Cloudflare for HR Tech

Hi everyone, welcome to Cloudflare TV. I'm Boris Yanovsky and I'm glad that you're joining the session for the next 30 minutes with me.

Thanks to Michael and Matt for the previous session.

So for the next 30 minutes what I wanted to talk to you about was kind of share a solution that we came up with internally on our people team where we got to use actual Cloudflare products to you know secure our HR data and be able to share it with people who we care about that who wanted to see it.

So this you know this presentation is titled Cloudflare for HR tech how to guide for securely sharing your HR dashboards but this can really be applied to any other setting where you are trying to share something on a yeah whether it's an app on your website whether it's a dashboard or whether it's some kind of a service that you don't really want to expose to the whole Internet that you know something that you want to share broadly beyond just your personal laptop but it has sensitive data so I think you know HR data is one really great example of this because while we do want to share things internally with the right audiences you don't necessarily or you don't at all actually want to expose this to anybody else.

So I will walk you through some of the kind of like not so technical but slightly technical steps of how this this was done and just just you know just to kind of get like set the stage here just to be up front is I'm not that technical so some of this stuff wasn't really that hard to do so I actually want to show you how easy it is to implement some of these things at kind of a very high level.

There's like more detailed guides that I can link to to kind of give you just more resources I guess for the future that you can go in and actually get this done yourself but I will show you how to you know there will be a little bit of code in here but it's mainly just for mainly sorry mainly just for showing you kind of like the actual process like you don't actually have to like write any of the code there's a lot of references and resources that I'll share with you pretty soon here so that said let's begin let's talk about how to actually get this done.

So typically in whether whether you're in the HR setting whether you're in marketing analytics whether you're in any kind of other analytics or data science a common workflow that I have seen and I have done before is that somebody asks you to build a let's say a kind of a self-serving dashboard whether it's a graph an application somebody can go into and explore data or just your typical traditional dashboard that has a usually a data scientist or an analyst will try to solution for this by turning to some kind of a scripting language in my case I use R a lot so I would probably turn to like R shiny and build a dashboard in there I'd build it on my local machine because that's easy to do and that's basically just kind of like first I would say that just like the first thing that comes to my mind let's just build it on my machine and then figure out how to share it later maybe I'll get to explore data on my own and build this very nice pretty interface great once you do that what are the next steps actually I do apologize I think I have a cat in the background who's screaming so it's a little house panther so if you hear that noise just ignore it no big deal um so when you build it on your local machine it's it works great it looks amazing but you're kind of limited with what you can do with it sure you can explore data on your own maybe you can have somebody look over your shoulder and show them how to break things down how to drill down into certain pieces of information how to slice and cut the data all that stuff but there's not much you can do this is essentially an exercise in futility it's not going to get you anywhere and a better solution would be to first acquire a virtual machine then you can build our shiny app or any other application on there on a virtual machine then you share the our shiny app with other people and profit great right success now people are able to access your application it looks wonderful everybody can see it you can send it to anybody people are using it making decisions based on it everything's amazing right well not exactly because now you expose your application to the whole to all of it the Internet so sure you can share your application but you can also share with everybody else so somebody knows your ip address or somebody knows your url or domain that you're using they'll be able to find it and get into it and see what everybody else is seeing now that doesn't necessarily mean that they can actually get into your origin server or get into the underlying data but they can at least see the like the y the application and have as much access as your users would internally in the company not great right that's not exactly what you want a more practical approach so probably the best approach you can take here is that you would add an extra step um it'd be the step four here secure your app and this is basically what we'll focus on today is you know i'll show i'll have a bunch of resources for you on how to acquire the machine the virtual machine how to build a shiny app how to share it and you know i'm not going to spend too much time talking about that here that's a little more technical and that can be up to you to determine how much you want to dive into that there's a whole community about around art and around shiny around our studio um if you haven't heard of it um there is definitely a rabbit hole you can go down there's a lot of stack overflow stack exchange um very kind of i would say loyal loyal fans of it um so you can get into that yourself but i'll share resources with you and all of the demos actually that i'm going to be showing you um um they will be available on hrtech.cf so i set up a just a demo landing page website and i use all of the things we're going to use here today for it so i use Cloudflare access uh to secure everything and i use um our shiny to build a sample app on there and it was pretty straightforward um pretty really kind of easy to do actually so um let's just let's walk through and give you a high level overview and if you you know if this is something that is just like too technical or it's kind of hard to follow don't worry because you can still go to this hrtech.cf and click through the references you'll get an idea of some of the terms you can search to get more kind of training and knowledge around some of these things um this is supposed to be kind of more of a high level and then in the end i will actually show you um the cool portion of this and this is that would be how to configure all of this stuff in Cloudflare um and the best thing about this i think in my my opinion is that actually i was using i think the free service um and i was able to set up all of these things that we are um that i'll show you today on the free account okay so let's jump in actually you know what before we get in um let me show you this site real quick just so i can you can orient yourself so if you're on if you're following along um and you just want to go to the site and just click through the links yourself this is what it looks like it's just very straightforward it's supposed to be just like a um basically like a landing page for information um just do the data dump of everything in here um put a bunch of different steps that will go through like acquiring the virtual machine building the app sharing the app securing it and then the actual sample app right here so the typical workflow like i talked about um you build your shiny app on a local machine nothing happens so here is our studio again you don't have to really know this for those of you that are familiar with it um you might be aware of different ui server and global um scripts that you can set up here so this is my very basic application um it's a what you some might call a dashboard i just have a bunch of fake data in here it's on my local machine i run it great it looks fine you know you can make it as pretty as you want i didn't spend too much time on this but cool like you actually can you know throw down into things um you can look into different headcounts uh you have different sub tabs here wow that's you know interesting uh but like i said this is on your local machine so you can see the local host on here you can't share it with anybody so this is nice to show off but not really not really practical so what can we do well instead of just building an analytical machine the first thing we can do is we need to get a virtual machine now in my example i used digital ocean and i just created a very standard droplet um that isn't i think it's like the the least powerful machine on there i want to say it was like five or ten bucks a month for it um it's you don't really need a lot for something like this i mean if you're maybe running a lot of applications and you are doing pretty huge data pools on your virtual machine you might reconsider and figure out what other kind of droplet you might need but for this case i just needed the very basic one um your organization might also already have a service a cloud service provider that they're using um there's a lot out there a lot of big ones a lot of big names that you might already have be familiar with um or your organization might already actually have set up so you might actually be using them yourself and if that's the case then you know talk to somebody in your in your um it department potentially and see if you can set up a virtual machine in that environment um on that on those instances so once you set that up essentially like the way that i think about is that the virtual machine basically becomes your computer is the same as what you were doing on your local machine except now that you have this ip address that can be connected to the Internet and you can set up different software different programs on there that you need um in order to run the services that we'll talk about so the rshiny application for example okay so next step here would be to build your rshiny app on a virtual machine conceptually it's the same process as building it on your local machine um i would say practically it involves a little bit more work because you actually have to set up some configurations on the front end to make sure that the virtual machine and you know rshiny or again whatever framework you use uh whether it's javascript python you know just to make sure that the virtual machine or make sure that those configurations and those languages and those applications work on a virtual machine there are many great resources for this i have one here on the website um under step two so this is a good resource over here on how to configure your um your virtual machine and you typically you have to probably log into um ssh in the machine and then work through terminal but other people might have better workflows again i'm not an engineer so i you know don't claim to know how to do this the right way i kind of just like pack this together uh based on different guides so i think if i could do it you could you could do it too but there's also experts in this area who have a probably better workflow a better um advice on how this can be done okay we have our shiny application built in the virtual machine um we can run it internally and it looks great it looks the same as what i just showed you on my local machine so now let's let's share it let's share it with a with the audience that we care about so in order to share it you have to actually have a website to share it on um so you first have to acquire a domain name in my case i ended up going with this hrtech.cf um i just came up with the name because it was available it's really no meaning um and i got it on freenum uh you can i would recommend if you're actually using this for either like a business or even a side project or especially organization um i would use like a paid service um that's a little bit more reliable and secure i'm not sure about the security of freedom but it's good for just projects so anyways that's why i have this landing page to just kind of show you um how practically how this can be how this can be accomplished so once get the domain name um and actually so one more comment i want to make is that your organization might already have a domain that they use for either applications dashboards or whatever internal purposes um so if they they have one you might want to see if you can get a subdomain from them that you can put these applications on once you do that um you can either put your domain or your subdomain on Cloudflare i'm not going to talk about that here it's actually very straightforward um ton of resources out there for it um i think i have a link in there too if not a simple google search or just going to Cloudflare will give you um a very simple walkthrough about how to um how to point your name servers to Cloudflare and then how to connect your ip address so that your website routes through Cloudflare and one of the final steps and this is again more technical i just wanted to mention it i'm not going to talk about the details here but you would need to install a virtual server on your uh droplets or on your virtual machine um digital ocean calls and droplets that actually takes the content that you will create whether it's a static websites like an index.html or whatever or whether it's your application it actually has to take that content and serve it onto the domain onto the ip address and there are free open source servers out there like nginx for example there's other ones too i think you can use apache not not an experience area but um there's simple walkthroughs for it and one thing i'll mention that when you're building this out um you will so all of the so the server the content and your websites your application these will all be um obviously on the same uh droplet so they'll all be on the same ip address that you just set up on digital ocean or you set up on gcp or whatever service you're using and then you will have to ssh into this in order to do work within the server because you'll have to make sure that you know the files are in the right folders and any edits that are made are updated in the actual um droplet there are when you look through this resource right here um under step two on how to set up our shining our studio virtual machine it also includes this kind of these walkthroughs about how to access your virtual machine um how to save files in there how to move files around if you've never woken the terminal before it's it's a little different but it's pretty straightforward there are basic commands that you can learn um that copy files that move files over so there's definitely again resources on that kind of stuff okay great so we have our application built and we have connected it to a url on our website um and people are able to access this that's good right again we need to secure it now so if you are not securing these kinds of applications um behind whether it's vpn well the idea behind platform access is this is kind of supposed to replace the vpn but whether it's vpn whether it's access whether it's any kind of like sso sign on um i can't make you do things but if there was one thing i could make you do would be do this this is extremely important um you know we the idea behind access is kind of it's a it's a Zero Trust security policy where we check first to make sure that the people that are a venue to access it are the ones that legitimately have the rights to access this so you know don't trust the open Internet don't put this out there um secure this first and only specify access to the people that need the access so in order to do that um let me first show you the application and where it sits so under hr tech there is a link here on the bottom where you can access the demo right here and there it is this is the same one that we saw on my local machine right now it's just under this url and right now it's exposed so it works it's great but everybody can see it um you know it's your typical typical dashboard you can interact with it so i won't spend too much time on this but yes this is this is where it would sit so let's go ahead and secure it um so first step in securing it is setting up Cloudflare access so this is kind of i think this is kind of the fun part actually um because this and here we'll go into our Cloudflare dashboard and i'll show you some of the features that are pretty pretty easy to use and um for me it took me a second to to kind of figure out and learn some of these some of these terms you know i you know again i said i'm not an engineer i'm not a web developer i know how to use the Internet i don't know how the Internet works necessarily um but i think that's a testament to how this is explained in here um in pretty straightforward way and also how the workflow that i can show you here um with the ui that you can manipulate and some of the features and some of the options you can turn on um how you can test them live and see if they work because they instantly um activate i think that's like a really cool feature i mean you can also access this through the api back end i haven't gotten to that stage yet um i'm sure that's a little bit more efficient but i think this is kind of easier to at least um communicate and explain so let's walk through this so we have our hrtech.cf um we have our application that sits at hrtech.cf slash dash slash tv demo let's say we wanted to um secure the entire website let's say this website is an internal website and we want only people at our company to access it because right now it's only it's open to the whole Internet so let's just start there let's start broadly what you would do is you would go to access and you would set up your policy so there's a couple things a couple links in here but one of main ones that you want to look into is um access policy so create your access policy let's call this entire org so this is just for our org and domain we're going to use here is hrtech.cf because this is the one that we want to block from all of the Internet besides internal people um don't worry about the session duration for now let's call this policy allow internal and what we do is decision here is to allow emails and there's a bunch of different options here you can use um i will go with emails ending in and let's say that we only want people from Cloudflare to access this so email is ending at Cloudflare.com great and then i'm going to create another one for the the www version of this okay um entire org allow and then email is ending in Cloudflare again perfect great so the access policy is now in effect and when we go to hrtech.cf now you can see that it is blocked and it will only restrict access to people who have the email address that matches my rules and the reason that it knows that it matches the rules is because you have to type in the address here so let's do my Cloudflare.com address and it sends you a token or a code that you can use to log in if i were to type in another email address like my gmail account for example um it would it checks it against the list and it just wouldn't send a token it wouldn't send the link so you can type in any email address in there you want but you will only get it if you're on list so i got it on my phone um through my email so i'm just going to type it in here and we're in great so now we're here um now we have this set up for the entire org right let's say that we wanted to set up the dashboard only for me let's say um in reality you probably do this for maybe maybe your leaders maybe your executive team maybe managers it depends it depends on what you're doing um and what the purpose of this is let's say that for this purpose we want to have a specific policy just for the dash um url so we do create access policy create a new one and we'll call this one dash and we will put in dash into here so everything after and the reason i'm doing this because if you look at the url here it's a dash slash tv demo so you know what we'll actually use all of this because we don't want everything in dash blocked we just want the tv demo blocked because this is the very specific one that we are that we care about so we put this in here um allow let's call this allow tv demo and allow emails let's do a specific one and let's just do my email save this great um i will create another policy for the www version of this okay and let's do wow i know i'm not consistent with my names but you get the idea okay so now we have the access set up and if we go to websites it actually does take me in and this is because um i already had a token that is saved on here because i submitted it um um so yeah it's not it's not showing because i haven't reset it um but when i typed in my my email address for boris at clothler.com um i had already submitted my token so it recognizes that and it knows that i have access to the dash um so this is i'm actually going to turn these off because we have two minutes left here and i want you all to have access to this um because right now i have it blocked for everybody who's not at Cloudflare.com so one other quick thing i did want to show you is that um for security you know we like to approach this as defense and depth and access is one step or kind of one layer of defense you can apply other layers to um you know you first of all like you actually should secure your origin server to only restrict non to restrict non-file for ip addresses um that's a whole different topic um then on kind of the client side you can use access for people to um restrict and block you know access to the website which is what i just talked about um additionally we can also set up a firewall setting um again this is kind of like cool because it provides multiple layers of security defense against your content so let's say that you want to set up a firewall rule um let's say you work at a company that is based in the u.s only and you only want us ip addresses um to access your website or your application so what you can do is you can actually create a firewall rule that lets you do just that um so there's a couple different options we can use here and it says when incoming requests match let's say country um is in let's say united states then you can have a couple different options here you can have them complete a javascript challenge a captcha allow or bypass something else um or you can block um i think in this case let's do is not in us and just completely block them so you can deploy this um i'm not going to because um again like i said yeah thank you for joining and next i will kick it off to todd roshani and jason from recruiting