For the better part of a decade, enterprise IT leaders have managed two distinct realities. We built “fortresses” for our offices — secured by firewalls, rigid virtual LANs (VLANs), and expensive MPLS circuits. Simultaneously, we built “tunnels” for our remote workforce — secured by VPNs and, more recently, zero trust network access (ZTNA) solutions.
While these parallel initiatives delivered value, they have resulted in a fragmented reality. The network experience for a remote user is fundamentally different from the experience of someone working in the office. This creates operational drag for our teams and an inconsistent security posture for the organization.
It is time to merge these streams. It is time to stop managing our branch offices like data centers and start managing them like coffee shops.
Gartner coined the term “coffee shop networking” to describe this shift. The premise is deceptively simple: Give your entire workforce a simple, fast connection to the Internet, with secure access to all the applications they need — whether they are at home, in a branch office, or working from their neighborhood cafe.
This approach abandons the obsolete concept of the trusted LAN; instead, we can use the public Internet as our primary corporate WAN, significantly reducing infrastructure costs while actually improving security.
Despite its apparent simplicity, implementing coffee shop networking does require some planning. Following a strategic roadmap helps executives simplify their network architecture and deliver a consistent, “Internet-first” employee experience.
Traditionally, branch security relied on a stack of local appliances: network access control (NAC) solutions for authentication, VLANs for segmentation, and network firewalls to enforce authorization. This “box-by-box” management model is unsustainable at scale. It requires local expertise and frequent truck rolls for updates. It also creates a brittle environment where a user’s location dictates their security policy.
The coffee shop model asks a fundamental question: How can you secure connectivity for all users — without being dependent on the security of the network itself?
Enter secure access service edge (SASE), a cloud-based architecture that unifies software-defined networking and security services. One of the core elements of a SASE platform is ZTNA, which treats every user, device, and location as untrusted by default. If ZTNA provides superior, granular, identity-based control for remote users, why do we disable it the moment they walk into the office? By keeping ZTNA “always on,” the office network becomes a dumb pipe — a transport layer indistinguishable from a Starbucks or an airport lounge.
Modernizing network access using SASE with ZTNA — along with other network-as-a-service (NaaS) capabilities and mesh networking — can deliver some important and immediate benefits, including:
Simplicity: Employees no longer have to toggle VPNs: The experience is identical everywhere.
Agility: New branch sites can be spun up with basic broadband rather than waiting months for private circuits.
Cost savings: Organizations can shed the capital expenditures of heavy branch hardware and the operating expense of MPLS.
Historically, “more security” has meant more friction for the end user. The coffee shop model flips this dynamic. By treating the office network as an untrusted transport layer, we paradoxically create a smoother, more consistent workflow for employees.
In a traditional setup, a user’s experience fluctuates wildly. In the office, they are on a trusted LAN with direct access; at home, they struggle with VPN toggles and backhauled traffic latency. In the coffee shop model, a zero trust agent creates a uniform layer of connectivity. The agent is always on, transparently handling authentication and routing in the background.
This yields two immediate experience dividends:
Performance equity: Whether a user is at headquarters or a hotel, their traffic takes the most direct path to the application via the global backbone, rather than being hairpin-routed through a central data center.
Proactive support: Because the security and networking stack is unified on the device, IT teams gain visibility into the user's actual digital experience. Those teams can distinguish a slow device from a poor local WiFi connection or an application outage — often fixing issues before the user can open a ticket.
So, how do you get started? A three-phased approach can streamline implementation.
The first step in this transformation is decoupling secure communications from potentially untrustworthy public networks. We must use cloud-delivered infrastructure — ZTNA — to broker secure user access to private applications and infrastructure targets in any location. Instead of placing endpoints (like a VPN or firewall) “on” the network, ZTNA gives your workforce the precise level of access needed to perform their work — and nothing more.
For unmanaged devices — such as third-party contractors or bring-your-own-device (BYOD) scenarios — where agents aren't practical, we can leverage agentless ZTNA. By using reverse proxies and browser isolation, we enforce context-based controls (like location or time of day) without touching the device.
Once the user is secured by the agent, the branch network itself can be radically simplified. The goal is to move from a heavy, hardware-centric WAN to a “light-branch, heavy-cloud” model that represents the evolution of SD-WAN connectivity.
In this Internet-first architecture, the branch appliance performs only minimal tasks:
Basic path selection: Routing traffic over dual Internet links (fiber, 5G, or broadband) for resilience.
Tunneling: Encapsulating non-user traffic (from printers, IoT devices, or servers) via IPsec to the nearest security cloud node.
This allows us to treat the public Internet as the underlay for all connectivity: By routing all site-to-site traffic through a SASE platform instead of SD-WAN appliances or MPLS circuits, we extend the WAN using local Internet connections. The cloud handles performance optimization, routing, and security, while the local hardware becomes a simple commodity.
The primary objection to the coffee shop model is the reality of “headless” (non-user) devices — such as printers, WiFi access points, and other IoT/OT devices that cannot run a ZTNA agent. This is where the lightweight edge appliance proves its value. Instead of implementing complex local VLANs, we can use the WAN edge to isolate these devices into a non-ZTNA segment and tunnel their traffic to the cloud for filtering.
This allows us to flatten our LAN designs. We should aim for, at most, two segments: ZTNA devices (trusted users) and non-ZTNA devices (for IoT devices and guests). We stop managing local access control lists (ACLs) and shift all north-south filtering to the cloud policy engine.
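As an added illustration (not Cloudflare's code or product logic) of the identity-based brokering in the first phase above, the following Python contrasts a legacy “trusted LAN” rule, keyed on where traffic came from, with a location-independent decision that checks identity, device posture and the context controls (country, time of day) the agentless path relies on. The group names, application names and network labels are assumed placeholders.

```python
# Added example, not from the article: a toy access decision in the
# coffee shop model versus the legacy trusted-LAN model.
from dataclasses import dataclass


@dataclass
class Request:
    user: str
    groups: set            # identity groups from the IdP (assumed names)
    device_managed: bool   # ZTNA agent present and posture verified
    source_net: str        # "office-lan", "home", "cafe" (assumed labels)
    country: str
    local_hour: int        # 0-23, user's local time
    app: str


# Legacy model: a packet from the office LAN is trusted, everything else is not.
LEGACY_TRUSTED_NETS = {"office-lan"}


def legacy_allows(req):
    return req.source_net in LEGACY_TRUSTED_NETS


# Coffee shop model: per-application rules on identity, posture and context.
# Note that source_net is deliberately not an input to the decision.
APP_POLICY = {
    "erp": {"groups": {"finance"}, "require_managed": True},
    "contractor-portal": {"groups": {"contractors"}, "require_managed": False,
                          "countries": {"US", "GB"}, "hours": (8, 18)},
}


def ztna_decision(req):
    rule = APP_POLICY.get(req.app)
    if rule is None:
        return "deny: unknown app"          # default deny, no rule means no access
    if not req.groups & rule["groups"]:
        return "deny: identity"
    if rule["require_managed"] and not req.device_managed:
        return "deny: device posture"
    if "countries" in rule and req.country not in rule["countries"]:
        return "deny: location"
    if "hours" in rule:
        start, end = rule["hours"]
        if not start <= req.local_hour <= end:
            return "deny: time of day"
    return "allow"
```

The same decision is reached for a given user and device whether the request arrives from the office segment or a cafe, which is the property the “dumb pipe” office network depends on.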
While the coffee shop concept is vendor-agnostic, executing it requires a SASE platform that integrates network connectivity and zero trust security into a single control plane. This is where Cloudflare distinguishes itself.
Cloudflare One provides all the ingredients for coffee shop networking. It offers ZTNA, NaaS, a secure web gateway (SWG), firewall-as-a-service (FWaaS) capabilities, and digital experience monitoring (DEM) — all from a single, unified platform. It is built on a globally distributed, cloud-native architecture that runs all services on every server, ensuring high resiliency and consistent policy application.
The disjointed model of secure offices and insecure remote work is a relic of a perimeter-based past. Adopting a coffee shop networking architecture enables you to align your infrastructure with the realities of hybrid work. You can deliver a consistent, secure experience to users, wherever they are working, while avoiding the costs of legacy hardware.
The future of the corporate network isn't a fortress. It’s a global mesh of secure, Internet-native connections.
Daniel Creed
Field CISO, Cloudflare
After reading this article you will be able to understand:
Why organizations should avoid distinct networks for remote and in-office users
How “coffee shop networking” unifies experiences and simplifies operations
3 phases to streamline implementation of coffee shop networking