Video: Building the foundation for Coffee Shop Networking | Duration: 1876s | Summary: Building the foundation for Coffee Shop Networking | Chapters: Coffee Shop Networking Introduction (36.61s), Reimagining Office Infrastructure (133.729996s), Enterprise Network Complexity (351.29s), Network Security Complexity (566.955s), Coffee Shop Networking (781.785s), Cloudflare Network Benefits (1262.995s), Q&A and Conclusion (1673.5349s)
Transcript for "Building the foundation for Coffee Shop Networking":
Good morning. My name is Brian Tokuyoshi. I am the director of product marketing for network services at Cloudflare, and today we're going to walk you through building the foundation for coffee shop networking. It's an exciting topic, and there are a lot of nuances to what's happening with coffee shop networking. Talking through this, understanding the dynamics of why it's occurring and how organizations can address it, and looking at some practical steps organizations can take to adopt these concepts is what we're going to cover today.

I think it's important to understand some of these concepts, because coffee shop networking is really less about product and more about a philosophy. In many ways it's like how organizations have adopted zero trust: there aren't products that you specifically purchase for zero trust. It's a philosophy that you adopt. Coffee shop networking is much the same way. The philosophy of coffee shop networking stems from some of the lessons of the pandemic, meaning that organizations were faced with idle resources such as empty offices and networks that weren't being used. These were things that organizations needed to pay for. They had them on the books, but they weren't using them because there was nobody in the office at the time. What happened was that as organizations rapidly tried to pivot to users that were going to be working remotely, they started to adopt applications that were no longer in the office as well. And as they started to take these steps towards rebuilding their IT infrastructure, they started to think: wouldn't it make a lot more sense if we optimized for agility?
Being able to rapidly adapt, rather than having to deal with all these resources which may have been operating in an optimal configuration when users were in the office but were suboptimal when users were located in different locations. That meant that organizations were re-examining their network architecture: how it was built, how their data centers were constructed, where their networking resources got built and deployed, and where the security implementations got inserted into the network traffic flows.

But underlying all of these philosophies behind how organizations have been switching to hybrid work as the primary way they do business, they've actually started to look at a secondary effect. We can address the IT portion of what we're doing with our resources, but what about the people portion? If you're now making it so that people can work at any location they need to be, do you need to have them assigned to a desk? Does a person normally have a single office or desk that they work from, or is it more like a hotel, where you go to your office and check in for a desk for the day? If you think about it, when you're using a hybrid work model, you don't have 100% of your people at the office at any given time. Could you then further optimize how you built your networking and your office space resources so that people could use desks in a fungible manner? They could use any desk that was assigned to them at any given time.
The networking resources needed to support that started to become a lot different as well, because instead of thinking of users getting into the trusted network, wasn't it more likely that they could treat this like doing your networking from a coffee shop? What I mean by that is that when you go to a coffee shop, you connect to a network that is not trusted, and you are still able to get your work done even though you're working alongside other people that are not part of your company. In the coffee shop networking style, it's a casual relationship between you and the coffee shop: you're not formally enrolled in any type of program before you're allowed to use the network. You typically are given the network password and sign on. This makes it so that you could now treat your users operating from an untrusted network in a similar manner, and you could borrow that paradigm and apply it to your office.

Why wouldn't you also take further steps to start taking the complexity out of your enterprise network, so that it doesn't have to be as complicated as it currently is? Couldn't you borrow some of these ideas and concepts and apply them to the enterprise network? The thing is that the enterprise network is extraordinarily complicated because, in effect, it's built around a trusted network, the network behind the firewall, and the untrusted network, which is everything outside of the firewall. But if you think about the landscape we're now dealing with, a lot of these users are outside of the firewall as well. And a lot of the applications are outside of the firewall as well, when you think about the effects of cloud and SaaS. With resources being outside of this trusted network, what role does the trusted network play anymore?
The thing is that building out a trusted network is extraordinarily complicated, it's extraordinarily expensive, and it's something that you as the IT organization need to operate and run on your own. With that, organizations have been building out stacks and stacks of network equipment to support their internal trusted network, building stacks of equipment to make sure that only the right users are allowed into the network, and building all of these controls and complex network constructs such as VLANs and so forth so that you can segment out what is trusted and what is less trusted, or degrees of trust. And that made it so that the trusted network is really a source of security problems, because anything that you misconfigure, anything that might not be set up exactly right, a policy that changes, or a piece of equipment that's changing, changes the dynamics entirely about what could happen in the case of lateral movement. One misconfigured policy can make it so that someone that is not supposed to be allowed to do something is allowed to do something, by virtue of not being able to see the consequences.

Now, the way that networks are built out: organizations have typically been building out three-tier networks, then starting to deploy firewalls and security appliances and supporting network equipment. They built out these network racks with multiple different functions to put functionality in the network path, and then relied on different vendors to build these components out. These different vendors are all performing specific functions.
Not saying that they're not necessary, but these functions, inserted one after another, required management of different appliances, and these appliances typically required even more equipment to manage them: to get to the administrative interface through the KVM, to support the power needs, to support the ability for these devices to fail over to a secondary device or, in some cases, fail open should they disrupt traffic. All of this meant that organizations needed to insert network equipment in every place that they had, at a minimum, egress. And the problem is that organizations are now starting to look at how this is replicated over and over again. With organizations optimizing traffic to the cloud, they had to build these network racks in every single place that they had egress, which meant that every single branch needed a set of firewalls and corresponding sets of full-stack security appliances and so forth. Overall, this proliferation of network equipment became more and more problematic over time, and managing it becomes more and more problematic over time.

Even on a small scale, such as a regional deployment of multiple branches requiring this stack of hardware, every single egress point is a potential security problem, and everything connecting between these sites is presumed to be trusted. All of this created scenarios where you could have ended up having to manage full stacks of appliances in multiple locations, and that's just the steady state of things. When you need to expand, you need to get the stack replicated out to your next branch. When your IT department needs to implement a policy change, you have to push a change out to all of these appliances and hope that they all commit.
If they don't commit, how do you roll back the policy in one location without affecting the others, or do you roll back all of them at the same time? All of these are great administrative headaches, because building this out at scale, with the infrastructure it requires to operate it, is the genesis of how and why organizations have found so much complexity. It's been presumed that there were additional ways that you could address security, and they all have their acronyms. How do I address security for cloud applications? Maybe I insert a CASB, for example, for SaaS. How do I insert traffic inspection for organizations that are going direct to Internet without having to go through the enterprise firewall? Well, there's the SWG, or secure web gateway. How do I address organizations that are looking to deploy connectivity over the Internet? They might introduce SD-WAN appliances at each branch. So what had been intended to solve complexity has actually made it a lot worse, because all of these appliances that you are using in your network, complemented with all of these services that you see in the red boxes, have made it so that organizations have now seen a proliferation of both on-prem appliances as well as cloud-based equivalents for security. That makes these all breach scenarios, where now you're starting to face: what can I do to make this better? What can I do to start taking this complexity away, because now I have made my problem, which I thought I was trying to help, much, much worse?

Well, the path to coffee shop networking is philosophically based on how we make the enterprise network as simple as the coffee shop network. I think one of the underlying premises is: how could you treat your enterprise network as just as untrusted, or not dependent upon trust, as the coffee shop?
In the thought experiment, if you were designing your network so that it was purely designed for connectivity, so that all you needed to do is establish a connection to the Internet, and you could deploy the security services so that they were not dependent upon on-prem appliances, couldn't you then take out a lot of the appliances that were already there? Instead of having this full stack of appliances required at every single location where you had users and every single location where you had egress, couldn't you make a simpler model where the endpoint, for example, is used by the user to connect securely to applications without relying on the network being secure? Or if your office is located in a remote location, couldn't the branch use a lightweight device to connect to a cloud-based service so that it can do secure connectivity without having to depend on setting up a private network to reach from location to location? By taking trust out of the equation, couldn't you start to eliminate layers and layers of enforcement, all the appliances that were put in place to establish trust, which is never a good construct in the first place? With zero trust, if I can make it so that I treat everything as equally untrusted, make my network purely focused on connectivity, and enforce the security from a central location, then I'll be in a much better place. That's really at the heart of what coffee shop networking is all about.

With coffee shop networking, it's based on how I can establish a light branch, rather than a full stack of appliances, at each location. I use a heavy cloud, meaning that I use the cloud for the delivery of my connectivity and the delivery of network services. And then I use concepts based in zero trust to establish connections between users and the applications and resources that they need.
This is all based on combining concepts from SASE, the secure access service edge, but it builds on top of that, because you also need to think about how to establish connectivity for all these sites with a global private backbone that connects the sites located in the cloud, and use consolidated management to bring all of these concepts together. Now, to start thinking about how this all fits together, this is based on the Cloudflare connectivity cloud. Instead of using the concept of a firewall to establish a trusted and untrusted zone, make it so that Cloudflare itself is the way that you establish connectivity between your disparate locations, because Cloudflare exists in all the places where you are possibly doing business today and all the places where you're possibly doing business tomorrow. So Cloudflare establishes the secure access service edge, the private backbone, and the centralized management to make coffee shop networking possible. How?

First off, I wanted to introduce the concept that Cloudflare makes it so that you can connect, protect, and build by bringing everything that you do from all the places where your users exist to every place where your applications are located, and makes it so that you can think of a connectivity cloud not as a destination, but as the way that you take traffic from one location to another. Using the connectivity cloud as that concept is the way that we can start to apply the path to get to coffee shop networking. Coffee shop networking, to me, is built on the concept of how you build network as a service and zero trust, combine those concepts together for a secure access service edge, and then build those out on top of consolidated management and a global network to get to coffee shop networking.
Now, I know there are a lot of things we're going to cover in a very short period of time, but let's walk through them one at a time. The first one is network as a service. Network as a service is the way that you can conceptually take your existing networking and apply service-based delivery, so that organizations no longer need to use MPLS, private network transports, or SD-WAN, which are single functions for doing transport, but instead integrate them over a cloud-based service so that network as a service can be delivered to address what had not been resolved with MPLS. For example, in the traditional network, MPLS is used as the way to connect branches to a central organization's firewall for egress. Hub and spoke is the model for MPLS, but as everybody knows, MPLS is not particularly fast, it's not particularly cost effective, and it takes a lot of time to set up. Organizations with users in retail branch locations frequently need access to applications. These applications used to be in the data center, but increasingly they need applications that are on the Internet and in SaaS, and thus MPLS does not provide an ideal way to access those applications, because sending the traffic out to egress over a possibly distant firewall is not ideal. Organizations need some blend of being able to take the traffic and optimize for direct to Internet as well.
Using Cloudflare, you can use Magic WAN as the way that organizations can now establish a connection from an office to Cloudflare, to any of the 330 cities where Cloudflare has a data center, and have connectivity whether you're going to SaaS applications, Internet applications, or your internal data center. This connectivity, which had traditionally been dependent upon hub and spoke through MPLS, can now be addressed through an Internet-based transport for lower cost, using Cloudflare to take the traffic to a nearby data center for transport across our network. Organizations can now use Cloudflare as an extension of their network: Cloudflare establishes the connectivity that you need from location to location, the security enforcement of which applications users access, and access to any type of application without being constrained in the ways that MPLS has done. In a similar vein, first-generation SD-WAN faced many of the same problems, with security being a separate construct from the networking. With Cloudflare, networking and security are both delivered through the Cloudflare network, through the Cloudflare connectivity cloud, making Magic WAN the way that you can replace on-prem appliances with a single lightweight device that can establish connectivity to Cloudflare. That's what Magic WAN is all about, and that's one step organizations could take to reduce the hardware footprint at branch locations.

The second concept that I wanted to talk about is using zero trust as the way for users, who may be in any location, to get access to your applications. In the traditional VPN model, VPN had been optimized for taking remote users to the traffic in a data center.
It makes sense, because you have the VPN concentrator near your data center, and that was the destination of the application. What doesn't make sense is when you have applications that are not in the data center, applications in the cloud and in SaaS, and people are using that firewall as the way to establish security for access to the Internet. VPN creates a backhaul problem now, where you're taking the traffic to where the security is located no matter where the user is located, and thus creating a latency overhead for everything that the user is doing when they're not working on-prem. The solution for this is to replace VPN with ZTNA, zero trust network access. VPN puts users onto a network. With zero trust, no inbound traffic is allowed into your applications. What you're doing is establishing a connection between users and the resources that they need, brokered through Cloudflare, so that you can get users to the specific application that they need: users connect to applications rather than users connecting to networks. Users can connect from any of Cloudflare's 830 cities. That makes it so that users, no matter where they're located, now have the optimal path to get to any of the resources they need, whether they're going to the cloud, a SaaS application, the Internet, or the private data center. It makes it so that the application resource becomes irrelevant, but with the precision that I can establish criteria for which users and which conditions are allowed access without depending on the network itself to establish that trust.
The third aspect of what I think coffee shop networking requires builds on the concepts of network as a service and zero trust network access, and on using the model of secure access service edge that brings those together. Well, not every secure access service edge is the same. In fact, if you look at how secure access service edge has been implemented over the years, there have been a lot of questions about what makes one secure access service edge different from another. I think it's important to consider whether or not you have consolidated management and whether or not you have that global network, because the ability to do all these functions that we just discussed for networking purposes requires these as additional components. If you have a secure access service edge that doesn't have consolidated management or does not have a global network, you're now faced with a problem of where this consolidation exists. If I have, let's say, a dual-vendor scenario with multiple concepts of how the SASE is constructed, maybe I don't have the optimal reduction of complexity that I'm looking for in coffee shop networking. With Cloudflare, the way that we've built our network is that we have 303 cities where we have data centers, all delivering local services in the data plane, meaning that it provides service in each of those locations. It's not dependent on sending the traffic to a different location. All of these sites are connected through a global backbone, so that you can use these sites to facilitate the transport of traffic from one location to the other, either through the global backbone or through one of our interconnects. So our widely connected network will get your traffic to the right location.
Using centralized enforcement at a control point to make sure that services are delivered in each location, with centralized management, centralized reporting and analytics, the ability to take threat intel into the application of AI enforcement, and then take your traffic to the proper location with route optimizations, whether it is a direct interconnect, one of our open peers, or through the Internet exchanges to the 13,000 adjacent networks that we're connected to. That's really at the heart of what the Cloudflare network is all about. So you can see that, in effect, what Cloudflare does is establish the way to take complexity out of your network by delivering services through ours. Instead of having to deploy and use appliances to get the functionality or the connectivity you need, you use Cloudflare to establish how, where, and with what security a particular resource, office, or user connects to any given location. That makes it so that you can use Cloudflare's network as an extension of yours, and that's really the key for how you actually build out coffee shop networking.

I do have time for a question or two. If there are any questions from the audience, please submit your questions to the Q&A. If you want to learn more about any of the concepts that I just discussed, go to the Docs tab, and there's a modernized enterprise networks page for you to click that will explain all of these concepts in much more depth. But if you have questions right now, I have time for a question or two.

I have a question about which Gartner reports talk about coffee shop networking. I mentioned that coffee shop networking is a concept that emerged from the Gartner group, but the initial way that the concept was introduced is through a report called "Is SD-WAN Dead?".
That was the first time that they introduced the concept of what coffee shop networking means, but you can now read about it in the Hype Cycle, and you can now get more definition about how it actually applies and its relationship to SASE in the Critical Capabilities for SASE Platforms. That is a report that provides much more detail about the other requirements for coffee shop networking and how it applies to the particular ways that organizations can adopt it.

Let's see, I have another question here. What are the options for connecting offices to Cloudflare? Great question. I mentioned the light edge concept of connecting to a heavy cloud. The primary way that you can do that is using a lightweight device we call the Magic WAN Connector, which is a hardware appliance whose sole function is connecting and establishing connectivity to a Cloudflare data center. This is an on-prem device that makes it so that instead of all those complex on-prem devices that you normally have at your branch location, you can use this lightweight Magic WAN Connector to connect your office to a Cloudflare data center, and then use the Cloudflare data center to deliver services such as firewall, policy enforcement, and gateway, and establish connectivity through zero trust. All of those are delivered through the Cloudflare network, so you don't actually have to deploy appliances there. Now, if you don't want that, there are other options, whether you just take a firewall and connect it directly to Cloudflare by establishing a tunnel from your existing on-prem device, or you can use a virtualized Magic WAN Connector as well. So that's coffee shop networking, and I know that we're out of time. Thank you for attending this session. It was a great discussion.
I appreciate all the questions that we had today, and look forward to more about what we're doing with coffee shop networking. Thank you for attending today.