BLUF: For a 150‑person Modesto firm consolidating two offices and keeping ~40% of staff remote, yes — there are tools and SASE/ZTNA patterns (plus microsegmentation inside cloud/SD‑WAN overlays) built explicitly for remote work; they trade broad per‑user access control for per‑resource enforcement and make least‑privilege practical for remote users when paired with device posture and identity controls. Choose ZTNA/SASE + microsegmentation for app‑level access and SD‑WAN segmentation for site‑level routing and QoS.
Opening scenario: Modesto, consolidation, and a hard decision
A 150‑employee accounting and payroll firm in Modesto, CA is merging two nearby offices onto one managed network and help desk while keeping ~60 staff on hybrid or permanent remote schedules. The firm processes high‑value wire transfers and must protect the wire‑approval workflow (multi‑step approvals, shared file storage, and the accounts payable server). The CIO asks: can we treat remote workers like branch users, or do we need different tools to safely segment who can see the wire‑approval systems from a home laptop?
This article shows the specific tool categories and patterns that work for that exact situation — what to ask vendors, what to expect operationally, and how Datapath would sequence it for a Modesto mid‑market customer using our /locations/modesto-california/ team and managed cybersecurity capabilities (/services/managed-cybersecurity-services/).
Short technical primer: what remote‑centric segmentation looks like
- SD‑WAN/site segmentation: extends on‑prem routing and VLAN segmentation to branch or remote offices, keeping site‑to‑site traffic separated and applying QoS for voice or EHR traffic.
- ZTNA / ZTNA‑style (Zero Trust Network Access): never trusts the network; grants per‑session, per‑application access to resources based on identity and device posture rather than IP location12.
- Microsegmentation: enforces east‑west controls at the workload or VM/container level inside clouds and data centers — useful when remote users access cloud‑hosted financial systems3.
NIST’s Zero Trust Architecture explains the shift from protecting networks to protecting resources and per‑request decisions1. CISA’s guidance and work on microsegmentation emphasize that as remote work scales, microsegmentation reduces exposure by limiting allowed connections to specific zones or workloads4.
Which tool categories matter for a Modesto consolidation (and why)
| Provider / Option | Best fit | Specialty / strengths | Buyer‑relevant differentiator |
|---|---|---|---|
| Palo Alto Prisma Access / Prisma SD‑WAN | Mid‑market + multi‑site firms that want an integrated firewall + SD‑WAN + SASE stack | Strong segmentation controls, single vendor policy model; good for extending segmentation from data center to remote sites | Integrated SASE + SD‑WAN design guidance for remote‑site segmentation (good when consolidating offices) [Vendor docs] |
| Zscaler (ZTNA / ZPA) | Firms prioritizing per‑user app access from unmanaged endpoints | Application‑level access, brokered connections, minimal on‑prem footprint | Hides internal apps; reduces lateral‑movement risk for remote users [Vendor docs] |
| VMware SASE / SD‑WAN | Organizations with heavy cloud app use and desire to extend DC segmentation to branches | SD‑WAN + cloud routing with the ability to map DC segmentation into WAN fabric | Strong for hybrid on‑prem + cloud migrations and consistent segmentation across branch and cloud |
Note: the table above compares vendor design orientations (Prisma, Zscaler, VMware) and should be read as architectural categories: SASE (Prisma), ZTNA (Zscaler), and SD‑WAN + SASE (VMware). We use vendor docs to identify where each emphasizes remote segmentation in their architecture.5
Real operational workflow: protecting a wire‑transfer approval flow
Concrete workflow to protect: initiator uploads wire request to a shared file store → first approver receives notification and opens a web app → second approver signs off via a browser UI → finance posts the wire from an accounts payable server.
Do this with remote‑centric segmentation by combining:
- Identity + conditional access (require MFA, device posture) for the web UI (ZTNA broker will do this).
- Per‑application access so home devices cannot reach the accounts payable server unless they present the correct identity, posture, and session attributes (ZTNA).
- Microsegmentation in the cloud/data center so even if the web app is compromised, east‑west connections to the AP server are restricted to the web tier only4.
Operationally this means changing three things in the approval workflow: (1) require device posture checks at login; (2) adopt per‑app tunnels (not full VPN split tunnels) for the accounts payable UI; and (3) apply least‑privilege security groups/rules between web and backend tiers. Datapath sequences those changes in a 60–90 day rollout as part of /services/managed-it-services/ and /services/managed-cybersecurity-services/ engagements.
Questions buyers actually type (and short answers)
Q: Can we simply put remote staff on VPN and keep our existing VLANs?
Short answer: That alone is risky at scale. Traditional VPNs place remote devices onto an internal network location; with compromised endpoints or stolen credentials, attackers gain broad lateral access. NIST’s Zero Trust guidance recommends moving from network‑centric controls to resource‑centric authorization — i6.e., per‑session, least‑privilege decisions1.
Q: Do remote‑first segmentation tools replace firewalls and VLANs?
No. SD‑WAN and SASE/ZTNA shift where policies are enforced: they reduce dependency on perimeter VLAN hops by enforcing per‑application or per‑workload controls, but on‑prem firewalls and network segmentation remain important for site‑to‑site segmentation and regulatory boundaries (for example, protecting an on‑prem accounts server versus cloud apps). Microsegmentation adds workload‑level controls inside the data center or cloud to stop east‑west movement once an attacker is inside4.
Q: Will this break our help desk or increase ticket volume?
If implemented without change control, yes. The operational work is in integrating IDP/MFA, device posture, and help‑desk playbooks for onboarding remote endpoints. Datapath’s approach is to pilot with a single user group (e.g., finance) and build a runbook so the help desk can triage device posture failures before broad rollout (/services/vcio-services/ or /services/co-managed-it-services/ can help run that pilot).
A practical decision checklist (what to ask vendors and why)
-
Do you offer per‑app access (ZTNA) — or only IP/VLAN‑based policies? (Per‑app avoids full network access.)
-
How do you integrate device posture and identity into session authorization?
-
Can you enforce microsegmentation inside our cloud workloads, and is policy consistent with on‑prem rules?
-
Will SD‑WAN carry voice/EHR traffic with QoS while keeping that traffic segmented from financial systems?
-
What logging/forensics do you produce to support incident response?
-
Choose the pilot group (finance/wires) and require a 60–90 day pilot that includes an incident‑response tabletop and a restore/test drill for the affected apps.
Example sizing / rough cost drivers (how Datapath frames it)
| Item | Driver | Typical Datapath sizing note |
|---|---|---|
| ZTNA seats | Number of remote users requiring app access | Per‑user licensing; pilot 25–50 seats, then expand |
| SD‑WAN | Number of branch sites / on‑prem appliances | Per‑site appliances + bandwidth; merging two offices often reduces MPLS cost |
| Microsegmentation | Number of server/workload zones | Pricing and effort scale with number of VMs/containers to instrument |
Costs vary widely by vendor contract and required log retention; Datapath provides a scoped estimate after discovery and a 30–60–90 onboarding plan (/blog/30-60-90-day-msp-onboarding-plan/).
How Datapath would execute this for the Modesto consolidation
- Discovery: inventory users, remote percentages, and the wire‑approval workflow; map which apps are on‑prem vs cloud.
- Pilot: 25 finance users on ZTNA for the AP UI with posture checks and per‑app logging.
- Microsegmentation: deploy workload rules around the web tier and AP database in the cloud/data center.
- Broaden: add SD‑WAN segmentation for the two offices (prioritize voice/EHR if present) and expand ZTNA to other groups.
- Ongoing: monitoring, incident response retainer (/services/incident-response-retainer-services/), and security awareness training (/services/security-awareness-training-services/).
Evidence and authority (short guide to the basis for these recommendations)
- NIST’s Zero Trust Architecture explains the shift to protecting resources and making per‑request access decisions instead of trusting network location, which is why ZTNA + identity posture is central to remote segmentation1.
- NIST guidance for telework and remote access explains remote access methods and the need to pair them with secure authentication and controls3.
- CISA has published guidance on microsegmentation and Zero Trust maturity that highlights microsegmentation as a control that limits connections to zones or segments — a useful control when large numbers of remote devices access enterprise resources45.
- Vendor solution guides (Prisma, Zscaler, VMware) explicitly position their SASE/SD‑WAN/ZTNA products as ways to extend segmentation to remote users and branch sites; use these vendor documents to evaluate the vendor’s policy model and management approach.5
Final advice — what to prioritize now
- Prioritize per‑application access (ZTNA) for the wire‑approval workflow and require posture + MFA before granting access.
- Pilot microsegmentation for your finance workloads so lateral movement is constrained even if a web session is compromised.
- Use SD‑WAN/site segmentation to keep voice/EHR/PCI zones logically separate when consolidating the two offices.
If you’d like, Datapath’s Modesto team can run a 30–60–90 assessment and pilot that maps the wire workflow to a ZTNA pilot and microsegmentation plan (/contact/ or /locations/modesto-california/). We combine named, accountable engineers with managed cybersecurity and managed IT to deliver uptime and auditable control changes; this is not commodity support — it’s a named team, measurable outcomes, and a tested pilot that keeps your most sensitive workflows safe.
1 NIST Zero Trust Architecture 3 NIST Guide to Enterprise Telework, Remote Access 4 CISA Zero Trust Maturity guidance 7 FBI CJIS Security Policy (on protecting lifecycle of CJI) 5 Vendor solution documents (Palo Alto, Zscaler, VMware) that describe remote‑site segmentation and SASE/SD‑WAN patterns
Need a partner for this work? Explore Datapath’s managed IT services or contact our team.