Cloudflare TV

1️⃣ Announcing Gateway + CASB

Presented by Corey Mahan, Alex Dunbrack, Ankur Aggarwal
Originally aired on 

Join our product and engineering teams as they discuss what products have shipped today during Cloudflare One Week!

Read the blog posts:

Visit the Cloudflare One Week Hub for every announcement and CFTV episode — check back all week for more!


Transcript (Beta)

Hey, everyone. Welcome back to Cloudflare TV and to Friday of Cloudflare One Week. We hope everyone's enjoyed all the exciting announcements that have taken place this week, and we're even more excited today in this segment to share two products within our Zero Trust suite that now are even getting better by working together.

So I'm your host, Alex Dunbrack. I work on the New Product Go to Market side of the product team.

And I'm joined today by Ankur Aggarwal, the product manager of our Secure Web Gateway, and Corey Mahan, a PM director for our Zero Trust Suite responsible for CASB.

So today we announced CASB +Gateway, and we're excited to share more about how these two already great products are now even working more closely together for a better solution.

But before we dive into the solution, I wanted to first talk about the problem that most organizations are facing today across shadow IT and protecting their their their users and their data.

So Corey, do you mind giving us a quick overview of the challenges that teams are facing today?


Yeah. Thanks, Alex. Yeah.

So kind of talking about shadow IT and managing access to the many, likely many unsanctioned apps being used across the organization.

I think about the challenge of an organization or a company I worked at in a previous life, around, we ended up with seven chat applications.

There are seven of them out there.

There may actually be more, but everyone kind of brought their own or this team was using that and then someone signed up with a credit card.

And so then we were using that app and it became really, really troubling to have all that data and obviously those user accounts across all those services.

So there was one approved one, we had seven and it wasn't great.

And so what we wanted to do was have that user behavior and educate the team to use the sanctioned and approved one.


The reason for that is we wanted to minimize the risk of oversharing. All the security controls may not be turned on in that application, and we really didn't have any insight or visibility into what was happening.

And so that's kind of a common story across different applications, chat being one example.

But the SAS sprawl of engineers, sales folks, marketing, there's no one no one's discriminated against.

It's everyone signing up for tools and services that they need or may think they need to do their job rather than perhaps the approved ones.

So that is the shadow IT kind of conundrum that faces every almost every if not every organization today.

So that's kind of the problem at hand.

Ankur, anything to add of what you've seen kind of around the shadow IT sprawl and the trouble or difficulty in managing them?

For sure.

Organizations often come to us trying to roll out the Zero Trust suite or just any security edge services and their first kind of questions or as they're going through implementation, their questions for their teams are just trying to gather and figure out what services they're using.

A lot of times these security teams just don't know what's going on within their perimeter.

And a lot of times, like by getting this solution up in front of that perimeter, they're able to ID those applications and with those IDs actually start enforcing some of their actual organization policies, because it's...

how often have we all been at companies where it's, yeah, this is the one sanctioned app we're supposed to use.

And then it's obviously not the one sanctioned app we're all using.

So with a lot of the kind of analytics that they're able to get by proxying this traffic through Cloudflare and Cloudflare gateways especially, they're able to surface the individual applications.

And each of these individual applications essentially surfaces with the optionality to say, I want to approve this, deny this, or I just want to kind of put this in a monitoring mode.

I just want to come back to it later. So a lot of times we'll see organizations just let that run for a week, let it bake in, and then slowly start enforcing those policies on their organization.

So it's really interesting to see kind of security teams essentially just start proxying traffic and then instantly executing on all their kind of really business policies that they've had for a while now.


I'm going to take over or kind of build off of that. Yeah, it's definitely a widespread problem.

And then I'll get to your point of kind of using the Secure Web Gateway technology to surface that and being able to see it almost, I would say, nearly immediately, right?

Seeing all the traffic route. The other end of that is is kind of on the CASB, API-driven CASB side of the house, right?

So we're able to to surface and see all of that, the times that the users have granted access or the thing that everyone loves to do is sign in with Google, for example, or the sign in with your favorite flavor of the day.

And you're able to connect to those services really, really easily.

Then you don't have to worry about credentials.

But when your users do that, we're able to see that through what we call integrations in our API CASB.

And so we know, or are able to surface to you rather, through your services like Google Workspace or Microsoft 365, what users are using what services.


So we're taking a lens through the API to detect these things. That's kind of the API-driven model and as Ankur mentioned, through the kind of the inline model of, Hey, here's what's happening with your users out there today.

So that's kind of the overview of I think like the two solutions.

Ankur, anything to add - kind of on the Secure Web Gateway front?

- For sure. Yeah, so looking at just the shadow IT portion of it is great, but obviously the Secure Web Gateway is made up of, really kind of three distinct components.

You have DNS filtering and then you have kind of our Secure Web Gateway, which contains our network policies as well as our HTTP policies.

And what's really nice about this is we've packaged things together so you don't have to worry about, Oh, I'm only able to do, I'm only able to proxy traffic, but I'm not able to inspect it.

And it's...

what we've tried to essentially surface for customers and administrators really is, You don't have to figure that out.

It's all available to you and it's all available to configure easily within our UI, API, TerraForm.

So essentially with DNS, you're able to filter any sort of applications, domains, hosts.

And the nice thing about our DNS filtering is it's built on top of our one dot service.

So essentially, all of your queries are resolving through the fastest DNS resolver in the world.

It's powered by all of our edge data centers.

And essentially this applies your filtering rules just on top of that service.

And then within our Secure Web Gateway, when you're looking just at those network policies, what's really neat about it is you can use those to essentially replace your VPN, so it replaces your on-prem VPN, any sort of other tunnels you might have out there to access it, internal resources via IPsec tunnels you might have.

Instead now you can use Cloudflare Tunnel.

Essentially, it's a daemon that runs on your machines and your data center and you can either proxy networks to it or just strictly for a single web server, really, however you want to kind of cut that up.

And what's nice is you're also able to again apply those application, domain level kind of filtering controls because we essentially do a lot of the SNI inspection at that stage too.

So you don't actually have to do the full HTTP inspection, which comes next with that HTTP filter.

And then finally, that HTTP policy builder allows you to do that rich inspection, which gives surfaces really that shadow IT information and then also starts to power really our DLP services, any sort of URL filtering, and honestly, I think the biggest thing here really across all three components is the fact that we apply all of our Cloudforce One intel to all of them.

So it's it's all the intel that we collect from our network as well as all of our third party resources that we kind of kind of weed through to surface for our customers.

So that's kind of the overview of the kind of policy engine that's available through Cloudflare Gateway today.

That's great.

Awesome. Yeah.

Corey, I was just going to say, you know, we've talked a little bit about about this pervasive, many pervasive issues at hand that span security teams and IT teams.

And we've talked about these these products individually and how great they are and the progress being made.

I'd like to talk a little bit now about how they're going to work together to solve these kinds of problems.

Corey, not sure if this is something you can give us a little bit of background on.

Sure, totally.

So I think kind of from the API CASB-driven world, right, is we're able to, from the gateway side of the house as well, depending on what product you're using first or what you may be familiar with, we're able to surface a lot of different data and that's great, right?

We would call them perhaps findings in the CASB world or security issues, alerts, you can think about it differently.

But what do you do with that?

How do you action that, right?

How do you take that next step into, as Ankur mentioned, kind of blocking, preventing, controlling that traffic and that data.

And so that's how kind of we started to bring these two products together, so that, as Ankur mentioned, all from the same dashboard, all from the same console.

It feels like one thing.

And so maybe walking through a use case is a really good example of of using kind of the API driven CASB and our Secure Web Gateway solution to solve problems that span much greater than the two could individually.

The ones that spring to mind are around the, as we kind of talked about earlier, the detection of who's using what.


So you're able to you're able to look at who's using what on the wire, right?

What services are being accessed, what data is moving, how much data, etc.. But also too, I'll call it offline, right, that clicking the button to log in or before you've established any network controls whatsoever, you're able to gain that historical view of what your users and your systems have been accessing.

So bringing that together, what it looks like is, is using the findings, as we call them, from the API-driven CASB and in literally one click being able to create detailed gateway policies to prevent that action altogether, to log that action or to stop behaviors around that action.

So a really good example I like to dig into is we'll pick Google Workspace as a very common and popular business suite of tools and we're able to, with our API CASB, surface certain permissions around certain third party SAS applications that are being used by your users, perhaps that you see that someone's granted lots of access to their Google Drive or to their slides or other documents and things that you probably wouldn't want them to.

You have a few options at that point, right?

You can say, Hey, let's just stop usage to that SAS application altogether.

That's an option that you can click and create a gateway policy, Ankur has mentioned, like a DNS policy and let's say let's just not let traffic ever get to that service.

Additionally, you can go one step further and say, hey, let's control certain behaviors around that, right?

Maybe it's Google Drive and we saw some users that were uploading lots of things and we don't want them to upload that anymore.

So we're just going to stop file uploads.

You can still get to drive and we know that they're using that service from our API CASB because we saw the data being moved and now we're going to go stop it on the wire with our Secure Web Gateway.

So in being able to, I would call, in one click create policies from one product into another with that seamless experience feeling like one thing.

Ankur, any other examples that come to mind around kind of the shadow IT use case and how the kind of two go back and forth?


Yeah. So earlier we spoke about essentially being able to block unsanctioned applications and something that you can even do, say one step further, is block it for say, specific user groups.

So with those shadow IT analytics, you'd be able to see all the different types of users that are trying to...

or not even trying, that are accessing those applications and use that to inform what kind of rules you build within Gateway.

So one kind of common use case we see is if you have contractors that are on site, they have access to all your systems.

You can just like let them in via, gave them access by Okta or something, but you weren't too coarse on their, or sorry, too granular on the permissions that you gave them to, which are which SAS apps.

Something you could do is you could easily see that, hey, I have contractor X, Y and Z hitting my Salesforce instance and I want to actually put a block policy in for them.

So something you can do is you can create a gateway policy that explicitly blocks those contractors, either by their direct email or by linking it directly to that Okta group that has those contractors there.

So you can easily add that block in or even just kind of flip it and say, if not employ, just don't allow.

So a lot of these integrations tie really well together because we have that identity piece, we have the Shadow IT piece and like that inline CASB truly kind of helps just keep your organization and your information secure.


I love that use case as well as, I guess a former practitioner if you will, like finding out what, who's using what is super important and to build off just for one use case it's super front of mind is we can do as much security awareness training as possible and I encourage that and I think that we should.

But you're still probably going to find a user or two doing the things that you just wish they wouldn't.

And a really good example of that is, is kind of again working through that workflow of, hey, our API CASB has shown that, we'll pick on Alex, Alex has shared like all of these files and folders on the internet, right?

His behavior around data sharing is quite poor. What we can do, not even at the contractor level, but to the individual user level, we've realized the behavior Alex is doing is not ideal and potentially putting us at risk.

Alex still needs to do his job, so what we're going to do is, we detected with the API CASB that hey, Alex is sharing a ton of files and folders that he probably shouldn't.

We're going to go create a gateway policy that stops uploads for Alex.

No more of that, my friend.

Just for Alex, until we can go have some type of remedial training and conversation or worse, I suppose.

But that granularity that we're allowed to in gateway with the very specific insight that you need to action..

blocking uploads for all users may be something that you need that seems perhaps quite extreme.

So it gives you that ability to go quite broad with the brush or very, very fine- grain when you use both these products together.

And so it's kind of yeah, that idea of you can't protect what you don't know you have.

So you know what you have. You're protecting things on the wire, protecting things in the API, and then you're able to action that very quickly, whether that be a block policy or blocking all actions, some actions, etc., etc..

Alex, I picked on you there.

Sorry, anything to add on the use cases of what you see, kind of on the other side of the house?

No, I was just going to mention that that customers have been asking for this level of actionability for a while and how hard our teams internally have been working on this.

So I know that it's relevant in the space. The problem is pervasive and getting this kind of, not just the visibility, but that layer of action ability is going to change things for for a lot of organizations.

So, so very, very excited on that end. You know, unless there's anything else to that you guys both have to add, I just know that we've been able to highlight the many ways that the Cloudflare One suite together works seamlessly and and provides this unified platform that you can fix SAS security issues but then also get that that layer of control on top via the network.

So I'll pass it to Corey and Ankur for any last, last words here.


No, I'm sorry Ankur I'll...

in jumping in. I think the exciting bit is this is definitely the first of many different kind of cross collaboration, if you will.

And the idea that the Zero Trust suite, the Cloudflare One product suite feels like one thing is good and that's the intent, right?

We want to make things seamless across, so that it's not necessarily matter what product you're using, it's the problem that you're solving and you have the tools to do it.

And this is just a really good example of that. So why we call it CASB + Gateway, what we're really saying is like being able to find, detect and prevent shadow IT, misconfigurations or any of the other behaviors that may surface getting very, very...

having the ability to get very, very granular with those actions instead of having to do broad sweeping things and then obviously do the broad sweeping things when you need.

So that's what I'd say that I'm most excited about and I think you'll be hearing more and more of the X plus Y in kind of the whole Zero Trust and Cloudflare One journey.


And yeah, and the one last thing I want to add here is just the fact that because everything's built on Cloudflare, built on Cloudflare's edge, everything occurs, everything is executed, everything is filtered and routed all in that same edge machine that you hit.

So there's no chaining services together.

There's no chaining different metals together, different...

sending it to different locations.

All of this happens to that connected colo that your user's connected to, so we're able to provide all of these services at a very performant kind of line rate speed without having to impact anything going either east or west or having to go through and ship it to another continent to have that other service looped in.

So I just love the fact that we're able to kind of integrate all these things in a very, just what feels like a Cloudflare way.

So true.

Yeah. I'll add one last shameless plug here and thank you both for joining.

I think that this has been incredibly insightful for for customers and folks looking for a Zero Trust solution.

But for those out there listening that aren't already using Cloudflare Zero Trust suite, you can get started for free if you're a team of less than 50 just by visiting our website, which is

You can get started any time.

I think that's it.

So thank you everyone for watching.

Have a great rest of your day and a great weekend.

Thanks so much to you.


The real privilege of working at Mozilla is that we're a mission-driven organization.

And what that means is that before we do things, we ask what's good for the users as opposed to what's going to make the most money.

Mozilla's values are similar to Cloudflare's.

They care about enabling the web for everybody in a way that is secure, in a way that is private, and in a way that is trustworthy.

We've been collaborating on improving the protocols that help secure connections between browsers and websites.

Mozilla and Cloudflare have collaborated on a wide range of technologies.

The first place we really collaborated with the new TLS 1.3 protocol, and then we followed it up with QUIC and DNS over HTTPS, and most recently the new Firefox private network.

DNS is core to the way that everything on the internet works.

It's a very old protocol and it's also in plain text, meaning that it's not encrypted.

And this is something that a lot of people don't realize. You can be using SSL and connecting securely to websites, but your DNS traffic may still be unencrypted.

When Mozilla was looking for a partner for providing encrypted DNS, Cloudflare was a natural fit.

The idea was that Cloudflare would run the server piece of it and Mozilla would run the client piece of it, and the consequence would be that we'd protect DNS traffic for anybody who used Firefox.

Cloudflare was a great partner with this because they were really willing early on to implement the protocol, stand up a trusted recursive resolver and create this experience for users.

They were strong supporters of it.

One of the great things about working with Cloudflare is their engineers are crazy fast.

So the time between we decide to do something and we write down the barest protocol sketch and they have it running in their infrastructure is a matter of days to weeks, not a matter of months to years.

There's a difference between standing up a service that one person can use or ten people can use, and a service that everybody on the Internet can use.

When we talk about bringing new protocols to the Web, we're talking about bringing it not to millions, not to tens of millions.

We're talking about hundreds of millions to billions of people.

Cloudflare has been an amazing partner in the privacy front.

They've been willing to be extremely transparent about the data that they are collecting and why they're using it.

and they've also been willing to throw those logs away.

Really, users are getting two classes of benefits out of our partnership with Cloudflare.

The first is direct benefits. That is, we're offering services to the user that make them more secure and we're offering them via Cloudflare.

So that's like an immediate benefit the users are getting.

The indirect benefit the users are getting is that we're developing the next generation of security and privacy technology, and Cloudflare is helping us do it, and that will ultimately benefit every user, both Firefox users and every user of the Internet.

We're really excited to work with an organization like Mozilla that is aligned with the user's interests and in taking the Internet and moving it in a direction that is more private, more secure, and is aligned with what we think the Internet should be.

We have seen malicious foreign actors attempt to subvert democracy.

What we saw was a sophisticated attack on our electoral system.

The Athenian project is our little contribution as a company to say, How can we help ensure that the political process has integrity, that people can trust it, and that people can rely on it?

It's like a small family or community here, and I think elections around the nation is the same way.

We're not a big agency.

We don't have thousands of employees.

We have tens of employees.

We have less than 100 here in North Carolina. So what's on my mind when I get up and go to work every morning is, What's next?

What did we not think of and what are the bad actors thinking of?

The Athenian project, we use that to protect our voter information center site and allow it to be securely accessed by the citizens of Rhode Island.

It's extremely important to protect that and to be able to keep it available.

There are many bad actors out there that are trying to bring that down and others trying to penetrate our perimeter defenses from the Internet to access our voter registration and/or tabulation data.

So it's very important to have a elections website that is safe, secure and foremost accurate.

The Athenian project for anyone who is trying to run an election, anywhere in the United States is provided by us for free.

We think of it as a community service.

I stay optimistic by reminding myself there's a light at the end of the tunnel.

- It's not a train.

- Having this protection gives us some peace of mind that we know if for some reason we were to come under attack, we wouldn't have to scramble or worry about trying to keep our site up, that Cloudflare has our back.


What is the cloud?

The cloud refers to servers that are accessed over the Internet, along with the software and databases that run on those servers.

Cloud servers are located in data centers all over the world.

By using the cloud, users and companies don't have to manage physical servers themselves or run software applications on their own machines.

The cloud enables users to access the same files and applications from almost any device because the computing and storage takes place on servers in a remote data center instead of on a user's device.

For example, Gmail stores emails and attachments in Google Drive cloud storage, allowing users to access their email and files via any Internet connected device.

We're betting on the technology for the future, not the technology for the past.

So having a broad network, having global companies now running at full enterprise scale gives us great comfort.

It's dead clear that no one is innovating in this space as fast as Cloudflare is.

With the help of Cloudflare, we were able to add an extra layer of network security controlled by alliance, including WAF, DDoS, Cloudflare Users, CDN and so it allows us to keep costs under control and caching and improve speed.

Cloudflare has been an amazing partner in the privacy front.

They've been willing to be extremely transparent about the data that they are collecting and why they're using it, and they've also been willing to throw those logs away.

I think one of our favorite features of Cloudflare has been the Worker technology.

Our origins can go down and things will continue to operate perfectly.

I think having that kind of a safety net provided by Cloudflare goes a long ways.

We were able to leverage Cloudflare to save about $ 250,000 within about a day.

The cost savings across the board is measurable, it's dramatic, and it's something that actually dwarfs the yearly cost of our - service with Cloudflare.

- It's really amazing to partner with a vendor who's not just providing a great enterprise service, but also helping to move forward the security on the Internet.

One of the things we didn't expect to happen is that the majority of traffic coming into our infrastructure would get faster response times, which is incredible.

Like Zendesk just got 50% faster for all of these customers around the world because we migrated to Cloudflare.

We chose Cloudflare over other existing technology vendors so we could provide a single standard for our global footprint, ensuring world-class capabilities in bot management and Web Application Firewall - to protect our large public-facing digital presence.

- We ended up building our own fleet of HAProxy servers, such that we can easily lose one and then it wouldn't have a massive effect.

But it was very hard to manage because we kept adding more and more machines as we grew.

With Cloudflare, we were able to just scrap all of that because Cloudflare now sits in front and does all the work for us.

Cloudflare helped us to improve the customer satisfaction.

It removed the friction with our customer engagement.

It's very low maintenance and are very cost effective and are very easy to deploy and it improves the customer experiences big time.

And Cloudflare is amazing.

Cloudflare is amazing.

Cloudflare is such a relief. - Cloudflare is very easy to use.

- It's fast. Cloudflare really plays the first level of defense for us.

Cloudflare has given us peace of mind.

They've got our backs.

Cloudflare has been fantastic.

I would definitely recommend Cloudflare.

Cloudflare is providing an incredible service to the world right now.

Cloudflare has helped save lives through Project Fair Shot.

We will forever be grateful for your participation in getting the vaccine to those who need it most in an elegant, efficient and ethical manner.

Thank you.

Thumbnail image for video "Cloudflare One Week"

Cloudflare One Week
It's Cloudflare One Week, featuring an array of announcements and discussions related to Zero Trust and SASE. Visit the Cloudflare One Week Hub for every announcement and CFTV episode — check back all week for more!
Watch more episodes