Cloudflare for HR Tech
Cloudflare has an interactive Hiring Dashboard on the People Team that sits behind Cloudflare Access. This segment will demonstrate how we integrated Access login credentials deep within our custom data app, enabling us to render dynamic dashboards tailored to the user.
Hi everyone, my name is Boris Yanovsky and I work in people analytics on Cloudflare's people team, and welcome to another installment of Cloudflare for HR Tech.
So this will be a follow-up; we're going to kind of build on some concepts that I shared in the last segment, which talked about how to build secure dashboards and put them behind Cloudflare Access, which is a Cloudflare product that we use internally on the people team.
So I kind of showcased, I guess, some best practices and some use cases of how we secured our data dashboards behind Access on the people team, and this time around I actually wanted to dig a little bit deeper and talk a little bit more about some more advanced use cases of how you can basically leverage Access in a little bit more of an advanced way, so that you can share dashboards that are more custom and tailored to specific users based on their credentials and their logins through Access.
So we'll talk a little bit about that. This is going to be more of a case study instead of kind of like a how-to.
If you're interested in how to actually get this done I do have a website landing page that I created where you can find some resources and it is at hrtech.cf.
I'll have some links here to the site in a little bit but I wanted to just basically talk at more of a high level here and just kind of give you a conceptual review of how we went about this and some of the problems that we ended up solving which enabled us to basically evolve and elevate our analytics on the people team and share data broadly but also share it securely so that the decision makers that we need to make you know have basically important context for making decisions around the data would actually have access to it and then people that don't need the data would be restricted from that access.
So here's a little overview of how plots and dashboards typically look and I know this meme sometimes is used as a satire for the highest level of achievement here in the Galaxy brain but I actually think this part this flowchart sort of kind of makes sense to me in a data evolution or a dashboard evolution process.
So you first get your plot on your local machine and it looks great.
It's a static graph, called a PNG, whatever you want, however you want to save it. You can send it in an email and you can share it with people, you can print it, you can screenshot it, do whatever you want with it. It's great, but it's static. I mean, I think that stuff's very useful and you can make it very pretty if you have an eye for design and you're, you know, able to format all of these different visuals. Great, that's very useful still.
Next step is, and we actually get this ask a lot from stakeholders, dashboards. And, you know, dashboards can be defined in many different ways, but really the way that I think about it is a dashboard is just a collection of different plots and different metrics that are kind of all in one page, on like the same landing page, so they can have multiple PNGs, for example. So great, now you've made, you know, 20 PNGs and then you put them on this dashboard and everybody can have access to an overwhelming amount of data. So sometimes the data can be just a little bit too much, you can go overboard with these, but if that's what you choose to do, great, you still have data at somebody's fingertips.
The problem again is that it's static, so you can't really share this. You can make live dashboards and put them on the server, so that is the part that I talked about in the last segment, about how to take these dashboards and then essentially share them on a domain, well, on a server, and then share them through a domain where people can access them.
One of the risks here is security because now you're actually exposing this data to all of the Internet so you want to make sure to go through very deliberate processes to actually not expose it and only show it internally and I talked about that in the last segment so for all the fans that tuned in for the last one thanks for tuning in if you haven't you can go back I think some of them are playing on repeat and I do believe we'll actually have these for kind of on-demand streaming and I'm not sure what the timeline is but you can go back and keep checking on Cloudflare.tv to see when we're actually going to put those on there.
So once you get this dashboard live on a server it can be very sleek and very powerful because it can be dynamic. You know, people can filter data, they can go to your URL, and you can design it however you want. Again, if you have an eye for design, if you know a little bit of HTML or CSS, you can really do a lot here and really make it powerful.
Now that is where Cloudflare Access comes in, because we can essentially block off access to this URL, to this domain, to only people who you would like to restrict it to. You can be as granular as, for example, locking it down to just specific email addresses, or you can be as broad as saying only lock it down to, let's say, IPs from certain countries or certain regions, or let's say domains from certain companies and certain emails, like let's say you want to only restrict it to google.com, to gmail.com, so you can do that as well. So essentially this kind of acts as a replacement for your VPN, and it's instant because it sits at the application level, so you don't have to log into any VPN to get into it. It's right in front of the application, and all you need to do is just have your identity provider that logs in through it, and it can verify that that is indeed your email and that is indeed your identity, and it lets you into the dashboard.
So what I'll talk about here today, though, is something that takes us a little bit deeper, to the next level: not only is it showing you live dashboards, but it would also show you custom and secure dashboards based on who the user is.
So because we will be using Access on these dashboards, one powerful thing from this is that we are able to consume a JSON Web Token that actually has a lot of useful information from the user who logs in, and we're able to use that web token to decode it, take the information of the user, find out who the user is, and then render a custom dashboard that is tailored to that user and to whatever security group you want them to be in. Whether it's a security group that you want them in, or whether it's a specific user who you just want to give special access to, or vice versa, if it's a user who you don't want access to, but maybe you want to let them into the actual dashboard but, let's say, only want to show them a few of the plots, so you don't want to restrict access to the entire thing, to the entire domain, but you want to restrict access to a couple of different elements in there, and maybe even furthermore, let's say you just want to filter it down to specific people based on who logs in.
So the first two kind of parts here of the galaxy brain, you got the plot PNG, the dashboard. You know, these are usually done on your local machine, you can do them on your desktop, you can use any application, any language that you want.
I will be talking in terms of the R language and using Shiny specifically for the dashboarding.
Shiny is a package in R that lets you build interactive dashboards.
And then these live dashboards that I talked about in my previous segment, they're very similar to the previous dashboard, but it's something that you can actually share with an audience.
They're built on a virtual machine typically, and then they are delivered through either some kind of an internal domain or an IP address. I wouldn't recommend that, but if you want to keep it internal you can potentially do that as well.
And then here is the ultimate galaxy brain of course we have a secured customized dash and I'll show you kind of at a high level of what that looks like in a second here.
So a quick review of the previous segment.
I think this is helpful to understand the kind of foundational work that's needed before you can actually get to this next level of the evolution into the galaxy brain.
So you first have to have some kind of a virtual machine, whether it's on GCS, Azure, DigitalOcean. You need to install your environment on there, so whether you use Docker, whether you're just installing R Shiny or RStudio or whatever it is, then you can build your R Shiny app on that virtual machine.
You build it on there you can test it you can you know basically troubleshoot it do whatever you need and then you can share that with others internally.
So when you share them with others, this is a step where you have to be careful, because this is where you can actually expose it to the entire Internet. So before sharing it with others, make sure that the domain that you're sharing through is behind Cloudflare, first of all behind Cloudflare Access, but also that your origin server is locked down to only allow certain IP addresses, potentially, let's say, from within your domain if you have secure data on there. And in the case of the people team, in the case of any kind of company data or really any data that you work with, I mean, you really just should be careful and, I guess, treat this as kind of a Zero Trust security model: that any individual that logs in, it doesn't matter from what domain, from what organization, whether it's within your organization or whether it's somebody that's external, you have to treat each user as a potential threat, because you know that you really can't verify what the user is. And then after you secure the app you can share the profit, so that's when kind of the magic, I guess, happens, that's when the payout happens, is when you actually share the app out with people. They can log in, they can use it and potentially make decisions from the important data that you share, and, you know, now great, you've enabled a bunch of people to make some very powerful data-driven decisions.
So if you want to review this, like I said, you can go to hrtech.cf, and it actually will ask you to verify through Access so you can see how that workflow functions too, if you're interested. And I have a bunch of resources on there, I have a demo app on there that you can check out.
So our use case here in today's case study is that we have Access set up, we're restricting access to specific individuals, let's say it's people from Cloudflare.com or yourorganization.org or acme.com, whatever, any company. Let's say that you have access restricted just to those individuals, and let's say you also have access for partners outside of your organization.
The nice thing about Cloudflare is that we use different methods of identity management and single sign-on, so you can use things like Google, I think, well, you can authenticate through Google, you can authenticate through Okta, you can use LinkedIn, you can use Facebook, you can even just use a token that it sends to any email address that is in the list. It checks the email against the verified email address list that you can upload for verified users, and it will send a token, a login code, that you can then use.