White Paper

The City of Guelph Reduces Operational Time and Stress with Prisma Access

With our help, the City of Guelph reduced their operational time and stress by implementing Palo Alto Networks Prisma Access. Read our latest customer story to learn more.


While many people take city services for granted, much goes on behind the scenes to keep a municipality running. Besides (literally) fighting fires and dodging cyberattacks, city governments make sure roads are smooth and clear for your morning commute, take your trash to the landfill so you don’t have to and maintain pleasant parks for you and your family to enjoy.

Computer technology supports much of this work—and that technology must be accessible by employees wherever they are working and secure from external threats.

To deliver city services day in and day out to its 140,000 residents, the City of Guelph, Ontario, located about an hour west of Toronto, runs two physical data centres in parallel for instant failover capabilities. Since the city runs 24/7/365, downtime isn’t an option. In addition, the city has a cloud presence with Microsoft Azure—a resource that the city would like to take better advantage of.

Securing one data centre is complex. Securing two can be more than twice as difficult and at least twice as expensive because you need to buy two of everything. 


Small Team, Big Headaches

With only nine IT professionals to serve 2,000 city employees, time is a precious commodity, and some days, so are the necessary skills to keep its data centres running in harmony. Managing redundancy, software version upgrades and security for two data centres was stretching the city’s IT staff thin.

David Boyle, manager of IT Infrastructure at the City of Guelph, says, “Historically, security was one guy deploying firewalls all over the organization, blocking and preventing as much as possible. The issue with that is excessive security tends to reduce functionality. If people can’t do their jobs, it doesn’t matter if it’s secure.”


It was a single point of failure for the whole organization when the firewall guy went on vacation. “It was like, ‘Don’t touch anything, because if it breaks, we’re in big trouble.’ That’s not good,” he says.

The city was also constantly running into code upgrade requirements, mostly to fix software bugs that were causing problems. To make an update, Boyle’s team had to take a firewall down, which can sometimes take up to a month to complete for two data centres. Boyle says, “We were running into a situation where essentially we needed someone doing this full time and I didn’t have anyone to do that.”

In addition, running two data centres means maintaining firewall rules in two places. Sometimes, those rules can get out of sync, which can result in access problems for users. Managing rules for consistency is another time drain for the team.

Physical firewalls are expensive and need to be replaced every five or six years. Boyle says, “It was to the point where I was faced with a cost of close to $200,000 next time I upgraded.” 

Performance Issues for Remote Access

When the pandemic hit in early 2020, the city faced a new problem: scaling remote access. Boyle says, “We had a massive mobilization of people working from home who needed access from anywhere in the world. We struggled to provide that.”

Like most organizations during the pandemic, the City of Guelph relied on traditional VPN for secure remote access. Since relatively few municipal employees work remotely, the system was configured to serve a handful of employees. 

But scaling up quickly to accommodate hundreds of users at once for all-day, everyday use was impossible without introducing performance problems. That’s because with traditional VPN, all traffic is routed through a data centre to be checked for security, sometimes doubling the round-trip time for data to reach its destination. While that’s OK if you have a handful of users who occasionally log in remotely, adding hundreds of users amplifies the latency issues, adding significant friction to the workday. It can make video conferencing unproductive, and if someone forgets they’re on VPN and loads a big YouTube video, bandwidth can suffer further.

Scaling up to accommodate 2,000 employees requires buying and installing more hardware—a painful, time-consuming and expensive process. But what happens when people return to the office? Do you send those boxes back to the manufacturer? Can you collapse the licenses back down? 

A Managed Firewall Solution in the Cloud

Boyle says that moving forward, a big mindset change around security needed to happen, so he approached CDW Canada with his challenges. CDW introduced the city to Palo Alto Networks and as a result, the city moved away from its original security vendor to Palo Alto Networks to consolidate physical firewalls and lower life cycle costs.

While this was successful, it didn’t address Boyle’s need to simplify and streamline firewall management. The city tried using management software from Palo Alto Networks to reduce management overhead, but it still had someone running around managing software versions and trying to configure redundancy.

Boyle says, “I explained this all to CDW and they brought up Prisma Access.” Prisma Access is a cloud-based security platform designed to handle the challenges of securing remote access and hybrid cloud and on-premises environments.

Prisma Access replaces expensive physical firewalls with software firewalls that activate dynamically in the cloud when a user logs in. Rather than routing all traffic through a physical data centre and hairpinning it back to the user, Prisma Access runs at a physical point that’s much closer to the user than the city’s data centre, dramatically improving performance without degrading security.

“So, we moved away from our original security vendor to Palo Alto Networks because of Prisma Access and its next-generation firewall,” says Boyle. “CDW brought the technology forward and provided me with information on why this was the most forward-thinking platform to use. They have a great technical team who were able to discuss firewalls and firewall technology with my security team and show them that the future was cloud-based firewalls.”

CDW supported the city in completely replacing its physical firewalls with Prisma Access and provided Boyle’s team with the resources needed to migrate and fine-tune firewall rules for efficiency. Because Palo Alto Networks manages the Prisma Access infrastructure, the city doesn’t need to buy and configure new hardware to enable secure remote access across the organization. Palo Alto Networks also handles all software maintenance, including version upgrades.

Boyle’s team can now focus on managing the firewall rules, which will never go out of sync between firewall instances because rules are now centrally managed.

In addition, scalability is a non-issue with cloud-based security. Prisma Access automatically scales up to meet demand. When people return to the office and demand for remote access wanes, it scales back. 

A More Confident IT Department

One of the biggest benefits to the City of Guelph in moving to Prisma Access is that Boyle and his team have more time. For example, Prisma Access completely removes the need to have a person stand next to a physical firewall with a laptop plugged into it to do upgrades. Instead, the IT department can spend time on initiatives such as taking better advantage of innovation in the cloud with its Microsoft Azure presence.

Boyle says, “My security team is now much more relaxed because they realize that it’s not all on them. As good as they are, they can never potentially have the knowledge that Palo Alto Networks and CDW have, and they could never focus enough of their time on perfecting it. I think it makes them way more confident.”

Improved Security Posture at a Lower Cost

Due to the ubiquitous security that Prisma Access provides — the ability to scan all traffic on the network — the city is less vulnerable to the constant intrusion attempts from outside. Boyle says, “Each month, we see hundreds of thousands of attempts from all over the world to penetrate our network. The only saving grace is that I have CDW helping me manage that very muddy water, and I have Palo Alto Networks firewalls—which is literally the pinnacle of firewall technology—keeping attackers at bay.”

Palo Alto Networks rolls everything up into one easy-to-digest operational cost. “My support, the technology, the upgrades, the bandwidth, the VPN licensing, everything is packaged very nicely,” Boyle says. “Not only are we saving time and avoiding headaches, but we’re also saving financially. It’s improved our redundancy and increased functionality without compromising on security. It’s created a partnership with CDW and Palo Alto Networks where we have a greater level of support, and it’s reduced operational stress on my team because of the partnership.”

Boyle says that his team relied on CDW throughout the entire project for implementation, support and testing. He says, “CDW has a strong bench of individuals who are extremely familiar with our implementation and our firewall rules. CDW also has strong partnerships with their vendors, so they always have the latest information from their suppliers, which they pass along to my team and help us implement new technology to bring more benefit and functionality to us.”

Boyle adds, “We’re the first municipality in Canada to implement Prisma Access. It’s risky to be the first at something, and we wouldn’t have done it without CDW. Since they’ve been working with Palo Alto Networks for a long time, and because they know how we’ve implemented technology here at the city, we felt confident in moving forward with something that was unproven in Canada.”

Now that the City of Guelph has cloud-based security for its entire computing infrastructure, it’s excited to take the next step, which is to gradually move workloads to Azure, such as its public transit applications. Boyle says, “Eventually we will have an Internet connection from Azure to Prisma Access, completing what I like to call kind of a trifecta of redundancy. That will give us a true cloud presence, which will ensure that we can put any server virtually into Azure. In that case, if the entire City of Guelph went dark, city employees could still continue to function remotely.”

