Device? Check. Identity? Check. Tanium + Cloudflare explained.
Presented by: Simon Steiner, Sam Rhea
Originally aired on April 5, 2021 @ 9:00 AM - 9:30 AM EDT
Your people have gone everywhere and your data has left the building; as global workforces become remote, your users (internal, external, every-ternal) are now hitting company resources from wherever they are in that moment. Zero trust architecture means ensuring every connection originates from trusted devices and verified users - and it's never been easier to enable. Simon Steiner (Cloudflare), Sam Rhea (Cloudflare) and our guest Matt Hastings (Director Product, Tanium) will discuss how Cloudflare and Tanium work together to provide defense-in-depth to internally-hosted applications, and why that matters in the remote-work era.
English
Authentication
Cloudflare Access
Transcript (Beta)
Good morning, good afternoon, and good evening, Sam. How are you? Simon, I'm well. How are you?
Good. So welcome everyone to Cloudflare TV. This is all new to us. We're a provider.
Matt's got a special guest, little cat in the background. Hey buddy.
Live TV. So just for introductions, my name is Simon Steiner and I'm responsible for technology partnerships at Cloudflare and I'll be your host for today.
In today's segment, we are going to talk about our newest technology partnership with Tanium, where we enable customers to combine device security with Cloudflare's Zero Trust network access security.
And if the audience is familiar with our blog, then you might've heard and read about this new partnership.
And if you're not, then the next 30 minutes are going to give you a good idea of what we're offering together.
So without further ado, Sam, Matt, do you want to, would you like to introduce yourselves as well?
Yeah, thanks Simon. Hey everybody.
Appreciate the opportunity to be here. So I guess first of all, when I'm not herding cats in my personal life, I work at Tanium as one of our product managers, specifically on the security portfolio.
So my role at Tanium is to really focus on the products and features that we build to help our enterprise customers better secure and manage their endpoints.
Cool. Sam? Thanks, Matt. And hi, everyone.
My name is Sam. On the Cloudflare side, I'm based here in our beautiful Lisbon office.
And at Cloudflare, I'm a product manager where I focus on our Cloudflare for Teams platform.
And I'm really excited to be here today to talk about the partnership between Cloudflare and Tanium.
And we're going to do two things during this session.
One, we're going to walk through how this works for our customers.
So the problem that we're solving with this partnership and how Tanium and Cloudflare for Teams can work together.
We're also going to highlight what it looks like when product teams from different companies collaborate on a release.
Because we think that's something that a lot of organizations can do to continue to build better products when you're working with the strengths of different organizations.
And it was, to be candid, a really fun experience for both sides.
And we want to walk through why that was a success. Yeah, thanks.
That's awesome. Good agenda for today. So I wanted to remind the audience that we're also taking questions.
If you do have questions, you can email to livestudio at Cloudflare.tv.
Again, that's livestudio at Cloudflare.tv. So yeah, to sort of kick this off, Matt, for the audience who might not be super familiar with Tanium, do you want to tell us a bit more about Tanium and what you guys do?
Yeah, for sure. So Tanium is an organization that provides instant visibility and control to endpoints and some of the largest and most heterogeneous environments in the world.
So as a quick example, our largest production customer has over 1 million managed devices on a single Tanium instance.
And what they're able to do with that and what all of our customers are really able to achieve is kind of endpoint management.
So ensuring all devices are configured, patched, up to date.
And therefore, from the security perspective, the attack surface is reduced.
And then apply their security settings in a very timely way. The way that we do this and what makes Tanium unique is that we don't rely on any kind of database structure or let's call it antiquated or outdated information when we want to get information about your environment.
With Tanium, you can ask any question and get any answer back in 15 seconds and then use that information to enact action.
And we see in today's attack landscape that attackers are using techniques and moving laterally through environments faster than ever.
And organizations need that same speed and scalability when they look to respond.
That's also something that we brought to this Cloudflare partnership.
So when we talked about how we wanted to put this thing together, you know, ensuring that we were delivering accurate and real-time data to the Cloudflare team was kind of one of the first things that we discussed.
And we'll get into this later in the session.
Cool. That's awesome. Thanks for the overview. And Sam, so what you all might not know about Sam, Sam's a product manager, but he's also a storyteller.
So Sam, do you want to maybe give us a bit of the story about Cloudflare for Teams and Access specifically?
I do. We launched Cloudflare for Teams in January. Cloudflare, though, since its founding has been really obsessed with using our network to make things faster and safer on the Internet.
And we built out that network to do that for the web properties and APIs and websites that serve some of the largest Internet properties in the world.
And we make that performant and secure through data centers in over 200 cities around the world.
But we managed all of that.
And this kind of came to a point of frustration a few years ago. We were managing that network and how our team worked together with a small private network constrained by a physical appliance in headquarters.
And that just didn't feel right for a handful of reasons.
One is that from a security perspective, private networks typically grant too much access to users.
So if you're on a private network, it's like being inside an apartment building and being able to walk into any given apartment unit, unless you build really specific rules about who's able to reach what.
And those rules can be hard to build.
Most deployments just default to let people kind of traverse the private network, whether or not they should be able to.
And the other challenge with private networks is really just the backhaul and the latency that that introduces.
And that manifests itself in a number of different pain points for what was at the time our own team and now customers.
Whether that's a growing organization around the world where everyone is constrained by a physical appliance in a central location, maybe across the ocean, or that's just the challenge of being a remote or distributed user and connecting from devices on which a VPN client becomes really difficult to use.
And that drives up IT help desk tickets and cost to maintain and cost to own these solutions.
So a few years ago, we took a look at what we could do by applying Cloudflare's network, that same network, those same data centers that protect public facing websites and Internet properties, and bringing that into a model, in this case, a Zero Trust model, where you're connecting to the resources that your organization controls, the resources that used to live on that VPN.
But instead of relying on an IP allow list or a clunky VPN client, you're logging in with your SSO.
We're taking Cloudflare's network and introducing identity into it so that you can build really granular policies about who's able to reach what.
And in January, we announced Cloudflare for Teams, a platform that combines this VPN replacement, this Zero Trust technology, as well as a secure web gateway into a single solution that takes Cloudflare's network and brings security and performance to your organization.
And it consists of two products, that VPN replacement, something we call Access, which is really like a bouncer.
Access, like I mentioned earlier, checks for identity at the door, each and every door.
You can build rules that determine who's able to reach the resources in your organization and get granular logs about what's going on inside of your deployments.
The partner product to that, Gateway, is a bodyguard.
As your users go about the public Internet, Gateway is able to block and filter threats that otherwise could compromise your data or your devices and ultimately lead to an incident.
And all of this is possible because of Cloudflare's network.
We're able to build these solutions on Cloudflare's network in a way that doesn't compromise speed, because we're taking all the lessons we learned, improving the performance and security of some of the largest web properties in the world, and we're bringing that to your team's internal JIRA instance or your organization's source code control.
And that's really exciting for us, because by bringing identity into that network, we can really solve this challenge about secure access, but in a performant way.
But ever since we launched Access, one thing that we've heard from all of our customers is that identity is just one piece of the puzzle, and we agree.
The devices that you connect to, the devices that connect to that network and to those applications are just as important in many cases.
And when we were looking at how we wanted to solve this, we wanted to do so in a way that took Cloudflare's network, something that we've built out to improve speed and security for anything that has a connection there on the Internet, and find something that was just as powerful, but in a new space, in this case, device posture, which is why we reached out to Tanium to bring their expertise in that field and match that to Cloudflare's expertise in networking to deliver a solution that could solve that problem for our customers.
Awesome. Yeah, I think that's a really good segue to sort of start talking about the partnership a bit.
One thing that I really like hearing from Cloudflare that we say a lot is we do one thing really, really well, and that's moving bits around the Internet faster and safer than anybody else.
But there are other things where we're not a leader, like device posture.
And so I remember that when we had our first conversations, both bodies were really excited to talk to each other because we're saying, hey, you're solving one of our problems.
And you said, we're solving one of your problems. And I think that's always the key foundation for a strategic partnership, a technology partnership, is that you sort of have the one plus one equals three equation, and the value together is better than both parties independently.
And so I think we had that here.
Would you guys like to talk a bit more about what those problems were that we had organizationally and how we were able to solve those in becoming partners?
And Matt, maybe, can you go first with this one? Yeah, I think as we pull the covers back a little bit, the first thing to understand is these things don't necessarily come together overnight.
And as Sam just mentioned, these were problems that we had both been hearing on kind of separate ends of customer conversations.
As a product manager, I talk to a number of organizations pretty regularly around how they are securing and what problems they're having.
And continually, and more often than not, I'm hearing about Zero Trust adoption and development and how they can both configure and secure the devices as well as the applications that their users are connecting to when they're not necessarily on the VPN.
So last night I went back and tried to remember when we first picked up conversations, and it turns out I have a terrible memory.
So the first thing I did was go back to my email archive, because that's a great place to go back and look to see when things first kicked off.
And it turns out the first conversation I had around this partnership was actually internally with our chief information officer.
So Tanium internally is both a Cloudflare and a Tanium customer.
So we definitely eat our own dog food inside of Tanium.
And our CIO had come to me and scheduled up a conversation saying, hey, I would love to have an integration here.
We have no way of restricting access to any kind of public website or resource that we've now put externally, because Tanium is almost a completely remote workforce.
And we need a way of enforcing endpoint configuration and endpoint access to our web applications.
And so that was kind of the first conversation where Cloudflare was brought up.
And then I think the first time we kind of met mutually was back in October of 2019.
Yeah.
And there, I think we were able to both pretty quickly agree on what the problem was.
Cloudflare has customers who are deploying a Zero Trust model using Cloudflare's network to secure those applications that previously lived on a VPN, but they also want to incorporate device signal into that.
They want to build rules that say only users from my team who are also connecting from a managed and healthy device are able to reach those applications.
And so early in those conversations, we were able to find a product fit that, like Simon and like Matt mentioned, really brought out the strengths of both organizations, taking Cloudflare's network and our ability to apply these policies at our edge, the edge of our network, and incorporate that signal in the ability of Tanium to really scan that device and understand what that device is, what it's doing, what it shouldn't be doing, and to then feed that into our solution.
But once we agreed to the problem, there were a few really interesting technical challenges that we attempted to address because just having the problem alone wasn't enough, of course.
We wanted to make sure we were solving it in a way that really represented how our customers wanted it solved, something that was performant and reliable.
And the biggest question for us when we were meeting back in October and over the winter was how do we make sure we get that signal from the device to Cloudflare?
And we'll show you how this is built in a minute here, but when you're building a rule with Cloudflare Access, your internal applications just feel like SaaS apps for your users.
They go and they visit that URL that hosts the application, and they're prompted to log in with their identity provider.
It all happens without an agent in the browser, and we don't want to introduce a new agent in this flow.
We wanted to bring in what Tanium offers with the agents they have on their devices.
And the industry has such a strange term, Zero Trust, but what that really boils down to is the idea that we don't want to trust by default.
We instead want to enforce that authentication on every request, and this device posture piece is something we wanted to include.
So to achieve that Zero Trust model, we had to find a way to trust the Tanium agent.
And in doing so, we didn't want to just phone home to a central server and say, hey, we think this device is Matt's laptop.
Is Matt's laptop healthy based on your last interaction?
Instead, we wanted to have Cloudflare's network through the browser talk directly to the agent in a secure way.
Matt, you want to speak to that in a bit more detail?
Yeah, and before we even get into that, just one of those first kind of major technical decisions, as Sam just mentioned, was leveraging both Cloudflare's distributed network and Tanium's, what I'll call, distributive intelligent edge, and capitalizing on the endpoints themselves to provide a single source of truth.
One of the things that we were very cognizant of is, you know, one, performance, and making sure that we weren't slowing down how long it takes users to access the applications they're trying to get to.
And then two, and probably more importantly, how do we deliver that Zero Trust framework where every single request is being verified with accurate and real time information?
And so, we ultimately decided on a direct connection between the Tanium agent and the Cloudflare network.
And so, then the immediate, you know, next step was, okay, how do we secure this?
You know, what are the attack paths that we want to make sure that we're guarding against, and what do we need to build towards the future?
So, you know, the first groups on the Tanium side that we brought in after, you know, Sam and I got to know each other, we brought in our engineers to kind of start designing the use case, we brought in our product security team.
And the product security team, you know, took a pretty hard look at what we were describing, what we wanted to do, and then made a number of recommendations, you know, ranging from how we do encryption and authorization, down towards, you know, how do we actually do whitelists?
Because, you know, we're now going to be looking at connections externally.
And so, what do we do from a security perspective?
I thought that was really interesting, also, because, you know, working with another company to, you know, build a secure communications channel is just an interesting problem in and of itself.
And I thought we did a pretty good job in kind of going back and forth.
Like, this took a couple of months for us to feel like we got it right.
I'm going to say, like, nothing's ever perfect, but I think we have a pretty good solution in terms of, you know, how we can deliver fast, reliable, and secure communications, and ultimately, a better experience for both of our customers.
Yeah, that's a good explanation.
And it's also timely with lots of companies who are beginning, or who are now entirely working from home.
And so, this is a solution that addresses some of these challenges.
Thanks for that background. Sam, do you think it's a good time to maybe show the audience how this actually looks and how this works?
Yeah, absolutely. So, I'm going to share my screen. I'm going to make sure you can see it.
One second here. Simon, can I get a thumbs up?
Yeah, that works. Great. So, what you're looking at is the Cloudflare for Teams dashboard.
In this dashboard, you can build the rules that we've been describing around who's able to reach what applications.
But to incorporate device posture, you begin here in the same place that you would integrate your identity provider.
You instead select Tanium. So, when adding device posture, what we rely on is a secure certificate handoff between the Tanium agent and Cloudflare's browser, which is all that you have to configure here.
What you'll be adding is Tanium's public key from your Tanium deployment.
And in turn, you'll be getting the public key from your Cloudflare deployment and supplying that to Tanium.
And this establishes that secure channel between the Tanium agent and Cloudflare access in the browser, so you can make sure that you're not getting spoofed about what is the actual health status of the device.
And you can also do it in a really performant way, because this is all happening both at Cloudflare's edge, but also Tanium's intelligent edge there on the device in that agent.
Once you've integrated the Tanium configuration here with your Cloudflare for Teams deployment, you can begin to pretty quickly build rules to enforce that.
So, in this case, I could come in and create an application.
I'll call this Jira. And I can make it available at a subdomain that my users can reach.
Again, just like any SaaS application, we want to make the apps that previously required that clunky VPN feel like seamless SSO SaaS apps.
And that extends to the experience we want users to have when you're integrating Tanium rules as well.
And speaking of those rules, I can begin to now add in rules that say identity and device posture.
And I can make this pretty flexible. I could say this is only available to people with a Cloudflare.com email address.
I could also use things like Okta groups.
If I have partners or contractors working together on an application, we can integrate with LinkedIn or GitHub.
I'll keep this pretty simple here.
And I'm going to require that not only must they be connecting from a Cloudflare.com identity account, they also need to connect from Tanium.
And so in this rule, what we're enforcing is that users must present their identity as Cloudflare.com employees and also connect from the device posture agent, in this case, Tanium.
I'm going to add that application here. So also in the Cloudflare for Teams dashboard, you can expand into some additional settings.
You can address CORS, challenges, or filter what identity providers are available based on your needs if you want to present multiple while also maintaining that Tanium integration.
And it's just that easy.
So once you've integrated the policy like that, now any request to that application is going to prompt both for identity as well as Tanium device posture.
But earlier in the session, one thing we called out was what it looks like to have a successful partnership between teams.
And we, as we were building this, like Matt mentioned, it took several months.
It started now almost a year ago.
And if you think about building something even internally in an organization, it can be really difficult to coordinate dependencies and timelines.
And so we wanted to highlight three things that we think are really critical to partnerships between product teams and different organizations that can make your integrations, your partnerships successful as well.
The first is finding a clear problem that you both agree on.
And we talked about that earlier, but it's fun to build things together.
But if you're not building something that solves a customer problem, you're just going to be wasting time.
So at the very beginning, the first thing that we did was we found a clear customer problem that both our organizations had that each of our respective organizations could solve a piece of together.
The second is bring in the experts. Matt mentioned this by bringing in the security team as well as the engineering group.
And we wanted to connect them directly.
The engineering team at Cloudflare met directly several times as we worked through the solution with the engineering team at Tanium.
We didn't want to introduce gatekeepers.
We wanted these organizations to be able to collaborate as if we were one big team.
And that leads to the third point, make it a collaborative UX.
So when we were thinking about how customers would set this up, we wanted to optimize not just for setting it up in Cloudflare for Teams in our dashboard, but also for setting it up on the Tanium side.
We wanted to make it really seamless for our customers of both platforms to set this up and integrate it really quickly and without a bunch of issues.
And doing those three things, I think really made this something that we could release and are very excited for customers to be using, because now we're bringing Cloudflare's network, Tanium's device posture together to solve this particular need.
Yeah, that's awesome.
I agree. So being responsible for technology partnerships, I've worked on many different types of partnerships.
And I think the one thing you pointed out that really hits home is getting the company aligned and getting the product teams aligned.
And if I can be frank, Sam, you're really good to work with from a product perspective.
And so are you. It was easy for us because you understand the bigger picture.
I think for other companies who are pursuing these types of partnerships as well, again, it helps to have a product team that can collaborate.
And sometimes there's somebody needed who helps with coordinating things and keeping things on track, because oftentimes it's already hard enough to get things done in your own company.
And then having to work with a partner and collaborate across two different organizations is really tough.
And so that's why these things take a bit of time and took us well over six months to actually get out.
But I think the result is great. It came at the right time, and we're seeing good signal from the market that this is something that is going to be well received.
So I think we're all excited about it. Thanks for the demo, Sam.
I think we left some time for Q&A, yeah? Yeah. One more thing I'd like to talk about is this really gives a lot of possibilities in the types of signal that we can receive and what we can now do with Access and the kinds of decisions customers will be able to make and the policies they can set based on the signals that Tanium gathers.
Can you maybe talk a bit about forward looking? Where are we going to go from a technology integration perspective?
What are some of the future use cases that we'll be able to solve for?
Yeah. So let me talk about the Tanium side first, and then I'll turn it back to Sam to talk a little more about Cloudflare.
But for Tanium, what we wanted to deliver beyond just the infrastructure and the transport layer was the data itself and to provide the right level of information that helps customers make the decision on whether or not this device should access this application.
And so today, that information is beyond just is it managed? Is it patched?
When was the last time it communicated with Tanium? What are the vulnerabilities on that machine?
And with those variables, you can start building a risk profile of that machine.
So where we want to take this in the future is kind of, I would say, twofold.
The first is extending on those variables. And this is going to be driven directly from our customers and the input that they provide.
So what else and what other variables do they want us to collect?
We can really do anything.
It's just a matter of this is what we want. But then the second part, I think this is probably the more interesting one for Tanium, is how do we fix the problem?
Let's say we do block a device from coming to an application. We don't want that to restrict a person's ability to get their job done.
We want to remediate that problem quickly and then get that person to the access that they need with an endpoint that's actually secure.
And so one of the things we're thinking about in the future is how do we actually provide proactive remediation for the user so they can fix the problem without having to contact the help desk.
They can do everything completely remotely just between Cloudflare and Tanium.
And to extend on that on the Cloudflare for Teams side, being proactive about this platform is something that we really want to continue to expand.
A few examples of that include if you have a user who's logging in with your identity provider but consistently failing the Tanium step and they're not remediating it because they're failing it for a reason, we want that to alert the administrator.
That might suggest that you've had credential compromise where your identity provider's been compromised but Cloudflare's network and Cloudflare for Teams is still blocking the request because you're also requiring Tanium.
So there's other ways that we can be really proactive about this comprehensive security picture for our customers.
And then like Matt mentioned, other sources of signal we can continue to expand and include into this policy engine.
And all of this is something that we want to do without compromising the performance by continuing to focus on the connection between Cloudflare's edge and Tanium's edge so that for the end user this is not something that ever slows them down.
Okay, awesome. So if I'm a customer, this sounds really exciting, or a prospect, where do I learn more about this integration?
Or for existing customers, mutual customers, how do I get started? I think you can get started at either place.
So with Tanium we have a number of publicly available resources for people to go on and learn more about the integration.
I know we have a shared blog post that we put together. This is fairly recent.
This is not something that's been out for a long period of time. So what I would say is the momentum behind it is growing pretty rapidly.
And so if you want to learn more, I'd say either come to either of our websites, contact your Tanium or Cloudflare account manager, and they'll put you in contact with the right person, at least from our side, to move the ball forward.
Cool, awesome. Let me actually check.
We have a couple more minutes if there's any questions from the audience.
There is. Okay, cool, awesome. So this is a question for you, Matt. What types of devices can a business put Tanium on?
And is this ever used as a bring your own device program, the comprehensive solution?
Yeah, so I think the first answer to that is Tanium runs on most traditional endpoints.
This would be your Mac, Linux, Windows, AIX, and Solaris devices.
And then when we start talking about BYOD, it really depends on how the organization wants to define those devices.
So for example, you could allow BYOD and then work with Cloudflare to say, well, if it's a BYOD device, let's still do the Tanium check because we can determine whether or not it's a managed or BYOD device, and then use that signal in and of itself, meaning the lack of the agent, to restrict application access to only non-critical apps.
Or we've seen a number of organizations have their users who want to reuse a BYOD device still install the Tanium agent so that they can provide some basic level of monitoring just to make sure that that device is in fact secure.
All right, thank you for that response.
I think we're about running out of time in a couple of seconds.
So thanks, Sam and Matt, for joining. Thank you, Simon, for hosting.
Yeah, thank you for attending Cloudflare TV. Thanks for having me. I appreciate the time.