
With hybrid work and a remote workforce now the prevailing model, IT leaders must ensure employees have a seamless technology experience at home, in the office or anywhere in between. Doing so successfully will require evolving network and security architectures. 

Traditional network and security architectures assumed that most employees worked from campus or branch locations. They also assumed that the bulk of the applications those employees relied on lived inside a corporate data center.

But architectures that design around the centralized data center cannot keep pace with employees and applications that are becoming more geographically dispersed. IT leaders will need to shift their attention to designing for secure, global connectivity. 

There are many pieces of the hybrid work puzzle. For example, we've discussed how to adapt your wireless network for hybrid work. Here, we'll focus on steps that IT leaders can take to close connectivity gaps, apply ubiquitous security policies and enhance application performance.

1. Know your user traffic flows  

Hybrid work has led to drastically different user traffic flows compared to when employees spent most of their time at the campus or branch. Leaders should start by discovering how user traffic is flowing because of hybrid work. This will help identify traffic that could benefit from a secure access service edge (SASE) or security service edge (SSE) solution and show how software-defined WAN (SD-WAN) can optimize traffic flows and reduce costs.

2. Define your evaluation criteria 

Both the SD-WAN and SASE/SSE markets are confusing. Pure-play providers and hardware vendors are constantly adding new capabilities to present complete visions of their solutions. We've developed key evaluation criteria that can help narrow the playing field. These include items such as operational simplicity, remote access as a service, cloud access security broker, advanced security features, and analytics, visibility and telemetry.

3. Build confidence in your cloud-delivered security models 

With SD-WAN redirecting branch traffic, IT leaders will want to ensure teams trust SASE/SSE solutions to deliver security at the cloud edge. This often takes some confidence building for security teams as they will want to compare the security capabilities they have implemented in on-premises demilitarized zones (DMZs) and internet edges with capabilities available from the SASE/SSE service. Building confidence will include education, hands-on exploration, and quite likely, a proof of concept.

4. Apply security policy based on identity

IT departments have long granted access to resources based on authentication and authorization. However, given the user and device fluidity of hybrid work, a better approach is to use SSE to apply identity- and context-based security policy, which effectively brings secure access policies closer to the identity regardless of location or identity type.

Identity with context can include traditional authentication elements, user location, device location, device security posture, time of day, headless devices, applications and more. This results in logical boundaries for precise, least-privileged access, which becomes more important as employees access resources from different places, at different times and through different devices. Identity also serves as a building block for zero trust.
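One way to express the identity-plus-context checks described above as a default-deny decision, shown as an added example that is not part of the original article or any vendor's SSE product. The application names, groups, countries and hours are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Context:
    identity: str        # user or service account
    groups: frozenset    # group membership from the identity provider
    mfa: bool            # traditional authentication element
    country: str         # user/device location
    compliant: bool      # device security posture
    headless: bool       # no interactive user (sensor, kiosk, printer)
    now: time            # local time of day
    app: str             # requested application

# Constructed policy set (assumption): one rule per application.
# An application with no rule is denied, which keeps access least-privileged.
POLICY = {
    "payroll": dict(groups={"finance"}, countries={"US", "CA"}, mfa=True,
                    compliant=True, headless=False, hours=(time(6), time(20))),
    "wiki": dict(groups={"staff", "finance"}, countries=None, mfa=True,
                 compliant=False, headless=False, hours=None),
    "telemetry-ingest": dict(groups={"sensors"}, countries={"US"}, mfa=False,
                             compliant=True, headless=True, hours=None),
}

def decide(ctx):
    """Return (decision, reason); every condition must pass to allow."""
    rule = POLICY.get(ctx.app)
    if rule is None:
        return ("deny", "no policy for application")
    if not (ctx.groups & rule["groups"]):
        return ("deny", "identity not in an allowed group")
    if ctx.headless != rule["headless"]:
        return ("deny", "identity type not allowed")
    if rule["mfa"] and not ctx.mfa:
        return ("deny", "MFA required")
    if rule["compliant"] and not ctx.compliant:
        return ("deny", "device posture not compliant")
    if rule["countries"] is not None and ctx.country not in rule["countries"]:
        return ("deny", "location not allowed")
    if rule["hours"] and not (rule["hours"][0] <= ctx.now <= rule["hours"][1]):
        return ("deny", "outside permitted hours")
    return ("allow", "all conditions met")

# Constructed sample requests: an interactive user and a headless device.
ALICE = Context("alice", frozenset({"finance"}), True, "US", True, False,
                time(9, 30), "payroll")
SENSOR = Context("sensor-17", frozenset({"sensors"}), False, "US", True, True,
                 time(3, 0), "telemetry-ingest")
```

The same identity gets a different answer as its context changes, and the returned reason gives security teams something to log and review for each denial.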

5. Know where your applications are running

Because many organizations have adopted cloud and software-as-a-service (SaaS) applications without considering ideal connectivity, IT leaders will first want to know where all user applications are running today and where they are likely to be running as their organizations move forward with hybrid work. When applications are plotted this way, it's easy to visualize the suboptimal paths traffic flows must take to reach applications and what design changes can yield the biggest business impact.

6. Optimize connectivity between applications and services

Once you know where applications are running, it's time to optimize traffic between applications and services. This step will show stakeholders the performance gains that can be achieved when, for example, traffic to cloud-delivered applications doesn't have to hairpin to a corporate data center for services like load balancing and security inspection.

7. Evaluate fabric options for cloud connectivity

From here, it's time to connect the dots. What is the best connectivity fabric to bring everything together? Proximity, ease of management, costs and cloud adoption initiatives will factor into the decision. One option is to go with a public cloud provider's own fabric. Alternatively, organizations can move infrastructure into colocation facilities next to public clouds. In some cases, a managed network fabric or third-party fabric will make the most sense.


To meet the demands of hybrid work, network and security architectures must evolve. Security and networking services need to exist where users exist — everywhere. It's not an easy path, but it is one that's possible to navigate with the right focus. By breaking down the many architectural components of the evolution toward secure, global connectivity, IT leaders can zero in on what investments make the most sense for their hybrid workforces. 

Some information in this article comes from our research report on networking priorities. Access the report for more ways to achieve secure, global connectivity.
