Cloudflare TV

ℹ️ Cloudflare Zero Trust for managed service providers

Presented by Dan Hollinger, Ankur Aggarwal, Teddy Solano
Originally aired on 

Welcome to Cloudflare CIO Week 2023!

This CIO Week we’ll demonstrate how Cloudflare is helping CIOs keep data, devices and employees both safe and fast across hybrid and remote environments. We’ll show how Cloudflare accelerates digital transformation and modernizes networking and security towards a Zero Trust model.

In this episode, tune in for a conversation with Cloudflare's Ankur Aggarwal, and Dan Hollinger about Cloudflare Gateway for Managed Service Providers (MSPs).

Tune in all week for more news, announcements, and thought-provoking discussions!

Read the blog posts:

For more, don't miss the Cloudflare CIO Week Hub

CIO Week

Transcript (Beta)

Hello, hello, everyone. Welcome to this segment of Cloudflare TV, where me and my guest Ankur here are going to talk about a new feature we recently released, particularly aiming for managed service providers, managed security providers that are looking to provide Zero Trust services to their customers.

This is part of our rollout of CIO Week, hence our beautiful backgrounds.

The goal here is we're going to review the solution.

We're going to talk about MSPs and how they fit into a CIO's view, and then really dig into some of the examples and use cases that we explored in our blog post as part of CIO Week.

So with that, I'm Dan Hollinger. I'm reporting to you from Munich, Germany.

I am the product manager for partners, meaning I manage our tenant platform and our partner platform that helps MSP partners as well as platform partners connect to Cloudflare.

And with that, I'll hand it off to Ankur for a quick introduction.

Thanks, Dan. Hey, everyone. My name is Ankur Aggarwal.

I'm based out of San Francisco, California, and I'm the product manager for Cloudflare Gateway.

So Gateway sits within our Zero Trust suite of products.

And working with Dan and team, we were able to integrate that with the partner platform.

So we'll go through a little bit about how it's helped MSPs as well as additional features we added to both platforms to essentially work better together.

Awesome. Thank you for that intro. How's the weather in San Francisco? It is rainy.

I believe it's warm.

But to get dig into the meat of our presentation or our chat. First, I'd like to talk a bit about managed service providers or MSPs, what they are and ultimately how CIOs tend to work with them.

So ultimately, managed service providers or managed security service providers are partners that are providing resources, security tooling and expertise that can be IT operations and security operations can be outsourced to these providers.

They're often a common tool in the toolbox of a CIO.

Some elements of IT operations or security operations are often best handled by a managed security provider or each business can come to its own conclusion.

They tend to bring in a healthy amount of expertise across multiple solutions as well as many customers that are in very much the same boat as your company might be.

So ultimately, they provide a way to provide managed services like SOC as a service or security operations centers as a service that allow you to focus your IT team on more strategic internal needs as opposed to focusing them externally on security threats and external threats that become very difficult to manage independently or manage as a lone company.

The Internet's a big place and attackers will attack the large companies as well as the small companies on a day-to-day basis.

So with that, Cloudflare is partnering with quite a few MSPs and our hope is, you know, part of my core job is to make sure that their experience with Cloudflare is as seamless as possible and that they're able to use all of our products.

So anything from the web application firewall or DDoS mitigation into our Zero Trust suite such as DNS filtering.

And to learn more about DNS filtering, Encore is our expert.

Thanks, Ed. And with DNS filtering, essentially, it allows a lot of our customers and now managed service providers to filter or really kind of get the quickest time to value when they're trying to offer a security rollout or just roll out security services for their users.

So it allows them to filter any sort of like malicious content, ransomware, phishing, and basically a whole load of Internet threats that are out there.

We break these down into content categories under our gateway policies.

So essentially, any administrator can easily select the security categories that they want to block.

And then they have DNS locations, which essentially contain the DNS endpoints of where they can point their users' machines.

So it's just as easy as either changing the DNS endpoint on your router, so it changes it for your entire office, or it's as easy as kind of rolling out that endpoint to all your users.

Now, you can do this over IPv4, IPv6, DoH, which is DNS over HTTPS, or DoT, which is DNS over TLS.

The last option also in there is you can optionally install the warp client on all your end user machines, which allows you to essentially proxy traffic as well.

But you can also just send DNS queries.

Now, with all of those options out there, you could do this for each individual account and each individual user.

But in working with the tenant platform, we're able to kind of rule this out in a much broader sense for MSPs.

For that, I'm going to turn it back over to Dan. Thank you for that intro into DNS filtering.

And with regards to the tenant platform, this was a solution we built for some of our largest integration partners.

So it's been running now flawlessly for integrations like IBM Cloud, who white labels the Cloudflare services, as well as JD Cloud, who's providing our application services within China and outside of China.

So the goal for the tenant platform was to essentially give some of the keys of the kingdom away that were previously only available to Cloudflare, the creation of accounts, the establishment of subscriptions and entitlements, you know, really the ability to set up an end customer.

And what these partners needed to do was be able to integrate their Cloudflare into their current solution, into their current user interface.

And we had an amazing client API, we still do, I think, api.Cloudflare .com.

But what we lacked at that time was those keys to the kingdom, the ability to create those accounts, to set subscriptions, to enable a customer from zero into a productive customer.

So where the tenant platform came into play, and I'll go ahead and share my screen, I tend to be a visual learner, hopefully some of our viewers are as well, is ultimately the tenant system and the tenant structure is an abstraction layer on top of our accounts.

So what it allows a tenant admin to do or an API key of that tenant admin is to create those accounts from scratch.

Within that account, they can then provision the various products that they might need, you know, websites and zones, or workers or Zero Trust policies, and then ultimately provide access to those accounts for the individual users that might need to do work within those accounts and on those resources, or multiple since we do support role based access control.

So in the diagram here, you know, we see that there's two different admins of the different accounts, but you still might have someone coming in exploring the analytics of both accounts or for maintaining them.

So where this platform comes into play is allowing those partners to have a scaled solution for creating accounts and creating those subscriptions.

And this becomes vital for allowing the partners to provide our services within the platform or the UI that they're already providing today.

So what we're really talking about today is the extension of that platform in partnership with our gateway product for allowing a parent child configuration.

So what that means is within an account, or you can now have accounts that reference a parent account, and reference the configuration within that parent account.

And this is vital for MSPs, as well as other platform partners that need to have some level of global rule sets.

What we've seen commonly is the need for an MSP to be able to institute corporate policies, corporate security rules across the entire company, while still allowing an individual business unit or an individual account or set of accounts, the room to customize or adjust the things that they're blocking or their policies and locations at that individual level.

So this allows the best of both worlds, that corporate governance that can apply to an entire company, as well as the individual customizations that exist at each business unit.

So that parent child capability is what allows or is now our new feature that allows these platform partners and MSP partners to better control and manage configurations at scale for their customers that they're working with.

And with that, I'll hand it over to back to you to kind of discuss the new policy features that we built in onto that parent account system.

Sure, yeah. So as Dan said, we instituted basically a parent child structure.

So you could have a single account within all of your tenant managed accounts.

And for MSPs, this is great, because if they're rolling out, say, a managed service for their child account users, so that could be any business they bring on, or as we'll dive into the cases later on here, even agencies that they bring on, they can have certain things at the very top layer.

So typical policies that we tend to see that these parent accounts configure are things like block malware, block DNS tunneling, block spyware.

And that basically sets all of your child accounts up for these to be blocked against the security threats on the Internet.

Now, each of these child accounts then has their own set of policies.

So they can go things and configure things that are wholly relevant to them.

So if they would choose to, say, block social media for their entire company or agency, then they can add that policy in and any DNS query that is sent to their DNS endpoints will essentially go through this parent policies first, if it passes, or is allowed by essentially all of those policies, then it starts to go through their policies in their account.

So then say it's a social media site would be blocked.

But if it wasn't, it would also be allowed if there are no other matching policies.

And essentially, they're able to have that control over their local user.

Now, what's also nice about this is all the logs are still separated by account.

So each account can send out their own logs to their own kind of security desks to monitor.

And then also at the parent level, if they are managing the logs for say, their child accounts, instead of having to configure a tap or a log post shop for each individual child account, they can just configure a single log post shop at the parent level account.

So then they're able to get the logs of all the child accounts.

This essentially eases the administration burden for MSPs when they're rolling out a structure like this.

Some additional features that we added here to were to essentially allow parents to allow child accounts to bypass a policy.

And an example of this is essentially, we had a domain that was actually triggering a false positive in our malware category.

So typically, when a false positive occurs, our customer will send us a request through our API to say, hey, we want you to update this category, we'll go to our security team, we'll look at it, and we'll resolve it.

But typically, it's up to the MSP of which course of action they want to take.

And so it's their child account usually reporting, hey, I'm viewing this false positive, and then the MSP doing two things.

So one is informing us to update the category, and then two, they can enable bypass on that policy.

So basically, it allows that child account to be able to kind of create a rule that bypasses that MSP policy or that parent level policy.

So this is fully controlled by our API. So then, however, they choose to service this within their UI or what restrictions they put on this.

So essentially, hey, I only want to allow customers or my child accounts to bypass this parent policy with only using X, Y, and Z selector, they can choose to do that.

So they can also limit the amount of choices that work together. So we'll dive a little bit more into that as we kind of get into the examples.

And then the last thing I want to mention here is we have this concept of dedicated IPv4 resolver IPs.

So today, when you configure a gateway DNS account, you're given the same two general IPv4 addresses, and you have to enter in either your source IP or source network to be able to match the DNS query to a location in your account.

And that's how we can apply the correct DNS policies to your query.

Now, some customers want their own IPv4, one, because they either can't input in the source IP addresses because they're not static and fixed, or two, because they want their own kind of IP address.

And it makes also onboarding a lot easier for your child accounts, because it's easy to kind of share, hey, this is our IP, let us know your source IPs, and we can kind of configure this for you.

It's a it's kind of a big branding opportunity for them as well.

So we made it so whenever we add this customized dedicated IPv4 resolver IP to the parent account, that IP is now used throughout all the child accounts as well.

So all these child accounts don't have to have their own separate dedicated IPv4 DNS endpoints, they can just assume the parent one.

So it also, again, eases the burden of onboarding for MSPs and users. As I say, it has to make implementation just much more scalable to have those same IPs across all of the children.

And ultimately, not having to worry about that as an additional operational cost when you're managing those each of those accounts.

Exactly. All right. And with that, we'll kind of pivot a little bit into some of the use cases, some of the customers live that we've seen both leveraging this new solution as well as having general integration with Cloudflare and our gateway and DNS filtering solution.

So with that, you know, first, I'd love to dive into the federal government one.

I think there's a fascinating space here where there's plenty of managed service providers providing dedicated services, they have cleared personnel, you know, plenty of experience working with public sector.

And, you know, one would be great to learn of one of our key examples that has come and been partnering with us for over a year now, integrating DNS filtering for their departments.

Would you like to get into that one first?

Sure. Yeah. Let's kind of walk through some of their challenges and then how we solve that problem.

So basically, when they started onboarding with us, or even just kind of testing first to kind of before they put this into production, they started using a single gateway account.

So they were essentially asking for, like, basically adding a longer list of policies.

So today, we offer 500 policies per account, but they're like, hey, can we add 1000?

Can we add 10,000?

So, you know, we started to look deeper into this of how else we could solve this, because essentially, they wanted to onboard every agency into a single account.

So they would add a DNS location for each agency, and then they would add policies against that location.

So then they would just have one single policy list for all agencies.

Now, I think we can all see how that can quickly become a giant administration burden, because having to look at, hey, policy number 13,000, and how that triggered maybe policy 12,000 for it, and having to troubleshoot that would be pretty difficult.

So that's how we kind of came up with the integration or better together, really, of the tenant platform.

So then we could split that out so that every agency can be within their own siloed tenant.

And then beyond that, it was essentially then creating this parent -child concept of policies.

So then they were able to have a centralized way to still apply their global policies they wanted to while still allowing agencies to apply their own.

So the two kind of large features we just discussed were really key to enabling AFS to provide this protective DNS service or size it in the federal government.

And yeah, I don't know if we touched on that. So this was Cloudflare working with Accenture Federal Services.

We had won the deal together to support and defend some of the Department of Homeland Security.

So this is all civilian federal agencies.

So this, in conjunction with a integrated or singular user interface that Accenture Federal was already providing to these departments, were able to integrate using the tenant platform and our gateway solution for all of these individual departments.

And they're continuing to onboard these departments over time, leveraging these two solutions.

Ultimately, a very good use case that highlights both the integration with a managed service provider, a managed security provider in Accenture Federal, as well as dealing with a lot of the unique use cases within a public sector space, and particularly for the Department of Homeland Security and cybersecurity.

Yep. So yeah, with that, I'm happy to pivot to kind of the next major platform partner that is integrated DNS filtering with us.

Yeah, and I can take that one. So Malwarebytes is the next managed service provider we work with here.

So Malwarebytes provides security services to tons of individual users, small businesses, and kind of growing up that stack as well.

So typically, they buy per user or per device.

So when looking at our Cloudflare DNS or Cloudflare Zero Trust Platform, they saw essentially DNS filtering could be a great value add to their services that they offer today.

So essentially, they wanted a way to identify each device, and then also be able to apply policies to each individual device.

So for that, we worked with them to essentially create a unique token per device that their central platform would reach out to Cloudflare and obtain that token and then push that down to the end user device.

So then with every DNS query that was sent over DOH, they would send that token.

So then we could, one, identify the device, apply the correct policies, and then Malwarebytes could control essentially who or which users had access to this DNS filtering capability.

So kind of really key to this was being able to integrate seamlessly into Malwarebytes' existing security services without having them to kind of refactor anything they were doing.

So because we're able to kind of fit seamlessly in there, this has been kind of a great partnership between our two companies, and they're continuing to onboard devices week over week.


Yeah, that's another amazing example. And I know as we near the end of time here, we have a smaller one that would basically a sneak peek that I'm guessing we'll talk about in a lot greater detail later this year.

But I'd love to kind of tell the audience about a large ISP we've begun discussions with and how much you are comfortable sharing on that use case.

Yeah, so recently we started to work with a very large global ISP to do something similar to what I just spoke about with Malwarebytes, which is essentially they offer security services for, in their case, for individual families, and they would like to integrate our DNS filtering and DNS policies for those families.

So we're working with them to put a service into production later this year, and we'll have more details to share, and at least we can be more descriptive of what we're doing here later in the year.

But we're really excited for this. And one of the kind of keys to this implementation is being able to support this for well over 1 million accounts.

So this is truly taking that tenant platform integration that we built and stretching it to a very large number of accounts.

And this is also just the initial set of first 1 million accounts.

So we're excited to, one, share more details with you later this year on this, and two, to honestly see this grow.

So yeah, definitely an exciting opportunity there, and it'll be great to see as it develops and as we continue to work through the integration and onboarding of that partner, you know, how well we'll continue to scale and evolve both DNS filtering as a whole and the tenant partner platform as a whole.

Yeah. And we're glad to kind of share these features with you and excited to see, you know, what's next here.

Awesome. So hopefully one thing those use cases highlight is the ability to work with DNS filtering at scale.

So Cloudflare was built for scale, and the way we've managed our network, the way we are distributed across the globe, I think we're 275 cities or more.

And what this means is for DNS filtering and other Zero Trust solutions, we're never slowing you down as you're connecting to one of those global pops.

And we're able to provide that scale, not only at the solution level, handling all those requests, but at the administrative level as well, making it easy for large customers that are managing multiple accounts or business units or large partners that are managing multiple customers that are managing multiple accounts to do that as straightforward and seamless of a way as possible.

That's my core goal for 2023.

And with that, you know, happy to take any closing thoughts you might have on where DNS filtering and gateway are going this year.

Yeah, for sure.

Basically, with Cloudflare gateway, we want to actually dive deeper into our proxy services.

So we want to start offering additional features there. And then on the DNS side, we really want to make policy management a lot easier.

So we want to start servicing a lot of features that allow administrators to essentially create different rule groupings, policy profiles, basically things that just make their lives easier.

And on the partner platform side, we actually released version one of UI for our partner platform.

So it's been working very well for API integrations.

And that's been its primary use. But as we work with more MSPs, ultimately, they're leveraging our dashboard to build and administer many of these accounts.

And so ultimately, version one has been completed, and we're moving forward for version two throughout 2023.

So with that, I want to thank everyone for catching us live or catching one of the reruns.

And I'm happy to wish everyone a happy Friday.

Happy Friday, all.

Thumbnail image for video "CIO Week"

CIO Week
Relive the exciting announcements from CIO Week! Check out the CIO Week Hub to find all of our announcements and blog posts!
Watch more episodes