
Zscaler Blog


The (Thick) Branch is Dead. Long Live the (Thin) Branch

This post also appeared on LinkedIn.

Even with the pandemic (hopefully) winding down, mass remote work will stick around for the foreseeable future. Twitter, Google, Facebook, Deutsche Bank and other globally recognized companies are letting their employees work from home at least through the summer, if not longer. But what about beyond? Comprehensive studies such as McKinsey's indicate that most companies will keep work-from-anywhere (WFA) as a permanent part of their corporate strategy. 

But what does this look like? Based on my conversations with various companies in different sectors, the WFA answer isn’t black and white. Most likely, some split percentage of people in vs. out of the office will continue, and a new hybrid model will take hold as the norm. 

The next logical question is, what about the expensive investments in physical data centers located in high-priced office campuses? As companies dusted off their business continuity plans during the pandemic, many saw traffic and workloads shift quickly from complex network and security stacks to remote connections. What does this mean for legacy equipment and architectures? 
 

What do we do about the internet?

Managing internet traffic is a significant portion of the IT department's daily struggle. It makes up 40 to 70 percent of all corporate traffic, and continued adoption of SaaS applications like Microsoft 365, Workday, and ServiceNow will only increase this share. As more people work outside the corporate office and connect to more cloud-based applications and infrastructure, more internet-bound traffic gets backhauled (or "tromboned") through the classical IT infrastructure before it ever reaches the internet. This increase can congest and overwhelm legacy network security infrastructure. 

As more employees moved outside the office during the pandemic, legacy network and security setups struggled to handle the unanticipated onslaught of users working from home. Why? With very little time to prepare for quarantines, organizations couldn't build or scale legacy infrastructure fast enough to meet new expectations about where, how, and when workforces were using apps. This lack of scalability led to a poor user experience for millions of remote workers: friction-filled logins imposed by complicated security processes, complex architectures that made finding applications difficult, and poor application performance caused by backhauling internet-bound traffic. 

Frankly, many users confronted with this experience looked for quick ways to bypass controls. This behavior, while understandable, opened a new can of worms by increasing the network attack surface: every additional device that connects to corporate content from outside the perimeter, outside the sanctioned path, is a potential attack vector.
 

Get lean, get svelte, get “thin”

A better alternative to the situation described above is using direct internet connections from the branch office. They're certainly cheaper (even at higher bandwidths). But they do require proper security, which usually means deploying complex network and security stacks at each branch office. For remote work (or an office of one), that isn't a viable option.

The right approach is to replace the traditional heavy branch model with a cloud-centric, thin branch model using a Secure Access Service Edge (SASE) architecture. In a paper, Gartner succinctly posits this concept in the way that only industry analysts can: 

Instead of forcing (via “tromboning”) various entities’ traffic to inspection engines entombed in boxes in the data center, we need to invert our thinking to bring the inspection engines and algorithms closest to where the entities are located.


The chart below captures the difference between a heavy and thin branch: 

[Figure: heavy branch vs. thin branch]

  • Heavy branch: Security is applied locally, in the form of hardware appliances at each site.
  • Thin branch: Relies on centralized cloud control for managing security and access, with minimal equipment on site.

Gartner suggests that most networking actions should be delivered from the cloud in WFA models. Any decisions not made in the cloud should be made as close to the edge as possible, with as light a touch on the device as possible.

As we've seen play out the world over during the pandemic, a heavy-branch model required physical network changes to the systems that allowed employees to access applications and assets at branch locations. Upgrading equipment at every branch (e.g., VPN concentrators) to accommodate growing traffic was cost-intensive, and procurement was slow because every other company was ordering new stacks of gear at the same time. The thin-branch/heavy-cloud model provides more agility and can auto-scale to meet virtually any requirement, since the compute is offloaded to the cloud. 
 

Thin is cost-effective and secure

With vaccinations and loosening social distancing requirements, companies will allow employees back into the office. They can ease back on some of the scaling they’ve done for branches, but how much? With expanded remote work here to stay, what happens to the investments made towards achieving a thin branch?

Beyond where employees sit while they work, many companies will need to find ways to scale back costs. One method might be scaling back on physical locations completely. Using SASE architectures and Zero Trust models can enable a company to scale up connections faster than ever while scaling back on physical locations. 

During the crisis, I've watched companies go from tens of branch offices to thousands of branch offices of one employee each. Allowing employees to work wherever they want, using whatever connections and equipment they want, secured by identity-based zero trust, means less overhead and a better employee experience for those who've found success and balance working from anywhere. 

On a side note, an article I read recently seems to suggest that some organizations will keep some hub-and-spoke architectures alive via an HQ and temporary satellite offices (e.g., rented office space like WeWork, Regus, etc.) to ensure that employees can meet and exchange work-related plans. This isn't an architecture model, however, but a conceptual localization plan. In fact, the more companies adopt temporary meeting spaces for in-person gathering, the more they are going to need non-traditional security models that use identity to link users to applications.

It's not inconceivable that many branch locations employing SASE architectures could simply use 4G/5G SIM cards as their primary connection. With zero trust, such a connection could provide the security, agility, and cost savings that would accelerate opening new "branches." Going thin also has real security benefits: there are no hardware appliances at the branch to constantly provision, update, and maintain, so there is no internet-facing box at each site waiting for its next patch, and you don't need an MPLS or VPN connection at all. That means you reduce your attack surface, complexity and costs. 
 

The office is dead; long live the office!

The office as we know it is not yet dead, but the COVID-19 crisis has shown that the new hybrid workplace requires scalable solutions. Newer architectures such as SASE and Zero Trust that support today’s realities are replacing legacy networks and delivering the agility and resiliency that businesses need to compete and succeed in the modern, digital landscape. 

These architectures use the internet as the new corporate network and the cloud as the new data center. Zero trust architectures create less expensive and better-performing security by securing connections between users and applications and removing the need for costly infrastructure services. 

As the new hybrid workforce takes shape, thin branch office models that include work-from-home options will be necessary for modern business. Therefore, the office is dead, long live the office!
