
CASE STUDY

Zero trust infrastructure transformation and security governance

From a fully open, public-by-default architecture to a Zero Trust, private-by-default environment with full network control, governed CI/CD, and enterprise-grade secret management for WorkTrips.

Client:

WorkTrips

Industry:

Business Travel Management / SaaS Platform

Core Services:

Zero Trust Architecture, Network Security, AKS Hardening, Secret Management, CI/CD Governance, DevSecOps

Architecture:

Hub & Spoke, Private-by-Default, Azure Kubernetes Service, Function Apps, Web Apps

Executive Summary

WorkTrips is a SaaS platform supporting the management of business travel and employee mobility. Operating in a B2B environment that processes sensitive corporate data, the platform must meet stringent security and compliance requirements set by its enterprise clients.

The existing infrastructure was built on an open, public-by-default model, which created significant security exposure: public FQDN endpoints, no network segmentation, unrestricted access to the AKS control plane, unmanaged secrets, and no formal CI/CD governance. This architecture was incompatible with the security audit requirements of enterprise customers and represented a broad, poorly controlled attack surface.

Professnet carried out a comprehensive transformation of the entire environment to a Zero Trust, private-by-default model. The engagement covered every layer of the stack: network architecture (Hub & Spoke, Azure Firewall), AKS control plane hardening, application security (WAF, DDoS), centralised secret management with full access audit, CI/CD governance, and OS-level hardening to CIS/NIST standards. The result is an environment that is architecturally secure by design, fully auditable, and ready to meet enterprise compliance requirements.

Headline metrics: public endpoints eliminated (%); security domains transformed; isolated environments deployed; technologies deployed and configured.

The Challenge: An open architecture incompatible with enterprise security requirements

WorkTrips operated on an infrastructure model that prioritised development velocity over security controls. While this approach supported rapid growth in the early stages, it created structural risks that became increasingly difficult to accept as the platform began serving larger enterprise clients with formal security audit requirements. The challenges were systemic and interconnected.

The Solution: comprehensive zero trust transformation

Professnet designed and implemented a complete architectural overhaul, transitioning the WorkTrips environment from a public-by-default model to a Zero Trust, private-by-default architecture. The transformation was executed across six distinct workstreams, each addressing a specific layer of the security and governance gap.

Phase 01

Zero Trust Network Architecture: Private-by-Default

Elimination of all public endpoints and enforcement of private connectivity as the baseline
  • Full audit of existing publicly exposed resources, endpoints, and communication paths.
  • Removal of public access from every platform endpoint: public network access disabled on each service so that its public FQDN no longer accepts traffic.
  • Deployment of Azure Private Endpoints for all platform services (storage, databases, registries, Key Vault).
  • Configuration of the matching Private DNS Zones (privatelink.*) so that service FQDNs resolve to the private endpoint addresses from inside the VNets; without these zones, clients still resolve the public IP and bypass the private endpoint.
  • Restriction of all service access exclusively to authorised, private communication paths.
  • Significant reduction of the external attack surface across the entire platform.

Phase 02

Hub & Spoke Network Architecture and Azure Firewall

Centralised traffic control and full environment isolation across TEST, PREP, and PROD
  • Design and implementation of a Hub & Spoke VNet topology as the foundational network model.
  • Separation of environments into isolated spokes: TEST, PREP, and PROD, with independent network boundaries.
  • Deployment of Azure Firewall Premium as the central inspection and filtering point for all traffic flows.
  • Configuration of network security policies: application rules, network rules, and FQDN filtering.
  • Implementation of User-Defined Routes (UDR) and next-hop configuration to enforce traffic routing through the firewall.
  • Full egress traffic control: all outbound communication is inspected and governed.
  • Centralised logging of all traffic flows for audit and threat detection purposes.
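As an added illustration of the UDR step (this is not tooling from the Professnet engagement), the check below reproduces Azure's longest-prefix route selection over a constructed export of route tables and flags spoke subnets whose egress would not reach the firewall. The route-table shape, the subnet names, and the firewall address 10.0.1.4 are assumptions.

```python
"""Verify that every spoke subnet forces egress through the hub firewall.

Added example, not Professnet's or WorkTrips' tooling. The route tables below
are a constructed stand-in for what `az network route-table list` returns
(addressPrefix / nextHopType / nextHopIpAddress per route); names and IPs are
illustrative.
"""
import ipaddress

FIREWALL_IP = "10.0.1.4"  # assumed private IP of Azure Firewall in the hub VNet

# Constructed sample: one table per spoke, subnets listed as "vnet/subnet".
ROUTE_TABLES = [
    {
        "name": "rt-spoke-prod",
        "subnets": ["vnet-prod/snet-aks", "vnet-prod/snet-apps"],
        "routes": [
            {"addressPrefix": "0.0.0.0/0", "nextHopType": "VirtualAppliance",
             "nextHopIpAddress": FIREWALL_IP},
        ],
    },
    {
        "name": "rt-spoke-test",
        "subnets": ["vnet-test/snet-aks"],
        "routes": [
            {"addressPrefix": "0.0.0.0/0", "nextHopType": "VirtualAppliance",
             "nextHopIpAddress": FIREWALL_IP},
            # A more specific prefix wins over 0.0.0.0/0, so this route sends
            # traffic for 13.107.0.0/16 straight to the Internet, past the firewall.
            {"addressPrefix": "13.107.0.0/16", "nextHopType": "Internet"},
        ],
    },
]

# vnet-prep/snet-aks has no route table attached at all.
SPOKE_SUBNETS = ["vnet-prod/snet-aks", "vnet-prod/snet-apps",
                 "vnet-test/snet-aks", "vnet-prep/snet-aks"]


def next_hop(route_table, destination):
    """Route Azure would select for `destination`: the longest matching prefix.

    Only user-defined routes are modelled; Azure's system routes for the VNet
    address space and peered VNets are more specific than 0.0.0.0/0 and would
    also win over the default route.
    """
    dest = ipaddress.ip_address(destination)
    best = None
    for route in route_table["routes"]:
        net = ipaddress.ip_network(route["addressPrefix"], strict=False)
        if dest in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, route)
    return best[1] if best else None


def audit_egress(spoke_subnets, route_tables, firewall_ip):
    """Return (subnet, finding) pairs for every subnet whose egress can skip the firewall."""
    table_of = {s: t for t in route_tables for s in t["subnets"]}
    findings = []
    for subnet in spoke_subnets:
        table = table_of.get(subnet)
        if table is None:
            findings.append((subnet, "no route table: system default route sends egress directly to the Internet"))
            continue
        default = next((r for r in table["routes"] if r["addressPrefix"] == "0.0.0.0/0"), None)
        if default is None:
            findings.append((subnet, "no 0.0.0.0/0 route: system default route applies"))
        elif default.get("nextHopType") != "VirtualAppliance" or default.get("nextHopIpAddress") != firewall_ip:
            findings.append((subnet, f"default route next hop is not the firewall: {default}"))
        for route in table["routes"]:
            if route["addressPrefix"] != "0.0.0.0/0" and route.get("nextHopType") == "Internet":
                findings.append((subnet, f"{route['addressPrefix']} -> Internet bypasses the firewall (longest prefix wins)"))
    return findings


if __name__ == "__main__":
    for subnet, finding in audit_egress(SPOKE_SUBNETS, ROUTE_TABLES, FIREWALL_IP):
        print(f"{subnet}: {finding}")
```

For AKS node subnets the same routes only take effect if the cluster was created with `--outbound-type userDefinedRouting`; with the default load-balancer outbound type, node egress is SNATed by a cluster-managed public load balancer and the firewall route produces asymmetric traffic.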

Phase 03

AKS Control Plane Hardening

Restricting access to the Kubernetes API Server to trusted, private channels only
  • Conversion of the AKS cluster to a private cluster: the public API server endpoint is disabled and the control plane is reachable only through a private endpoint inside the cluster's VNet.
  • Configuration of VPN-based access as the exclusive path for all administrative and pipeline connectivity to the cluster.
  • Integration of the AKS private cluster with the Hub & Spoke network topology.
  • Implementation of authorised IP range restrictions as an additional access control layer.
  • Restriction of administrative access to the cluster using role-based controls and least-privilege principles.
  • Validation of all deployment pipeline connectivity through private endpoints only.

Phase 04

Application Layer Security: WAF and DDoS Protection

Protecting the application layer against web-based threats and volumetric attacks
  • Deployment of Azure Application Gateway with Web Application Firewall (WAF) in Prevention mode.
  • Configuration of OWASP Core Rule Set (CRS) for protection against common web application vulnerabilities.
  • Implementation of custom WAF rules tailored to WorkTrips application traffic patterns.
  • Enablement of Azure DDoS Protection to defend against volumetric and protocol-level attacks.
  • Centralisation of all HTTP/HTTPS ingress traffic through the Application Gateway.
  • SSL/TLS termination and certificate management at the gateway layer.

Phase 05

Secret Management: Azure Key Vault and Access Inventory

Centralised, auditable secret management with a full inventory of who has access to which secrets
  • Migration of all secrets, API keys, connection strings, and certificates to Azure Key Vault.
  • Configuration of Key Vault access control (Azure RBAC role assignments, or access policies on vaults still using the legacy model; a vault supports one permission model at a time) to enforce least-privilege access to Key Vault resources.
  • Implementation of automatic rotation policies to reduce the window of exposure (Key Vault rotates keys natively; secret rotation is driven by the vault's near-expiry events).
  • Full inventory and documentation of secret access: for each secret, a record was established identifying which identities, service principals, and applications hold access permissions.
  • This access register provides immediate visibility into the blast radius of any potential credential compromise and forms the operational baseline for ongoing secret governance.
  • Integration of Key Vault references into application configuration, eliminating hardcoded credentials from code and pipeline definitions.
  • Enablement of Key Vault diagnostic logging for a complete audit trail of all secret access events.
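The access register described above can be derived mechanically from RBAC role assignments. The following is an added example, not the engagement's own tooling: it takes a constructed list of role assignments in the shape `az role assignment list` returns, applies Azure RBAC scope inheritance (subscription, resource group, vault, or single secret), and produces both the per-secret identity list and the blast radius of any one principal. Vault, secret, and principal names are assumptions.

```python
"""Key Vault access register: which identities can read which secret.

Added example, not Professnet's or WorkTrips' tooling. ASSIGNMENTS is a
constructed stand-in for `az role assignment list` output
(principalName / roleDefinitionName / scope); vault, secret and principal
names are illustrative.
"""

# Built-in Azure RBAC roles that grant read access to secret *values*.
# Key Vault Reader sees metadata only, and control-plane roles such as Owner or
# Contributor grant no data-plane access under the RBAC permission model
# (though Owner / User Access Administrator can assign themselves one).
SECRET_READ_ROLES = {
    "Key Vault Secrets User",
    "Key Vault Secrets Officer",
    "Key Vault Administrator",
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
VAULT = f"{SUB}/resourceGroups/rg-prod/providers/Microsoft.KeyVault/vaults/kv-worktrips-prod"

SECRETS = ["db-conn-string", "payment-api-key", "smtp-password"]  # constructed

ASSIGNMENTS = [  # constructed
    {"principalName": "sp-api-prod", "roleDefinitionName": "Key Vault Secrets User",
     "scope": f"{VAULT}/secrets/db-conn-string"},
    {"principalName": "sp-api-prod", "roleDefinitionName": "Key Vault Secrets User",
     "scope": f"{VAULT}/secrets/payment-api-key"},
    {"principalName": "sp-jenkins", "roleDefinitionName": "Key Vault Secrets User",
     "scope": VAULT},
    {"principalName": "ops-admin@example.com", "roleDefinitionName": "Key Vault Administrator",
     "scope": VAULT},
    {"principalName": "sp-rg-wide", "roleDefinitionName": "Key Vault Secrets Officer",
     "scope": f"{SUB}/resourceGroups/rg-prod"},       # inherited by every vault in the RG
    {"principalName": "sp-legacy-batch", "roleDefinitionName": "Key Vault Reader",
     "scope": VAULT},                                  # metadata only
    {"principalName": "sp-test-app", "roleDefinitionName": "Key Vault Secrets User",
     "scope": f"{SUB}/resourceGroups/rg-test"},        # different RG, not this vault
]


def covers(scope, vault, secret):
    """True if an assignment at `scope` applies to `secret` in `vault`.

    Azure RBAC inherits down the hierarchy: subscription, resource group and
    vault scopes cover every secret, a secret-level scope covers one secret.
    Scopes compare case-insensitively and only on path boundaries.
    """
    target = f"{vault}/secrets/{secret}".lower()
    scope = scope.lower().rstrip("/")
    return target == scope or target.startswith(scope + "/")


def build_register(secrets, assignments, vault):
    """Map each secret to the set of principals able to read its value."""
    register = {s: set() for s in secrets}
    for a in assignments:
        if a["roleDefinitionName"] not in SECRET_READ_ROLES:
            continue
        for s in secrets:
            if covers(a["scope"], vault, s):
                register[s].add(a["principalName"])
    return register


def blast_radius(register, principal):
    """Secrets exposed if `principal`'s credential is compromised."""
    return sorted(s for s, who in register.items() if principal in who)


def vault_wide_principals(register):
    """Principals that can read every secret: first candidates for scoping down."""
    return sorted(set.intersection(*register.values())) if register else []


if __name__ == "__main__":
    reg = build_register(SECRETS, ASSIGNMENTS, VAULT)
    for secret, who in reg.items():
        print(f"{secret}: {sorted(who)}")
    print("blast radius of sp-api-prod:", blast_radius(reg, "sp-api-prod"))
    print("vault-wide readers:", vault_wide_principals(reg))
```

The register only reflects the RBAC permission model; a vault still on legacy access policies needs its policies walked the same way, and identities that can assign roles on the vault belong in the register too, since they can grant themselves secret access at will.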

Phase 06

CI/CD Governance, Segregation of Duties and OS Hardening

Controlled deployments, formal role separation, and OS-level security baseline
  • Implementation of a mandatory approval workflow in Jenkins and GitLab CI/CD pipelines for production deployments.
  • Restriction of pipeline execution permissions: only designated roles may trigger deployments to PREP and PROD environments.
  • Segregation of Duties (SoD): formal separation of development, operations, and production administration roles.
  • Elimination of standing administrative access to production environments; access granted on a just-in-time basis.
  • Enforcement of the least-privilege principle across all IAM roles and service identities.
  • Reduction of excess permissions: a comprehensive review and cleanup of redundant role assignments across all environments.
  • OS-level hardening of all Linux (Ubuntu) hosts: SSH configuration, local firewall rules, user account controls.
  • Restriction of open ports and running services to the operational minimum.
  • Application of CIS Benchmark and NIST security standards as the hardening baseline.
  • Implementation of centralised event logging and audit trail for all administrative actions.
  • Database and filesystem hardening in line with security baseline requirements.
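The SSH part of the host hardening can be checked the way an auditor would. The block below is an added example (not Professnet's or WorkTrips' tooling) that parses an sshd configuration with the rules from sshd_config(5) and reports every setting that misses the CIS Ubuntu Benchmark SSH expectations; the sample configuration is constructed. On Ubuntu the main file starts with `Include /etc/ssh/sshd_config.d/*.conf`, and because the first occurrence of a keyword wins, a drop-in file can silently override a hardened value, so the authoritative input is the resolved configuration printed by `sshd -T`, which the same parser accepts.

```python
"""Audit sshd configuration against CIS-style SSH settings.

Added example, not Professnet's or WorkTrips' tooling. Expected values follow
the SSH section of the CIS Ubuntu Linux Benchmark; the sample configuration
is constructed. Output of `sshd -T` parses with the same code.
"""
import re


def _seconds(value):
    """Parse an sshd time value ("60", "1m", "2h") into seconds; None if malformed."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", value.lower())
    if not m:
        return None
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}[m.group(2)]


def _grace_ok(value):
    secs = _seconds(value)
    return secs is not None and 0 < secs <= 60  # 0 disables the limit entirely


# keyword (lower-case) -> (sshd default when unset, predicate on the lower-cased value, expectation)
BASELINE = {
    "permitrootlogin": ("prohibit-password", lambda v: v == "no", "PermitRootLogin no"),
    "permitemptypasswords": ("no", lambda v: v == "no", "PermitEmptyPasswords no"),
    "hostbasedauthentication": ("no", lambda v: v == "no", "HostbasedAuthentication no"),
    "ignorerhosts": ("yes", lambda v: v == "yes", "IgnoreRhosts yes"),
    "permituserenvironment": ("no", lambda v: v == "no", "PermitUserEnvironment no"),
    "x11forwarding": ("no", lambda v: v == "no", "X11Forwarding no"),
    "maxauthtries": ("6", lambda v: v.isdigit() and int(v) <= 4, "MaxAuthTries 4 or less"),
    "logingracetime": ("120", _grace_ok, "LoginGraceTime 60 or less"),
    "loglevel": ("info", lambda v: v in ("info", "verbose"), "LogLevel INFO or VERBOSE"),
}

SAMPLE_SSHD_CONFIG = """\
# Constructed sample, not a real host's file
Include /etc/ssh/sshd_config.d/*.conf
Port 22
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 3
# second occurrence: ignored, the first value wins
MaxAuthTries 10
LoginGraceTime 2m
LogLevel VERBOSE
X11Forwarding yes

Match User deploy
    # conditional on the match, does not change the global setting
    X11Forwarding no
"""


def effective_settings(config_text):
    """Global settings sshd would apply, per sshd_config(5): keywords are
    case-insensitive, the first occurrence wins, lines starting with '#' are
    comments, and everything after a Match header is conditional (ignored here)."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z0-9]+)\s*(?:=|\s)\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit(config_text):
    """Return (keyword, effective value, expectation) for every non-compliant setting."""
    settings = effective_settings(config_text)
    findings = []
    for key, (default, ok, expectation) in BASELINE.items():
        value = settings.get(key, default).lower()
        if not ok(value):
            findings.append((key, value, expectation))
    return findings


if __name__ == "__main__":
    for key, value, expectation in audit(SAMPLE_SSHD_CONFIG):
        print(f"{key} = {value!r}; expected {expectation}")
```

Note that a keyword absent from the file is checked against the sshd default rather than skipped: an unset PermitRootLogin, MaxAuthTries, or LoginGraceTime is a finding, while an unset X11Forwarding already complies.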

Professnet Expert on the Project

The most dangerous moment in a SaaS platform's lifecycle is when it crosses from startup to enterprise. The architecture that served you well during rapid growth can become your biggest liability the moment enterprise clients start asking about your security posture. With WorkTrips, we did not just patch individual vulnerabilities. We rebuilt the entire trust model, starting from the network layer and going all the way up to who can deploy what, and who knows which secret exists where.

Łukasz Tabaczek

CEO & Founder @ Professnet

Key Results & Business Impact

The transformation delivered measurable improvements across security posture, operational governance, and enterprise compliance readiness.

Zero Trust Architecture Achieved

Complete transition from a public-by-default model to a private-by-default, Zero Trust environment. All public endpoints eliminated and replaced with private connectivity.

Full Network Traffic Control

All ingress and egress traffic is routed through Azure Firewall Premium, providing complete visibility, inspection, and enforcement of communication policies across all environments.

Governed CI/CD and Role Separation

Deployment pipelines now enforce mandatory approvals and role-based access controls. Full audit trail of all production changes, with Segregation of Duties applied across development and operations teams.

Enterprise Audit Compliance Readiness

The environment meets the security audit requirements of enterprise clients. Secret access is fully inventoried, access is governed by least-privilege, and all administrative actions are logged.

Unquantified Value

Beyond the measurable security outcomes, the transformation delivered strategic benefits that directly affect the commercial and organisational trajectory of WorkTrips.

Before vs. After

The transformation produced a fundamental change across every dimension of the security architecture. The table below summarises the key state changes.

BEFORE | AFTER
Public FQDN endpoints exposed across all services | All endpoints private; no public exposure by default
No network segmentation; flat environment | Hub & Spoke architecture with isolated TEST / PREP / PROD spokes
No centralised traffic inspection or egress control | Azure Firewall Premium as the single inspection and enforcement point
AKS control plane (API Server) publicly accessible | AKS control plane accessible via VPN and private endpoints only
Secrets and credentials managed without a central solution | All secrets centralised in Azure Key Vault with rotation policies
No inventory of who has access to which secrets | Full access register: every secret mapped to authorised identities and applications
CI/CD pipelines with no approval process or access controls | Mandatory approvals, restricted pipeline permissions, full deployment audit trail
No Segregation of Duties; standing production access | Formal SoD model; least-privilege and just-in-time production access
No OS hardening baseline; open ports and default configurations | CIS / NIST hardening applied; minimal attack surface at host level

Technologies and Solutions

The following Azure services, tools, and standards were deployed and configured as part of the Zero Trust transformation:

Azure Virtual Network (Hub & Spoke)

Core network topology providing environment isolation across TEST, PREP, and PROD, and centralised traffic routing.

Azure Firewall Premium

Central traffic inspection and filtering: application rules, network rules, FQDN filtering, egress control, and full flow logging.

Azure Private Endpoints

Private connectivity for all platform services, eliminating public exposure and binding service access to the private network.

Azure Kubernetes Service (AKS)

Private cluster configuration with control plane access restricted to VPN and private endpoints; integrated with Hub & Spoke topology.

Azure Function Apps / Web Apps

Application compute layer integrated with private networking through regional VNet integration, with Key Vault references for secure configuration management (references resolve through the app's managed identity, which needs only secret-read rights on the vault).

Application Gateway (WAF)

Web Application Firewall in Prevention mode: OWASP CRS, custom rules, SSL termination, and centralised ingress for all HTTP/HTTPS traffic.

Azure DDoS Protection

Protection against volumetric and protocol-level denial-of-service attacks at the network perimeter.

Azure Key Vault

Centralised secret, key, and certificate management with RBAC-based access control, rotation policies, diagnostic logging, and full secret access inventory.

Jenkins / GitLab CI/CD

Deployment pipeline governance: approval workflows, role-based execution permissions, audit logging, and environment-specific access controls.

Linux (Ubuntu)

Host OS hardened to CIS Benchmark standards: SSH configuration, local firewall, user account controls, and minimal service footprint.

CIS Benchmarks / NIST

Security hardening standards applied as the baseline for OS configuration, access controls, and audit logging requirements.

Azure Private DNS Zones

Name resolution for private endpoints across the Hub & Spoke topology, ensuring correct DNS routing without public exposure.

Is your cloud environment ready for enterprise security scrutiny?

If your platform needs to move from open architecture to a Zero Trust model, we can help you design and execute the transformation without disrupting your operations.

We are always happy to talk

Reach out to us about a project, consultation, or to explore other collaboration opportunities.

© 2026 Professnet. All rights reserved.