Managing Quality of Experience for Work-from-Anywhere Employees with SD-WAN and ZTNA

Just over a year ago, organizations were grappling with transitioning their traditional workforce to a work-from-home model. This included moving critical resources to the cloud, ensuring every employee had access to essential business applications, and securing communications between the home office and the corporate network. But today, most of those same organizations are undergoing another shift. But instead of returning to the traditional pre-pandemic work model, they are looking to accommodate a new work-from-anywhere (WFA) approach.

There are many reasons why a WFA strategy is quickly becoming the new norm. Many workers prefer working from home, and there are few technical reasons why they should not be able to do so. Productivity rates and work satisfaction scores are consistently high because many workers appreciate the work-life balance that remote work, even part of the time, offers. And for the savvy company, there are numerous logistical and financial advantages that can be realized by reducing brick and mortar overhead.

But to accommodate this hybrid workforce, networks have had to become hybrid as well. While many resources such as applications have been moved to the cloud, some business-critical applications and data still need to remain on-premises and accessing them should be seamless. Similarly, users need to split time between on-premises and home office environments without impacting user experience. One measure of how satisfied workers are with their entire work experience is Quality of Experience (QoE). This includes ease and speed of access to essential resources, consistent availability of business-critical applications, and quality of service, especially for things like voice and video conferencing.

Providing a consistent user experience for today’s WFA workforce is one of the biggest challenges faced by many organizations. And since home networks and remote devices are notoriously undersecured, organizations are trying to balance ubiquitous access to business applications and the risks that the rise in cybercrime introduces.

The challenges of a hybrid worker/hybrid network model

Hybrid architectures, including remote connectivity, make user experience inconsistent and reduce security posture effectiveness.​ To resolve these issues, there are three key IT pain points that organizations need to address:

1. Unpredictable experience: For security reasons, many organizations don’t allow branches—or even home users—to connect directly to the internet or the cloud. Instead, they backhaul all application and internet traffic through the data center, even when an application is in the cloud. This adds latency and wastes bandwidth compared to having direct connectivity to where the applications reside.

Organizations have traditionally deployed a router and firewall at the branch office that connects directly to the data center via a fixed MPLS connection. Secure connections to the cloud or internet are then created and maintained at the data center. However, such architectures can be complex and expensive to operate, as IT must individually configure and manage branch routers and stitch firewall policies. For branch end-users, QoE is inconsistent because backhauling application traffic to the data center can impact application reliability. Similarly, home users must force all application traffic through a VPN tunnel to the corporate network. But their experience can be even more unpredictable because home bandwidth can vary widely, not just from one location to the next, but from hour to hour, depending on local usage.

Even when organizations allow direct access to cloud applications, the challenges remain. While users may have a better application experience, the risk is higher. And they still must use VPN if they want to access internal resources, so the overall experience remains inconsistent.

2. Inconsistent policies: With one set of security deployed on campus, another at the branch, a third in the cloud, and yet another for home locations, IT teams find it challenging, if not impossible, to ensure consistent policy enforcement across the network. Visibility is fragmented, control is constrained, and threats leak through.

Cybercriminals are eager to exploit inconsistencies in protections and policies, which explains why threat researchers have detected a recent shift in threat actor behavior. Cybercriminals are increasingly targeting home or smaller branch offices rather than attacking traditional network devices, as they did pre-Covid. Compromising a device deployed in an undersecured network enables them to hijack a VPN connection back to corporate resources, rather than having to force their way past the commercial-grade security deployed at the campus or data center edge.

3. Implicit trust: This leads to the third issue. An often-overlooked piece of the puzzle is that many organizations use an implicit trust model when providing access to applications. Off-network users using a VPN to access applications—whether on-prem or in the cloud—are usually authenticated with a generic authentication process that provides access to the entire network. That’s because any device connecting to an application through a secure VPN tunnel is assumed to be trusted and is given free access to a wide range of resources. However, if a user’s machine, identity, or credential is compromised, an attacker can use that same access to roam the network looking for ways to compromise your business.

Solutions designed for the way companies do business today

Fortunately, there are several technologies designed to address these challenges that organizations should seriously consider. SD-WAN provides reliable connections to cloud-based applications to ensure QoE. However, one of the most significant weak spots of most SD-WAN solutions is their lack of integrated security. Secure SD-WAN, built on a purpose-built security platform, fixes this problem by blending advanced connectivity with enterprise-grade security, all managed through a single console for consistent policy creation, deployment, and enforcement.

Additionally, Zero Trust Network Access (ZTNA) enables IT teams to provide per-user access to specific applications so that every device, user and application is seen and controlled regardless of from where they are connecting. ZTNA bridges the gap between a WFA user and applications that may be deployed anywhere. It sits in the middle, granting per-use access, enforcing user identity and device posture, and providing continuous monitoring. 

The new WFA model is not going away. Instead, organizations need to adapt their existing infrastructures and security models to accommodate the wide variety of users, devices, and use cases they need to support. Traditional security and connectivity solutions are not up to the task. Solutions like SD-WAN and ZTNA are critical for helping businesses keep up with the new expectations, challenges, and opportunities that WFA provides.

Take a security-driven networking approach to improve user experience and simplify operations at the WAN edge with Fortinet Secure SD-WAN.