The First Step to SASE: PAG Italy’s Journey Toward a Complete Cloud Security Solution


Growth is good, but expanding business can add complexity to IT needs, creating additional network security and management burdens. Mergers and acquisitions can compound these issues further, requiring integration and standardization of both companies’ infrastructure.

This scenario came true when Penske Automotive Group Italy (PAG Italy) was born in February 2012 from the joint venture between Penske Automotive and the AutoVanti group (of the Vanti and Mantellini families). The group's business, historically linked to the BMW and MINI brands, has expanded with the acquisition of luxury car dealerships in Northern Italy representing the Audi, Jaguar Land Rover, Lamborghini, Mercedes-Benz and Smart, Maserati, Volvo, and Porsche brands. The network of dealerships soon extended from Emilia-Romagna to Lombardia, moving from three locations in the Bolognese area to 20 sites, geographically scattered between the two regions.

PAG Italy is now the leading dealer network in the premium and luxury segment in the country and we continue to expand our group into the automotive market.

A Burdensome Multi-Vendor Network 

I’ve been the IT Manager here since 2004, and I handle our infrastructure and network. I work alongside an Application Manager, and our team of two is supported by a field engineer and our CTO. We rely on the support of our trusted technology provider, VIP IT Solutions, who provides services and support to 600 users across our locations. 

Moving to a single-vendor solution with a trusted partner—in this case, Cisco—was the best decision based on quality of service.

Like other businesses that have grown through mergers and acquisitions, we found ourselves managing complex networks with equipment from different vendors and integrating new dealerships into our existing infrastructure in a patchwork fashion. Our multi-vendor infrastructure required us to master multiple technologies to connect our dealerships securely, share apps and information seamlessly, and support and update software and systems. We had enough expertise to keep everything operational, but it wasn’t enough. We wanted cleaner and leaner infrastructure alongside single-pane-of-glass visibility that offered flexible, simplified network management. 

The pandemic added another requirement. When everyone started working remotely, we needed the ability to integrate mobile devices and support hundreds of users logging in from home via VPN. Accommodating these users increased the burden on our IT team and our MPLS network, which was too costly and not flexible enough for remote work.

We were already running Cisco Meraki MX appliances and firewalls to build secure wired, cellular, and Wi-Fi SD-WAN connectivity at some of our locations, so it made sense to expand our existing Cisco ecosystem.   

Cisco Is the Future of PAG Italy’s Network

We had considered using Cisco as a single vendor in the past, but the overall investment was a sticking point, and we ended up purchasing low-cost switches from other vendors instead. As time passed, we realized we were losing time and money troubleshooting and integrating equipment from multiple manufacturers.  

When used alone, VPN, SD-WAN, and cloud-native security solutions offer granular visibility and control. But when combined, IT teams gain a single integrated central management platform.

We were working with another IT partner to replace some of our aging infrastructure with Cisco Meraki access points and switches, but the project had stalled. We turned to Cisco partner VIP IT Solutions because they had a deep knowledge of our infrastructure and the appropriate Meraki certification to help with support. As work continued replacing the access points and switches, we thought, “what if we could do more?”


In early 2021, we sat down with Cisco and VIP IT Solutions to discuss the future of PAG Italy’s network and they helped make a case for a single-vendor solution to our board of directors. They recommended a Cisco Meraki full stack based on quality of service. It would also serve as a foundation to start talking about Secure Access Service Edge (SASE), a network architecture model that combines VPN and SD-WAN capabilities with cloud-native security functions.

The solution included a single-pane-of-glass web-based management dashboard with cloud-managed wireless access points (Meraki MR), switches (Meraki MS), and security appliances/firewalls (Meraki MX). When used alone, each of these products offers granular visibility and control. But by combining them, our team would gain the single integrated central management platform that we wanted. We could simultaneously simplify IT and network operations across our dealerships and easily configure access for internal and mobile devices as we prepared for the future. 

Easy-to-Use Interoperability and Dashboard Controls

All we needed to set up Cisco Meraki was an MX appliance and an internet connection at every location—perfect for our dispersed dealerships. Within minutes, we could configure and secure each dealership from the centralized dashboard and then secure our network perimeter by limiting network access to trusted devices and users over SD-WAN. This approach is far more efficient than a MPLS network because my team can manage and scale this network at the push of a button instead of having to remap it every time we make a change. SD-WAN is also better suited to cloud connectivity, giving us access to new tools and technologies we could not have deployed over MPLS. 

In some ways, the SASE model is architecture for the future. Still, by consolidating numerous networking and security functions that are traditionally delivered separately, we can realize the benefits of cloud integration right now.

Interoperability and dashboard controls are only part of the picture. Another critical benefit of an end-to-end Cisco network is the company’s warranty and support. Cisco equipment doesn’t reach end-of-life for many years, providing an additional level of stability. It’s reassuring for our small IT team to have the backup of the Cisco technical support team through frequent updates and product cycles. We can resolve most of our issues, but if we get stuck, we turn to the expertise of Cisco and VIP IT Solutions, who provide ongoing help desk and cybersecurity support. 

This level of customer care, combined with single-sourced infrastructure, translates into less maintenance, easier troubleshooting, and reduced downtime.  

Layering Cisco Products to Secure Our VPN

In the last few years, secure VPN technology has become a top priority for PAG Italy. Our Italian operations need enhanced protection to meet our updated standards from our end portal in the US. We must also provide secure and easy-to-configure network access for an increasing number of remote laptop users, including our executive and management teams. 

The authorization and authentication of account admins and remote users allow people to safely connect to a network via VPN from anywhere on any device.

To meet this challenge, we use a combination of Cisco technologies, including:

  • Cisco Meraki Enterprise Mobility Management. Its mobile device management (MDM) tools allow us to provision settings and restrictions, manage and track devices, partially and fully wipe compromised and decommissioned devices, and offer live troubleshooting and remote support. 
  • Cisco Umbrella Secure Web Gateway enables us to inspect and filter web traffic, including blocking files that may contain malware.
  • Cisco Umbrella DNS protects our hybrid network from domain name server-level cyberattacks. 
  • Cisco Secure Access by Duo authorizes and authenticates account admins and remote users. This zero-trust solution allows us to confirm user identities, monitor remote devices, and set adaptive security policies beyond our network perimeter. Our users can safely connect to PAG Italy’s network via VPN from anywhere on any device, making remote workers easier to manage.

We have transitioned 80% of our infrastructure to Cisco Meraki. Next, we’ll add more Cisco Umbrella technology as we continue to work toward realizing SASE. In some ways, the SASE model is architecture for the future. But by consolidating numerous networking and security functions that are traditionally delivered separately, we can realize the benefits of cloud integration right now. 

We Decentralized Our Architecture and Centralized Control

Our reliance on virtual network infrastructure and the need to secure our perimeter for mobile users requires us to balance decentralized architecture with centralized control. We have started our SASE journey as a way to simplify network management while reducing risk exposure and improving performance. It is the heart of every new Cisco device and feature we add to our infrastructure.

With the help of VIP IT Solutions and the Cisco Meraki full stack, PAG Italy's IT team can manage everything without needing to add more people.

PAG Italy has seen tremendous growth in the last decade, and network technology has continued to advance. With the help of VIP IT Solutions and the Cisco Meraki full stack, our IT team can manage everything without needing to add more people. We can continue moving forward by effectively managing, controlling, and maintaining our network while keeping pace with increased user demands as our company expands and evolves.

…and it's not over yet. Stay tuned!