Identity integration validated. Cortex XDR log-flow validated. Pilot success criteria signed off.

  3. Phase 3

    Wave 1 expansion (4,000 users)

    Three weeks rolling out to corporate-banking, treasury, and retail-banking divisions. End-user comms in EN/FR. Help-desk runbook activated.

  4. Phase 4

    Wave 2 expansion (10,500 users)

    Six weeks rolling out to remaining divisions and 100 branches across Ontario, Quebec, BC, and Alberta. Branch IPSec connections to Prisma Access stood up in parallel.

  5. Phase 5

    Stabilization

    Three weeks of tuning, MPLS de-provisioning, and handover to the bank's operations team, plus a CWS managed services contract.

"The OSFI mapping deliverable saved our compliance team weeks. CWS produced it as part of the engagement, not as an afterthought."

Compliance Lead, Canadian retail bank

03
Impact

What changed after the engagement.

  • 15,000
    users migrated
    From legacy IPSec to GlobalProtect on Prisma Access
  • 65%
    MPLS backhaul reduced
    Branch direct-to-internet eliminated MPLS routing for the majority of traffic
  • 0
    hours unplanned downtime
    Wave-by-wave rollout with rollback maintained service availability
  • 16 weeks
    end to end
    From kickoff to MPLS de-provisioning
  • Day 1
    Cortex XDR visibility
    Logs flowed into Cortex XDR from pilot through scale
  • OSFI B-13
    evidence delivered
    Control mapping accepted by compliance team

What's next

Where the engagement is heading.

The bank has expanded the engagement to cover Cortex XSIAM SOC modernization. Migration from the legacy SIEM is scheduled to complete within two quarters of the SASE rollout. Prisma Cloud deployment for the bank's AWS Canada Central workloads is in design.
