Originally aired on May 28 @ 5:00 PM - 5:30 PM EDT
Welcome to Cloudflare CIO Week 2023!
This CIO Week we’ll demonstrate how Cloudflare is helping CIOs keep data, devices and employees both safe and fast across hybrid and remote environments. We’ll show how Cloudflare accelerates digital transformation and modernizes networking and security towards a Zero Trust model.
In this episode, tune in for a conversation with Cloudflare's Abhi Das, Kenny Johnson, and Michael Keane — joined by special guest Fernando Perez, Sr. Product Manager at Microsoft.
Tune in all week for more news, announcements, and thought-provoking discussions!
Read the blog post: For more, don't miss the Cloudflare CIO Week Hub Okay, so just as a quick set of intro, first we have Fernando Perez from Microsoft. He's a senior product manager from the Strategic Alliances team under the Microsoft Identity and Network Access division. Then we have Kenny next, who is a product manager at Cloudflare for the Cloudflare One and specifically Access product. Then we have Michael Keane, who is the senior product marketing manager at Cloudflare. And then we have myself, Abhi Das, part of the Special Projects team at Cloudflare. So just as a quick background on the companies, Cloudflare is fundamentally a network. We started building a network of data centers present in 250 plus cities around the globe. It brings together Zero Trust services, application services, network security services and developer services built on that edge. And it's also built using our own developer platform for unparalleled cost efficiency and piece of innovation. On the other hand, Microsoft, everyone knows Microsoft, but Microsoft Azure Active Directory is a part of Microsoft Enter product suite, which helps protect access to resources and data using strong authentication and risk based adaptive access policies without compromising the user experience. They provide a quick and easy sign in experience to keep your users productive, reduce time managing passwords and minimize friction. With Azure AD, you can ensure that only authorized users have access to apps and data for users and admins with efficient and automated identity governance. So what is the topic for today? As we all know, there's nothing has changed for the past three years in our life has been so static. We need some more adventure. So with that sarcasm, today's employees are highly mobile with no longer residing inside an office protected by a secure perimeter. The fundamental shift in where and how people work has caused enterprises to rethink the legacy tools like VPN or hardware boxes and has caused them to move away from traditional castle and moat approach to a more Zero Trust model of security. In this context, we are very excited today to announce four latest integrations that we planned with Microsoft Azure Active Directory. These integration combine the power of Cloudflare's expansive network and Zero Trust suit with the power of Microsoft Azure Active Directory to make joint customer more secure with ease of use. For the flow of content today, Michael will cover the Zero Trust aspect. Kenny will cover the Cloudflare one aspect and how Cloudflare one fits into Zero Trust. Fernando will cover Zero Trust from the Microsoft side. And Kenny will cover finally the integrations that we're launching today. And Fernando can jump in anytime. So Zero Trust is a term that was coined by Forrester sometime back. And just so that all of our viewers are sort of aware, let's clarify that first. So starting with Michael, Michael, why don't you kind of walk us through what is Zero Trust and why it is important? Why should the CIO think about and implement Zero Trust? Yeah, I think essentially this zero trust trend in the market really just means to not trust anything by default. And just I like to think of it as a nice little double check. Let's just verify everything first. I think never trust, always verify is probably the most common mantra that you hear out there. But what's funny is the the principles of this make a lot of sense. But some, you know, IT and security folks can reasonably so be a little a little detail oriented type folks. And sometimes they don't love that term. They think it's either overly negative, or they might say, oh, zero, you know, in security, you never really reach zero, you're never truly done. So some people don't like the term. And I think I encourage them to say, great, let's just reframe to something like security modernization, or any term you want. I think the the actual goal and outcomes we're going for here make a lot more sense than whatever words used to describe it, which really is moving away from what worked 20 years ago with just a hardware based or perimeter based model with everybody going to the big office building. And instead, just acknowledging our realities of this extremely distributed world where our applications and our employees and contractors and just overall users are located everywhere and all across the globe. And we need everything to work and stay secure and work quickly. And we're just in such a different world that the tools from 20 years ago are just not quite going to cut it. And there's a really common example that I think helps illustrate it. Some folks listening might have heard it before. So it can humor me just for a second here. But for those that haven't, hopefully that it helps illustrate it. And it's this idea of a castle and a moat, where the castle can kind of be thought of as our old office building, it has a moat around it protecting it from all the scary bad things that live on the outside. And that kind of is the perimeter firewall for maybe the enterprise office building from a few years back. And when someone from the outside needed to get in and be allowed permission into the castle and all the great things inside it, maybe a drawbridge opens up over that moat. And in that case, that could be a VPN in the analogy. And I think that the first challenge is that if something bad, if an attacker, so to speak, gets over the drawbridge into the castle, suddenly they have free reign to that whole castle and all the rooms inside of it. And that's similar to if an attacker happens to gain your password of a VPN, maybe it's not even protected by multi-factor authentication, they can get into that corporate network and start moving around. So the second practical challenge is that a lot of the rooms, so to speak, or the resources within our network, they're not in the castle anymore. They're not on premise, they might not even be in our data center. We're using SaaS tools more than ever, and we're moving to the cloud. And so increasingly, if the resources themselves aren't in the castle, then maybe the castle and its walls aren't the best framework for how we think about security. And then kind of on the other side, the resources are leaving the castle, but so are the users, so are employees, so are the people inside of it. And so when the resources and the users are no longer in the castle, then why would we focus on the castle at all? Why would we attempt to say that the perimeter walls are the right way to still think about security? So really, the core idea here, to move on from that analogy, is that in an intranet, it should not be based on physical walls or a physical firewall or any of this, but instead of a singular moat or a firewall, we should think about little tiny individual perimeters or moats around every single resource that we have. And whether you call it a microperimeter or a software -defined perimeter, a lot of different terms that might resonate. It's really just the idea of authenticating every single login and request every time to every resource that we have, verifying that continuously, you know, rooting it in identity, but also other kinds of context as well that we'll probably mention in a second. And kind of the last thing I would say, for getting into more specifics on announcements today is that while a lot of products help achieve Zero Trust, it's important for organizations to realize that Zero Trust itself is just this abstract thing and this concept and this framework instead of principles. And there's so many products and solutions and ways of thinking to help you get there. And it's also just not a switch that someone flips and says they've achieved Zero Trust, but there's a slew of use cases based on what's important to every company that they're probably going to realistically tackle for many, many years to come. So with that, I think I'll pass it over to Kenny to talk more about the access side of things. Yeah, thank you, Michael. And I'm very excited to talk about the actual underlying products that power the movement away from the castle-in -moat approach. So the primary two products that we use in this situation are Cloudflare Access and Cloudflare Gateway. Cloudflare Access was actually born out of replacing our own VPN internally at Cloudflare. We had a number of homegrown and self-hosted applications that we needed to basically access securely without needing a VPN. So the way that Cloudflare Access works is you're able to put a username and password, single sign on login flow. One of the most common ways that this is done is using Azure Active Directory and enforcing that a user goes through an SSO-like experience when accessing self-hosted applications within your own infrastructure. So traditionally, instead of accessing over a VPN and looking at an IP address, now you're able to bring an identity component and move towards an application-driven approach where you're thinking about individual applications, not CIDR ranges or IP addresses or things like that that are difficult to understand and oftentimes lead to things slipping through the cracks. And really, the beauty of this is that instead of having to rely on your own private network, you're able to use Cloudflare's network and the broader public Internet to make these tools available while still enforcing a high level of control over which users are able to get access to those particular resources. The other component of this is Cloudflare Gateway, which is focused on controlling a user's outbound Internet traffic. So at a baseline, it protects the user from going to phishing links, known malware, things like that. But there's an added benefit in that you're also able to use the forward proxy capability of Cloudflare Gateway to route into things within your own infrastructure. These can be things that either can't be served over the public Internet, have to be on a private DNS record or private IP address, or they're a thick client or something like that that just can't run in a web browser. So similarly, the secure web gateway allows you to bake in identity based controls beyond what you would have with a VPN. So you're able to take signal from tools like Azure Active Directory before allowing a user to connect to a specific thick client or specific IP address or private DNS record. So we really give you a lot of tools to use the identity based signal of your user coming and accessing a resource. And we want to make it really easy and flexible to access various resources, whether or not they're publicly served over the Internet, or still hosted within your own infrastructure. And we're working really closely with the Microsoft team and the Azure Active Directory team to make sure that not only is this really easy to do, but we're also providing a world-class integration in terms of signal that's being shared back and forth, and making sure that configurability is really streamlined. So with that, we've got Fernando here today as a special guest speaker. I'm very excited to have him. Fernando, I'd love to kick off in terms of how you guys at Microsoft are thinking about Zero Trust in general, and where do you think Azure Active Directory fits into that story? Yeah, thanks for having me first of all, and I kind of agree with what you guys have been saying so far. We've been supporting at Microsoft that Zero Trust story for several years now, and if I hone in on what you and Michael have already mentioned already, we kind of recommend following three key principles that essentially translate into treating every access attempt as if they were coming from an untrusted place, be that a source, or a network, or a person. So the first one would be about verifying explicitly, meaning that you always verify that authentication authorization based on any data points that you have, be that the identity of the user, the location, the health of the device they're coming from, or the service they're trying to access, etc. Then the next one will be around using that least privilege access model. That means no standing access, and then you limit that to just-in-time or just -enough access using adaptive policies. And then the last one, very important as well, is to assume breach, assume that post-breach mentality. A couple of prominent cybersecurity figures made this quote very popular about 10 years ago, which is, there are two types of companies, those that know that they've been breached already, and those that don't know yet, but they have already been breached. And that principle is kind of the digital transformation of our security practice, as well as Microsoft, is about minimizing the blast radius of any potential breach with the likes of micro -segmentation, or end-to-end encryption, or monitoring continuously, and where possible, automating any detection of risks and the response to them as well, which is going to be very key when the minutes matter. Now, also echoing some of what Michael mentioned as well, we also recognize that there was a massive shift to remote work at the start of the pandemic in 2020. And we saw that companies that hadn't already adopted these Zero Trust principles or any associated technologies, or that were not on their way to doing that, they found it more challenging to support that remote work. And it wasn't just about the fact that users were outside the corporate network, those threats and risks we're talking about, they exist across all of the six foundational pillars of zero -trust, which are going to be identities, devices, data, applications, infrastructure, and the network. So when we think about Zero Trust and a strategy around it, we need to think about practically across all of those pillars and all those layers. Now, we often hear, where do you start? Again, we've got tons of resources around that, wouldn't need to throw at you, but like Michael said, there's no magic switch you just flip to turn on Zero Trust. It's an ongoing journey, and security professionals would probably want to begin small with baby steps. And then good news for you, it doesn't just end, it just continues, so we need to continue to iterate and improve. And there's just not one-size-fits-all approach that you follow. So I think the goal should be to aim for progress rather than perfection. That's what I would say. Now, can you ask about Azure Active Directory and where it fits in all this story? If you think about identities that represent people, services, or IoT devices, they're kind of a common denominator across some of these pillars that I just talked about, like endpoints or networks or applications. So for that reason alone, your Zero Trust security model needs to have identities at the forefront of that, right? They're very powerful, they're very flexible, they're very granular way to control access to the data. And they're also going to become a primary target for the attackers. So Azure Active Directory or Azure AD, I may refer to it at that, is going to be that central pivotal component to enable that strong authentication and those adaptive policies. And then just to call out maybe a couple of examples, and I know we're going to talk about some of the integrations that we're launching, but multi-factor authentication or MFA is part of Azure Active Directory. And just think about the following fact, just by enabling MFA, you can reduce the effectiveness of those attacks by 99%, so kind of a no -brainer there. And then conditional access, which we're going to talk about as well, they're going to be that policy decision point for your access to your resources. And they're going to be based on the user identity, those risks, that device health, et cetera, that we've been talking about, therefore verifying explicitly that access. Cool. Thank you, Fernando, for the background. And thank you, Michael, for giving the analogy, the castle and moat, I think it was very easily understandable and completely agree with the rooms are moving out of castles instead of flying everywhere. And thank you, Kenny, for the explanation about Cloud for Access. So since all the basics are kind of covered now, maybe we can dive deeper into the integrations. Kenny, do you want to sort of, you're the one who has been working hard from this room to get these integrations shipped. Do you want to walk us through what are the four integrations? And I'll share some of the diagrams for you to explain easier. Yeah, that's perfect. Thank you, Avi. And for the folks listening at home, we actually shipped this out onto the blog today, highlighting these in more detail. So if any of these do catch your interest, definitely check out blog.Cloudflare.com. You'll see it as one of the top blog posts there. If you want to find out any additional detail about these releases that have gone out today. So I'm very excited to dive in and talk about some of the different things that we're or that we're making possible now after working really closely with the Azure Active Directory team. The first one actually highlights a product I didn't even mention when I was talking through our security capabilities, and that's our remote browser isolation technology. I know some of you out there might roll your eyes when you hear remote browsing, but I promise ours is different. Please give it a try. We have a very novel way of being able to serve a remote browser where we're actually using native HTML commands instead of doing DOM manipulation or pixel pushing that have a lot of kind of broken page or bandwidth limitations. But what we're able to do with our remote browser isolation technology in conjunction with Azure Active Directory is we built an integration where we're able to query the Azure Active Directory Risky Users API, which basically the Risky Users API is a component that's within Azure Active Directory that allows you to flag users that have performed potentially risky activities. Fernando, I'm not sure if you know any of those signals off the top of your head, what would typically trigger a risky user? I've heard just a couple of them, like when users' credentials have been leaked, for example, on the dark web or when there's any anomalous logon type thing, like impossible travel time or signing from an anonymous location or an unusual location for that user or outside their usual working hours. So kind of user entity behavior analytics. That's great. And I think what's really powerful about that is you have Microsoft watching your back. They're combing the dark web. They're looking for individual information about your users and they're providing you signal instead of each individual company having to go try and craft that signal on their own. So what we're able to do with that Risky Users API is if a user gets flagged as potentially high risk, we're then able to create a policy via Cloudflare Gateway that automatically begins to isolate that user's traffic. So the Risky Users API says, hey, this user might have their credentials that have been stolen or they might be accessing from a weird place in the world. Let's by default put them into an isolated browsing session, which then allows you to do things like blocking keyboard input or just potentially protecting the user from any malicious code from getting executed on their device. So it provides you with a really strong level of control to kind of quarantine and isolate a potential user that has been flagged before any kind of bad action can be taken while you complete an investigation. So we're very excited about that one. The next one is a really powerful feature. So Azure Active Directory has this concept of what's called conditional access. And what conditional access allows you to do is create really granular policies based on the context that a user is attempting to log in with. Are they accessing from a compliant device? Are they using MFA? Things like that. You are now today able to create policies or tie your access applications to specific conditional access policies. So what this allows you to do is reference individual Azure Active Directory conditional access policies directly in Cloudflare Access, which gives you a lot of flexibility in terms of signal that you wouldn't necessarily have down in Cloudflare Access that's available from an Azure Active Directory standpoint. So you get a lot of flexibility with how you're able to enforce your conditional access policies for self-hosted applications. This is one we're really excited about. Another one that I'm even more excited about is we're really excited to announce support for SCIM starting today. SCIM stands for the System for Cross-Domain Identity Management. And what SCIM allows you to do is automatically synchronize user and group information from Azure AD out to any arbitrary system. But in this situation, it's being synchronized down to Cloudflare Zero Trust. And what that makes possible is you can automate your user deprovisioning. So in the case of needing to exit an employee from the business, whether or not they've been terminated or there's just a potential breach or something like that, once you deactivate that user in Azure Active Directory, that automatically pushes an alert to Cloudflare Access and Gateway to revoke that user's current session. So they will lose access to everything and then they'll have to go back through and re-authenticate if you ever did reissue them access directly in Azure Active Directory. The other component of this is from a group management perspective. So if a user gets added to an Azure Active Directory group or removed from an Azure Active Directory group, you can force that user to have to re-authenticate, which is really powerful in the sense of if you want to put them into a risky users group or you want to remove them from the developers group, you're basically able to allow or force the user to re-authenticate and prove they are who they say they are and that they have access to that particular application given that their group membership changes. Another kind of smaller piece that's powerful there is in your policy selectors now directly in Access and Gateway, you'll be able to see a full complete list of your Azure Active Directory identity provider groups, which is again really powerful and streamlines creating identity -based policies down in Cloudflare. And then the final one is we've announced support and the ability to work with the Azure Government Cloud. So you're now able to configure an Azure Active Directory integration that points to the Azure Government Cloud. So for either any government users out there or users who need to meet certain government compliance standards, you can now use Cloudflare Access and Cloudflare Gateway in conjunction with the Azure Government Cloud as well. Perfect. Thank you, Kenny, for kind of walking the audience through integrations, very clear from the images and all your hard work. Since Fernando is here anyway, and Fernando, you focus on the partner side of Microsoft, I was curious, maybe it would be helpful for you to put a little bit light on what is the partner focus at Microsoft and how do you look at partners and how Cloudflare fits into the Microsoft ecosystem? Yeah, big. So you've already heard from Kenny just now that we're looking to build on some of the integrations. I'm going to talk about maybe some of the existing ones that are out there for you guys to use. But we're looking to build more integrations with Cloudflare into other areas so we can offer them jointly to our customers. So it's important for us to work with partners, period. I mean, we know that customers adopt a variety of technologies based on their organization's requirements or budget or whatever decision was made previously. And we recognize that not all of them are going to be Microsoft, right? And that's fine. So in order for us to meet customers where they are in their security journey or their Zero Trust journey, we form what we call the Microsoft Intelligent Security Alliance, AMI, SA, or MISA, to acknowledge exactly that and to support security organizations that integrate strongly with Microsoft products. So maybe to talk a little bit more about some of the existing integrations, I've already talked about how Azure Active Directory is a key component in anyone's Zero Trust journey. When we talk about applications specifically, for example, Azure AD will simplify the way you manage and secure these applications. So you've got, as an admin, one identity system that you can then use to apply a strong authentication and single sign-on to all applications, regardless of where they are, be that cloud applications, on-prem, line of business applications. And with Azure AD, we support modern authentication protocols like SAML, WS Federation, OIDC, which is a great way for applications that sit in the cloud. However, we know that many important business applications still rely on legacy protocols because they were created a long time ago, just because that's the nature of the way they were created. And they were also perhaps designed to work in some of those corporate castles and moats that Kenny and Michael had been talking about. So our customers are wanting a way to be able to connect to all of their apps, regardless of whether they're legacy applications, on -prem, or not. So that's where we're talking about maybe a couple of other elements linked with Azure Active Directory. First of all is the Azure Active Directory application proxy that provides a secure remote access to some of those on-prem applications, typically web applications, without a VPN. And that's using the likes of Kerberos or header -based authentication for legacy applications. And then we've got a program called Secure Hybrid Access, where partners like Kloffler, in this case, have the opportunity to extend this capability further to other applications or legacy applications that use SSH, NTLM, LDAP, cookies, you name it. And by doing so, customers can consolidate their app management and security onto a single platform. And that helps, hopefully, enable to implement a Zero Trust principle, or those Zero Trust principles we talked about across their entire app portfolio, not just the cloud ones or the modern authentication protocol ones. So I'm excited that Kloffler is part of Mesa and that together we can support our customers with a Zero Trust journey with some of these integrations. Thank you, Fernando, for elaborating on that. And also for viewers, Kloffler is humbled and proud to win Microsoft Security Award last year, and we have a new one coming up this year as well. So looking forward to that as well. We have a little bit of time left, so quickly closing. Just wanted to mention we're just getting started. Look for a bunch of new integrations coming between Kloffler and Microsoft Zero Trust site over the next six to 12 months. Call to action, read the blog, go to blog .kloffler.com, read PR. And if you are already Kloffler Access and Azure AD customer, please try out this integration. And most importantly, if you have any other integration ideas, any other friction points, write to us. We have a feedback form linked in the blog right at the end. We'd love to hear from you. Our product roadmap is always changing. Your feedback is super valuable. So with that, I'll thank everyone in the panel and everyone in the audience. Great session. Thank you, everyone, for joining. more time focusing on the parts of their business that they love and less time worrying about scheduling software and payroll and other day-to-day administrative work. We want to protect customers from attacks that could hurt their business and their brand. At Mindbody, we're passionate about ensuring that our customers' data is secure. When we first approached Kloffler, we had a lot of different tools in our security stack, and there was a lot of management overhead associated with all that kind of complexity. I think at one point, we had four different WAFs, a separate tool for bot management, and two CDNs. And we basically managed to consolidate all of that into using just Kloffler without losing any of the functionality or any of the protections that we had in place. It was the kind of tool I could hand to junior analysts or senior engineers, and they would all know how to manage it pretty quickly. With our old environment, we were constantly fighting botnets and attempts to scrape our inventory, credential stuffing attacks. When we moved to Kloffler, we were able to mitigate a lot of these kinds of attacks much easier and more consistently. Using Kloffler bot management, we see a lot fewer false positives with actual valid end users using our application and being flagged as a bot. We've gone from dealing with several per day to only a few per week. With the Kloffler Access Solution, we are able to provide Zero Trust access to sensitive internal applications to contractors and third-party vendors. It puts our internal applications behind strong authentication protocols and allows us to ensure that only authorized users are able to even see the service. The health and wellness industry is only going to grow. I think mind-body is going to be part of that rising tide that floats all boats. Kloffler will help us scale and grow and secure all those services as the industry expands.