๐ต Keynote: What's Next โ Our Point of View
Presented by: Jen Taylor
Originally aired on September 6, 2023 @ 10:30 AM - 11:00 AM EDT
Cloudflare Connect 2021 Keynote Session
Jen Taylor, SVP and Chief Product Officer of Cloudflare, shares 5 bold predictions for how leading IT teams will connect and protect the workforce of the future.
English
Cloudflare Connect
Interviews
Transcript (Beta)
Hi, I'm Jen Taylor, Chief Product Officer at Cloudflare. We're a global cloud platform that helps make anything connected to the Internet safer, faster, and more reliable.
In talking with customers around the globe, one of the most profound shifts I'm hearing is that the legacy solutions that they use to secure their employees and networks just aren't working anymore.
We're here to help.
Now, there are a variety of reasons for this transformative shift. For one, with the rise of SaaS applications, many of the solutions that employees now need live in the cloud rather than in the organization's on-premise data centers.
Also, employees are working in different ways.
Gone are the days when employees accessed applications primarily from within the office.
The pandemic only accelerated the growing trend of work from anywhere, be it at home or on the road.
And finally, in this work-from-anywhere world, employees increasingly access applications with personal devices, such as phones and tablets, which are outside the organization's direct management.
The common thread between these trends is that increasingly, enterprise workloads and the people who use them are all moving to the public Internet.
Cloud-based applications, remote users, and personal devices, they all require mission-critical data and traffic to transit the Internet, even with all of its inefficiencies and threats.
Essentially, the public Internet is becoming the new corporate network.
This shift calls for a radical reimagining of network security and connectivity.
Cloudflare One is our Zero Trust network -as-a-service offering.
It draws on Cloudflare's massive global reach to provide reliable and fast connectivity wherever people are.
It uses our up-to-the -second threat intelligence to keep users, traffic, and systems secure.
Our simple, intuitive, and unified control plane makes it easy to connect users, build branch office on-ramps, and delegate application access, often in a matter of minutes.
Let me show you how it works.
To start, let's address the capabilities companies need to use the Internet as their corporate network.
The first capability is security, specifically the ability to better control all traffic at every point in the network.
When companies rely on traditional remote access tools like VPN, they risk giving carte blanche network access to anyone with the right credentials.
In addition, when remote employees use the public Internet to connect to applications, they're exposed to public Internet threats like malware and phishing.
With more users accessing corporate resources on a greater variety of devices, companies can't rely on keeping every remote device up-to-date with the latest endpoint security software.
When we talk to customers, they say that what they need is the ability to isolate locations, applications, and devices from attacks, inspect all traffic for threats, and then apply consistent least-privilege access regardless of a user's location.
The second capability is connectivity, specifically reliable and performant connectivity between the network and the Internet and within the network itself.
In this new world, routing all inbound and outbound traffic through centralized hardware appliances and dedicated lines is slow and inefficient.
Tromboning traffic back to specific locations is not necessarily the most efficient, performant, or secure way to get the work done.
We're hearing from customers that they need a seamless, secure, and efficient way to connect users, devices, locations, and applications over the public Internet.
Finally, customers tell us they want to provide all of this security and connectivity from a single fabric.
It is unwieldy to manage individual services for different parts of the network, different applications, and different buckets of users.
Companies want a unified control plane that provides visibility into oncoming threats, access trends, and traffic patterns without having to piece together signals from many sources.
This is where Cloudflare and our Cloudflare One solution comes in.
Fundamentally, Cloudflare is a network that operates at the edge of the Internet.
We have data centers in over 200 cities globally and over 9,500 interconnections with ISPs, corporate networks, and every application in the cloud.
Our network supports approximately 25 million Internet properties, which give us tremendous insights into network conditions and cyber threats everywhere on earth.
On that network, we offer a variety of security, performance, and reliability services.
We can enforce firewall and user access rules, block DDoS attacks, encrypt traffic, route it over the fastest network path, and much, much more.
One of the things that is special about Cloudflare is that all of those services run on every single server in every single one of our data centers all around the world.
This unified architecture gives us incredible flexibility in how we use our vast capacity and provides resilience against large attacks and network outages.
It also means we act fast. When you push new security policies, routing rules, or serverless applications, they're deployed globally in a matter of seconds.
We also make our network easy for you to use. You can connect to Cloudflare through physical connections or via tunnels that are simple to build.
All of this means that our network can become the fast, reliable, encrypted connective tissue between your organization's branch offices, remote users, and applications.
It can also authenticate traffic moving between any of those points in both directions, stopping attacks, unwanted access, and data loss.
The end result is a cloud native network solution that provides exactly what we hear organizations are asking for.
Zero Trust security with incredible performance, all easily accessible and manageable through a unified interface.
We call this solution Cloudflare One.
Zero Trust security means not trusting any request to or from the network by default.
Rather than giving broad application access to anyone with a VPN connection or corporate device, rather than allowing code from potentially malicious websites onto endpoint devices, Zero Trust security assumes any request or code is malicious until proven otherwise.
One aspect of this approach is authenticating every user and every device that accesses an application.
Cloudflare One accomplishes this with Cloudflare Access.
With Cloudflare Access, you author rules that evaluate the device's security posture, contextual factors like geographical location, and multi-factor identity authentication.
We integrate with most leading identity providers and can draw on information from these solutions from within our rules.
You can apply these rules to all sorts of applications and environments, including internal web apps, machines accessed over SSH, cloud-based SaaS apps, and private IP subnets.
It's easy to make new rules using the Cloudflare dashboard and API, and new rules deployed globally in seconds across our unified architecture.
Once a valid request is approved, Cloudflare's network scale provides the fastest connections to all of these applications and environments using our up-to-the-second intelligence about network connections.
And the connection is secure.
All traffic on our network is encrypted by default. Another aspect of Zero Trust security is protecting users and sensitive data from threats like malware and phishing.
Cloudflare One accomplishes this with our gateway and browser isolation products.
With Cloudflare Gateway, we serve as the proxy between the user and the web property.
Our identity-based policy engine can block access to risky or unwanted destinations at the DNS or HTTP level.
You can configure this access by drawing on our massive body of threat intelligence or by writing any additional policies you like.
Of course, block and allow lists can't provide complete protection.
Trusted sites may be compromised with malicious code, and phishing sites may use various tactics to avoid detection.
Cloudflare's browser isolation tackles just these problems.
Rather than connecting the user directly to the site, browser isolation isolates all browsing activity in the Cloudflare data center, so any malicious activity is contained.
A lightweight draw command then renders the web experience onto the user's device.
Unlike comparable solutions that rely on stripping out malicious code, this unique approach gives users a fast and safe experience without breaking the website.
What's really exciting is how easy all of this is to manage.
To show it to you in action, I'm going to hand you off to my colleague Neil, who's going to walk you through the process of setting up Cloudflare access, gateway, and browser isolation all from within the Cloudflare dashboard.
Thanks, Jin. In this demo of Cloudflare for Teams, the Zero Trust platform for Cloudflare 1, we'll start with the admin experience of connecting and securing any user to any self-hosted, SaaS, or Internet application.
Then, we'll show the end user experience for how we make application access and Internet browsing safer and faster.
We've already onboarded a few SaaS and self-hosted applications with outbound tunnels to Cloudflare's edge.
We defined which federated identity groups are authorized to access each application.
Then, we applied Zero Trust rules based on the user's country, authentication method from the IDP, and device posture required for CrowdStrike.
Cloudflare acts as an identity proxy, federating identity from multiple enterprise and social identity providers.
And we can use device posture attributes from multiple endpoint partnerships, as well as Cloudflare's own device client and gateway protection.
Typically, our device client would split tunnel private network traffic, but we've configured it to route traffic to a private IP subnet through Cloudflare's edge.
We also set up identity-based HTTP filter policies to block access and isolate activity to enable Zero Trust browsing for SaaS and Internet apps.
We're blocking malware, phishing, and other known threats.
And besides AV scanning, we're blocking any EXE and zip file downloads in file sharing and email apps for the finance team.
To reduce risk of malware, phishing, and data loss without overblocking users, we're isolating all web code from social networking, productivity, email, and even newly seen domains far away from their devices.
And we also set up identity-based network rules to only allow RDP access to specific private IPs and host names for the production team.
Now let's switch to the end user experience.
We have several users authorized to access Moodle, our self -hosted learning management application.
One is prompted to authenticate, chooses Okta, but hasn't enrolled their hard key and is denied.
Another user logs in with their hard key, allowing Cloudflare to verify their identity, and now they're in.
It doesn't matter that IT doesn't manage their laptop, because no client on the device is required.
Another user is an employee authorized to RDP into a server within a private network.
Their device is running Cloudflare's client, which is always running without sacrificing performance.
They've already authenticated, such that their RDP thick client can connect to the server's private IP.
The same user now accesses their Google SaaS applications. Cloudflare verifies that CrowdStrike is running, and their Azure AD authentication passes before granting access.
But they're blocked from uploading certain file types like zip files, which could be used to exfiltrate something sensitive.
They're also blocked from accessing certain settings within the application.
Their entire browsing experience feels the same as it always had, and yet the web code is running at Cloudflare's edge.
So they're interacting with just the final rendering, securely streamed via an encrypted tunnel to their local browser.
Next, they browse to an online gaming application, and like most Internet applications, there's third -party ads sending code to their browsers.
Such code can exploit a browser's vulnerability.
In our example, we're using a benign exploit that opens the user's calculator app, but we know in most cases this will be malicious.
Now, we're going to run the exploit again, but this time we'll enable gateway protections.
Since we're isolating the device from the web code, we can see that the exploit is not reaching the device at all.
Returning to the product's dashboard, the IT and security teams can quickly learn which applications have the most logins, new trends, and what's being blocked the most.
Cloudflare can push activity logs wherever you prefer to keep them, whether it's a sim like Splunk or a cloud storage bucket like Amazon S3.
And that's it. Back to you, Jen. So, we've seen how Cloudflare 1 secures and authenticates users, devices, and applications, but that's only half of the equation.
To safely and reliably use the public Internet as a critical part of your enterprise network, you need secure connectivity, both with the public Internet and between different offices.
Step one is to move the network perimeter to the Internet edge.
Cloudflare 1 accomplishes this with Magic Transit, which puts our global network between the public Internet and your internal infrastructure in order to provide secure connectivity, traffic acceleration, and DDoS protection.
Our Magic Firewall allows you to craft powerful rules to precisely allow or deny any traffic in or out of your network.
Companies can connect to our network in a variety of ways.
Branch offices and privately hosted data centers can do so through tunneling.
Servers in a shared data center can establish a physical connection to our network, either directly or through one of a dozen on-ramp partnerships.
Once connected, Cloudflare uses any cast to advertise your company's public IP range from every data center in our network.
When traffic hits one of our data centers, Magic Transit uses our vast trove of threat intelligence to filter out network layer DDoS attacks in less than three seconds.
Magic Firewall rules are applied to further filter what traffic is allowed in.
Now, another aspect of connectivity is routing.
Specifically, routing approved traffic to and from the correct network locations.
Cloudflare 1 accomplishes this with Magic WAN, in which Cloudflare's network serves as the connective tissue.
Over time, as more applications move to the cloud, more teams move to distributed work, and more network traffic transits the public Internet, we expect that customers will transition away from leased lines, which currently connect the branch offices.
Any replacement for a leased line needs to be fast, and Cloudflare delivers that speed.
Our network scale, our 200-plus network cities, and 9,000-plus interconnections let us minimize the number of network hops the traffic must make in its journey to and from all of those endpoints.
As with other parts of Cloudflare 1, all of this is easy to accomplish in the Cloudflare dashboard.
I'm going to hand you off again to Neil, who will show you how to configure this connectivity in real time.
Thanks, Jen.
Let's jump in and take a look. We're going to start with Magic Transit.
With Magic Transit, Cloudflare will advertise your external IP prefixes for you, so that traffic destined for your network benefits from Cloudflare's network acceleration, as well as security controls, before it reaches your network.
This really enables the Internet to be the true edge of your network.
Here in the example, you can see I've got a pair of ranges, which I'm allowing Cloudflare to advertise through Magic Transit.
If we switch over to the network analytics dashboard, you can see all of the visibility for the traffic destined to all of our IP addresses.
To take a look at some of the security benefits of Magic Transit, we're going to simulate a denial -of-service attack against our Cloudflare -protected network from this remote endpoint.
You can see the remote endpoint is located in a different country by its external IP address.
In the background here, I'm going to start the denial-of -service attack, and I'm going to switch back to the network analytics dashboard.
And you can see very quickly that there is an active attack that is being mitigated.
You have visibility into the originating IP.
You can see that it is indeed our remote endpoint by matching the IP addresses.
And we can also see some details about the attack. The fact that it's a UDP flood, the volume of packets, and the volume of data over a certain period, as well as the duration of the attack.
You can see this one is ongoing. So not only can we prevent this kind of attack, we can actually define specific controls on the traffic that you want to be permitted inside your network with our Magic Firewall.
So it's very easy to define a new rule in Magic Firewall. For example, if we take this attacker IP, we can pull that into a Magic Firewall rule here and drop all the traffic.
There's a number of other parameters that we can use to match against, but for this case, I'm just going to keep it simple, and we're just going to block a single IP.
So with the outer edge of your network protected with Cloudflare's network, it comes down to connectivity and routing within your environment.
This is where Cloudflare's Magic WAN can route traffic in between branches and data centers using Cloudflare's global network as that connected tissue.
This organization that we're looking at actually has a few locations already set up, and you can see the tunnels here in the dashboard.
These branches are all connected using Cloudflare's network as a global hub, and traffic is routed between them through Cloudflare.
In this way, Magic WAN can really simplify and ease connectivity between an ever-growing and expanding network.
For this example, let's take a look at a few endpoints behind these branches and check out the connectivity.
Here you can see that we've got a single endpoint out in EMEA, and it's attempting to make connections into both LAX and US East Coast.
These are two of our data centers. With these simple commands, you can see that there is a very clear communication back and forth.
I can send some messages one way, and I can see it on the other side.
However, it's not just important to enable this broad global connectivity, but we also need to be able to apply security controls to it.
What we're going to do is we're going to actually jump right back into Magic Firewall, that single firewall dashboard for your entire network, and we're going to apply rules that are going to prevent traffic from flowing from EMEA to the LAX data center.
It's a very simple rule. You can see we have a couple conditions matching the source and the destination IP address.
Once we put this rule into place, you can see almost immediately when I switch back and try to run commands on the EMEA endpoint, everything is failing.
And then you can see we get a connection timeout.
However, traffic from EMEA to the East Coast is still permitted and working as expected.
It's really as simple as that.
With Cloudflare 1, you can connect and secure your users, devices, applications, branches, data centers, everything seamlessly.
With that, back to you, Jen.
We've covered a lot of ground. It has been a pleasure sharing the many benefits of Cloudflare 1 with you.
Our customers tell us time and time again how important Zero Trust network security and fast, reliable network connectivity are to them.
We're excited that our network makes those capabilities possible and simpler to achieve and maintain as well.
We have exciting breakouts throughout the week where you can dive deeper into each of these technologies that I spoke about.
Don't forget to add these live learning sessions through the Connect 2021 portal.
Thank you so much for joining me today.
I look forward to meeting with many of you in the coming months.