Cloudflare TV

ℹ️ Access, Browser Isolation and DLP to protect self-hosted apps

Presented by Noelle Gotthardt, Tim Obezuk, Kenny Johnson
Originally aired on 

Welcome to Cloudflare CIO Week 2023!

This CIO Week we’ll demonstrate how Cloudflare is helping CIOs keep data, devices and employees both safe and fast across hybrid and remote environments. We’ll show how Cloudflare accelerates digital transformation and modernizes networking and security towards a Zero Trust model.

In this episode, tune in for a conversation with Cloudflare's Noelle Gotthardt, Tim Obezuk, and Kenny Johnson.

Tune in all week for more news, announcements, and thought-provoking discussions!

Read the blog posts:

For more, don't miss the Cloudflare CIO Week Hub

CIO Week

Transcript (Beta)

Hello, and welcome back to Cloudflare TV and to CIO Week. We hope everyone has enjoyed all of the announcements so far, and we're excited to bring you even more today with talking about how two products will work together to solve more problems.

I'm Noelle, the product manager for data loss prevention, and I'm joined by Kenny, our product manager for access, and Tim, our product manager for browser isolation.

Today, we announce Cloudflare's best-in -class browser isolation technology to our industry-leading Zero Trust access control product.

So to kick us off, Tim, let's do a refresh on Zero Trust.

Yeah, thanks, Noelle. Hi, everyone. Let's talk about Zero Trust.

So for those who haven't heard much about it before, it's important to think of Zero Trust as a security architecture.

It's become a very large buzzword.

All sorts of businesses, including Cloudflare, have products called Zero Trust.

But fundamentally, it's a security architecture. And its goal is to move to a model where every single request and connection is encrypted, authenticated, and logged all the way through end-to-end.

And this architecture was born out of challenges with the legacy Kastle and Moat-style network, where users would authenticate once through the VPN.

And then once they're into the VPN, they're able to steer anywhere inside the network without their traffic being logged or inspected along the way.

And this has led to a number of security incidents for many businesses.

And Zero Trust is the answer to that by making sure that if a user goes to one application and then moves to another, that traffic is inspected and logged at every single point.

So what this typically means in practice for companies is it typically means implementing identity-aware proxies or identity-based framing clients that are integrated with a secure web gateway to ensure that regardless of where it's going, north, south, east, or west, that inspection occurs at every single step.

But the catch with it is deploying individual solutions makes it very hard to actually achieve a full end-to-end Zero Trust solution, because each daisy-chained service doesn't necessarily speak to the other box so that identity information and policies relating to identity aren't properly encrypted and tracked through every appliance.

So this is why at Cloudflare, we're working hard to build that end-to-end integrated solution with products like Kenny's Zero Trust Access product, which connects into identity providers to gather identity, and then being deeply integrated into browser isolation and DLP products, so that at every stage, you have that control and visibility over your traffic.


So let's talk a little bit about Cloudflare 1, which is the product line that we offer to help customers implement Zero Trust architecture.

So what do your products, Access and Browser Isolation, actually do to help implement Zero Trust?

And let's start with Kenny talking about Access.

Yeah, really excited to talk about Access.

And again, thank you for having me. Good to see everybody out there in the world watching Cloudflare TV.

So Access was actually born out of an internal need at Cloudflare.

We came to a realization that we needed to start working towards Zero Trust architecture that Tim outlined.

And one of the biggest steps towards achieving a Zero Trust architecture was sunsetting and deprecating our reliance of a VPN to access web-based tools, as well as tools over our internal network over things like SSH and RDP.

So we built Access to be an application-centric model of security or control over your applications that have an identity-driven component.

So what you're able to do is you can plug in your source of identity, your business, using a single sign-on provider or a social identity provider.

So that could be something like Azure AD or Okta, or something like GitHub, to be able to authenticate your users.

And then within Access, you're able to create policies at a very granular level down to the subdomain and path combination on your web properties to dictate which users should and should not be allowed access to those particular resources.

And the real magic behind that is that we're able to do that using what's called a reverse proxies.

So we sit in front of a given web property.

Let's say I have test.example .com, and I'm hosting a Jira server at that website.

Cloudflare is able to sit in between the user and the particular resource that's hosted at that particular subdomain hostname.

And Access is able to enforce whether or not that user has or has not authenticated already.

If they haven't authenticated, they're then served a login page.

If they have authenticated, they're let straight on through to the resource and they don't see a login page or anything like that.

So it all feels very seamless. And the other benefit is that the user doesn't have to install anything on their machine.

They're fully using the rails of the public Internet.

And there's nothing from a kind of old school perspective where you're having to route into a specific private subnet or anything like that.

It's all done over the public Internet, over Cloudflare's network.

And you get the other benefit of all of Cloudflare's additional security controls like DDoS, web application and firewall are also applied on top of the identity aware policies that you've crafted.

And with that, I'm really excited to turn it over to Tim to talk a little bit more about our browser isolation technology and then how that is actually getting paired in with our Access solution.

Yeah. Thank you, Kenny. So before we get into how we're connecting the Zero Trust Access into browser isolation, I just want to take a step back and talk about why we're isolating browsers in the first place.

And I think it's fairly fair to say that browsers have become the most ubiquitous desktop application that everyone uses all day every day.

And this wasn't always the case.

For a very long time, people were using bespoke desktop applications to access their corporate data.

But then sometime around 2007, they became really powerful when Google launched Chromium and the V8 runtime for very fast JavaScript execution.

And from what was at the time just really fast JavaScript, we saw this huge wave of browser based applications.

And this rapidly ate away at enterprise desktop applications.

And if you fast forward to today, we live in this world where we're now using browsers for everything.

We're accessing sensitive business data in internal applications and also in SaaS applications hosted by third parties.

But this move wasn't without any compromises. Before in the desktop world, we had a lot of control over how data was accessed.

But we traded it for losing control because in a web based environment, data can easily be, it's all too easy to scrape it or copy or print information, which could lead to it being exfiltrated from a web application.

And strangely, this is actually a reason we typically see virtual desktops deployed with the customers we're talking to because they need that way of isolating their web based applications from users that are connecting to it.

So in 2021, we launched browser isolation integrated with our secure web gateway and our roaming client.

And we did this to actually mitigate against how powerful and capable web browsers have become.

Just in 2022, we saw down nine zero dates that affected Chromium.

And this is a challenge because when you go to a website, you're immediately downloading untrusted code onto the user's device.

So browser isolation allows us to execute that code remotely in Cloudflare's network and not leave the user's device at risk from any malicious content on that site.

Now, what we found is when you're isolating a site, we're able to protect the user from any malware on that website.

But we're also able to control all interactions with the website they're accessing.

This means if it's a phishing website, we can prevent them inputting sensitive information.

Or if it's a legitimate business application, we're able to prevent inputs such as copying information or printing information.

And this is where the integration with access becomes really valuable since where we create a very transparent way of connecting users from any device to a isolated version of an internal tool and give administrators back control over their applications, regardless of how users are connecting to it.

And the technology we use for it is really cool.

Rather than being based on legacy pixel pushing style models, which is very common in virtual desktops, we actually leverage vector-based commands over the wire.

So this means rather than streaming bandwidth-heavy images to the user, we're streaming signals like draw a line, draw a squiggly shape, draw a few colors.

And this comes together into the final website and creates a very sharp image that performs very well for users, regardless of their bandwidth in their device or their screen size.

And by running a cloud-influenced network, the latency is so low that it just feels like using a local application.

Following that, so we originally launched with the roaming client and gateway model.

We then launched a clientless model, which does integrate with access.

There's an access on-ramp to using the remote browser.

And this is great because it allowed users to connect to any website using browser installation without installing any software on their device and also have that control over their data.

But there's still that missing link between the application authentication into the remote browser.

And that's what we're announcing today, is that deep integration between access, browser installation, and by extension, our DLP platform.

You took the words right out of my mouth there, Tim, was going to say.

So the next big question is going to be, how is our big announcement really going to tie into both browser isolation and access?

And how does it really tie into securing self-hosted applications, especially a huge concern for many of our customers?

So, Tim, since you gave the teaser, can you give us a walkthrough of what we're looking at?

Yeah. So what we've been hearing from countless conversations with our customers is a big challenge is protecting their data from misuse.

And a lot of the customers we're talking to are resorting to using expensive virtual desktops for their users.

This is quite a cumbersome solution to implement because it requires a very expensive infrastructure to deploy for what is quite a simple web-based application.

And it's a poor experience for end users as they need to first install a desktop client to connect to a virtual desktop, log into that, then open up the web browser inside the virtual desktop, and then log into the application a second time, which is very frustrating for end users.

It's also difficult for IT to connect into that wider security posture, since you then need to layer data loss prevention tools onto it in order to get that full end-to -end control over the data in the applications.

So we saw an opportunity here to combine the ease of use access, being able to just use your identity provider to log into any self-hosted application without using a VPN, and combine that into what we're doing with browser isolation to control how users can interact with data in those web apps.

So what we're announcing for our partnership is we are essentially making it so that you can go to an access app, log in a single time, and transparently see it into a remote browser.

The URL is exactly the same, so there's no special training. And if the user matches a policy, which has been marked as isolated, could be a subset of users or users on unpatched devices, that is sent into the isolation service for your given audience of users.

And it works just, it feels just like using any other normal access application.

There's no clients you need to install. You don't have to wait for anything to warm up.

They're just instantly connected to the application in the remote browser.

The other really cool part is, even though the remote browsers are hosted on Cloudflare's network, which we have about 270 around the world, this is really important for keeping the latency low and steering users to a very close remote browser.

You don't actually have to open your application to the Internet to benefit from this service.

You can use Cloudflare Tunnels to establish a private connection to Cloudflare without opening up any ports.

And that is natively integrated with the end-to-end solution, so traffic can go from the remote browser into your internal application without compromising any security.

The other valuable part, going back to what I mentioned in the beginning about delivering on the promise of Zero Trust, having every step integrated end-to-end, is because browser isolation is already integrated with our data loss prevention platform, all of those controls we have are still there.

So, Noelle, I'd love you to provide more detail on what we're doing in that space.

Yeah, yeah, thank you. So, to give a little bit of background on DLP and how it really ties into Zero Trust, which can be a common question I get.

So, we set that foundation of Zero Trust is, I'm going to validate every access attempt.

I'm going to make sure that identity is validated for every request that goes through.

But identity isn't just the only signal that a transaction should be happening.

The next level that can be is, you know, hey, maybe someone should have access to this application, but maybe the actual transaction that they're doing is something we also want to validate.

Are they really moving the data that we want them to move, and how do we ensure that?

And that's where data loss prevention comes in, is as those requests are going up and down, as customers are interacting with applications, uploading, downloading documents, we inspect that traffic and we look for indicators of sensitive data that the customer might not want to be in that traffic.

So, that can be anything from, you know, we have PII options pre-built in our application.

So, you can detect something like, you know, a national identifier, like a social security number or NSN number.

Or you can inspect for credit card numbers, other financial information, or you can build your own custom regex.

So, if you have something that's really unique to your company, or maybe something that's really industry specific, you can build your own detection for that.

So, then as that traffic goes up and down, you can inspect it and say, you know what, hey, this application isn't supposed to be hosting this type of information, you shouldn't be uploading it.

Or the inverse of, hey, this application is where this information is supposed to stay, and you shouldn't be downloading it.

So, that's a way that customers are really interested in protecting that data, making sure it doesn't go to the wrong place.

And a lot of times our customers will come to us and say, hey, I'm really interested, I really want to protect the data in this application.

But, you know, we have a contractor here, you know, like, we don't want to put, you know, it's his or her device, we don't want to deploy, you know, some client to it.

Is there any way you can provide data loss prevention without the client being deployed?

And this gives us an awesome way to do that. So, if the customer launches through access and launches in the browser, it'll onboard right to Cloudflare, and Cloudflare can provide those data loss prevention capabilities without having to deploy the client, which is a really awesome and flexible way to do it.

So, then as they get access to that application, you can still inspect the traffic, make sure that the requests that you want are going all the way through.

Tim, does that answer your question? Is there any more you want to build on top of that?

Yeah, I think that's a fantastic point. Just because a user can access an application doesn't mean that the data they're uploading to it necessarily makes sense to go into it.

And having that inspection within the access app is really powerful, especially for roaming or BYO device users or contractors who may be accessing the system.

So, there's so many use cases that having all three of these products deeply integrated together unlocks.

These are also some of the most sensitive applications that our customers are typically hosting and protecting.

It's things like internal wikis and code repositories and financial systems and things like that.

So, the ability to do clientless data loss prevention controls in these applications is really powerful and exciting.

I was very excited when we got to start working on this feature.

Yeah, this is a super cool one.

And I think here at Cloudflare, our solutions are always the goal is to make it better together.

You know, it's the one thing we don't want to hear from customers is, hey, these are point solutions and they don't work well.

Our design is always about managing for one control plane, being able to make it easy to manage for customers.

So, for anyone who hasn't been using Cloudflare Zero Trust yet and you want to get started, you can get started right now for free.

For teams of 50 or less, just check out slash Cloudflare1 and get started.

And if you are a current Zero Trust customer, you can definitely go to our website, learn more about access, gateway, DLP, whatever you'd like.

And if you're honestly not sure about the whole Zero Trust journey, how do I get involved?

How do I get started?

You can totally start to, you can go to ZeroTrustroadmap .org and you can start to learn about it and say, hey, how do I iteratively implement Zero Trust?

And how do I really get to where I want to get to? But do it in a way that we get to talk about and we get to walk you through.

And it's vendor agnostic, so you get to really learn about it, not just learning from Cloudflare, but learning about it holistically.

Kenny, Tim, is there anything you want to mention that we forgot about before we wrap up here today?

No, thank you for hosting us today, Noelle.

Thank you guys for being here. It was great talking to you and thanks for joining us for CIO Week and stay tuned for more announcements.

The real privilege of working at Mozilla is that we're a mission-driven organization.

And what that means is that before we do things, we ask, what's good for the users as opposed to what's going to make the most money?

Mozilla's values are similar to Cloudflare's.

They care about enabling the web for everybody in a way that is secure, in a way that is private, and in a way that is trustworthy.

We've been collaborating on improving the protocols that help secure connections between browsers and websites.

Mozilla and Cloudflare have collaborated on a wide range of technologies.

The first place we really collaborated was the new TLS 1.3 protocol, and then we followed that up with QUIC and DNS over HTTPS, and most recently the new Firefox Private Network.

DNS is core to the way that everything on the Internet works.

It's a very old protocol, and it's also in plain text, meaning that it's not encrypted.

And this is something that a lot of people don't realize.

You can be using SSL and connecting securely to websites, but your DNS traffic may still be unencrypted.

When Mozilla was looking for a partner for providing encrypted DNS, Cloudflare was a natural fit.

The idea was that Cloudflare would run the server piece of it, and Mozilla would run the client piece of it, and the consequence would be that we'd protect DNS traffic for anybody who used Firefox.

Cloudflare was a great partner with this because they were really willing early on to implement the protocol, stand up a trusted recursive resolver, and create this experience for users.

They were strong supporters of it. One of the great things about working with Cloudflare is their engineers are crazy fast.

So the time between we decide to do something and we write down the barest protocol sketch and they have it running in their infrastructure is a matter of days to weeks, not a matter of months to years.

There's a difference between standing up a service that one person can use or ten people can use and a service that everybody on the Internet can use.

When we talk about bringing new protocols to the web, we're talking about bringing it not to millions, not to tens of millions.

We're talking about hundreds of millions to billions of people.

Cloudflare's been an amazing partner in the privacy front.

They've been willing to be extremely transparent about the data that they are collecting and why they're using it, and they've also been willing to throw those logs away.

Really, users are getting two classes of benefits out of our partnership with Cloudflare.

The first is direct benefits.

That is, we're offering services to the user that make them more secure and we're offering them via Cloudflare.

So that's like an immediate benefit these users are getting.

The indirect benefit these users are getting is that we're developing the next generation of security and privacy technology and Cloudflare is helping us do it.

And that will ultimately benefit every user, both Firefox users and every user of the Internet.

We're really excited to work with an organization like Mozilla that is aligned with the user's interests and in taking the Internet and moving it in a direction that is more private, more secure, and is aligned with what we think the Internet should be.

Hi, we're Cloudflare.

We're building one of the world's largest global cloud networks to help make the Internet faster, more secure, and more reliable.

Meet our customer, Falabella.

They're South America's largest department store chain, with over a hundred locations and operations in over six countries.

My name is Karan Tiwari.

I work as a lead architect in Odessa e-commerce at Falabella.

Like many other retailers in the industry, Falabella is in the midst of a digital transformation to evolve their business culture to maintain their competitive advantage and to better serve their customers.

Cloudflare was an important step towards not only accelerating their website properties, but also increasing their organization's operational efficiencies and agility.

The TI decision was also a business decision.

I mean, the faster we can deliver the data to our customers, the less loading time and seconds we can improve our site.

And that internalizes it as a business metric. I mean, the business really understands that performance, that is, a second in the loading of a page, is a sale.

I mean, a loss in customer data is a loss of trust. So I think we are looking at better agility, better response time in terms of support, better operational capabilities.

Earlier, for a cache purge, it used to take around two hours. Today, it takes around 20 milliseconds, 30 milliseconds to do a cache purge.

The homepage loads faster.

Your first view is much faster. It's fast. Cloudflare plays an important role in safeguarding customer information and improving the efficiencies of all of their web properties.

Cloudflare, for me, is a perfect illustration of how we can deliver value to our customers quickly.

With customers like Falabella and over 10 million other domains that trust Cloudflare with their security and performance, we're making the Internet of Things a reality.

Get fast, secure, and reliable for everyone. Cloudflare, helping build a better Internet.

Cloudflare. Carousel is one of the leading C2C e -commerce marketplaces in the Southeast Asia region.

The marketplace mainly consists of preloved items, and we have categories such as electronics, fashion, property verticals, autos.

More than a quarter of the whole population of Singapore is on Carousel.

Our end-user traffic is close to 10,000 to 15,000 queries per second.

Carousel started working with Cloudflare to address their immediate DNS needs, but quickly expanded their usage in order to continue serving web content quickly as their user base grew.

Started off as a solution for our DNS and SSL termination requirements, and then we sort of explored the product further and our usage grew after that.

We started exploring the ability to cache our assets at Cloudflare, which we found quite good.

In the past three years, we have moved all our caching requirements to Cloudflare.

Carousel also adopted Cloudflare security features like the web application firewall after noticing vulnerabilities in their existing firewall.

As someone who would run a public property on the Internet, there is a constant threat of adversaries targeting you for DDoS attacks for various purposes.

The firewall, which we had at that time, there were a few lacunas, and we wanted to have a solution which was much more comprehensive in nature.

We explored the web application firewall offered by Cloudflare, and it ticked all our boxes.

It had the basic OWSP security-related rules as well as various other specialized rules that Cloudflare themselves added, and we also had the ability to add custom rules.

So all of these features essentially made it a perfect fit for our need.

As a thriving e-commerce platform, Carousel understands that its Internet security and performance must work hand-in -hand.

The company cannot allow its security posture to impact site speed and availability, especially when flash sales attract sudden influxes of valuable traffic.

One of the biggest benefits that we get out of Cloudflare is that the security is nearly free of cost when it comes to performance.

So user experience doesn't degrade with all these checks that are put in place before a particular request is served from our origin.

So that is one of the benefits that we definitely see.

In the past three and a half years of using Cloudflare, they have solved our problems around the various areas of handling traffic, in caching, in security, reliability.

Cloudflare is very key for the experience that we offer to our users.

With customers like Carousel and over 25 million other Internet properties that trust Cloudflare with their security and performance, we're making the Internet secure, fast, and reliable for everyone.

Cloudflare, helping build a better Internet.

Microsoft Mechanics

Thumbnail image for video "CIO Week"

CIO Week
Relive the exciting announcements from CIO Week! Check out the CIO Week Hub to find all of our announcements and blog posts!
Watch more episodes