ℹ️ CASB integrations update
Welcome to Cloudflare CIO Week 2023!
This CIO Week we’ll demonstrate how Cloudflare is helping CIOs keep data, devices and employees both safe and fast across hybrid and remote environments. We’ll show how Cloudflare accelerates digital transformation and modernizes networking and security towards a Zero Trust model.
In this episode, tune in for a conversation with Cloudflare's Tarika Srinivasan and Alex Dunbrack about our new CASB integrations with Salesforce and Box.
Tune in all week for more news, announcements, and thought-provoking discussions!
Read the blog posts:
For more, don't miss the Cloudflare CIO Week Hub
Hi there. My name is Tarika Srinivasan. I'm a product marketing manager here at Cloudflare and I'm joined with Corey Mahan, who is a director of product for our Zero Trust platform.
And today we actually announced during CIO Week that we have two new integrations for our Cloudflare CASB product, one for Salesforce and one for Box.
But before we dive right into that, Corey, since you've been a critical part of helping build out the Cloudflare CASB product over the past year, could you just give us a quick rundown on what it is?
Yeah, totally. Thanks for having me today as well, Tarika.
Yeah, so when we talk about Cloudflare CASB, what we're talking about is a cloud access security broker.
A lot of words there.
What does it really mean? Well, there's kind of two camps when we think about CASB.
The first is inline, meaning sitting inline or in between the connection between the source and destination.
Cloudflare has lots of those capabilities for our inline services, usually supported by Cloudflare Gateway and that product suite, making sure that we can do things like tenant control so that your end users can only access your instance of, say, Box versus Box.com in their personal account.
Other things like inspecting traffic to make sure that they're not uploading or downloading anything potentially malicious.
So that's the inline version.
We're excited about that, but today we're really going to focus on the API version.
And that second camp is really what we're talking about in how we connect to the various services that we're helping protect.
And that is, as the name implies, via API.
So an API driven CASB or an API CASB, the center of this conversation, helps companies make sure that the data that their employees in their organization is accessing is protected, is safe.
And a simple misconfiguration or an overprivileged user or a user we forgot to deprovision are all taken care of.
So really, at the end of the day, what we're doing is helping you keep your data secure using a product like CASB for the various services that you use.
Yeah. And since this is CIO week, Corey, if you put yourself in the shoe of a CIO, why would a product like Cloudflare CASB actually be helpful and useful to them?
Yeah, great question. I think about it from any type of, in a day to day, just as a regular user, if you will, the amount of things that you share internally, you send that link in chat, you email this link to a partner, you download this file, you upload to that folder.
All of those things are part of our daily lives, right? Especially when we're adopting more and more SAS.
So if I'm a CIO, I'm thinking about, okay, cool.
We're moving all this data around. Is it moving to the right place?
Is it being accessed by the right people? Have we removed access for those that shouldn't have it?
And all the things around that data control, that data protection, that data privacy to some extent.
And so I'm really, really worried about that because as we've seen in recent past, some in more public cases than others, how easy it is to overshare, in addition to how easy it is to upload, hey, I was dragging all of my downloads to the upload folder and oops, I forgot that there was a customer spreadsheet and there wasn't some data that shouldn't be moved anywhere, right?
So all of those little things. So if I'm a CIO, I'm worried about, hey, I want to encourage my end users to continue to use SAS and to continue to use the cloud for all of the things.
But in that, we have to make sure there's some guardrails in place.
So that's what I'm most thinking about as an end user, all the way to, I guess, as a CIO.
Yeah. And when I think about also the past few years, given the pandemic and a lot of organizations adopting remote or hybrid work comes with that kind of a shift to the cloud for all of your productivity suites and tools.
And so how do you kind of see remote work being and Cloudflare CASB kind of being essential to that picture?
Yeah, I think they go hand in hand.
I think there's a lot of great native built-in controls that should be leveraged totally within these SAS services and specifically within the business suite set of services.
But where CASB really shines and adds the value is the behaviors and the settings and services and data across those SAS services.
So it may be your business suite, it may be your telecommunications suite, maybe your chat suite, maybe your storage suite, maybe your CRM.
Knowing that, hey, we'll pick on ourselves here.
Tariq and Corey are sharing stuff publicly in all these services.
And Tariq had downloaded all of our data from our CRM and moved it over to this personal Google Drive.
Like, that's a bit odd. And so while these services help accelerate business and make sure that we can collaborate much easier and faster, they also introduce more attack surface and more areas for CIOs to care about.
It used to be kind of guard the bank vault, the one door in and out.
And now there's hundreds, if not thousands, of doors in and out and windows and all the other ways people can get in and out as part of our jobs.
So how do we make sure that we're protecting those? How do we add guardrails where we need to?
And then how do we see that complete visibility across all of those services?
And that's exactly what the API driven CASB does, integrating with those services and then shining the light across what all of it looks like to get kind of that single pane of glass.
When I think about our CASB product, I often think about the statement, you can't protect what you don't see or know.
And I feel like our API driven CASB really does like lift that curtain to unveil all the security issues that you maybe didn't know.
And so over the past year or so, we've launched a variety of integrations with very popular SaaS apps, some of them being Microsoft 365, Google Workspace, Slack, and now GitHub as well.
And now we're introducing Salesforce and Box.
Why was this the next important two SaaS apps to introduce to our CASB integration set?
Great question. So there's, I think for every business, different levels of risk exist based off of their business, right?
Maybe this company stores all their sensitive data in this SaaS service and another in this SaaS service.
So really how we prioritize this is listening to customers and where their customer demand is.
And if you think about these two services with immense amount of built-in security controls, which are fantastic and you should totally leverage those.
But the addition of the API integrations from the Cloud for CASB gives you that additional layer of insight and then ties everything together.
So why Salesforce? Well, it is where most companies store all of their customer data.
For those unfamiliar with Salesforce, it's a CRM or a customer relationship management cloud-based software that helps with flexible sales operations, quoting, contracting, customer engagements.
And so there's a lot of customer-centric data that's stored there.
Kind of like the bolt, if you want to think about it in regards to sensitive customer data, who's buying what, et cetera, et cetera.
And so for example, to kind of make this very easy and clear is during some of the early onboardings with the Salesforce integration with the API CASB of Cloudflare, one of the Salesforce administrators literal quote was, oh, explicit.
As they soon realized that a lot of their contracts were publicly available on the web via a link, right?
And so just a simple oops and hmm, your pricing data is now on the Internet is not a great thing.
And so it's just a simple issue like that or simple oops like that of why we really partnered and built this integration.
Second, with Box, it is a very popular storage service for those unfamiliar with Box.
You can think about it as a content cloud, if you will, where you can store data, docs, files, folders, pictures, anything that you'd want to enable and your business from a collaboration perspective, and maybe a backup use case.
There's lots of different things that help within the business. And obviously, they have a personal offering as well.
So why Box? Well, a lot of our customers move a lot of their data through Box.
And so they were asking, hey, again, we've turned on all the native stuff, but we want to see what this looks like across services.
And so you can think about things like, hey, my Box admin doesn't have the 2FA enabled all the way to we've shared this Box folder with a contractor that we'd stopped doing business with three years ago.
Maybe we should bring that in, a little bit of housekeeping, right, and everything in between.
So these two services we see our Cloudflare customers using, and we listen very closely to them.
And thus, we prioritize both of these. If we deep dive kind of into specifically the Salesforce integration, is there anything interesting or something that as a security person, you wouldn't necessarily think about checking for as a finding that the CASB integration detects?
Yeah. Great question. I think you can kind of center it all around back to kind of, well, what are we protecting?
And that's the data, right? And so data that's perhaps there's files or folders shared publicly that have no password.
That's one that you're like, oh, yeah, we should probably look at least what those are.
Maybe they're intentionally there, maybe they're not.
And then two is, okay, there's stuff shared publicly.
And this is the one I was like, ah, share publicly with a password, but that password is super weak or a lowercase string tag, you know, it's password or something like that.
But someone just said it in haste to try to do something quickly.
Those are the things where you're like, oh, okay, what else is here?
Right. And so just around the sharing behavior of that data and what's available, again, the tools are there.
You can set a password if you'd like, you can make it strong, but did you?
And so those are the things I have found very, very intriguing, kind of surfacing immediately within the first couple of seconds of connecting to Salesforce.
And then when we think about Box similarly, what is our integration kind of surface that is out of the ordinary?
Yeah. Some really cool things I think about with Box in particular are, again, back to that, and I'll pick on this use case because it usually gives CIOs and CISOs the most heartburn of like, that's public on the web.
One that's really, really cool with Box is a file or a folder with a high view count.
So, hey, you've got this file public and the file name is marketing template.
Totally okay. That's what it's supposed to be.
And that view count kind of helps you understand like who's looking at what.
When you see one like Q4 earnings and it's not the end of Q4 yet, and that's public with a high view count, what's going on here?
And so it's not just the, hey, here's a bad thing or potentially bad thing.
It's here's a thing with some context around.
And so those are the things I think I'm most excited about for how I think customers will leverage the Box integration.
And so when I think about also these SaaS applications, specifically Salesforce or even Microsoft's of the world, they have already really strong, built-in native security in their applications.
How does Cloudflare CASB either supplement or kind of layer on additional protections for an integration for the Salesforce or Box?
Great question. Yeah.
So I think it's twofold. One, and I've already touched on a little bit, is seeing the different services together.
For example, I'm unaware of any, but as a one is, how many Box and Salesforce sharing permissions can you look at in a single screen?
Can you look at Tariqa and understand what she's, her activities across these services without this type of tool?
And the answer is usually no. So that's one unique benefit is that, oh, okay.
I can leverage the existing technology and controls there and start seeing them together.
The second is the, what I would call like the ancillary behaviors, right?
And so we can understand using kind of the wider Zero Trust suite.
What makes it awesome is, hey, for users, we'll pick on Tariq and Corey again.
Hey, they're uploading everything. They're copying all this stuff that we don't want to.
We uncovered this via the API integration to say Box.
Using the wider Zero Trust suite, we can now isolate their session using something like our remote browser isolation technology and just stop uploads for those two users or that group of users or all of those users.
So we can turn their session into a read-only session.
So we don't have to worry about them oversharing until, you know, we've had a conversation with them or we've educated them on what they should or shouldn't be sharing.
So it's not only just that this, you know, kind of the, we talk about it internally one plus one equals three, two individual things making the greater, you know, the greater whole when they work together.
That's the exact thing with our API CASB with these integrations.
And that's really great to mention because I think the power of our Cloudflare CASB tool is actually being built into our larger CF1 Zero Trust platform.
How does CASB today kind of work across the different existing tools? And like, do you see the Cloudflare CASB getting closer towards other products in our platform today?
Yeah, great question. I think the one existing today is obviously for inline actions.
So blocking via the, what we would call gateway. So for example, to the previous use case of, Hey, Tariq is behaving in a way that we would prefer if she didn't, we need to have give her some training.
There's a one click policy option that integrates with gateway to create a block policy for certain behaviors, such as uploading to say, Google drive.
That is just in production today.
And anyone can use it if it's a Cloudflare CASB and gateway customer.
Ones that we're forward looking to and are excited about. And there's a blog out today, actually related to this, or I believe it was yesterday around CASB plus DLP.
And so back to the, Hey, we've surfaced all these behaviors and we've surfaced all these settings and permissions and these data sharing behaviors.
Now going then level deeper of, Hmm, this file or folder had 30 credit card numbers in it, or this file had tons of PII and integrating with our DLP platform to say, Hey, you really should address this one first.
And then this one second, and then this one third, so that we're not only just highlighting the risk, but also giving you actual tangible steps to remediate it.
So CASB and DLP are kind of one in the same.
And we joke internally that they're kind of yin and yang, they go one hand in hand.
So that will, that integration and those two products will become very, very much intertwined.
And kind of adding to that, I know we also have like a remote browser isolation tool.
And so when we find kind of surface threats using API CASB, and then we're starting to block them.
I think another cool thing is that you could also isolate those threats using a remote browser product.
And then looking forward, looking for CASB integrations overall, like what do you see down the line?
How do you feel that we're going to kind of grow the product overall in terms of number of integrations and what SAS apps we're going to support?
Yeah, great question. We're definitely focused on customer demand.
And so if you're a current customer or soon to be, we listen very intently.
That's how we arrived at building these two. One I can kind of tease out a little bit is thinking about kind of that business operations or your collaboration toolkits, right?
So those cloud-based services that you use for your engineering wiki-like services, those are ones we're working on now.
And then we'll continue to expand it to where our customers are most concerned and to where the most risk lies, right?
Is it the HR apps of the world, which is very much likely the case where all of our employee personal data lives, payroll data, all of those services and things like that.
In addition, kind of the further CRMs of the world, again, customer data is kind of consolidated there, as well as storage services of the world, right?
That is their job is to store lots of data. And so those are kind of the three over-generic or generalized buckets that we kind of think about.
But it doesn't mean that we won't go into something more specific as well.
So there is a lot to protect. There is an N number of SaaS apps that are out there.
We're really focused on what makes the most impact and reduces the most risk for our customers.
Thank you so much, Corey, for chatting with me about Cloudflare CASB and our new Salesforce and Box integrations.
One last thing before we hop off is if someone wanted to get started with Cloudflare CASB today, around how long does it take to get started and how can one do that?
Yeah, great question. So if you're an enterprise customer today in our Zero Trust suite or Cloudflare one set of products, I think we kind of joke it would usually take you longer to find an admin than it will to set it up.
And so it is seamless to do. We say usually over a cup of coffee, which is actually probably too long, your coffee would be cold.
It'll take about five minutes to do. So integrating it usually follows what we call an OAuth prompt or think about it as like a couple of clicks and then you're in.
And so it's really, really seamless to set up. And this is available, CASB is available to our Zero Trust customers on contract plans.
Well, great. Thank you so much, Corey.
Have a great rest of your day. Awesome. Thanks for having me, Trica. We're betting on the technology for the future, not the technology for the past.
So having a broad network, having global companies now running at full enterprise scale gives us great comfort.
It's dead clear that no one is innovating in this space as fast as Cloudflare is.
With the help of Cloudflare, we were able to add an extra layer of network security controlled by Allianz, including WAF, DDoS.
Cloudflare uses CDN and so allows us to keep costs under control and caching and improves speed.
Cloudflare has been an amazing partner in the privacy front. They've been willing to be extremely transparent about the data that they are collecting and why they're using it.
And they've also been willing to throw those logs away.
I think one of our favorite features of Cloudflare has been the worker technology.
Our origins can go down and things will continue to operate perfectly. I think having that kind of a safety net provided by Cloudflare goes a long ways.
We were able to leverage Cloudflare to save about $250,000 within about a day.
The cost savings across the board is measurable, it's dramatic, and it's something that actually dwarfs the yearly cost of our service with Cloudflare.
It's really amazing to partner with a vendor who's not just providing a great enterprise service, but also helping to move forward the security on the Internet.
One of the things we didn't expect to happen is that the majority of traffic coming into our infrastructure would get faster response times, which is incredible.
Zendesk just got 50% faster for all of these customers around the world because we migrated to Cloudflare.
We chose Cloudflare over other existing technology vendors so we could provide a single standard for our global footprint, ensuring world-class capabilities in bot management and web application firewall to protect our large public-facing digital presence.
We ended up building our own fleet of HAProxy servers, such that we could easily lose one and then it wouldn't have a massive effect.
But it was very hard to manage because we kept adding more and more machines as we grew.
With Cloudflare, we were able to just scrap all of that, because Cloudflare now sits in front and does all the work for us.
Cloudflare helped us to improve the customer satisfaction.
It removed the friction with our customer engagement.
It's very low maintenance, and very cost effective, and very easy to deploy, and it improves the customer experiences big time.
Cloudflare is amazing. Cloudflare is such a relief. Cloudflare is very easy to use.
It's fast. Cloudflare really plays the first level of defense for us. Cloudflare has given us peace of mind.
They've got our backs. Cloudflare has been fantastic.
I would definitely recommend Cloudflare. Cloudflare is providing an incredible service to the world right now.
Cloudflare has helped save lives through Project FairShot.
We will forever be grateful for your participation in getting the vaccine to those who need it most in an elegant, efficient, and ethical manner.
The release of worker sites makes it super easy to deploy static applications to Cloudflare Workers.
In this example, I'll use create-react-app to quickly deploy a React application to Cloudflare Workers.
To start, I'll run npx create-react-app, passing in the name of my project.
Here, I'll call it my-react-app. Once create -react-app has finished setting up my project, we can go in the folder and run wrangler-init –site.
This will set up some sane defaults that we can use to get started deploying our React app.
wrangler .toml, which we'll get to in a second, represents the configuration for my project, and worker-site is the default code needed to run it on the worker's platform.
If you're interested, you can look in the worker-site folder to understand how it works, but for now we'll just use the default configuration.
For now, I'll open wrangler.toml and paste in a couple configuration keys.
I'll need my Cloudflare account ID to indicate to Wrangler where I actually want to deploy my application, so in the Cloudflare UI, I'll go to my account, go to workers, and on the sidebar, I'll scroll down and find my account ID here and copy it to my clipboard.
Back in my wrangler.toml, I'll paste in my account ID, and bucket is the location that my project will be built out to.
With create-react-app, this is the build folder. Once I've set those up, I'll save the file and run npm build.
create -react-app will build my project in just a couple seconds, and once it's done, I'm ready to deploy my project to Cloudflare Workers.
I'll run wrangler publish, which will take my project, build it, and upload all of the static assets to workers.kv, as well as the necessary script to serve those assets from kv to my users.
Opening up my new project in the browser, you can see that my react app is available at my workers.dev domain, and with a couple minutes and just a brief amount of config, we've deployed an application that's automatically cached on Cloudflare servers, so it stays super fast.
If you're interested in learning more about worker sites, make sure to check out our docs, where we've added a new tutorial to go along with this video, as well as an entire new workers sites section to help you learn how to deploy other applications to Cloudflare Workers.
So, the real privilege of working at Mozilla is that we're a mission-driven organization, and what that means is that before we do things, we ask what's good for the users, as opposed to what's going to make the most money.
Mozilla's values are similar to Cloudflare's.
They care about enabling the web for everybody in a way that is secure, in a way that is private, and in a way that is trustworthy.
We've been collaborating on improving the protocols that help secure connections between browsers and websites.
Mozilla and Cloudflare collaborated on a wide range of technologies.
The first place we really collaborated was the new TLS 1.3 protocol, and then we followed that up with QUIC and DNS over HTTPS, and most recently, the new Firefox Private Network.
DNS is core to the way that everything on the Internet works.
It's a very old protocol, and it's also in plain text, meaning that it's not encrypted.
And this is something that a lot of people don't realize. You can be using SSL and connecting securely to websites, but your DNS traffic may still be unencrypted.
When Mozilla was looking for a partner for providing encrypted DNS, Cloudflare was a natural fit.
The idea was that Cloudflare would run the server piece of it, and Mozilla would run the client piece of it, and the consequence would be that we'd protect DNS traffic for anybody who used Firefox.
Cloudflare was a great partner with this, because they were really willing early on to implement the protocol, stand up a trusted recursive resolver, and create this experience for users.
They were strong supporters of it. One of the great things about working with Cloudflare is their engineers are crazy fast.
So the time between we decide to do something, and we write down the barest protocol sketch, and they have it running in their infrastructure, is a matter of days to weeks, not a matter of months to years.
There's a difference between standing up a service that one person can use, or 10 people can use, and a service that everybody on the Internet can use.
When we talk about bringing new protocols to the web, we're talking about bringing it not to millions, not to tens of millions.
We're talking about hundreds of millions to billions of people.
Cloudflare's been an amazing partner in the privacy front.
They've been willing to be extremely transparent about the data that they are collecting, and why they're using it, and they've also been willing to throw those logs away.
Really, users are getting two classes of benefits out of our partnership with Cloudflare.
The first is direct benefits. That is, we're offering services to the user that make them more secure, and we're offering them via Cloudflare.
So that's like an immediate benefit these users are getting. The indirect benefit these users are getting is that we're developing the next generation of security and privacy technology, and Cloudflare is helping us do it.
And that will ultimately benefit every user, both Firefox users and every user of the Internet.
We're really excited to work with an organization like Mozilla that is aligned with the user's interests, and in taking the Internet and moving it in a direction that is more private, more secure, and is aligned with what we think the Internet should be.
The About You fashion platform has become the number one fashion platform in Europe in the generation Y and Z.
It has been tremendously successful because we have built the technology stack from a commerce perspective, then decided to also make it available to leading fashion brands such as Marco Polo, Tom Taylor, The Founded, and many others.
Yeah, and that's how scale was born. What we see in the market is that the attack vectors are becoming increasingly more scaled, distributed, and complex as a whole.
We decided to bring on Cloudflare to ultimately have the best possible security tech stack in place to protect our brands and retailers.
We use the Cloudflare spot management, rate limiting, and WAF as an extra layer of protection for our customers by tackling the major cyber threats that we see in the market.
DDoS attacks credential stuffing at scalping bots. What we see with a scalping bot here is that they are targeting high-end products and then buying them up within a few seconds.
That leaves the customer dissatisfied. They will turn away and purchase somewhere else the product and thereby we have lost the customer.
Generally before it could take maybe up to half an hour for a security engineer to handle DDoS attacks.
Now we are seeing that Cloudflare could help us to stop that in an automatic way.
Cloudflare helps us to bring the site performance to the best and ultimately therefore create even more revenue with our clients.