Education · Transport · Cloudflare Tunnel · Gateway / SWG · Zero Trust Access

Emirates Driving Institute unified four entities under one Zero Trust SASE stack.

How Brixio deployed Cloudflare Zero Trust SASE across 4 entities and 5 domains for Emirates Driving Institute, with 12 tunnels, 31 gateway rules, and identity-aware access control.

United Arab Emirates · 4 entities · 5 domains · 5 min read
Emirates Driving Institute
ENTITIES: 4. EDI, FNDI, SDI and DIDC unified under one Zero Trust posture
TUNNELS: 12. Cloudflared tunnels for secure per-entity application access
GATEWAY: 31 rules. Policy enforcement across branch and corporate users
DOMAINS: 5. Entity domains protected by unified Access and SAML SSO policies

The challenge

Emirates Driving Institute is the UAE's flagship government-recognised driving education group. It operates four distinct entities (EDI, FNDI, SDI, DIDC) across multiple sites, each with independent network environments, user domains, and on-premises application stacks hosted on Oracle Cloud Infrastructure (OCI).

This organic growth created compounding challenges:

  • Fragmented multi-entity security perimeter. Four entities operating under separate domains with no unified security policy enforcement. Cross-entity access was managed through manual, ad-hoc network configurations.
  • No identity-aware access control. Internal applications (Orbits ERP, DMS, HR systems, hospitality platforms) were accessible based on network location, not user identity. Insider threat, credential misuse, and overprivileged access were unmanaged risks.
  • No internet filtering at branch locations. Branch users could freely access any internet destination without URL-level filtering, allowing potential data exfiltration and shadow IT.
  • Multi-vendor DNS complexity. Internal DNS was split across multiple name servers (OCI Dubai, OCI Abu Dhabi, DIDC, FNDI, SDI). WARP-enrolled devices could not reliably resolve internal hostnames across all entities.

What Brixio deployed

12 Cloudflared Tunnels for secure application access

  • Each tunnel mapped to specific applications per entity for segmentation.
  • Internal applications accessible without public internet exposure.
  • Replaced ad-hoc network access with structured, per-application connectivity.

31 Gateway rules for policy enforcement

  • Branch locations restricted to approved URL lists.
  • Corporate users retain full internet access with security filtering.
  • Location-sensitive, identity-aware filtering architecture.

3 WARP profiles across entities

  • All managed devices enrolled with encrypted, inspected traffic.
  • Split tunneling configured to resolve internal DNS per entity.
  • Device posture enforcement for corporate vs contractor devices.

Identity-aware access via Oracle IDCS SAML SSO

  • SAML integration with Oracle Identity Cloud Service.
  • Cloudflare One-Time PIN as fallback authentication.
  • Access policies scoped to all five entity domains.
  • Role-based access restricting users to entity-specific applications.

15 Gateway lists for granular control

  • Approved URL lists per branch location.
  • Blocked categories and known malicious domains.
  • Entity-specific filtering policies.

Architecture

Four entity user populations route through one Cloudflare SASE plane with identity-aware policy enforcement.

Branch users: EDI · FNDI · SDI · DIDC
Corporate users: WARP enrolled
Contractors: scoped access
Cloudflare Zero Trust SASE: WARP · Gateway · Access · Tunnels
Internal apps: Orbits ERP · DMS · HR
Oracle Cloud: OCI Dubai + Abu Dhabi
Approved internet: URL allow / deny lists

Results

After phased rollout, the four entities operate under a unified Zero Trust posture with identity-driven access, branch-aware filtering, and reliable cross-entity DNS resolution.

  • Unified security across 4 entities. EDI, FNDI, SDI and DIDC, previously independent, now share a single Zero Trust security posture.
  • Identity-driven access. Access is governed by user identity and role rather than network location, across all entity applications.
  • Branch internet filtering. URL-level filtering applied consistently across every branch location, ending unrestricted internet access.
  • Audit-ready visibility. Full audit trail of access attempts, policy decisions and gateway events available for compliance review.

Sector perspective

Multi-entity organisations across the GCC face the same fragmented-security pattern.

Holding companies, government groups and conglomerates operate dozens of entities with independent IT. The challenge is always the same: unifying security without rebuilding infrastructure. NESA in the UAE expects identity-aware access control, branch-level filtering and auditability across all operational entities. This deployment shows how Cloudflare SASE can be layered onto a complex, multi-vendor environment (Oracle Cloud, on-premises AD, multiple DNS servers) without requiring a rip-and-replace.

NESA UAE TDRA ISO 27001