Hybrid work has made the office boundary harder to draw. Staff move between branches, homes, client sites, trains, coffee shops, shared workspaces, and cloud applications. A firewall at head office can still matter, but it is no longer the centre of gravity. The Anywhere Office is the operating model that treats every user, device, app, and location as part of one managed security and connectivity estate.
That shift is not only about productivity. Acas describes flexible working as changes to where, when, and how someone works, and notes that it can help employers attract staff and support work-life balance. For UK leaders, the Anywhere Office is therefore a business reality as much as a network design challenge.
The security model needs to catch up. NIST SP 800-207 explains that zero trust moves away from static, network-based perimeters and focuses on protecting resources, with no implicit trust based only on network location. The NCSC zero trust design principles put it even more plainly: do not trust any network, verify every request by policy, and understand users, devices, services, and data flows.
That is where SD-WAN and SASE become useful. SD-WAN can make wide-area connectivity more application-aware, resilient, and centrally managed. SASE can bring identity-aware security controls closer to users and cloud apps. Used together, they help the Anywhere Office become a deliberate architecture rather than a collection of VPNs, broadband lines, SaaS logins, and hopeful firewall rules.
Anywhere Office at a glance
The Anywhere Office is a practical way to describe secure hybrid working at scale. It does not mean every employee works everywhere all the time. It means the organisation can support approved work from multiple locations without losing visibility, performance, security discipline, or user support.
In a traditional branch model, people and applications were often close together. Traffic stayed inside known sites, applications lived in a data centre, and the network perimeter was easier to reason about. In the Anywhere Office, users may connect from unmanaged networks, SaaS platforms may hold business-critical data, and cloud services may replace old on-premises applications. The path between user and application changes throughout the day.
SD-WAN helps by making routing decisions based on application, link quality, site priority, and policy. SASE helps by applying security functions such as secure web access, cloud app control, zero trust network access, data protection, and inspection through cloud-delivered or distributed enforcement points. The value is not the acronym. The value is joined-up control.
The Anywhere Office should give users a fast route to approved applications, give IT a clear view of traffic and access decisions, and give leaders confidence that hybrid work has not created hidden unmanaged risk.
Why VPN and perimeter assumptions are failing
VPNs still have a place, especially for specific legacy applications and controlled administrator access. The problem starts when a VPN becomes the main trust boundary. Once connected, users may have broader reach than they need, traffic may hairpin through sites that were not designed for cloud volumes, and support teams may struggle to distinguish a device problem from an internet, application, or identity problem.
The NCSC zero trust introduction describes confidence as a combination of strong authentication, authorisation, device health, and the value of data being accessed. That is a better fit for hybrid work than asking whether someone is on a trusted network. The Anywhere Office requires access decisions that reflect who the user is, what device they are using, where the request is coming from, what service they want, and how risky the session appears.
Perimeter thinking also weakens resilience. If all remote staff rely on one VPN concentrator, one firewall pair, or one data-centre internet connection, the business can look modern while still carrying a single point of failure. If traffic to Microsoft 365, CRM, finance, voice, and collaboration tools is dragged through the wrong route, users feel the pain quickly.
The Anywhere Office needs a more flexible design: identity-aware access for users, application-aware routing for traffic, continuous monitoring for risk, and documented fallback when connectivity or cloud services fail.
1. Map users, devices, applications, and data flows
Advanced strategy begins with a basic inventory. Before choosing SD-WAN appliances, SASE services, or zero trust network access, map the real estate. List sites, home-worker patterns, roaming users, privileged administrators, guest access, third-party suppliers, cloud applications, legacy systems, SaaS data stores, voice services, and business-critical workflows.
This is where many Anywhere Office programmes become clearer. A finance team may need secure access to cloud accounting, banking, payroll, document storage, and a legacy reporting database. A customer service team may need CRM, telephony, call recording, knowledge base access, and stable video. Field staff may need mobile apps and secure file access from unpredictable networks. Executives may need stronger protection because their accounts are high-value targets.
For each workflow, document who needs access, which devices are allowed, what data is involved, which locations are normal, what latency matters, what logs are required, and what happens if the route fails. Include suppliers and support partners. Remote monitoring tools, outsourced helpdesks, finance providers, and software vendors can all become part of the effective office boundary.
The Anywhere Office should be designed around those flows, not around a generic diagram. This is also a natural point to connect with an identity-first security review, because access policy is only as strong as the identity, device, and lifecycle controls behind it.
2. Build SD-WAN around application performance, not cheaper circuits
SD-WAN is often sold as a way to reduce dependence on expensive private circuits. Cost can matter, but the stronger business case is control. A well-designed SD-WAN model can classify applications, prioritise sensitive traffic, use multiple links intelligently, fail over when a circuit degrades, and give IT a central policy layer across branches and smaller sites.
For the Anywhere Office, SD-WAN should answer practical questions. Which applications need low latency? Which sites need dual broadband or mobile failover? Which traffic can go directly to the cloud? Which traffic must pass through inspection? Which legacy systems still require private or tightly controlled paths? Which branch services must keep running if the primary circuit fails?
Do not let every site become a one-off exception. Define standard site profiles: head office, larger branch, small branch, warehouse, temporary office, and high-criticality site. Each profile should have expected circuits, routing policy, segmentation, security enforcement, monitoring, and support ownership. That makes the network easier to operate and easier to explain to non-technical leaders.
SD-WAN should also feed resilience planning. If a branch depends on payment systems, customer service, digital telephony, or stock control, a cheap single broadband line may not match the operational risk. Our guide to Satellite-as-a-Service covers wider backup WAN thinking for hard-to-reach or continuity-sensitive locations.
3. Use SASE to put security controls where users work
SASE is useful because it accepts that users and applications are distributed. Instead of forcing every decision through one office perimeter, it brings networking and security controls closer to the user, application, or cloud service. That can include secure web gateway, cloud access security broker, firewall-as-a-service, zero trust network access, data loss prevention, remote browser isolation, and central policy management.
The Anywhere Office does not need every SASE feature on day one. Start with the controls that reduce the biggest operational risk. For many UK SMEs, that means secure web access, identity-based application access, device posture checks, SaaS visibility, and consistent logging. For larger or regulated organisations, data protection, tenant restrictions, private application publishing, and administrator session controls may become more urgent.
The key design point is consistency. A user should not get strong controls in the branch, weak controls at home, and different controls on a mobile hotspot. Policies may adapt to risk, but they should come from the same governance model. SASE can help make access decisions portable, so the Anywhere Office is not dependent on where a user happened to plug in.
The NCSC zero trust implementation guidance is useful here because it recognises migration, mixed estates, and VPN removal as staged decisions. Most organisations will run hybrid controls for a while. The goal is progressive reduction of implicit trust, not a disruptive rip-and-replace project.
4. Replace blanket VPN trust with zero trust access policies
Zero trust is not a product SKU. It is a security model that requires explicit decisions. NIST says access to resources should be granted per session, based on policy, with authentication and authorisation before access is allowed. The NCSC design principles add the need to know your architecture, understand user and device identities, assess health signals, authenticate and authorise everywhere, and monitor users, devices, and services.
For the Anywhere Office, translate that into usable rules. Employees should get access to the applications they need, not broad network ranges. Privileged administrators should have stronger authentication, shorter sessions, protected admin workstations where appropriate, and recorded or logged access to critical systems. Suppliers should have named accounts, time-bound access, and clear ownership. Devices should meet baseline health requirements before reaching sensitive services.
This does not mean every request should annoy the user. Good policy should reduce friction for normal low-risk work while stepping up controls when the context changes. A managed laptop on a normal connection may receive a smooth route to approved SaaS. A new device, unusual location, risky browser, or administrator action may trigger stronger checks.
The Anywhere Office works best when zero trust is explained in plain operational terms: least privilege, known devices, strong identity, monitored sessions, and access based on business need.
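The rules in this section can be expressed as a small per-request policy function. The sketch below is an added example, not code from this article or from any vendor product; the application catalogue, role names, field names, and session lengths are hypothetical assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Hypothetical catalogue: access is granted per application, never per network range.
APPS = {
    "crm":         {"roles": {"employee", "finance", "admin"}, "sensitive": False},
    "payroll":     {"roles": {"finance"}, "sensitive": True},
    "core-switch": {"roles": {"admin"}, "sensitive": True},
    "hvac-portal": {"roles": {"supplier"}, "sensitive": False},
}
ADMIN_SESSION_MIN, DEFAULT_SESSION_MIN = 15, 480  # assumed session lengths
NOW = datetime(2025, 1, 15, 9, 0, tzinfo=timezone.utc)  # constructed clock for the samples

@dataclass
class Request:
    user: str
    role: str
    app: str
    device_managed: bool = True
    device_healthy: bool = True
    known_device: bool = True
    usual_location: bool = True
    mfa_fresh: bool = False                    # strong authentication done this session
    access_expires: Optional[datetime] = None  # only used for supplier accounts

def decide(req, now=NOW):
    """Return (outcome, session_minutes, reasons); outcome is allow, step_up or deny."""
    app = APPS.get(req.app)
    # Least privilege: unknown apps and roles without a business need are refused.
    if app is None or req.role not in app["roles"]:
        return ("deny", 0, ["no business need for this application"])
    # Suppliers get named, time-bound access only.
    if req.role == "supplier" and (req.access_expires is None or now >= req.access_expires):
        return ("deny", 0, ["supplier access is outside its approved window"])
    # Device health is a hard gate for sensitive services.
    if app["sensitive"] and not (req.device_managed and req.device_healthy):
        return ("deny", 0, ["device does not meet the baseline for a sensitive service"])
    # Context changes raise the bar instead of blocking outright.
    triggers = []
    if not req.known_device:
        triggers.append("new device")
    if not req.usual_location:
        triggers.append("unusual location")
    if req.role == "admin":
        triggers.append("administrator action")
    if triggers and not req.mfa_fresh:
        return ("step_up", 0, triggers)
    minutes = ADMIN_SESSION_MIN if req.role == "admin" else DEFAULT_SESSION_MIN
    return ("allow", minutes, triggers)

if __name__ == "__main__":
    samples = [  # constructed requests
        Request("a.khan", "employee", "crm"),
        Request("a.khan", "employee", "crm", known_device=False),
        Request("f.osei", "finance", "payroll", device_healthy=False),
        Request("ops1", "admin", "core-switch", mfa_fresh=True),
    ]
    for r in samples:
        print(r.user, r.app, decide(r))
```

The order of the checks matters: business need and device health are hard denials, while context signals only request stronger authentication, which keeps normal low-risk work free of prompts.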
5. Segment branch, home, SaaS, and legacy paths
Segmentation is still important, even when the network perimeter is less central. In fact, the Anywhere Office often needs more deliberate segmentation because traffic patterns are more complex. Branch users, guest Wi-Fi, voice systems, IoT devices, payment terminals, administrator sessions, SaaS applications, and legacy systems should not all share the same level of trust.
Begin with high-risk and high-value areas. Separate guest and unmanaged devices from business systems. Limit lateral movement between branch networks. Put payment, voice, building systems, and operational technology on appropriate networks. Restrict administrator paths. Use identity and application policy to limit access to legacy systems that cannot be modernised immediately.
SASE and SD-WAN can support this together. SD-WAN can provide site and traffic segmentation across branches. SASE or SSE controls can segment access at the application layer for users outside the branch. Identity policy can decide who sees which private applications. Logs can show whether segmentation is working or whether teams are quietly bypassing it.
The NCSC 10 Steps guidance on architecture and configuration encourages organisations to build security in, reduce attack surface, use layered security, and prevent lateral movement. Those ideas are central to Anywhere Office design.
6. Centralise logging, monitoring, and incident response
Hybrid work makes weak logging obvious. A user may authenticate through one platform, browse through another, reach SaaS directly, connect through SD-WAN at a branch, and raise a ticket with a managed provider. If logs are scattered, incident response becomes guesswork.
The NCSC logging and monitoring guidance describes logs as the foundation of protective monitoring and recommends keeping important logs for at least six months, protecting them from tampering, and monitoring across networks, devices, and cloud services. That advice fits the Anywhere Office perfectly.
Decide which events matter: authentication, denied access, impossible travel, device compliance changes, administrator sessions, risky downloads, malware blocks, DNS anomalies, SaaS sharing changes, unusual data movement, SD-WAN link degradation, failover events, and policy changes. Feed those signals into a central system where internal IT, a managed provider, or a security partner can act.
For organisations moving from MSP support toward stronger detection and response, our MSP to MSSP guide explains why monitoring, escalation, evidence, and incident ownership need to mature together. The Anywhere Office makes that maturity more important because there are more places for risk to appear.
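To show why central collection matters, the added example below (not part of the original article) merges events from three hypothetical sources into one timeline and flags impossible travel, one of the signals listed above. The event schema, user names, site name, and the 900 km/h threshold are assumptions, and all log entries are constructed.

```python
import math
from datetime import datetime

# Constructed events, already normalised to one schema from three hypothetical
# sources: identity provider, SASE gateway and SD-WAN controller.
IDP = [
    {"ts": "2025-01-15T08:02:00+00:00", "src": "idp", "user": "a.khan",
     "event": "auth_success", "lat": 51.5074, "lon": -0.1278},   # London
    {"ts": "2025-01-15T09:10:00+00:00", "src": "idp", "user": "a.khan",
     "event": "auth_success", "lat": 40.7128, "lon": -74.0060},  # New York
    {"ts": "2025-01-15T08:00:00+00:00", "src": "idp", "user": "j.lee",
     "event": "auth_success", "lat": 53.4808, "lon": -2.2426},   # Manchester
]
SASE = [
    {"ts": "2025-01-15T08:30:00+00:00", "src": "sase", "user": "a.khan",
     "event": "download_blocked"},
    {"ts": "2025-01-15T10:00:00+00:00", "src": "sase", "user": "j.lee",
     "event": "auth_success", "lat": 51.5074, "lon": -0.1278},   # London
]
SDWAN = [
    {"ts": "2025-01-15T08:45:00+00:00", "src": "sdwan", "user": None,
     "site": "branch-07", "event": "link_failover"},
]

def timeline(*sources):
    """Merge per-source event lists into one list ordered by timestamp."""
    merged = [dict(e, when=datetime.fromisoformat(e["ts"])) for s in sources for e in s]
    return sorted(merged, key=lambda e: e["when"])

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def impossible_travel(events, max_kmh=900):
    """Flag consecutive located sign-ins per user that imply a speed above max_kmh."""
    last, findings = {}, []
    for e in events:
        if e["event"] != "auth_success" or e.get("user") is None or "lat" not in e:
            continue
        prev = last.get(e["user"])
        if prev is not None:
            hours = max((e["when"] - prev["when"]).total_seconds() / 3600, 1 / 3600)
            kmh = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"]) / hours
            if kmh > max_kmh:
                findings.append({"user": e["user"], "from": prev["src"], "to": e["src"],
                                 "start": prev["ts"], "end": e["ts"], "kmh": round(kmh)})
        last[e["user"]] = e
    return findings

if __name__ == "__main__":
    for finding in impossible_travel(timeline(IDP, SASE, SDWAN)):
        print(finding)
```

The second user's sign-ins arrive from two different platforms, so the comparison is only possible once both feeds sit in the same timeline; here the journey is plausible and is not flagged.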
7. Govern suppliers, SLAs, and user experience
The Anywhere Office has more moving parts than a simple site network. Broadband providers, mobile networks, SD-WAN platforms, SASE services, identity providers, device management, cloud applications, endpoint security, helpdesk partners, and telecoms services can all affect the user experience. Someone has to own the whole service, not just individual contracts.
Define the operating model before trouble starts. Who investigates a slow SaaS application? Who can change routing policy? Who approves a new supplier connection? Who owns SASE policy exceptions? Who reviews logs? Who tests failover? Who tells users what to do when their home broadband is failing but the business application is healthy?
User experience is part of security. If controls are slow, confusing, or inconsistent, people find workarounds. Measure sign-in success, helpdesk tickets, application latency, call quality, failed device checks, policy exceptions, and recurring user pain. Then tune policy with evidence rather than anecdotes.
This is where a vCIO advantage can help. The Anywhere Office touches risk, cost, supplier governance, resilience, and employee experience. It needs a roadmap, not a drawer full of product renewals.
A 90-day Anywhere Office roadmap
In the first 30 days, build the baseline. Map users, sites, applications, devices, suppliers, internet circuits, VPN users, privileged accounts, SaaS platforms, and critical workflows. Pull together incident history, support tickets, complaints about performance, and known security exceptions. This gives the Anywhere Office programme a factual starting point.
In days 31 to 60, define the target policies. Choose standard site profiles, user groups, device requirements, private application access rules, internet security controls, logging requirements, and failover expectations. Decide where SD-WAN is needed, where SASE can simplify remote access, and which legacy applications need special handling.
In days 61 to 90, pilot and prove. Pick one branch, one remote-user group, and one sensitive workflow. Test application performance, access policy, device checks, logging, incident response, support handoffs, and user communication. Document what improves, what breaks, and what must change before wider rollout.
The point of the roadmap is not to finish the Anywhere Office in one quarter. It is to replace vague concern with visible progress, business priorities, and a defensible architecture.
Mistakes to avoid
The first mistake is buying SD-WAN or SASE before mapping the work. Without application and user context, teams may reproduce old network habits in a new platform. Inventory first, then design.
The second mistake is treating zero trust as a slogan. If policies still grant broad network access, unmanaged suppliers still share accounts, and device health is ignored, the Anywhere Office is not meaningfully zero trust.
The third mistake is ignoring user experience. A technically secure design that slows normal work or breaks meetings will generate pressure for exceptions. Performance, communication, and support are part of the control environment.
The fourth mistake is leaving logs with separate suppliers. During an incident, the organisation needs evidence quickly. Central visibility should be planned, tested, and owned.
FAQ
Does every hybrid workforce need SD-WAN and SASE?
No. A small organisation with simple SaaS use, strong identity controls, and few branches may not need a full SD-WAN and SASE programme immediately. The Anywhere Office still needs good access control, device management, backup connectivity decisions, and logging. SD-WAN and SASE become more valuable as sites, users, applications, and risk increase.
Is SASE the same as zero trust?
No. SASE is an architecture category that combines networking and security capabilities. Zero trust is a security model based on explicit verification, least privilege, and continuous evaluation. SASE can help deliver zero trust access, but buying a SASE service does not automatically create a zero trust operating model.
Should we remove the VPN?
Not automatically. Some VPN use may remain valid for legacy systems or administrator workflows. The stronger question is whether each VPN route is still justified, monitored, and limited. Over time, the Anywhere Office should move routine application access toward identity-aware, least-privilege controls.
What should UK SMEs do first?
Start with identity, device health, application inventory, and logging. Then review branch connectivity and remote access. The NCSC small organisations guide is a useful companion because it focuses on practical controls for devices, passwords, remote working, and incident preparation.
How do we measure success?
Track fewer broad VPN routes, fewer unmanaged devices, better sign-in success, lower remote-access ticket volume, faster incident investigation, tested failover, improved application performance, and clearer supplier ownership. The Anywhere Office should make hybrid work safer and easier to support.
Bottom line
The Anywhere Office is not a technology fashion label. It is the reality of UK hybrid work: users, devices, applications, and data are no longer contained by one building. SD-WAN and SASE help when they are used to solve that reality with application-aware connectivity, identity-based access, segmentation, monitoring, and supplier governance.
Start with the work people actually do. Map the flows, reduce implicit trust, route traffic intelligently, put security controls near the user and application, centralise evidence, and test resilience. Done well, the Anywhere Office can give hybrid teams the flexibility they expect without asking IT to accept avoidable risk.