Branch office security - what are the problems?

James Lyne, director of Technology Strategy, Sophos says that branch offices need the same security as the head office

Tags: Sophos
By James Lyne, published October 31, 2012


Almost every business that moves data over IP networks knows it has to protect itself, and will have systems in place to keep that data secure. Those systems are usually concentrated at the head office. For staff who are not at the central office, whether in a branch office or working from home, the question of security is harder to answer, and it shapes IT security thinking: how can these remote locations be secured, and what problems arise in managing them?

The number of companies with remote workers or branch offices is growing. Typical branch office IT deployments are retailers, travel agents, estate agents and petrol stations: the IT requirements at each location can be fairly basic, and there are often no IT skills on site at all.

The first area to consider is how to manage many branch networks efficiently. Because each branch office is small, it will typically not have any on-site IT staff available to support users if something goes wrong. The emphasis therefore has to be on how the central IT department can provide this support and security without seriously impacting productivity and costs.


The typical branch office often needs the same security functionality as the head office: firewall, VPN, IPS, web and email security matter just as much to remote workers as to those at headquarters. For the central IT team, committing resources to an implementation or upgrade at every site can be very expensive.

When you open a new branch office, being able to roll out and update security systems centrally, without putting an engineer on the road for several days, gives a far better return on investment and much lower costs. Pre-configuring each system at the head office is one approach, but in most cases adjustments still have to be made on site. The result is a different configuration in each location, and the configurations drift apart and become hard to track. Dedicated central management solutions exist, but they are expensive and often very, very complex.

Another way to solve this problem is a kind of ‘thin client’ approach to security. Instead of running the firewall, VPN, IPS, web and email security functions on an expensive branch office device, all of these functions are provided by a single powerful central security gateway, which can sit in your head office or in the cloud (for example at a service provider). A small remote Ethernet device in the branch office does nothing but forward all traffic to the central gateway, where it is scanned and filtered before it is sent on to the internet; the remote device behaves like a thin client. The trade-off is that the tunnel and the central gateway are now on the path of every packet the branch sends, so their availability and capacity determine the branch's connectivity.

These remote Ethernet devices can be shipped to the branch unconfigured; their entire configuration is held on the central gateway. When the device comes online it retrieves its settings from the central provisioning service, configures itself and establishes an encrypted tunnel to the head office, with no IT staff present. The security of the whole site then rests on that first exchange: the device must authenticate itself to the provisioning service, and it must be able to verify that the configuration it receives really came from head office, otherwise a box plugged into an untrusted network could be handed a tunnel endpoint of someone else's choosing.
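As an added illustration (this is not Sophos code and does not describe how any particular product provisions), the zero-touch exchange above can be simulated end to end in Python with both parties in one process. It assumes a per-device key injected at the factory, HMAC-SHA256 over canonical JSON to authenticate both the device's request and the returned configuration, and a per-request nonce that binds the response to the request and stops replays; the device serials, keys and site configurations are constructed sample data.

```python
"""Zero-touch provisioning of a branch 'remote Ethernet device', simulated.

Added example: both sides run in-process and the "network" is a dict handed
from one to the other. The point being demonstrated is that an unconfigured
box must prove its identity (factory-provisioned per-device key) and must
verify that the configuration it receives is authentic and bound to its own
request before it brings up the tunnel.
"""
import hashlib
import hmac
import json
import secrets

# Constructed sample data: per-device keys that would be injected at the
# factory (here random for the demo) and the per-site configurations prepared
# in advance by the central IT team.
FACTORY_KEYS = {"RED-0001": secrets.token_bytes(32), "RED-0002": secrets.token_bytes(32)}
SITE_CONFIGS = {
    "RED-0001": {"site": "branch-17", "tunnel_peer": "vpn.example.net:443",
                 "lan": "10.17.0.0/24", "policy": "retail-default"},
    "RED-0002": {"site": "branch-23", "tunnel_peer": "vpn.example.net:443",
                 "lan": "10.23.0.0/24", "policy": "retail-default"},
}


def canon(obj) -> bytes:
    """Canonical JSON so both sides MAC exactly the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def tag(key: bytes, obj) -> str:
    return hmac.new(key, canon(obj), hashlib.sha256).hexdigest()


class ProvisioningServer:
    """Central provisioning service: device registry plus site configurations."""

    def __init__(self, factory_keys, site_configs):
        self.keys = factory_keys
        self.configs = site_configs
        self.seen_nonces = set()  # replay protection

    def handle(self, request: dict) -> dict:
        serial = request.get("serial")
        key = self.keys.get(serial)
        if key is None:
            return {"error": "unknown device"}
        body = {"serial": serial, "nonce": request.get("nonce")}
        if not hmac.compare_digest(request.get("mac", ""), tag(key, body)):
            return {"error": "bad device mac"}  # cloned serial without the key
        if body["nonce"] in self.seen_nonces:  # only after the MAC passes, so
            return {"error": "replay"}  # strangers cannot burn nonces
        self.seen_nonces.add(body["nonce"])
        cfg = self.configs.get(serial)
        if cfg is None:
            return {"error": "no configuration assigned"}
        reply = {"serial": serial, "nonce": body["nonce"], "config": cfg}
        return {**reply, "mac": tag(key, reply)}


class RemoteEthernetDevice:
    """Unconfigured branch box: knows only its serial and its factory key."""

    def __init__(self, serial: str, factory_key: bytes):
        self.serial, self.key = serial, factory_key
        self.config, self.tunnel_up, self._nonce = None, False, None

    def build_request(self) -> dict:
        self._nonce = secrets.token_hex(16)
        body = {"serial": self.serial, "nonce": self._nonce}
        return {**body, "mac": tag(self.key, body)}

    def apply(self, response: dict) -> bool:
        if "error" in response:
            return False
        unsigned = {k: v for k, v in response.items() if k != "mac"}
        if not hmac.compare_digest(response.get("mac", ""), tag(self.key, unsigned)):
            return False  # forged or tampered configuration
        if response.get("nonce") != self._nonce or response.get("serial") != self.serial:
            return False  # reply to a different request or device
        self.config = response["config"]
        self.tunnel_up = True  # stand-in for bringing up the VPN to config["tunnel_peer"]
        return True


def provision(device, server, on_wire=lambda r: r) -> bool:
    """Run one exchange; `on_wire` lets a caller simulate tampering in transit."""
    return device.apply(on_wire(server.handle(device.build_request())))


if __name__ == "__main__":
    srv = ProvisioningServer(FACTORY_KEYS, SITE_CONFIGS)
    box = RemoteEthernetDevice("RED-0001", FACTORY_KEYS["RED-0001"])
    print("provisioned:", provision(box, srv), box.config)
```

The `on_wire` hook is there to show the failure modes: a changed `tunnel_peer` in transit, a cloned serial without the key, or a replayed request all leave the device unprovisioned rather than tunnelled to the wrong place.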

Once the network itself is protected, the next step is to look at the company’s existing policies. From internet access for personal use through to application installation and blocking unauthorised software, the head office’s set of IT rules can be extended to the branch office environment. Most of these guidelines should be the same: for example, no peer-to-peer software may be installed without a valid business case. Where remote workers use personal devices, some of these policies may need to be more flexible.


Another point to consider in IT usage policies is that bandwidth at the branch office may be more limited. Rules on which sites may be visited may therefore have to be stricter, so that the available bandwidth is used for business purposes and the central IT team can still support users properly.

The cost of maintaining a branch office network, particularly one with tens or even hundreds of sites, is another factor to be weighed over time. With the remote Ethernet device approach, branch offices can be managed as if they were just another in-house department connected through a very long Ethernet cable.

A company’s security is only as strong as its weakest link. Yet this is often not recognised at the branch office level, or organisations pay more to maintain separate solutions at each office, which hinders their day-to-day work. What is needed is an approach to branch office security that recognises these requirements and keeps each branch office secure using only the skills that already exist at head office.
