# Examining the Coffee Shop Model and SASE

By [Noah Williams](https://www.paloaltonetworks.com/blog/author/noah-williams/?ts=markdown "Posts by Noah Williams"), Jun 11, 2025

Ahh the coffee shop: the aroma of freshly roasted coffee, friendly baristas who know your name and a third place to catch up with friends and colleagues. Now, with zero trust architectures, coffee shops are a place for remote workers to get things done without compromising on security.

CIOs and CISOs often wonder why they can't build their offices like coffee shops to help reduce spending. The general perception is that the coffee shop model only provides minimal networking services, often perceived as enough for small remote locations. Additionally, this model forces all network users to be treated as untrusted guests, eliminating any implicit trust gained by being on the network, a net security benefit. Employees access company resources securely through their remote access solution, just as they would from their home office. At the branch, all that is required is an authenticated Wi-Fi service and a terms and conditions splash page.

# Spilling the Beans: Three Coffee Shop Network Model Shortcomings

The coffee shop model's perceived cost savings are alluring to CIOs and CISOs, but the viability of this approach quickly falls apart upon further inspection. Here are three ways the coffee shop network model falls short.

## 1. You still need a reliable and segmented network.

Shared office workspaces aside, every enterprise-managed location requires a network footprint---including [SD-WAN](https://www.paloaltonetworks.com/cyberpedia/what-is-sd-wan), a firewall, router, switch and Wi-Fi access points---to provide reliable connectivity to branch users and devices. The edge network appliance terminates one or more WAN connections and provides isolation between network segments. Even our smallest customers operating userless locations, such as ATM locations, maintain these requirements. With the coffee shop model, enterprise-level network requirements are too often ignored, and everything is treated like a home office or someone else's guest Wi-Fi: uncontrolled, unrestricted and unreliable.

## 2. You lose application visibility and traffic prioritization.

When moving to a coffee shop model, clients now build tunnels---including IPsec, SSL and DTLS---to the [security service edge (SSE)](https://www.paloaltonetworks.com/cyberpedia/what-is-security-service-edge-sse) to provide secure access to internal apps, SaaS apps and web browsing destinations. These tunnels obfuscate the underlying application, restricting the network edge's ability to provide effective application prioritization, connectivity and performance guarantees. The network is unable to differentiate low-priority traffic, like OS updates, backups and social media, from critical revenue-generating traffic, like ERP data, point-of-sale system transactions, and your executive team's critical Zoom calls. In any enterprise, traffic types have differing business priorities, and your network design needs to reflect these priorities to ensure business continuity.

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/05/word-image-340145-1.png)

*Figure 1: Client SSE tunnels obfuscate applications from the network.*

## 3. Your IoT devices are incompatible with the coffee shop model.

IoT devices are pervasive across all enterprise-managed locations; security cameras, printers, badge readers and room sensors are needed even in the smallest of workspaces. Most IoT devices do not support SSE clients or proxy configurations, making them incompatible with the coffee shop model. Traditionally, IoT devices are segmented in isolated VLANs and their traffic is tunneled to the closest data center firewall, a traffic pattern that requires enterprise infrastructure to support.

# Applying Coffee Shop Learnings to Design a Zero Trust Branch with SASE (SD-WAN + SSE)

When designing a zero-trust branch with learnings from the coffee shop model, the primary underlying goals are to reduce costs and risk.
An evolved branch model and [SASE](https://www.paloaltonetworks.com/cyberpedia/what-is-sase) can achieve these goals.

Traditional network designs stop at 802.1X/NAC authentication and do not provide the level of security required by today's enterprises. Instead, zero-trust security controls must be installed between users' communication and internal and external applications. From there, continuous security inspection and continuous trust verification, including IoT protections, must be applied to minimize risks without adding complexity. For most organizations, the solution is to adopt [SASE](https://www.paloaltonetworks.com/sase) as part of their zero-trust architecture, helping to reduce costs and eliminating implicit trust.

The following are three design recommendations for modernizing your branch with SD-WAN and SASE.

## 1. Adopt SD-WAN and the thin branch model.

When deployed at the network edge, SD-WAN provides network resiliency across multiple WAN connections, autonomous connections to multiple SSE points of presence, and network and application segmentation between VLANs. Prisma SD-WAN's built-in zero touch provisioning makes your network easy to manage, regardless of whether you have ten sites or thousands of sites.

Prisma SD-WAN enables enterprises to minimize their branch hardware footprint and simultaneously accelerate deployment with zero touch provisioning, increase visibility with [analytic dashboards](https://docs.paloaltonetworks.com/prisma-sd-wan/administration/get-started-with-prisma-sd-wan/prisma-sd-wan-dashboard), and streamline operations with [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem). Full transparency of operation down to the application flow eliminates guesswork and fuels operational AI use cases with rich structured data. SD-WAN programmatically improves resilience, streamlines operations and provides consistent security.

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/05/word-image-340145-2.png)

*Figure 2: The Zero Trust Branch with Prisma SASE.*

## 2. When on-premises, eliminate SSE client tunnels to maximize application resiliency while maintaining zero-trust client protections.

When clients are on-site, connectivity to the SSE layer is best handled by the SD-WAN and network layer, which has full control and visibility across all WAN connections. Clients can easily determine when they are connected to a trusted network using [internal host detection](https://docs.paloaltonetworks.com/globalprotect/6-1/globalprotect-app-new-features/new-features-released-in-gp-app/advanced-internal-host-detection), which enables user-ID authorization and continuous trust verification. Because the branch leverages SASE, [Prisma Access](https://www.paloaltonetworks.com/sase/access) provides identity-based continuous security inspection.

The network layer now has application visibility, so application SLAs are applied on all paths to maximize uptime and provide autonomous resilience to brownouts. [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan) application SLAs identify, prioritize and monitor all applications to help ensure client-to-server application connectivity and performance. [Prisma SASE App Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration) reduces application latency and increases performance by up to five times, improving user experience.

## 3. Leverage SSE to secure ALL branch traffic, including headless IoT.

Given the inherent security risks associated with IoT, protections are applied in two steps. First, headless IoT devices are isolated into their own VLANs based on device type and risk profile.
Second, IoT traffic is routed through Prisma Access, where it can be further secured. IoT devices are inventoried, posture checked, and assessed for risk against device-specific CVEs using the [Enterprise IoT subscription](https://www.paloaltonetworks.com/network-security/enterprise-device-security) and [additional telemetry from Prisma SD-WAN](https://docs.paloaltonetworks.com/prisma-sd-wan/administration/prisma-sd-wan-sites-and-devices/set-up-sites/enable-device-iot-visibility). IoT traffic is continuously inspected for noncompliant behavior with device-specific behavioral analysis. Bidirectional traffic flows of all types are secured using the zero trust policy in Prisma Access that uses User-ID, App-ID and Device-ID constructs.

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/05/word-image-340145-3.png)

*Figure 3: Identify IoT vulnerabilities and block threats with integrated Internet of Things (IoT) security.*

# Build Your Office as a Zero Trust Branch, Not a Coffee Shop

Conceptually, the coffee shop model is alluring, but does not meet enterprise standards for even the smallest of branches. Security, business continuity and supportability remain critical needs, and these needs can be met at scale through proven solutions. Adopting a zero-trust branch architecture using [Prisma SASE](https://www.paloaltonetworks.com/sase) offers organizations a cost-effective, secure and future-proof solution to branch modernization without the pitfalls and oversights of a coffee shop design.

As I finish this blog post, I'm working in a coffee shop where the espresso machine is deafening, my table is uncomfortable to sit at for more than 15 minutes, and the constant stream of customers offers little privacy. Also, my guest Wi-Fi connection has been unreliable at best. Maybe coffee shops aren't the best place to get work done after all?

[Contact us](https://start.paloaltonetworks.com/sase-contact-us.html) today to learn more.