Recently I started my Master’s in Cyber Security, and I am taking on projects that mirror the work done by real network security engineers in modern organizations, such as secure network design. One of my most meaningful assignments was designing a secure network merger for two companies that were combining into a single business. Both companies handle financial services and medical software, meaning their data is highly sensitive and must be protected under strict laws like GLBA, SOX, and PCI DSS.

This project gave me the chance to improve a real enterprise architecture: securing remote access, removing legacy risks, strengthening identity controls, and reducing every major security exposure, all while staying under a $50,000 first-year budget. I used Zero Trust principles and key secure network design strategies to deliver a modern, compliant, and resilient hybrid infrastructure.


Project Overview

This project required me to analyze both networks, identify critical vulnerabilities, and create a secure architecture that merged on-premises equipment with cloud identity and applications. I implemented protected remote work solutions, VLAN-based segmentation, cloud-backed redundancy, and improved identity security using MFA and conditional access. The final secure network design reduced high-risk issues while still supporting normal operations and future scaling.


Understanding the Security Problem

Before designing anything new, I studied the current systems used by both companies. It became clear that their environments had been built for convenience, not for security or performance. Remote Desktop was open to the internet with no additional authentication, meaning attackers could try logging in all day. End-of-life servers that no longer received security patches were still in production. Passwords were weak and never required to change. Any user could make changes because everyone had local administrator rights.

These risks would only get worse as the companies merged. Without major improvements, the combined network could fall victim to ransomware or unauthorized access that spreads across the environment and shuts down critical systems. My task was to stop that from happening by redesigning the architecture with Zero Trust as the foundation.


Step 1 — Risk Assessment and Prioritization

Identity Driven Hybrid Network Zoom-In – Secure Network Design

Company A’s network allowed Remote Desktop access directly from the internet without any second step to verify the user. Attackers target that kind of exposure every day. On top of that, older user accounts that were no longer needed were still active, and servers running Windows Server 2012 were far behind on security updates.

Company B had similar problems but also ran insecure legacy services like rlogin and rexec, which allow access without passwords. They did not enforce Multi-Factor Authentication, leaving accounts completely unprotected. They also had only a single router at the perimeter, which created a single point of failure: if that router went down, the entire network would fall offline.

I created a plan that eliminated the highest-impact vulnerabilities first, while also preparing the organization for long-term growth and cloud adoption. This “fix the most dangerous things first” mindset is core to Zero Trust and modern cyber security programs.


Step 2 — Designing a Zero Trust Hybrid Network

Zero Trust Security Illustration – Secure Network Design

Once I understood the risks, I began designing the secure network merger. My goal was to eliminate blind trust and require constant verification as traffic moved through the environment. That meant segmenting internal resources, verifying identity before any sensitive connection, and using strong perimeter defenses to block external threats.

I redesigned the layout so each building keeps its own core network infrastructure, but all controlled traffic flows through a secure cloud identity provider (Azure AD). Remote work is only allowed through an authenticated VPN connection, and servers that cannot safely remain onsite are moved to cloud services with built-in security controls.

Below is the architecture that brings everything together.


Figure 1 — Merged Zero Trust Network Architecture

Merged Networks – Jose Felix Cruz

Merged hybrid network design featuring secure VPN, VLAN segmentation, and cloud identity enforcement. It applies the principles of network security design and maintains a secure network design throughout.


This design improved security in four major ways:

  • Traffic Isolation — Only the required systems can talk to each other
  • Cloud Identity — Accounts are verified with MFA before access is granted
  • Encrypted Remote Access — No direct RDP exposure
  • Modern Hardware — Eliminates outdated equipment with security weaknesses

No device — not even one inside the building — automatically gets trust.


Step 3 — Cloud Migration to Remove Legacy Risk

During my assessment, I saw that both companies were relying on outdated servers that could not receive new security patches. These systems were too risky to keep in production. I migrated key business services — including email, file storage, and application servers — to cloud platforms. This removed the physical security concerns and ensured systems were always updated and protected.

Moving identity to Azure AD also created a centralized login system. When an employee left, their access could be removed instantly everywhere. On-premises logins would be checked against cloud identity requirements, making identity the new security perimeter.

This brought the environment closer to compliance expectations for data encryption, logging, and access protections.
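The "identity is the new perimeter" idea in this step can be made concrete as a conditional access decision. What follows is an added example written for this post, not code from the project or from Azure AD: it models the policy in plain Python with constructed sign-in attributes, and the app names (finance-ledger, medical-records), the group name network-admins, and the field names are assumptions, not a real tenant's configuration.

```python
from dataclasses import dataclass

# Constructed sign-in attributes. Field, app and group names are this example's
# own assumptions, not the schema or configuration of a real Azure AD tenant.
@dataclass(frozen=True)
class SignIn:
    user: str
    account_enabled: bool
    groups: frozenset
    app: str
    mfa_satisfied: bool
    device_compliant: bool
    legacy_auth: bool            # protocol that cannot carry an MFA challenge
    from_office_network: bool    # recorded for audit, but never used to grant trust

# Applications holding regulated financial or medical data (assumed names).
SENSITIVE_APPS = frozenset({"finance-ledger", "medical-records"})
ADMIN_GROUP = "network-admins"

def evaluate(s: SignIn) -> tuple:
    """Return (decision, reason); decision is 'block', 'require_mfa' or 'grant'.

    Rules are ordered from most to least severe, so the first one that applies wins.
    """
    # 1. A disabled account is denied everywhere at once: this is what makes
    #    offboarding through a central identity provider immediate.
    if not s.account_enabled:
        return "block", "account disabled"
    # 2. Legacy protocols cannot prompt for a second factor, so they are blocked
    #    outright instead of silently bypassing MFA.
    if s.legacy_auth:
        return "block", "legacy authentication protocol"
    # 3. MFA is required for every user and every app. Being on the office
    #    network is not an exemption: no location grants trust by itself.
    if not s.mfa_satisfied:
        return "require_mfa", "MFA required for all access"
    # 4. Regulated data and administrative roles additionally need a managed,
    #    compliant device.
    if s.app in SENSITIVE_APPS and not s.device_compliant:
        return "block", "sensitive app requires a compliant device"
    if ADMIN_GROUP in s.groups and not s.device_compliant:
        return "block", "admin role requires a compliant device"
    return "grant", "policy satisfied"

def sample_decisions() -> dict:
    """Evaluate a few constructed sign-ins and return {user: decision}."""
    cases = [
        SignIn("former-staff", False, frozenset(), "email", True, True, False, True),
        SignIn("legacy-client", True, frozenset(), "email", True, True, True, False),
        SignIn("office-user", True, frozenset(), "email", False, False, False, True),
        SignIn("remote-user", True, frozenset(), "email", True, False, False, False),
        SignIn("byod-user", True, frozenset(), "finance-ledger", True, False, False, False),
        SignIn("net-admin", True, frozenset({ADMIN_GROUP}), "servers", True, True, False, False),
    ]
    return {c.user: evaluate(c)[0] for c in cases}

if __name__ == "__main__":
    for user, decision in sample_decisions().items():
        print(f"{user:14} -> {decision}")
```

The ordering matters: the disabled-account and legacy-protocol checks come before anything else, so a departed user or an old mail client that cannot do MFA is refused before any other signal is considered, and the office-network flag is deliberately never consulted when deciding whether to grant.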


Step 4 — Protecting Remote Access with a Secure VPN

Before this project, remote workers connected through open Remote Desktop sessions. That exposed the network to constant threat-scanning bots and credential-stuffing attacks. I replaced this with a secure VPN solution that requires MFA before users can even reach the internal network. The firewall only accepts connections from the VPN, which protects both internal and cloud-hosted systems.

This update shut down the single most dangerous vulnerability in the combined network.
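Closing the RDP exposure removes the target, but the VPN gateway still sees the same scanning bots and credential-stuffing attempts, so its authentication log is worth watching. The detection below is an added example for this post, not code or a log format from the project or any VPN vendor: the syslog-like lines, the hostname vpn-gw, the thresholds and the 5-minute window are all constructed assumptions. It flags three patterns from the log: many failures against one account from one source, one source failing against many accounts (a password spray), and a success that follows a burst of failures, which is the event to triage first.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN gateway auth log in a syslog-like layout. The format and the
# hostname "vpn-gw" are assumptions for this example, not a vendor's real format.
SAMPLE_LOG = """\
2025-12-01T08:00:01Z vpn-gw auth: result=FAIL user=alice src=203.0.113.10
2025-12-01T08:00:05Z vpn-gw auth: result=FAIL user=alice src=203.0.113.10
2025-12-01T08:00:09Z vpn-gw auth: result=FAIL user=alice src=203.0.113.10
2025-12-01T08:00:13Z vpn-gw auth: result=FAIL user=alice src=203.0.113.10
2025-12-01T08:00:17Z vpn-gw auth: result=FAIL user=alice src=203.0.113.10
2025-12-01T08:00:21Z vpn-gw auth: result=FAIL user=alice src=203.0.113.10
2025-12-01T08:00:30Z vpn-gw auth: result=OK user=alice src=203.0.113.10
2025-12-01T08:01:00Z vpn-gw auth: result=FAIL user=bob src=198.51.100.7
2025-12-01T08:01:02Z vpn-gw auth: result=FAIL user=carol src=198.51.100.7
2025-12-01T08:01:04Z vpn-gw auth: result=FAIL user=dave src=198.51.100.7
2025-12-01T08:01:06Z vpn-gw auth: result=FAIL user=erin src=198.51.100.7
2025-12-01T08:02:00Z vpn-gw session: user=frank tunnel=up
2025-12-01T08:03:10Z vpn-gw auth: result=FAIL user=frank src=192.0.2.200
2025-12-01T08:03:20Z vpn-gw auth: result=FAIL user=frank src=192.0.2.200
2025-12-01T08:03:40Z vpn-gw auth: result=OK user=frank src=192.0.2.200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) vpn-gw auth: result=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse(text):
    """Return (timestamp, result, user, src) tuples; non-auth lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["result"], m["user"], m["src"]))
    return events

def detect(events, window=timedelta(minutes=5), fail_threshold=5, spray_users=3):
    """Flag per-source failure bursts, password sprays and success after a burst."""
    alerts = []
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[3]].append(ev)
    for src, evs in sorted(by_src.items()):
        fails = [(ts, user) for ts, result, user, _ in evs if result == "FAIL"]
        worst_count, worst_users = 0, set()
        # Slide a window across this source's failures and keep the worst one seen.
        for i, (start, _) in enumerate(fails):
            in_win = [(t, u) for t, u in fails[i:] if t - start <= window]
            worst_count = max(worst_count, len(in_win))
            users = {u for _, u in in_win}
            if len(users) > len(worst_users):
                worst_users = users
        if worst_count >= fail_threshold:
            alerts.append({"src": src, "type": "brute_force", "failures": worst_count})
        if len(worst_users) >= spray_users:
            alerts.append({"src": src, "type": "password_spray", "users": sorted(worst_users)})
        # A success right after a burst of failures for the same user may mean a
        # guessed or stuffed credential worked, so it gets its own alert.
        for ts, result, user, _ in evs:
            if result == "OK":
                recent = [t for t, u in fails if u == user and ts - window <= t < ts]
                if len(recent) >= fail_threshold:
                    alerts.append({"src": src, "type": "success_after_failures",
                                   "user": user, "failures": len(recent)})
    return alerts

def run_sample():
    return detect(parse(SAMPLE_LOG))

if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Frank's two typos followed by a successful login stay below every threshold and produce nothing, which is the point of thresholding on a window rather than alerting on any failure; in a SIEM the same three rules would be expressed as scheduled queries over the gateway's forwarded logs.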


Step 5 — Implementing VLAN Segmentation

Networks are safer when internal systems are separated from one another. If a workstation becomes infected with malware, segmentation stops it from immediately spreading to servers or other users. I divided the environment into multiple VLANs, grouping similar system types together based on trust requirements.

Workstations, servers, printers, Wi-Fi devices, and administrative systems now exist in separate segments. Access between segments follows the Principle of Least Privilege: every move inside the network must be intentional and authorized.

This is one of the most effective ways to reduce the impact of a cyber attack.
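The two ideas from Steps 4 and 5, a perimeter that accepts only VPN traffic and inter-VLAN access that is closed unless explicitly opened, can be written down as one ordered rule base and checked flow by flow. The following is an added example for this post, not the project's firewall configuration: the VLAN names, the 10.10.x.0/24 and 203.0.113.0/24 ranges, the gateway's ports, and the allowed paths are all constructed assumptions chosen to match the segments the text describes.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed VLAN plan for one building. Ranges are private and documentation
# addresses chosen for this example, not the merged network's real addressing.
SEGMENTS = {
    "workstations": ip_network("10.10.10.0/24"),
    "servers":      ip_network("10.10.20.0/24"),
    "printers":     ip_network("10.10.30.0/24"),
    "wifi":         ip_network("10.10.40.0/24"),
    "admin":        ip_network("10.10.50.0/24"),
    "vpn_pool":     ip_network("10.10.60.0/24"),   # handed to clients after VPN + MFA
    "edge":         ip_network("203.0.113.0/24"),  # public side of the firewall / VPN gateway
}

def segment_of(addr):
    """Map an address to its VLAN name; anything outside the plan is 'internet'."""
    a = ip_address(addr)
    for name, net in SEGMENTS.items():
        if a in net:
            return name
    return "internet"

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str    # "tcp", "udp" or "any"
    port: object  # int or "any"
    action: str   # "allow" or "deny"

# Ordered rule base, first match wins; anything unmatched hits the implicit deny.
# Every inter-VLAN path that is not written here is closed by default.
RULES = [
    Rule("internet", "edge", "udp", 500,  "allow"),   # IKE to the VPN gateway
    Rule("internet", "edge", "udp", 4500, "allow"),   # IPsec NAT traversal
    Rule("internet", "edge", "any", "any", "deny"),   # nothing else inbound, RDP included
    Rule("vpn_pool", "servers", "tcp", 443, "allow"),
    Rule("vpn_pool", "workstations", "tcp", 3389, "allow"),  # RDP only inside the tunnel
    Rule("workstations", "servers", "tcp", 443, "allow"),
    Rule("workstations", "servers", "tcp", 445, "allow"),
    Rule("workstations", "printers", "tcp", 9100, "allow"),
    Rule("admin", "servers", "any", "any", "allow"),
    Rule("admin", "workstations", "tcp", 3389, "allow"),
    Rule("wifi", "internet", "any", "any", "allow"),  # Wi-Fi clients reach only the internet
]

def check(src_ip, dst_ip, proto, port):
    """Return ('allow'|'deny', reason) for one flow, evaluated top-down."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    for r in RULES:
        if (r.src == src and r.dst == dst
                and r.proto in ("any", proto) and r.port in ("any", port)):
            return r.action, f"{src}->{dst} {proto}/{port}: explicit {r.action}"
    return "deny", f"{src}->{dst} {proto}/{port}: implicit deny"

def exposed_from_internet(dst_ip, proto, port):
    """True if an unauthenticated internet host could reach this service."""
    return check("192.0.2.99", dst_ip, proto, port)[0] == "allow"  # TEST-NET-1 source

if __name__ == "__main__":
    flows = [
        ("192.0.2.99", "203.0.113.1", "tcp", 3389),   # RDP from the internet
        ("192.0.2.99", "203.0.113.1", "udp", 500),    # VPN negotiation from the internet
        ("10.10.60.5", "10.10.10.20", "tcp", 3389),   # RDP through the tunnel
        ("10.10.30.9", "10.10.20.5", "tcp", 445),     # printer trying to reach a server
        ("10.10.40.7", "8.8.8.8", "tcp", 443),        # Wi-Fi client to the internet
    ]
    for f in flows:
        print(check(*f))
```

Reading the rule base top-down shows the two properties the text relies on: the only inbound rules are the VPN gateway's own ports, so exposed_from_internet() is false for every internal host and port, and a printer or Wi-Fi client has no written path to the server VLAN, so an infected device there falls through to the implicit deny.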


Step 6 — Defense in Depth with Modern Hardware

Finally, I improved the physical infrastructure supporting the network. Old switches and firewalls were replaced with new technology that supports threat prevention, secure Wi-Fi controls, and fast processing speeds. I also introduced redundancy at both buildings so that if one device fails, the network continues running.

Defense in depth ensures that if one security control fails, there are others in place to stop an intrusion.


Security and Regulatory Alignment

Because this organization handles financial data, it must follow rules that protect banking customers, prevent internal fraud, and secure credit card information. My secure network design fulfills those requirements with:

  • MFA for access control
  • Encryption through cloud services
  • Network segmentation to limit data access
  • Monitoring and logging for audit trails

Compliance becomes much easier when the right architecture is in place.


Budget Analysis

I delivered all of these improvements within a $49,300 first-year cost, just under the $50,000 allowed. Most of the budget went toward modern hardware and cloud licensing. Replacing outdated systems and moving them to managed cloud environments helps avoid major repair and maintenance costs in future years.

Even though the companies only made a small investment, the upgrade drastically lowered their security risk.


Challenges and What I Learned

This project required me to make decisions that balanced business needs, compliance requirements, and technical limitations. I learned that not every vulnerable device can be replaced immediately, so prioritizing based on risk and impact is necessary. Removing local admin rights also takes communication and training because it changes how people work. Merging networks requires careful planning to avoid downtime.

Most importantly, I learned that Zero Trust is not one tool; it is a way of thinking. It means always checking identity, always verifying access, and always assuming that threats may already exist inside the network. That mindset helped me make stronger design decisions throughout the project.


Key Takeaways

This project gave me real-world experience in secure network design using Zero Trust principles. I practiced evaluating legacy environments, improving identity and access controls, and planning a cloud transition that protects sensitive financial data. I also learned how to stretch a limited budget while still improving security dramatically.

The result is a modern hybrid network, built on best practices, that:

  • Blocks unauthorized access
  • Makes remote workers safer
  • Prevents attacks from spreading internally
  • Supports growth and stronger future security

These are skills I will continue to build on as I move deeper into cloud and network security engineering.


What Comes Next

To continue improving this environment, I plan to:

  • Add more automated monitoring and alerting
  • Deploy centralized logging (SIEM)
  • Expand conditional access rules for device protection
  • Build a disaster recovery plan with cloud failover
  • Conduct regular penetration testing and audits

Security is never finished; it always evolves with new threats.


Conclusion

Designing a secure network merger allowed me to apply what I’m learning in my Master’s in Cybersecurity to a real enterprise challenge. By using Zero Trust strategies, cloud identity, secure VPN access, segmentation, and modern hardware, I helped protect two companies that rely on reliable and safe access to critical financial systems.

This project strengthened my skills in practical cybersecurity architecture, risk evaluation, and secure network engineering: exactly the kind of work I am excited to continue in my career.

Stay tuned for my upcoming projects as I continue building expertise in cyber security, AWS, and networking.

Last Update: December 6, 2025