One security policy for office and remote staff
One security policy for office and remote staff
Last updated: 9 July 2026
One security policy for office and remote staff sounds like something every company already has. Most do not. We have seen this same gap at more than one NBFC audit this year: the office network runs one ruleset, and the laptop that leaves the building every evening runs something close to nothing at all.
09:14 AM: the question the auditor would not let go
The conference room in Coimbatore had a co-lending bank’s vendor risk team on one side of the table and a 190-person NBFC’s IT lead on the other. The NBFC writes vehicle and MSME loans through 74 field officers who spend most of a working week at dealerships, client offices, and home, not at the head branch. One question sat unanswered for eleven minutes by the wall clock: “Show me the content filtering and DLP log for a laptop that has not touched this building in six weeks.”
The IT lead pulled up the office firewall dashboard first, out of habit. Clean logs, tidy policy hits, nothing unusual. Then the risk officer asked the same question about a specific loan officer’s laptop, the one that had been in Erode and Tirupur for most of the quarter. There was nothing to pull up. That laptop had a VPN client for the loan origination system and, for everything else, an ordinary internet connection with none of the office’s rules applied to it.
Why office and remote end up on two different rulesets
This is not carelessness. It is how most VPNs get built. The office sits behind a unified threat management box that filters web content, scans downloads, and watches for data leaving through email or upload forms. Every packet passes through it because there is nowhere else for the packet to go.
A remote laptop on a split-tunnel VPN is different by design. Traffic bound for the loan system goes through the tunnel and hits the office rules. Traffic bound for everywhere else, a personal email account, a file-sharing link, a browser extension nobody vetted, goes straight to the internet. Nobody chose this as a security posture. It is what happens when a VPN gets configured for access speed and application reachability, and policy enforcement is never part of that conversation.
One security policy for office and remote staff, on one console
A cloud-delivered SASE platform removes the fork in the road. Cato Networks runs the inspection engine, secure web gateway, next-gen firewall rules, and DLP checks at points of presence spread across the world, not inside a single box in one office. A user in the head branch connects through a Cato Socket appliance. A field officer’s laptop connects through the same platform via a lightweight client. Both hit the identical policy object, because there is only one policy object, defined once and pushed everywhere.
The administrative gain is less about elegance and more about not forgetting something. Two rulesets drift apart the moment nobody is watching, because one gets a new exception added in a hurry and the other does not. NIST’s Zero Trust Architecture guidance (SP 800-207) makes the same point in policy language: a security boundary that depends on where a device happens to be sitting is not really a boundary, it is a coincidence.
| Aspect | Office firewall only | Split-tunnel VPN | Cato single policy |
|---|---|---|---|
| Where policy is enforced | On-prem box, office traffic only | Only for tunnelled apps | Nearest cloud PoP, every user |
| General browsing, remote staff | Not covered | Unfiltered, uninspected | Same filtering as the office |
| DLP coverage | Office devices only | Rarely extended to remote | Applied to every connection |
| Audit evidence for one policy | Cannot produce it | Cannot produce it | Single export, all users |
| Keeping rules in sync | Manual, single location | Two rulesets to maintain | One definition, no drift |
Talk to us about closing your office-to-remote policy gap
The part that made me nervous
I assumed the field officers would hate this. Erode and Tirupur do not have office-grade broadband. My first draft of the rollout plan proposed a lighter inspection depth for remote connections, half the ruleset, to protect latency on patchy mobile data. That assumption did not survive contact with two test users.
Inspection at the nearest PoP added under 15 milliseconds to page loads for the two field officers we piloted it with, measured against their existing VPN baseline over one working week. The bottleneck had never been the policy engine. It was the same mobile network congestion they already lived with every day. Full parity, not a diluted version, went out to all 74 field officers over the following six weeks: head branch and two regional offices first, travelling loan officers next, and the two outsourced collection agents on browser-based clientless access last, since their laptops were never going to get a managed client installed on them.
What the next audit looked like
The co-lending bank’s team came back roughly five months later for the annual review. Same question, different answer. The IT lead exported one policy report from the Cato console and it covered head office, branches, and every field laptop with the identical ruleset applied, timestamped, no manual reconciliation required. The meeting that had run three follow-up calls the previous year closed in one sitting.
One addition came out of that cycle that is worth naming honestly: a web-and-app policy match is not the same as knowing whether a specific customer file left through a personal email account. For that layer, the NBFC added Secure Data Guard’s endpoint DLP module on top of the Cato policy, watching file-level movement rather than just traffic rules. The two are complementary, not a substitute for each other, and a lender handling loan applicant KYC data under DPDP needs both questions answered, not just one.
Key takeaways
- If your office firewall enforces content filtering and DLP but your VPN is split-tunnel, remote staff are almost certainly running with a lighter policy than the office, whether anyone decided that on purpose or not.
- An auditor asking for policy evidence “regardless of location” is asking a question most split-tunnel VPN setups cannot answer with a single report.
- A cloud-delivered SASE platform enforces one policy definition at the nearest point of presence, so office and remote users see the same ruleset without a second box to maintain.
- Test latency before assuming remote users need a lighter policy. The nearest-PoP model usually removes the tradeoff, not just shrinks it.
- Endpoint DLP and network policy answer different audit questions. Lenders and anyone holding DPDP-covered personal data need both.
Frequently asked questions
Do we need to replace our VPN completely to get one policy for office and remote staff?
No. Legacy on-prem systems that cannot speak modern identity protocols can stay behind a VPN while everything else, browsing, SaaS apps, remote desktop sessions, moves to the unified policy layer.
Will remote employees notice a difference once the same content filtering applies to them?
Most notice nothing, because the inspection happens at a nearby cloud point of presence instead of being backhauled to a head office data centre. The two field officers in our pilot saw under 15 milliseconds of added latency.
How does this help with a DPDP or lender vendor security audit specifically?
It gives you a single policy export that applies to every user regardless of location, instead of two separate rulesets and no clean way to prove they match. That single artefact is what most vendor risk teams and CERT-In incident-reporting timelines actually ask for.
What does unifying office and remote policy typically cost for an Indian mid-size company?
It depends on user count and how many applications sit behind the policy. A single-vendor SASE platform that folds SD-WAN, firewall, and access policy into one console usually costs less than running a separate firewall, a VPN concentrator, and a standalone policy tool with three support contracts.
How long does a rollout like this realistically take?
The Coimbatore NBFC took about six weeks for all 74 field officers, moving branch by branch and role by role rather than switching everyone over on one date. A smaller field force can move faster; a larger, more distributed one should plan for longer.
The gap between office and remote policy rarely shows up until someone asks the right question in a room like that Coimbatore conference room. Cato Networks SASE in India is the platform we use to put one policy definition in front of every user, in the office or three states away, without a second box to keep in sync.
Related reading: what SASE actually means for an Indian business buyer, why the VPN keeps falling over and what ZTNA fixes, and moving to SASE without downtime: a phased cutover.
Book a discovery call before your next vendor audit
Free policy-gap review, no card and no contract. We have done this for 200+ Indian businesses. Reach us on WhatsApp at +91 91375 93228 during 10 to 7 IST if you would rather just ask a question first.
P.S. Priya here. The number that stayed with me from that Coimbatore meeting was not the eleven minutes of silence. It was that nobody in that room had ever been dishonest about the gap, they had simply never been asked to prove it before. Amber alerts like that one are worth listening to before an auditor finds them for you.







