🚚 DLP & CASB available in ZT Bundles
Presented by: Alex Dunbrack, Corey Mahan, Noelle Gotthardt
Originally aired on April 26, 2023 @ 4:30 PM - 5:00 PM EDT
Join Cloudflare Product Manager Noelle Gotthardt, Director, Product Management Corey Mahan, and New Product GTM Alex Dunbrack to learn about how Data Loss Prevention and Cloudflare CASB are now GA.
Read the blog post
- Cloudflare Data Loss Prevention now Generally Available
- Detect security issues in your SaaS apps with Cloudflare CASB
Visit the GA Week Hub for every announcement and CFTV episode — check back all week for more!
English
GA Week
Transcript (Beta)
Welcome back to Cloudflare TV and to GA Week. We hope everyone's enjoyed everything that we've announced so far, all the exciting things happening here at Cloudflare and all the things that are to come in the week.
It's still early. Lots more exciting things to share.
But today we're really excited to talk about two new products within our Zero Trust suite that are now generally available.
So for this session, my name is Corey Mahan.
I will be your host. I work on our Zero Trust products here at Cloudflare.
I am joined by Noelle Gotthardt, our Product Manager for our Data Loss Prevention solution and Alex Dunbrack, our Product Manager for our Cloud Access Security Broker or CASB solution.
So today we've announced that both DLP and CASB are available in GA and we're excited to share more about that.
Kind of two great products becoming better, if you will.
And I'm joined by Alex and Noelle to kind of talk through that.
So maybe to kick us off and kind of, you know, lacing groundwork, Alex and Noelle, do you mind giving us an overview of some of the challenges teams are facing today and kind of where DLP and CASB starts to play a role?
And Alex, I'll ask you to kind of kick us off. Yeah, absolutely.
Thanks, Corey. Yeah, so, you know, when we think about what problems security and IT teams are facing today, what are those challenges?
We really look at a high level of how is the corporate workplace evolving and what challenges have come as a result of that.
When we look at the last five to 10 years, and even post-COVID at this point, the remote landscape has really added or compounded or even sped up this transformation where the typical architecture of systems that an organization will run has evolved.
It's not just on premise systems anymore, but we look at SAS applications that need to be secured.
We think about bring your own device policies and how do we manage employees who are at home.
Because of this, you know, data has really spread everywhere and where that access is limited has become the most foremost problem that the security and IT teams are facing.
Access is harder to manage as they are spread across these disparate systems and security teams are left trying to basically claw at any visibility that they can across these systems.
That's very difficult. And then Noel will share a little bit more here about how that visibility and the lack of it is opposing these challenges.
Yeah, thanks Alex. So I would say that, like, the biggest problem we keep hearing from our customers is seeing the data, just as Alex said, where is it going, who has access to it, you know, is it moving in documents, is it moving to our SAS apps.
Is everyone who's supposed to have access, have access, or people who aren't supposed to have access thoroughly prevented.
And are the apps that we're moving our data to, are they the ones that are protected, you know, by our CASB solution, you know, are the proper security measures in place to protect those things.
And then making sure that employees aren't uploading that data to, say, some other small SAS app that they spun up in shadow IT to make their lives a little bit easier.
Tracking that is a huge challenge for our customers and they've come to us a number of times saying, how do I see my data, how do I make sure it's protected.
And so with DLP that's exactly the problem that we're trying to solve is showing that, giving that visibility and showing all of that information and making those decisions and then assessment as easy as possible for our customers.
Awesome. So definitely a theme around the data, the SAS kind of usage and consumption as it continues.
Thank you for kind of laying out the problems I think they're far and wide, if you will, in front of depending on where the customer kind of stands.
Can we talk a little bit about kind of jumping ahead a little bit about, you know, we mentioned in this segment even around Zero Trust right so we kind of outlined some of the problems.
But I kind of want to start with, you know, Zero Trust or let's lay that framework of, you know, what that actually means and where these two products fit in.
If that's okay with you all and actually maybe I'll jump to you Alex really quickly if just kind of like what Zero Trust means to you and Noel maybe I'll ask the same question I'll even perhaps with my own spin on it.
I just kind of where we go from there. Sure. Well, in my opinion, at least, it starts really with something that's maybe not even just Zero Trust specific as that paradigm but starting with least privilege everything right need to know basis.
Don't necessarily trust but verify every connection every request made.
And so when we talk about least privilege we talked about scoping down access to what is needed for employees for users anything that is trying to be accessed, essentially.
One more step from that is really just trying to leverage any kind of information to use or leverage for that verification that identity part.
So leveraging your identity providers your walk does your one logins, your sure a DS, and being able to leverage that in policy and rule creation to say these people based on where they are what organizational group they're, they're in can get a little bit more granular into.
I want them to be able to access this I want an HR department to only be able to access the system so really cutting down on over permissive access is really at the core of that.
And then as Zero Trust has really come to evolve in step with the evolving you know workplace and remote employees and proliferation of SAS, we then think about those those concepts of SAS security and what that makes up that concept and then DLP as well the data loss prevention side.
So from my perspective, it's really about scoping access down, giving people access to only what they need to be able to see, and then thinking about these other systems that maybe you don't manage but it's a SAS service that's managed elsewhere, and then how to basically reduce blast radius in those ways.
Awesome. Noel I'll come to you in a second of how or kind of what Zero Trust means at Cloudflare but to kind of build on what Alex said, I think, I think it's cool to kind of convey that you know Zero Trust is not a product it's a it's a security strategy and that kind of takes its shape in many forms Alex you mentioned kind of limiting the blast radius and those core tenants of moving to the never trust always verify model.
You know, we want to automate context and collection of all the things really kind of looking at, you know, Zero Trust is a collection of concepts ideas components architectures rather than just a single point solution.
And then, you know, that's, that's assuming that everything at the perimeter is inherently safe by default which we think we've all learned is a incorrect assumption to make.
And so kind of taking on that Zero Trust posture okay exactly like you said Alex every connection is something we should look, look at it verify a test to because that could be leading to the next issue or next incident.
And so it's always it's always moving into that never trust always verify model and mentality.
And I think we have a pretty solid take on that at Cloudflare Noel kind of thoughts on Zero Trust at Cloudflare what does that kind of mean to you.
Yeah, yeah, I think that was a was definitely a great segment and great discussion about it.
I always really liked Sam Ray story about sort of how do you describe and understand Zero Trust when it's a little bit more difficult is, you know, that concept of if everyone lives in an apartment building, and you only have a lock on the front of the apartment building then once you get into the apartment you can get into any apartment.
But so what if we start putting you know a bouncer and a lock in front of every single apartment, make sure that every possible attempt attempt to enter is validated is supposed to be there.
And I think that that was sort of the most tangible way I could understand Zero Trust is really make sure that you you you segment the way that you should and you protect the way that you should.
So that's kind of the best way that I interpret it.
Yeah, I love that analogy as well kind of the house once once you're in it's like yeah cool all the rooms are open there's really not that many locks on the door but an apartment complex with different controls at every level right to get into each and every room you need a unique key that's been authorized identified access to properly and kind of build from there and I think a lot of the principles you know we we lean on this 800 207 for kind of the guiding light, if you will, of kind of what Zero Trust looks like and how we build products but I'm kind of setting that stage of now we can talk a little bit about Zero Trust and the problems that we outlined before let's go into kind of a little bit about, you know, the, the solutions that you will the products that kind of help meet the Zero Trust vision, while also solving a lot of the headaches that you both kind of talked through earlier so maybe Alex can you can you start tell us a little bit, you know, kind of the, the casual access to pretty brokers of the world and then Noel love to hear kind of more on the, you know, the data loss prevention solution and you know what what that means for both of those going GA.
Yeah, thanks for the most fun part in my mind right when we get to talk about our exciting products that that are now ga just as Corey mentioned so what is cloud access security broker and what does Cloudflare mean by it so this term has been around for a little bit products have existed for for a few years in this realm, but it's important to understand really the evolution of what cloud access security broker means and really where we want to differentiate is that inline Casby model, and that unique identifiers or other parameters about the users, trying to access an application that today is really accomplished by one of our Zero Trust products that we offer called gateway, which is our secure web gateway offering, which allows you to create policies and rules for what people can access based on some of those identifiers that we're talking about before, potentially from one of your identity providers like octave.
Now as as the landscape of SAS has really evolved and matured over the years.
There's, there's now this gap where when you don't manage those services, how do you get visibility into what is going on within them, how things are configured and set up, it's not necessarily going to be over the network where you can't get that granularity or actually visibility in the first place into how things are being managed within a SAS application, but how do we do that today and that's really what we're about to talk about that API driven model of a Casby, and what we're able to do is essentially pull down metadata on objects within all of your SAS applications, your Google workspaces your Microsoft 365 slack Salesforce GitHub box the list goes on and on and on.
And when we pull down that metadata on those objects that I was just referencing, we're able to understand, basically misconfigurations insecure settings and and other ways that that these objects have been configured.
Some great examples are, you know, you have your files in Google Drive right those files are configured a certain way to provide visibility to the right people and hopefully not the wrong people so what we're able to do, and what this product is able to offer is visibility into problems that exist across all of your SAS applications that single pane of glass that we always like to talk about right and that's a lot of our Zero Trust paradigm here.
So we learned a lot over the last few months from our beta program, and we learned about what is, what are the end use cases that are that our customers are looking to achieve and what we understood was at minimum, it's immediate visibility across the breadth of SAS applications for security and it teams, this is no surprise here you have to go by every single SAS app user by user file by file setting by setting, and really try to understand what is problematic here, what we're able to offer today is a very simple way to connect all of your SAS applications, sometimes in just a few clicks to the Zero Trust platform.
And then we scan that metadata that I was referring to earlier, and identify problems across your applications that you can then take the next steps in remediating triaging, or at least raising for visibility sake.
So when I talk about problems at a high level to what do I mean by that really three major categories that we'll talk to here.
One of them is misconfiguration so settings that are configured in a way that that could prove problematic in the context of that data being exposed.
So, when we think about users that don't have to have a enabled in their accounts or GitHub repositories that are set to public visibility versus private.
If you're an IT or security administrator you might not have that line of sight by default.
So what we're able to provide is that visibility into, hey, you might want to go check these things out, at least make sure that they're correct in the context that they're set, and will provide recommendations on how to remediate should they be problematic.
That's one area.
The next one is file exposures and these really pertain a lot to the business collaboration suite so the Google workspaces the Microsoft 365.
But also when you think about it, it applies to most SaaS vendors today and so what we mean by that is, how are those files being shared, both internally and externally.
Did one of your employees change one of the settings from, you know, restricted access only my team can see it to anyone with this link on the, you know, open Internet can view it if they hit it.
So those kinds of considerations are very important for these teams and we've seen quite a few cases already where that kind of exposure was unknown by the managing team and they were able to take action right away.
The third area is shadow it and shadow it can mean a lot but what we mean in this context when we tap into the API of all of these SaaS vendors is what what third party services have been granted some form of access to the SaaS application in question.
We all know as we as we you know sign up for new accounts all day every day.
We see now, more and more of that sign in with Google button that sign in with Microsoft button employees don't always recognize that when they sign in for these new accounts, they're granting some level of permission to them to access some information within the SaaS application.
Sometimes it's just name and email for for registration purposes, but sometimes it gets way deeper than that, and it's not even known to the employee signing up in the first place.
So what we're able to do is provide visibility to these security and IT administrators to say, hey, these are these applications that have been granted.
Here's how to go revoke access should any of them be inappropriate.
That's the high level concept of what we talked about with Cloudflare CASB and us going GA today so we're constantly evolving we can talk a little bit more about what's on the roadmap for us but excited to pass it over here to Noel to talk a little bit more about the DLP rollout today.
Yeah, yeah, thank you so much that was a great overview.
So again, sort of going back to this concept of what were customers really struggling with and what was the heart and soul of this this DLP product.
And again, it was those questions that customers kept repeating of where's my sensitive data going, who's pulling it down from my cloud repositories, how do I protect it.
And the most common use cases across the board we're definitely PII, everyone is scared of losing PII, everyone is worried about how do I track it, it's difficult to track.
So we've been getting a ton of requests for help there. But then there are definitely more unique use cases where we have customers who are interested in protecting say their intellectual property or their trade secrets, or maybe some of their source code.
So there's a lot of different opportunities out there to protect the company and protect their business and make sure that their data is ultimately protected.
And so I think the thing that I identify with the most and I empathize with customers the most when they come to us with these problems is they always seem to feel like they're behind on it that like they should have already figured out this problem they're almost embarrassed to tell me that they haven't figured it out.
But then I get on the call with the next customer who's having the same problem.
So ultimately, like everyone is struggling with this, but no one really wants to talk about it because everybody feels a little bit behind.
But that's the point is we need to get better solutions out there and need to help these customers because it is a big challenge.
It's not easy and it's not that customers aren't trying, it's that they, you know, they need better solutions.
And so that's really the goal here is how do we get them something easy?
How do we solve the problem for them?
So how do we really dive into it and how do we really make it work?
So kind of thinking back to that concept earlier of, okay, let's look at every attempt to access an application and let's make sure that every application can be thoroughly, you know, thoroughly accessed with all of the vetting that they would need to get, you know, to get to our data.
Well, so then let's think about that in the same way, but let's think about it in terms of looking at the data with each request.
Let's look at the data that's traveling and see if that makes sense. Should it be going to this app?
Should it not be going to this app? So that was sort of the same model that we framed with the Zero Trust concept.
Like now let's do it with the data.
So the way that we actually deployed this is customers can build their own rule sets and they can say this kind of data can go to this application, or they can say it doesn't go to this application.
However, they want to build their rules and they build it right into their secure web gateway.
So as that traffic is going from your employees' laptops or up to the cloud or back down, we're looking at those transactions, those HTTP requests.
And we're looking, is this data that you've said can go here?
Is it data that you think can't go here? So that gives us the opportunity to really inspect each and every one of those requests and really make sure that your data is going where it should be.
And we give, we try to build as much flexibility into that as possible.
So you can write your rules based on domains or URLs or applications, HTTP methods.
I think my favorite one is probably device posture because so many customers are worried about, can I pull this down onto my corporate laptop?
So device posture is a great one. User is a great one that everyone sort of asked about at some point.
So we really want to make it flexible so that customers can build the rules as they need to, to allow their employees to have access to the data when they should and remove access when someone shouldn't.
So as that traffic is sort of going up and down, we have the proper protections in place.
And then again, if that data is found, customers get the option to either log or block the data.
So you get to allow it. If you want to just see where the data is going, you can track it, start to figure out, you know, like how the map of this whole ecosystem works.
Or you can just say, I know for a fact, this data is not allowed to go here.
So I'm just going to block it. And then, you know, you can work with your employees to try and figure out a better workflow.
So those are the options that we sort of have right now. Overall, sort of launching this product and building this product, you know, the problems that I always really identify with and think about for our customers is, again, trying to make this not a point solution.
If you think of DLP as a point solution, you're always going to look at it through sort of a very tiny lens, because, you know, you could have data that's going out through email, you could have data that's going out through your gateway.
And so how do we make it sure that like with all of the Cloudflare products, how do we deliver something that looks at all of your data and can give you a map of really what's going on out there.
So that's kind of a major thing for me is visibility and ensuring that one plus one equals three concept here at Cloudflare, making sure our products work together, making sure that you can really see the information you need to.
And then also the ease of use, we got to do this in one control plane, we don't need customers managing data across the board in lots of different areas being confused about what the rule sets are.
So how do we make this really easy, how do we make this really, you know, interoperable with all of our products and making sure that customers get the visibility that they need.
Awesome. I love you touch on some real world examples there and I want to dig into that from from both of you as well like tell like let's talk about the real real if you will like what's what's some things that we've actually seen but before we jump into that question for both of you on just kind of the, you know, kind of how it works did a little bit more.
I knew also you mentioned PII earlier that that personal identifiable information.
Can you give us one example maybe for, you know, an example of a string or a piece of data that you're like oh yeah I probably don't want to see that moving around on the wire.
Oh yeah, absolutely. I would say that many many customers come to us looking for any sort of national identifier, whether it be a social security number, or you know a tax ID number, or you know whatever other international identify that they have that is always sort of the number one that customers come to come to and they are scared to see that data out there.
The other one that I would say is always a concern but I would say something that customers are having trouble tracking because it can be used more often credit card numbers because there are perfectly legitimate credit card transactions and there are perfectly not legitimate places for credit cards to be moving.
So I would say those are the ones that I get asked about the most frequently.
Awesome. And then Alex kind of over to you talked a little bit about the data exposure and sharing things from from maybe the beta experience any anything stand out or from a from a setup and implementation perspective kind of that from, hey, let's connect this thing to like oh wow we found things what have you seen that journey look like for most of the beta customers.
Yeah, actually as you just alluded to CASB is very much one of those.
Aha tools you see your list of findings basically, as soon as you connect any of your SAS vendors, we start to show you what is problematic and as you know we've been I Corey you were you were there too when we were on these beta calls and and we're, we're walking through the setup flow trying to understand you know what can we improve and everything like that.
As soon as they'd start to see that that screen of findings eyes, you know why didn't they go didn't even know that that was problematic in the first place.
And like you mentioned, that spans data exposures that spans misconfigurations that spans inactive users and best practices not being followed but you know can think of just some some examples of what we saw you know, Google workspace file sharing settings or the exposure of those files is always a hallmark where we would see, you know, confidential information being accessible by anyone that has the link that tends to be a signature kind of file that that's out there that folks don't know about in the first place.
And that's always an aha moment. And then another one that we've seen in even in the real world start to become more of a visible issue in the security world is, you know, what is in what are in our chat chat application so slack is a is a perfect example and when we support as well where you know what channels have external members within them, sometimes obviously that's going to be expected where you have, you know, contractors or third party agencies that you're collaborating with totally normal, but that's good to see right that's still helpful to understand and have that kind of audit ability.
But what about in those instances where you know there's some private sensitive information being discussed.
And for some reason someone outside of your organization is in that in that channel would you even know about that in the first place so there and then an interesting finding that we've configured with with Casby to is that large file detection so right now it's set up so basically any file over a certain size, you know, maybe that's anomalous maybe that's suspicious or at least something that shouldn't just be sitting in slack right and and we've seen in the real world actually in very recent times, instances where you know a large file that's just been sitting around maybe uploaded months ago, should have been cleaned up should have been removed because, you know, improper inappropriate access to slack in this case, led someone or to be able to access a large file that's very sensitive be able to exfiltrate it and and do malicious things with it so very relevant very real world.
But we continue to see more and more use cases in these ways and SAS is not going anywhere.
Totally. Noel kind of on that same vein of like the real world examples that we've seen or you've talked about maybe can you give us a few on the DLP front again close close cousin here to Casby as we, we learned and continue to grow and build the products together but any real world examples you can share.
Yeah, yeah, absolutely. I would say the one that customers probably encounter most often is actually just employees looking for ease of use, where you know they they have a certain file and say they, they want to access it you know in this repository or they like this application or, you know, something like that we're just, it's just easier for them to, to use the app of their choosing.
And so they might just download the file to look to upload it to a different site, but that site might not be really approved by the company it's not you know their corporate repository, you know, or maybe someone is thinking about hey I just want to use this from my personal portfolio, you know, something like that where actually there's a lot of really sensitive data in here.
This is, you know, say an unreleased product or this giveaway some information about customers like we really have to protect it and so that is a major point for customers to be able to see is, is that data getting pulled down from our corporate repositories and then is it getting uploaded somewhere else you know to say a personal account, or you know to any, you know, some shadow IT version of, you know, a corporate instance somewhere.
And so, that's that was, I would say the most common use cases that customers are really interested in.
So I would say that that's a really common use case again and customers really shouldn't be embarrassed about having to be concerned about that it's it's something that we have to give visibility to and solve together.
Awesome. Now it makes total sense and we both alluded to it earlier but kind of the better together story and how all this is made it from it's one control plane right it's one console there's not, there are different tabs but you don't need a you know a giant monitor to manage all these different things because it's from one platform I think is a super exciting aspect just to touch on there as well.
I'm kind of before we wrap up one last question for both of you as product managers at Cloudflare, what is your favorite feature within your product or vice versa, and feel free I'll pick on you Noel to go first, whether the academy or DLP feature that customers should be excited about because it's your favorite.
What would you, what would you lean into there.
That's a great question. I think that my favorite part about it is how much we got to build it directly into gateway.
So from day one we had all of the options of our secure with gateway of fully available where someone could go in and and build that customization that they were already familiar with.
And just add in one more it's a new drop down in the selector and you can just roll right with it.
We didn't have to start from scratch in that way we didn't have to do something new.
So I think it was really fun for me to kind of build on the work that everyone else has been been already sort of working on and delivering to customers.
Awesome. Alex over to your favorite feature or product within the DLP or CASB world.
Yeah yeah selfishly I can talk a little bit about a new feature that we just released where the you know the problem that we were identifying within our own product was we list all of these these security issues or findings within the CASB application.
But, you know, in some of these contexts like I just mentioned previously, a slack user that's not in your organization but as in one of these channels that might be normal right.
So what we've implemented and we've already seen a lot of good use out of it is the ability to essentially configure what findings are relevant for your organization, and what that gives you the ability to is ignore or even hide specific instances where that user that doesn't have 2FA enabled, that's totally okay for whatever reason, you have the ability to hide those instances of those findings.
And then let's say that, for some reason, in that same context, user 2FA is not important for this one SAS application, because you use SSO to connect to it, you have the ability to ignore that finding type so that it doesn't keep pestering you saying have some problematic instances of users that aren't using 2FA where that's not applicable for your organization, kind of giving you that that inbox zero approach or philosophy to your findings page that only what is on there is actually what is problematic for your organization and that's what you have to go tackle and clean up.
It makes the product only that much more usable.
Awesome. Zero Trust to Inbox Zero, I feel like there's a there's a slogan somewhere in there that we're going to trademark.
Love that.
I'm kind of as we as we wrap up like all of our Zero Trust products, as I mentioned, you know, kind of working more and more closely together.
And I think hearing from both of you today, it sounds like there's more and more integrations, anything that you both want to hint at, not too much in detail, because we just launched all these amazing things, we want customers to dive into those.
But anything that you want to kind of hint at as coming soon as these two products kind of grow more and more so together in Zero Trust?
I'll take it away. That's a great question.
I would say the number one that I've been getting from customers right now is to build custom detections.
And so that is something that we are feverishly working on.
I'm hoping to get announcement out any day now to get that into customers' hands.
So I'm very excited to get that out there. And, you know, hopefully you'll be hearing from me very soon.
Yeah, we expect all the things. Alex, anything from you?
Yeah, on the CASB side, and actually, it's really not just limited to CASB.
This is where CASB and DLP will continue to only get closer and closer, is that in-content data loss prevention or string identification within your data at rest.
So your Google workspaces, your Microsoft 365s, where you have those files, you don't just want to necessarily know about how they have been shared out in the world, but also which files have the sensitive information in them.
That's all I'll say right now. But that's the direction that we're looking forward to getting into.
Awesome. I think using GA Week and GA Announcements to talk about what's coming next is on brand for Cloudflare as we continue to focus on shipping and delivering more value to customers.