CASE STUDY
Banque Misr UAE Cloud Infrastructure
End-to-End AWS Landing Zone for a Regulated Banking Institution
Managed Services Program | Cloud & Infrastructure Practice
| Client | Banque Misr UAE |
| Industry | Banking & Financial Services |
| Compliance Requirement | PCI DSS; Central Bank of the UAE (CBUAE) Regulations |
| Services Provided | IT Infrastructure Management, Cloud & DevOps |
| Cloud Platform | Amazon Web Services (AWS) |
| Engagement Duration | Over 12 months (Ongoing) |
| Engagement Type | Managed Services — Build, Operate & Transfer (BOT) |
1. Client Overview
Banque Misr is a regulated banking institution operating within the UAE financial sector. As a financial services provider, Banque Misr is subject to strict regulatory oversight from the Central Bank of the UAE (CBUAE) and must adhere to the Payment Card Industry Data Security Standard (PCI DSS) to safeguard cardholder data and maintain operational integrity.
The organization required a modern, cloud-native infrastructure capable of meeting both its business growth objectives and the demanding compliance, security, and auditability requirements imposed by national and international financial regulators.
2. Challenges & Business Need
Prior to the engagement, Banque Misr faced a combination of regulatory, operational, and technical challenges that necessitated a full-scale cloud infrastructure build:
Regulatory & Compliance Pressure
- Mandatory compliance with PCI DSS standards for the protection of cardholder data environments (CDE).
- Strict adherence to Central Bank of the UAE (CBUAE) Information Security (InfoSec) directives governing cloud adoption, data residency, and security controls.
- Ongoing audit cycles requiring robust, auditable infrastructure with centralized logging and monitoring.
Time-Critical Delivery Deadlines
- Regulatory deadlines imposed by the CBE required the environment to be fully operational and audit-ready within a defined timeframe.
- The compressed timeline demanded rapid infrastructure provisioning without compromising security or compliance standards.
Infrastructure Complexity
- No existing cloud environment — the entire infrastructure needed to be built from the ground up, starting from the AWS Landing Zone.
- Complex network segmentation requirements to isolate the cardholder data environment (CDE) from other workloads.
- Requirement for multi-layered security controls including next-generation firewalls, WAF, and end-to-end encryption.
3. Our Managed Services Engagement
3.1 Scope of Work
Our team was engaged to design, build, and operationalize a fully PCI DSS-compliant cloud environment on AWS — from initial architecture and account structure through to security hardening, network design, and ongoing managed operations. The scope encompassed:
- Full AWS Landing Zone design and multi-account deployment.
- Hub-and-spoke network architecture design and implementation.
- Identity and access management using AWS IAM Identity Center.
- Centralized logging, monitoring, and alerting via Amazon CloudWatch.
- End-to-end encryption across all storage services.
- Network segmentation between application tiers (web, app, database, CDE).
- Deployment and configuration of next-generation firewall solutions.
- Web Application Firewall (WAF) implementation for application-layer protection.
- Container orchestration platform setup for application workloads.
- Cloud Security Posture Management (CSPM) for continuous compliance monitoring.
- VPN and secure connectivity configuration.
- Infrastructure-as-Code (IaC) implementation for repeatable, auditable deployments.
- Cisco WSA (Web Security Appliance) deployment for web traffic inspection and threat protection.
- Cisco SD-WAN implementation for secure, optimized branch and hybrid connectivity.
3.2 Technologies, Tools & Frameworks
The following technologies and platforms were utilized throughout the engagement:
| AWS (Cloud Platform) | Terraform (IaC) | Amazon EKS |
| ROSA (OpenShift) | F5 WAF | Palo Alto Firewall |
| Fortinet FortiGate | Cisco WSA | Cisco SD-WAN |
| AWS Transit Gateway | AWS IAM Identity Center | Amazon CloudWatch |
| Prisma Cloud (CSPM) | VPN / NAT Gateway | AWS KMS (Encryption) |
3.3 Duration & Type of Engagement
| Duration | Over 12 months (Ongoing managed engagement) |
| Engagement Model | Build, Operate & Transfer (BOT) — Managed Services |
| Delivery Approach | Agile delivery (Jira) with milestone-based compliance checkpoints |
| Team | Dedicated managed services team with cloud, security, and DevOps specialists |
4. Actions Taken / Solution Implemented
Phase 1 — Foundation: AWS Landing Zone & Account Structure
The engagement began with the design and deployment of a multi-account AWS Landing Zone, establishing a secure and scalable foundation for all subsequent workloads. This included:
- An AWS Organizations structure was defined with dedicated accounts for production, staging, security, logging, and shared services.
- AWS IAM Identity Center was configured for centralized, role-based access management across all accounts.
Phase 2 — Network Architecture: Hub-and-Spoke Design
A hub-and-spoke network topology was implemented to provide centralized security control and traffic inspection across all workloads:
- A central hub VPC was established to host all shared security services including firewalls, WAF, and egress/ingress inspection.
- Spoke VPCs were connected via AWS Transit Gateway, enabling scalable east-west traffic inspection.
- Network segmentation was enforced between tiers — DMZ, application, database, and the isolated Cardholder Data Environment (CDE).
- Palo Alto and FortiGate next-generation firewalls were deployed in the hub for deep packet inspection and threat prevention.
- F5 WAF was configured to protect web applications against application-layer attacks.
- NAT Gateways and VPN tunnels were configured for secure inbound and outbound connectivity.
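The route-table design is what makes the hub-and-spoke topology a security control rather than just a connectivity pattern: spoke attachments must not learn each other's routes, and their only path out is the inspection VPC. The Terraform below is an added illustration of that pattern and is not taken from the project's own repository; the VPC and subnet IDs are assumed inputs, the region, names and `app`/`cde` spoke set are placeholders.

```hcl
# Added example (not the project's own Terraform): AWS Transit Gateway route-table
# segmentation for centralized inspection. VPC/subnet IDs are assumed inputs;
# region, names and the two spokes are placeholders.

terraform {
  required_providers {
    aws = { source = "hashicorp/aws", version = ">= 5.0" }
  }
}

provider "aws" {
  region = "me-central-1" # placeholder region
}

variable "hub_vpc_id"     { type = string }
variable "hub_subnet_ids" { type = list(string) }
variable "app_vpc_id"     { type = string }
variable "app_subnet_ids" { type = list(string) }
variable "cde_vpc_id"     { type = string }
variable "cde_subnet_ids" { type = list(string) }

resource "aws_ec2_transit_gateway" "hub" {
  description = "Central inspection hub"
  # Disable the default route table so every attachment is placed explicitly
  # and nothing is reachable by accident.
  default_route_table_association = "disable"
  default_route_table_propagation = "disable"
}

locals {
  spokes = {
    app = { vpc_id = var.app_vpc_id, subnet_ids = var.app_subnet_ids }
    cde = { vpc_id = var.cde_vpc_id, subnet_ids = var.cde_subnet_ids }
  }
}

resource "aws_ec2_transit_gateway_vpc_attachment" "hub" {
  transit_gateway_id     = aws_ec2_transit_gateway.hub.id
  vpc_id                 = var.hub_vpc_id
  subnet_ids             = var.hub_subnet_ids
  # Appliance mode keeps both directions of a flow on the same firewall AZ.
  appliance_mode_support = "enable"
}

resource "aws_ec2_transit_gateway_vpc_attachment" "spoke" {
  for_each           = local.spokes
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  vpc_id             = each.value.vpc_id
  subnet_ids         = each.value.subnet_ids
}

# Spoke route table: a single static default route to the hub and no
# propagation, so app <-> CDE traffic cannot bypass the firewalls.
resource "aws_ec2_transit_gateway_route_table" "spokes" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
}

resource "aws_ec2_transit_gateway_route" "spokes_default" {
  destination_cidr_block         = "0.0.0.0/0"
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.hub.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spokes.id
}

resource "aws_ec2_transit_gateway_route_table_association" "spokes" {
  for_each                       = aws_ec2_transit_gateway_vpc_attachment.spoke
  transit_gateway_attachment_id  = each.value.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spokes.id
}

# Hub route table: learns every spoke CIDR by propagation so inspected
# traffic can be returned to the correct spoke.
resource "aws_ec2_transit_gateway_route_table" "hub" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
}

resource "aws_ec2_transit_gateway_route_table_association" "hub" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.hub.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.hub.id
}

resource "aws_ec2_transit_gateway_route_table_propagation" "hub_learns_spokes" {
  for_each                       = aws_ec2_transit_gateway_vpc_attachment.spoke
  transit_gateway_attachment_id  = each.value.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.hub.id
}
```

Each spoke VPC still needs its own subnet route tables pointing non-local destinations at the Transit Gateway attachment, and the firewall subnets in the hub need a return route to the Transit Gateway; those VPC-level routes are outside this fragment. A useful audit check after apply is to list the spoke route table and confirm it contains only the `0.0.0.0/0` entry.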
Phase 3 — Security Hardening & PCI DSS Compliance Controls
Security controls were implemented in alignment with PCI DSS requirements and CBE InfoSec directives:
- End-to-end encryption enforced across all AWS storage services (S3, EBS, RDS) using AWS KMS.
- Centralized logging established via Amazon CloudWatch Logs for all infrastructure events, access logs, and security alerts.
- Prisma Cloud deployed as the CSPM solution for continuous compliance posture monitoring and real-time alerts.
- Vulnerability scanning and compliance reporting integrated into the operational runbooks.
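"End-to-end encryption using AWS KMS" is only enforceable when a customer-managed key is used with rotation, the storage service defaults to it, and a policy rejects writes that try to use anything else. The Terraform below is an added example of that combination and is not code from the engagement; the bucket and log group names are placeholders, and the assumed region comes from the provider configuration.

```hcl
# Added example (not the project's own code): a rotating customer-managed KMS key,
# an S3 bucket that refuses objects not encrypted with it or sent over plain HTTP,
# and a CloudWatch log group encrypted with the same key. Names are placeholders.

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

resource "aws_kms_key" "data" {
  description             = "CMK for storage and log encryption"
  enable_key_rotation     = true # annual automatic rotation
  deletion_window_in_days = 30

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AccountAdmin"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        # CloudWatch Logs needs explicit permission to use the key for an encrypted log group,
        # scoped to log groups in this account via the encryption context.
        Sid       = "AllowCloudWatchLogs"
        Effect    = "Allow"
        Principal = { Service = "logs.${data.aws_region.current.name}.amazonaws.com" }
        Action    = ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*"]
        Resource  = "*"
        Condition = {
          ArnLike = {
            "kms:EncryptionContext:aws:logs:arn" = "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:*"
          }
        }
      }
    ]
  })
}

resource "aws_s3_bucket" "cde_data" {
  bucket = "example-cde-data-bucket" # placeholder name
}

resource "aws_s3_bucket_server_side_encryption_configuration" "cde_data" {
  bucket = aws_s3_bucket.cde_data.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.data.arn
    }
    bucket_key_enabled = true # fewer KMS calls, same key
  }
}

resource "aws_s3_bucket_public_access_block" "cde_data" {
  bucket                  = aws_s3_bucket.cde_data.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Default encryption covers uploads that send no encryption header; the policy
# makes uploads that name another algorithm or key, or arrive over HTTP, fail.
resource "aws_s3_bucket_policy" "cde_data" {
  bucket = aws_s3_bucket.cde_data.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "DenyNonKmsAlgorithm"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:PutObject"
        Resource  = "${aws_s3_bucket.cde_data.arn}/*"
        Condition = { StringNotEqualsIfExists = { "s3:x-amz-server-side-encryption" = "aws:kms" } }
      },
      {
        Sid       = "DenyWrongKey"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:PutObject"
        Resource  = "${aws_s3_bucket.cde_data.arn}/*"
        Condition = { StringNotEqualsIfExists = { "s3:x-amz-server-side-encryption-aws-kms-key-id" = aws_kms_key.data.arn } }
      },
      {
        Sid       = "DenyInsecureTransport"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:*"
        Resource  = [aws_s3_bucket.cde_data.arn, "${aws_s3_bucket.cde_data.arn}/*"]
        Condition = { Bool = { "aws:SecureTransport" = "false" } }
      }
    ]
  })
}

resource "aws_cloudwatch_log_group" "infra" {
  name              = "/example/infra" # placeholder
  retention_in_days = 365
  kms_key_id        = aws_kms_key.data.arn
}
```

The `...IfExists` condition operators matter: a plain `StringNotEquals` would deny every upload that omits the header, including ones that would have been encrypted correctly by the bucket default. The same key policy pattern (service principal plus encryption-context condition) is what RDS and EBS rely on when they are pointed at a customer-managed key.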
Phase 4 — Cisco Security & Connectivity Stack
Cisco solutions were deployed to extend security coverage and optimize network connectivity:
- Cisco WSA (Web Security Appliance) implemented to inspect and control outbound web traffic, providing URL filtering, malware scanning, and data loss prevention.
- Cisco SD-WAN deployed to provide secure, policy-driven connectivity across branches and hybrid environments with centralized management and visibility.
- SD-WAN policies configured to enforce traffic segmentation, QoS, and encrypted tunneling aligned with PCI DSS network security requirements.
Phase 5 — Container Platform & Application Layer
Container orchestration platforms were deployed to support the client’s application workloads:
- Amazon EKS (Elastic Kubernetes Service) deployed for containerized application workloads.
- ROSA (Red Hat OpenShift Service on AWS) implemented as a secondary container platform for specific workloads.
- Kubernetes network policies and pod security policies configured to enforce workload isolation.
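Workload isolation in Kubernetes only holds when the namespace starts from default-deny and each permitted flow is opened explicitly. The Terraform below, using the Kubernetes provider, is an added example and not one of the project's manifests; the `cde` namespace, the `payment-api` label, the `ingress-nginx` namespace and the port are placeholders, and the Pod Security Admission label is an assumption standing in for the "pod security policies" mentioned above.

```hcl
# Added example (not the project's own manifests): default-deny network policies
# for a CDE namespace, DNS egress, and a single allowed ingress path. Namespace,
# label and port values are placeholders; cluster credentials are assumed present.

terraform {
  required_providers {
    kubernetes = { source = "hashicorp/kubernetes", version = ">= 2.0" }
  }
}

provider "kubernetes" {
  config_path = "~/.kube/config" # assumption: kubeconfig for the target cluster
}

resource "kubernetes_namespace" "cde" {
  metadata {
    name = "cde"
    # Pod Security Admission (successor to PodSecurityPolicy); assumption.
    labels = { "pod-security.kubernetes.io/enforce" = "restricted" }
  }
}

# Empty pod_selector matches every pod in the namespace; naming both policy
# types with no rules blocks all ingress and egress by default.
resource "kubernetes_network_policy" "default_deny" {
  metadata {
    name      = "default-deny-all"
    namespace = kubernetes_namespace.cde.metadata[0].name
  }
  spec {
    pod_selector {}
    policy_types = ["Ingress", "Egress"]
  }
}

# Default-deny also blocks DNS, so re-open UDP/TCP 53 to kube-system only.
resource "kubernetes_network_policy" "allow_dns" {
  metadata {
    name      = "allow-dns-egress"
    namespace = kubernetes_namespace.cde.metadata[0].name
  }
  spec {
    pod_selector {}
    policy_types = ["Egress"]
    egress {
      to {
        namespace_selector {
          match_labels = { "kubernetes.io/metadata.name" = "kube-system" }
        }
      }
      ports {
        port     = "53"
        protocol = "UDP"
      }
      ports {
        port     = "53"
        protocol = "TCP"
      }
    }
  }
}

# Only pods in the ingress namespace may reach the payment API, and only on 8443.
resource "kubernetes_network_policy" "payment_api_ingress" {
  metadata {
    name      = "allow-ingress-to-payment-api"
    namespace = kubernetes_namespace.cde.metadata[0].name
  }
  spec {
    pod_selector {
      match_labels = { app = "payment-api" }
    }
    policy_types = ["Ingress"]
    ingress {
      from {
        namespace_selector {
          match_labels = { "kubernetes.io/metadata.name" = "ingress-nginx" }
        }
      }
      ports {
        port     = "8443"
        protocol = "TCP"
      }
    }
  }
}
```

NetworkPolicy objects are additive: the allow rules above do not weaken the default-deny policy, they carve specific exceptions out of it. The policies are only enforced when the cluster's CNI supports them, which is worth confirming on both EKS and ROSA before relying on them as a PCI DSS segmentation control.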
Phase 6 — Infrastructure as Code & Automation
All infrastructure was codified to ensure repeatability, version control, and auditability:
- Terraform used to define and provision all AWS resources as Infrastructure-as-Code.
5. Outcomes & Results
The engagement delivered a production-grade, fully compliant cloud infrastructure within the client’s mandated timeline. Key outcomes include:
| PCI DSS Compliance | Full cardholder data environment (CDE) isolation and security controls in place, enabling successful regulatory audit cycles. |
| CBUAE/InfoSec Compliance | All Central Bank of the UAE and information security directives met across network, access control, encryption, and monitoring domains. |
| Audit Readiness | Continuous audit readiness maintained through Prisma Cloud CSPM, centralized CloudWatch logging, and CloudTrail logging. |
| Zero-Trust Network | Hub-and-spoke architecture with multi-layer firewall enforcement (Palo Alto + FortiGate + F5 WAF) delivering a zero-trust network posture. |
| Infrastructure as Code | 100% of infrastructure codified in Terraform, enabling repeatable deployments and full auditability of all changes. |
| Operational Continuity | Ongoing managed services engagement ensures continuous monitoring, compliance, and operational support beyond initial delivery. |
| Delivery Timeline | All regulatory deadline milestones met despite compressed delivery schedule. |
6. Client Feedback & Testimonials
| “Many Thanks Karim Sadek for your commitment and dedication, Many Thanks Karim Sadek and Abdelrahman Refaat” — Davy Nazi, Banque Misr’s Representative |
The testimonial reflects the client’s recognition of the professionalism, technical expertise, and dedication demonstrated by the managed services team throughout this complex, high-stakes engagement.
7. Visuals & Supporting Material
The following supporting materials are available as part of the case study documentation package:
- AWS Multi-Account Architecture Diagram — Hub-and-spoke topology with Transit Gateway, security VPC, and spoke account structure.
- Network Segmentation Diagram — Tier-based network zones: DMZ, App Tier, DB Tier, and CDE isolation boundaries.
- Security Stack Overview — Logical diagram of the layered security controls (Palo Alto, FortiGate, F5 WAF, Prisma Cloud).
- Infrastructure-as-Code Repository — Terraform modules available for review (subject to NDA).
Note: Architecture diagrams and supporting visuals can be provided upon request and are subject to client confidentiality agreements.
This document is confidential and prepared for internal use within the Managed Services Program.