Originally aired on March 3 @ 2:00 PM - 2:30 PM EST
The Internet is now part of your corporate network; however, browsing the web comes with hidden risks—malware, phishing attacks, and malicious websites. In this video, we’ll explore how Cloudflare’s Secure Web Gateway (SWG) helps keep users safe by filtering and inspecting Internet traffic in real time. Whether you're protecting a remote workforce or securing an entire organization, Cloudflare’s solution ensures that users can access the web securely—without sacrificing speed or productivity.
Chapters:
00:00 Introduction to Cloudflare’s SASE and the Importance of Secure Corporate Networking
01:06 Using Secure Web Gateway to Inspect and Control Internet Traffic
02:04 Protecting Users with DNS Filtering and Threat Intelligence
03:37 Implementing Network-Level Security Policies for Private and Public Traffic
04:23 Advanced HTTP Filtering and Data Loss Prevention with Cloudflare
05:48 Isolating Risky Websites and Preventing Data Leaks with Browser Isolation
Watch the rest of the videos in our series to learn more about Cloudflare's SASE platform.
And if you want one of our experts to do a deep dive workshop into how you can integrate Cloudflare into your existing environment, contact us: https://www.cloudflare.com/zero-trust/
Transcript (Beta)
Cloudflare's Connectivity Cloud hosts a complete Secure Access Service Edge, or SASE, platform, which allows organizations to create a new corporate network, leveraging the latest in Zero Trust security approaches and cloud-based networking.
Many companies start by connecting applications, networks, and user devices to Cloudflare to use Zero Trust Network Access, or ZTNA, to authorize users to connect to self-hosted applications and private networks.
But connecting devices and networks into Cloudflare can also help secure public Internet access and increase visibility and control over company data.
Let's take a look at an example of a company that's already connected its corporate HQ network along with a few branch offices and many remote user devices.
You can see that all these methods of on-ramping traffic to Cloudflare result in user traffic flowing through our network.
Sometimes the traffic is destined for a private application or network, but a lot of the traffic is just heading for the public Internet.
Cloudflare has the ability to inspect that traffic using another part of our SASE platform, the Secure Web Gateway.
It can examine traffic either at the DNS request, the network level, or we can even inspect the contents of an HTTP request.
Do you want to deny users from accessing websites known to be part of a phishing campaign or ransomware attack?
Or only allow users coming from IP addresses in the US to access your Workday instance?
Or more seriously, do you want to prevent employees from sending sensitive information like financial data or source code to AI sites like ChatGPT?
Policies in the Secure Web Gateway allow you to achieve this and they can be written using a wide variety of attributes.
We can even isolate a website by running it not in the user's browser, but by rendering it in our headless browser running on our own network, and then we send the results down to the user device.
And this protects them from any nasty code running in that website.
Let's take a look at the different ways our Secure Web Gateway can help protect your organization.
The first method to protect any user or device is to look at their DNS requests.
Some of the most common policies are simply designed to prevent access to known high-risk websites.
To make your life easier, Cloudflare manages large lists of sites that are known to be dangerous.
Either they've been found to distribute malware or they're part of a phishing campaign.
All you need to do is include that category in the denied policy and users will be blocked from visiting them.
Cloudflare keeps the sites in each category up to date.
In fact, we block an average of 158 billion cyber threats a day.
So we have an amazing view into what's bad out there on the Internet. You could never maintain this amount of data yourself.
Policies can be applied at the user level or be based on network location.
You might wish to implement a policy that limits certain websites depending on the country the network request is coming from.
You can even subscribe to government cyber defense lists of known malicious websites.
You can also use a DNS policy to simplify some of your IT infrastructure.
A policy can override the IP address returned from a DNS request and point to a service that might be local.
For example, you might configure all employee laptops to use a single host name for connecting to the office printer.
Let's say it's printer.company.local. Then if a user is attempting to print in the Seattle office, Cloudflare will replace the IP address for that host with the local office printer.
But if the same user then travels to the London office, the same laptop makes the same request to print and Cloudflare replaces the IP address now for the London printer.
The second method of protection is by using network policies.
So for all your networks connected to Cloudflare's SASE platform, it's possible to write simple firewall-like rules.
These are often used to allow access to specific services on private IP addresses.
Say, for example, you have a lot of Windows servers running in your corporate network and you want to ensure only IT admins are allowed to connect to them over RDP.
How? Well, when users access Cloudflare using our device agent, network access policies can use identity information such as the method of authentication, what groups the user is in, as part of the policy.
Device security posture can also be taken from that device agent, making sure that IT admins access Windows servers only using secured company-managed devices.
The third and the one with the most control is HTTP policies, since it allows you to inspect the actual HTTP traffic.
For devices where a Cloudflare certificate has been deployed, the TLS and SSL connection terminates at Cloudflare where you can inspect the traffic and apply your policies.
You can build policies that limit the uploading or downloading of files based on their file type or prevent HTTP POST or PUT to prevent the certain upload of content to any websites.
We also have a sandboxing feature where we can use AV scanning to examine certain files being downloaded and quarantine them if they contain malicious content.
But the true power of inspecting HTTP traffic is when it's combined with our DLP policies.
Here we can match any part of the HTTP request, either the body of the request or if a file contains specific content, and then protect that data from leaving your organization or being downloaded to insecure devices.
We have built-in DLP profiles for matching common data such as health or financial information, source code or privately identifiable information such as social security or tax identifiers.
You can also create your own DLP profiles by either defining patterns to match sensitive data or just by uploading a list of known customer accounts.
Now when users attempt to download or upload any content that matches these profiles, you have the ability to block it.
Sometimes the risk for a website isn't well known. For example, you might deem social media websites to be a little risky, but your marketing department still requires access.
Newly registered domains might sometimes be part of a phishing campaign or they might just be a legitimate new website.
In these examples, Cloudflare has a really cool capability. You can write a policy that when a user makes a request for a website you think is a little risky, instead of their machine receiving all the content directly, we spin up a headless browser on our network and render the content first.
Here we isolate any potential bad behavior in a secure isolated environment.
We then send the results of the rendered page down to the user's device and you can optionally turn on and off certain capabilities such as the ability to enter text into the web page or download files.
We call this remote browser isolation. You can also use this service to limit access to SaaS application data for a certain set of users.
You might, for example, want to allow contractors or partners to have access to your Salesforce instance, and you can use our browser isolation to prevent copy and paste, printing, or downloading of Salesforce data.
So in summary, Cloudflare has a powerful range of capabilities to protect users from the threat of bad actors on the Internet, while also identifying company data and protecting its use.
You can ensure safe browsing by blocking known malicious websites, detect when company data is being uploaded to unapproved cloud storage or downloaded to insecure devices.
You can even isolate the entire website so that users are protected from any dangerous activity.
Well thanks for watching. This video is part of a series which explains how to build your new corporate network using Cloudflare's SASE platform.
Watch the other videos in this series to learn more. Hi, I'm Simon from Cloudflare.
Congrats on finding this video. We also cover a wide variety of topics including application security, corporate networking and all the developer content the Internet can hold.
Follow us online and thanks for watching.