ℹ️ Access, Browser Isolation and DLP to protect self-hosted apps
Presented by: Noelle Gotthardt, Tim Obezuk, Kenny Johnson
Originally aired on January 11, 2023 @ 5:30 PM - 6:00 PM EST
Welcome to Cloudflare CIO Week 2023!
This CIO Week we’ll demonstrate how Cloudflare is helping CIOs keep data, devices and employees both safe and fast across hybrid and remote environments. We’ll show how Cloudflare accelerates digital transformation and modernizes networking and security towards a Zero Trust model.
In this episode, tune in for a conversation with Cloudflare's Noelle Gotthardt, Tim Obezuk, and Kenny Johnson.
Tune in all week for more news, announcements, and thought-provoking discussions!
Read the blog posts:
For more, don't miss the Cloudflare CIO Week Hub
English
CIO Week
Transcript (Beta)
Hello, and welcome back to Cloudflare TV and to CIO Week. We hope everyone has enjoyed all of the announcements so far, and we're excited to bring you even more today with talking about how two products will work together to solve more problems.
I'm Noelle, the product manager for data loss prevention, and I'm joined by Kenny, our product manager for access, and Tim, our product manager for browser isolation.
Today, we announce Cloudflare's best-in -class browser isolation technology to our industry-leading Zero Trust access control product.
So to kick us off, Tim, let's do a refresh on Zero Trust.
Yeah, thanks, Noelle. Hi, everyone. Let's talk about Zero Trust.
So for those who haven't heard much about it before, it's important to think of Zero Trust as a security architecture.
It's become a very large buzzword.
All sorts of businesses, including Cloudflare, have products called Zero Trust, but fundamentally, it's a security architecture.
And its goal is to move to a model where every single request and connection is encrypted, authenticated, and logged all the way through end-to-end.
And this architecture was born out of challenges with the legacy Kastle and Moat-style network, where users would authenticate once through the VPN, and then once they're into the VPN, they're able to steer anywhere inside the network without their traffic being logged or inspected along the way.
And this has led to a number of security incidents for many businesses, and Zero Trust is the answer to that by making sure that if a user goes to one application and then moves to another, that traffic is inspected and logged at every single point.
So what this typically means in practice for companies is it typically means implementing identity-aware proxies or identity-based framing clients that are integrated with a secure web gateway to ensure that regardless of where it's going north, south, east, or west, that inspection occurs at every single step.
But the catch with it is deploying individual solutions makes it very hard to actually achieve a full end-to-end Zero Trust solution, because each data change service doesn't necessarily speak to the other box, so that identity information and policies relating to identity aren't properly encrypted and tracked through every appliance.
So this is why at Cloudflare we're working hard to build that end-to-end integrated solution with products like Kenny's Zero Trust Access product, which connects into identity providers to gather identity, and then being deeply integrated into browser isolation and DLP products, so that at every stage you have that control and visibility over your traffic.
Awesome.
So let's talk a little bit about Cloudflare 1, which is the product line that we offer to help customers implement Zero Trust architecture.
So what do your products, Access and Browser Isolation, actually do to help implement Zero Trust?
And let's start with Kenny talking about Access.
Yeah, really excited to talk about Access.
And again, thank you for having me. Good to see everybody out there in the world watching Cloudflare TV.
So Access was actually born out of an internal need at Cloudflare.
We came to a realization that we needed to start working towards Zero Trust architecture that Tim outlined.
And one of the biggest steps towards achieving a Zero Trust architecture was sunsetting and deprecating our reliance of a VPN to access web-based tools, as well as tools over our internal network over things like SSH and RDP.
So we built Access to be an application-centric model of security or control over your applications that have an identity-driven component.
So what you're able to do is you can plug in your source of identity, your business, using a single sign-on provider or a social identity provider.
So that could be something like Azure AD or Okta or something like GitHub to be able to authenticate your users.
And then within Access, you're able to create policies at a very granular level down to the subdomain and path combination on your web properties to dictate which users should and should not be allowed access to those particular resources.
And the real magic behind that is that we're able to do that using what's called a reverse proxies.
So we sit in front of a given web property.
Let's say I have testing.example .com, and I'm hosting a JIRA server at that website.
Cloudflare is able to sit in between the user and the particular resource that's hosted at that particular subdomain hosting.
And Access is able to enforce whether or not that user has or has not authenticated already.
If they haven't authenticated, they're then served a login page.
If they have authenticated, they're let straight on through to the resource and they don't see a login page or anything like that.
So it all feels very seamless. And the other benefit is that the user doesn't have to install anything on their machine.
They're fully using the rails of the public Internet.
And there's nothing from a kind of old school perspective where you're having to route into a specific private subnet or anything like that.
It's all done over the public Internet, over Cloudflare's network.
And you get the other benefit of all of Cloudflare's additional security controls like DDoS, web application firewall, are also applied on top of the identity aware policies that you've crafted.
And with that, I'm really excited to turn it over to Tim to talk a little bit more about our browser isolation technology and then how that is actually getting paired in with our Access solution.
Yeah. Thank you, Kenny. So before we get into how we're connecting the Zero Trust Access into browser isolation, I just want to take a step back and talk about why we're isolating browsers in the first place.
And I think it's fairly fair to say that browsers have become the most ubiquitous desktop application that everyone uses all day, every day.
And this wasn't always the case.
For a very long time, people were using bespoke desktop applications to access their corporate data.
But then sometime around 2007, they became really powerful when Google launched Chromium and the V8 runtime for very fast JavaScript execution.
And from what was at the time just really fast JavaScript, we saw this huge wave of browser-based applications.
And this rapidly ate away at enterprise desktop applications.
And if you fast forward to today, we live in this world where we're now using browsers for everything.
We're accessing sensitive business starter and internal applications, and also in SaaS applications hosted by third parties.
But this move wasn't without any compromises. Before in the desktop world, we had a lot of control over how data was accessed.
But we traded it for losing control because in a web-based environment, data can easily be it's all too easy to scrape it or copy or print information, which could lead to it being exfiltrated from a web application.
And strangely, this is actually a reason we typically see virtual desktops deployed with the customers we're talking to because they need that way of isolating their web-based applications from users that are connecting to it.
So in 2021, we launched browser isolation integrated with our secure web gateway and roaming client.
And we did this to actually mitigate against how powerful and capable web browsers have become.
Just in 2022, we saw that on nine zero days have affected Chromium.
And this is a challenge because when you go to a website, you're immediately downloading untrusted code onto the user's device.
So browser isolation allows us to execute that code remotely in Cloudflare's network and not leave the user's device at risk from any malicious content on that site.
Now, what we found is when you're isolating a site, we're able to protect the user from any malware on that website, but we're also able to control all interactions with the website they're accessing.
This means if it's a phishing website, we can prevent them inputting sensitive information, or if it's a legitimate business application, we're able to prevent inputs such as copying information or printing information.
And this is where the integration with access becomes really valuable since where we create a very transparent way of connecting users from any device to a isolated version of an internal tool and give administrators back control over their applications regardless of how users are connecting to it.
And the technology we use for this is really cool. Rather than being based on legacy pixel pushing style models, which is very common in virtual desktops, we actually leverage vector-based commands over the wire.
So this means rather than streaming bandwidth -heavy images to the user, we're streaming signals like draw a line, draw a squiggly shape, draw a few colors, and this comes together into the final website and creates a very sharp image that performs very well for users regardless of their bandwidth in their device or their screen size.
And by running a cloud-influenced network, the latency is so low that it just feels like using a local application.
Following that, we originally launched with the roaming clients and gateway model.
We then launched a clientless model which does integrate with access, a access on-ramp to using the remote browser.
And this is great because it allowed users to connect to any website using browser installation without installing any software on their device and also have that control over their data.
But there's still that missing link between the application authentication into the remote browser, and that's what we're announcing today.
It's a deep integration between access, browser isolation, and by extension, LTP platform.
You took the words right out of my mouth there, Tim, was going to say.
So the next big question is going to be, how is our big announcement really going to tie into both browser isolation and access?
And how does it really tie into securing self-hosted applications, especially a huge concern for many of our customers?
So Tim, since you gave the teaser, can you give us a walkthrough of what we're looking at?
Yeah, so what we've been hearing from countless conversations with our customers is a big challenge is protecting their data from misuse.
And a lot of the customers we're talking to are resorting to using expensive virtual desktops for their users.
This is quite a cumbersome solution to implement because it requires a very expensive infrastructure to deploy for what is quite a simple web-based application.
And it's a poor experience for end users as they need to first install a desktop client to connect to a virtual desktop, log into that, then open up the web browser inside the virtual desktop, and then log into the application a second time, which is very frustrating for end users.
It's also difficult for IT to connect into that wider security posture, since you then need to layer data loss prevention tools onto it in order to get that full end-to-end control over the data in the applications.
So we saw an opportunity here to combine the ease of use access, being able to just use your identity provider to log into any self -hosted application without using a VPN, and combine that into what we're doing with browser isolation to control how users can interact with data in those web apps.
So what we're announcing to our partnership is we are essentially making it so that you can go to an access app, log in a single time, and transparently the users see it into a remote browser.
The URL is exactly the same, so there's no special training, and if the user matches a policy which has been marked as isolated, it could be a subset of users or users on unpatched devices, that is sent into the isolation service for your given audience of users.
And it works just, it feels just like using any of a normal access application.
There's no clients you need to install, you don't have to wait for anything to warm up, they're just instantly connected to the application in the remote browser.
The other really cool part is even though the remote browsers are hosted on Cloudflare's network, which we have about 270 around the world, and this is really important for keeping the latency low and steering users to a very close remote browser, you don't actually have to open your application to the Internet to benefit from this service.
You can use Cloudflare tunnels to establish a private connection to Cloudflare without opening up any ports, and that is natively integrated with the end-to-end solution, so traffic can go from the remote browser into your internal application without compromising any security.
The other valuable part, going back to what I mentioned in the beginning about delivering on promise of Zero Trust, it's having every step integrated end-to-end, is because browser isolation is also already integrated with our data loss prevention platform, all of those controls we have are still there.
So Noelle, I'd love you to provide more detail on what we're doing in that space.
Yeah, thank you.
So to give a little bit of background on DLP and how it really ties into zero trust, which can be a common question I get, so we set that foundation of zero trust as I'm going to validate every access attempt, I'm going to make sure that identity is validated for every request that goes through, but identity isn't just the only signal that a transaction should be happening.
The next level that can be is, hey, maybe someone should have access to this application, but maybe the actual transaction that they're doing is something we also want to validate.
Are they really moving the data that we want them to move, and how do we ensure that?
And that's where data loss prevention comes in, is as those requests are going up and down, as customers are interacting with applications, uploading, downloading documents, we inspect that traffic and we look for indicators of sensitive data that the customer might not want to be in that transaction.
So that can be anything from, we have PII options pre-built in our application, so you can detect something like a national identifier, like a social security number or NSN number, or you can inspect for credit card numbers, other financial information, or you can build your own custom regex.
So if you have something that's really unique to your company, or maybe something that's really industry specific, you can build your own detection for that.
So then as that traffic goes up and down, you can inspect it and say, you know what, hey, this application isn't supposed to be hosting this type of information, you shouldn't be uploading it, or the inverse of, hey, this application is where this information is supposed to stay, and you shouldn't be downloading it.
So that's a way that customers are really interested in protecting that data, making sure it doesn't go to the wrong place.
And a lot of times our customers will come to us and say, hey, I'm really interested, I really want to protect the data in this application, but we have a contractor here, like we don't want to put his or her device, we don't want to deploy some client to it, is there any way you can provide data loss prevention without the client being deployed?
And this gives us an awesome way to do that.
So if the customer launches through access and launches in the browser, it'll onboard right to Cloudflare, and Cloudflare can provide those data loss prevention capabilities without having to deploy the client, which is a really awesome and flexible way to do it.
So then as they get access to that application, you can still inspect the traffic, make sure that the requests that you want are going all the way through.
Tim, does that answer your question?
Is there any more you want to build on top of that? Yeah, I think that's a fantastic point.
Just because a user can access an application doesn't mean that the data they're uploading to it necessarily makes sense to go into it.
And having that inspection within the access app is really powerful, especially for roaming BYO device users or contractors who may be accessing the system.
So there's so many use cases that having all three of these products deeply integrated together unlocks.
These are also some of the most sensitive applications that our customers are typically hosting and protecting.
It's things like internal wikis and code repositories and financial systems and things like that.
So the ability to do clientless data loss prevention controls in these applications is really powerful and exciting.
I was very excited when we got to start working on this feature.
Yeah, this is a super cool one. And I think here at Cloudflare, our the goal is to make it better together.
The one thing we don't want to hear from customers is, hey, these are point solutions.
They don't work well. Our design is always about managing for one control plane, being able to make it easy to manage for customers.
So for anyone who hasn't been using Cloudflare Zero Trust yet and you want to get started, you can get started right now for free.
For teams of 50 or less, just check out Cloudflare .com slash Cloudflare1 and get started.
And if you are a current Zero Trust customer, you can definitely go to our website, learn more about Access, Gateway, DLP, whatever you'd like.
And if you're honestly not sure about the whole Zero Trust journey, how do I get involved?
How do I get started?
You can totally start to, you can go to Zero Trustroadmap.org and you can start to learn about it and say, hey, how do I iteratively implement Zero Trust and how do I really get to where I want to get to, but do it in a way that we get to talk about and we get to walk you through.
And it's vendor agnostic.
So you get to really learn about it, not just learning from Cloudflare, but learning about it holistically.
Kenny, Tim, is there anything you want to mention that we forgot about before we wrap up here today?
No. Thank you for hosting us today, Noah.
Thank you guys for being here. It was great talking to you and thanks for joining us for CIO Week and stay tuned for more announcements.