Chapter 4

Prospero Redesigns the Milan Island Network

Prospero, Network Architect at Milan Island Telecom, is dismantling the company's twenty-year-old castle-and-moat network. After the pandemic, two-thirds of the workforce became permanent remote, contractors connect from a dozen countries, and the company adopted three SaaS suites — none of which sit behind the corporate firewall.

The legacy design assumes that anyone inside the perimeter VPN is trustworthy. Prospero has been asked to fix this without forcing every remote worker to backhaul traffic through the Milan headquarters, which would crush the WAN links and add 200 ms of latency to every Salesforce request.

His plan: collapse networking and security functions into a single cloud-delivered edge service, evaluate every request continuously rather than once at login, break the flat internal network into per-application segments small enough that a single compromised laptop cannot reach the customer billing database, and classify all data so that DLP rules can travel with files even when they leave the network.

Prospero also has to convince the auditors that he can measure whether the new controls work — not just claim they do.

Complete Prospero's architecture brief by selecting the correct concept for each blank.

Prospero will replace the legacy hub-and-spoke VPN with a that delivers SD-WAN, SWG, CASB, ZTNA, and FWaaS from cloud points of presence close to the user. This avoids backhaul while maintaining policy enforcement.

Rather than trusting the network location of a request, every access decision will be made at a , which evaluates identity, device posture, and context. The decision is then enforced at the in front of each application. The guiding principle is that authorization is — re-evaluated on every request, not granted once at login.

To limit blast radius, Prospero will divide the data center into per-workload segments using — far finer-grained than traditional VLAN segmentation. This way, a compromised endpoint can reach only the specific services it has been explicitly authorized for.

All customer data will be assigned a sensitivity at creation, and DLP rules will scan email and SaaS uploads for matching content as it leaves the environment. Files at rest in cloud storage will be inspected by scans to find mislabeled or shadow copies.

Finally, to demonstrate effectiveness to auditors, Prospero will publish a quarterly dashboard of — quantitative evidence that the controls reduce real risk, not just compliance checkboxes.