🔒 Actionable Zero Trust for the enterprise
Presented by: Alex Dunbrack, Noelle Kagan, Kenny Johnson
Originally aired on June 20, 2023 @ 7:30 AM - 8:00 AM EDT
Welcome to Cloudflare Security Week 2023!
During this year's Security Week, we'll make Zero Trust even more accessible and enterprise-ready, better protect brands from phishing and fraud, streamline security management, deliver dynamic machine learning protections and more.
In this episode, tune in for a conversation with Cloudflare's Alex Dunbrack, Noelle Kagan, and Kenny Johnson.
Tune in all week for more news, announcements, and thought-provoking discussions!
Read the blog posts:
- Zero Trust security with Ping Identity and Cloudflare Access
- Scan and secure Atlassian with Cloudflare CASB
- Adding Zero Trust signals to Sumo Logic for better security insights
- Cloudflare One DLP integrates with Microsoft Information Protection labels
For more, don't miss the Cloudflare Security Week Hub
English
Security Week
Transcript (Beta)
Hi everyone, and welcome back to Cloudflare TV and to Cloudflare Security week.
I hope everyone's been enjoying all the exciting announcements that have already happened and all the exciting announcements to come.
We have a lot in store for for all of our users and customers.
My name is Alex Dunbrack and I'm the product manager of the Cloud Access Security Broker product out of the Zero Trust Group.
And I'm joined by two of our fantastic product managers as well, Noelle Kagan from the Data Loss Prevention Team, DLP Team.
And then we've got Kenny Johnson, the product manager of our Access product.
We've got a lot to cover today. Very exciting news across the partnership front where we have found plenty of opportunities to work with with our partners across the tech space and find ways to provide our customers even better products and solutions.
Some of those topics that we'll cover is our new CASB integrations with Atlassian.
We also have our new work with Microsoft Information labels out of the DLP product.
And then we've got Kenny here who will share our exciting announcements that we're working with Ping and Sumo Logic out of Zero Trust.
But to kick us off, let's just do a quick recap on what Zero Trust is, what products make up the platform, and for those that are not familiar with it, trying to understand what they can accomplish.
So with Cloudflare Zero Trust, made up of a variety of products that give enterprises the way to gain visibility into the activity of their employees and gain control over their activity on the Internet at a at a broad scope.
A few of those products that make up Zero Trust include our Access product, Gateway product, CASB product, got DLP over here and then Remote Browser Isolation and a few more coming on on their way.
With that out of the way, let's just jump into some of these announcements and we can start with CASB here and a quick recap on CASB.
CASB is a product for security and IT operators who are looking to gain visibility over their SaaS applications, whether it's Google Workspace, Microsoft 365, now Atlassian, they're able to understand pressing security issues like misconfigurations, data exposure, user access security risks across all of their SaaS apps.
But most importantly, today we're announcing our two newest integrations with Atlassian Confluence and Atlassian Jira Software, both the cloud native versions of those.
We can jump into what our cloud or our confluence integration will be able to perform and give security operators visibility into.
And that really starts with Who can gain access?
Who can see our our internal content?
Who are those external collaborators that might have access to our space or our individual wiki pages?
You know, it's not always the case that you have someone internally at your at your organization just accessing this these documents on a day to day basis.
But you also have contractors and attorneys and all these different personas who might be interacting and security operators might not know who exactly has that access.
That's something that these new integrations can can provide visibility into.
Another area of importance out of both of these integrations is visibility into third party applications that have some form of access into your account.
These are those third party apps that have been integrated once years ago and no one has followed up on What permissions do they actually have to our space?
What if one of those apps were compromised and and malicious and trying to gain access across our environments?
That's something that our integration is now able to provide visibility into.
And then across Jira Software as well, we're doing very similar things.
Being able to identify misconfigurations, like What are those maybe those attachments on issues that are suspicious or risky that are above a certain size that might prompt concern from a security engineer?
That's another area of of visibility that we're able to provide.
And then one more on the inactive user front.
Who has access to to our environments? And if they were activated by some rogue employee, would they be able then to navigate around our environment and see what we're doing?
So both of these new integrations, we've been excited to work with Atlassian on that front, can provide this visibility where these security operators haven't been able to understand before.
And so really this is just one domain of SaaS security that we're talking about in the context of CASB.
But that's not it. That's not all that Zero Trust does. Maybe Noelle, you can tell us a little bit more about DLP and our work with Microsoft 365.
Yeah, yeah, some super exciting work.
So for those who are familiar with data classification, you know, many organizations struggle with having a lot of different types of data flowing around their network and it can be something as public as, hey, you know, like this is, you know, like the public company picnic we're having with our community.
And that information can be fine being shared with the community.
And then you have information that's highly top secret, unreleased product or intellectual property, things that absolutely shouldn't leave the company.
And so customers are always looking for a solution for How do I know what data can get out and what data can't?
And how do I protect that data and make sure that it stays in the right places?
And so with Microsoft Purview and their information protection labels, Microsoft offers one of the most popular data classification tools around.
And with these tools, you can classify documents and and classify a bunch of data within O365 so that you can put the controls in the Microsoft environment, you know, preventing things like, Hey, this is marked top secret or highly confidential, this shouldn't be downloaded, things like that, it shouldn't be emailed out.
And customers love that because it provides that visibility and that control over their sensitive data and then allowing the productivity with some of their less sensitive data and allowing it to be shared as needed.
And so one of the major things, one of the major pieces that some customers will worry about, though, is, Hey, for some of the data that is allowed to be downloaded, then I sort of lose visibility on it.
It's come down from the Microsoft infrastructure and I don't really necessarily know what my employee is going to do with it.
You know, have they uploaded it somewhere they shouldn't or shared it somewhere they shouldn't?
How do I know that, how do I extend those controls past Microsoft and make sure that nothing really gets out that shouldn't?
And that's where we decided to build our solution with an integration with CASB and DLP to leverage those those labels and extend the power of them to other infrastructure.
And so, as as Alex mentioned earlier, we can integrate with SaaS apps with our CASB product.
So right within our ability to integrate with a Microsoft application as as you go to integrate with CASB, we just look to see, Hey, are you using these these Purview information protection labels?
And if so, great, we'll pull those right down for you and we'll populate them into a DLP profile.
Very easy. Doesn't require any extra steps from our customers. We just check for you and if you have it, we give you a profile that you can use whenever you would like to.
And so any labels that you have in your environment, say you have a public label, a confidential label and a top secret label, those will all go right into a profile for you.
And then you can build other, you can you can build other profiles using them if you want.
You can use the profile we provide for you, whatever, however you'd like to do it.
And with that profile, then you can go over to our Gateway product and build inline rules to say, Hey, if you see a document that has this top secret label being downloaded or uploaded or you see this, you know, confidential label being uploaded to, say, a file sharing service that we don't use or something that is in a content category that's a little bit risky or, you know, like maybe is it from a user group that doesn't really make sense?
However you want to build the rules, you can do so.
So it extends the power of those labels, giving you that visibility and control that Microsoft provides, and we're just extending it to these other applications, which is really the goal for DLP, right?
You want the visibility and control of your data.
So that's really what we're, our goal is to provide here, is to just extend that power, extend that visibility and control and do it in as few clicks as possible.
So just integrate with CASB, you've got your profile, build your rules as you need to.
So we're really we're really excited about this.
Kind of a really big feature, something that customers have been asking for for a long time, so we're very excited to deliver it.
And then, you know, kind of kind of on that note about all the different things that Cloudflare One and Zero Trust offer, Kenny, do you want to start talking about some of the other integrations that we're working on now?
Yeah, absolutely.
Thank you, Noelle. Hey, everybody. My name is Kenny Johnson. I'm the product manager for Cloudflare Access.
Cloudflare Access is our Zero Trust network access solution.
Basically, it powers any of the identity components that you want to enforce for users accessing either public applications that are available just as a web app over the Internet or applications that are in your private network, whether or not they're on premise or web apps hosted on a private DNS or IP address.
So I'm really excited to talk about two different integrations today.
The first one is with our partner Ping Identity. We're really excited today to announce kind of full, broad support for Ping as an identity provider within Cloudflare Access and more broadly as an identity provider across our Zero Trust Suite.
Identity is a really important component for Zero Trust. Previously, the way that many organizations worked is if you logged into the VPN, we just look to see, Hey, is that...
Or the security model looked to see, Hey, is this user coming from a known IP address?
That's not how humans think. Humans think in terms of people and applications and devices.
So identity is a really, really key component for building a Zero Trust and people first-minded security posture.
And a key part of that is actually understanding who somebody is.
And we rely on identity providers for that, that process and for that step.
So the way that the integration works is we're able to integrate with Ping .
By default, we integrate over OIDC, but an option to use SAML is also available.
And then what we're able to do is at different stages of either logging into a web application or if you're running the Cloudflare Warp client on the device, you're able to trigger and pop up a login notification to the user.
And then we redirect them to your Ping account, where you're able to configure granular policies within Ping around specific types of MFA that you want to use, specific things depending on the user.
Really you're able to do all of that in a self-contained OIDC or SAML request.
And then if the user passes that request, they're then passed back to Access to federate their final elements of, of access, basically looking at their device posture, network, context, location, things like that.
Even an arbitrary API call. We recently announced an option called External Evaluation Rules that allows you to do arbitrary API checks against a user that has been authenticated via your identity provider.
So once Ping has signed off on the user and then Access has signed off on the user, then we'll grant the user access to that particular application.
And an added benefit here is that we're doing this at a DNS hostname level as opposed to directly within the application itself.
So if you've ever been daunted by a kind of homegrown custom application that you don't want to build authentication code into, Access plus Ping is the perfect solution for that.
You're able to take the the identity component and provide a SaaS-style authentication experience where you're providing a user an SSO-type login without having to modify anything about the underlying application itself.
You don't have to build in authentication libraries or dependencies or things like that.
So there's a lot of kind of added benefit and security that you're able to layer on legacy applications that would either be difficult to modify the underlying code or impossible.
Sometimes folks that even maintain the applications no longer are within an organization.
We see that all the time.
So we really aim to make it easy to provide a SaaS app-style SSO login experience for any application within your business, whether or not it's a web app or actually on-premise within your within your own infrastructure as well.
So definitely give that a try, that's that's available within Access.
And then the final integration that we're really excited to announce today is with Sumo Logic.
Sumo Logic's been a partner for a long time, but we're really excited to announce a deeper integration via one of our products called Log Push.
And what Log Push allows you to do is push logs automatically from your Cloudflare instance to whatever SIEM provider that you would like.
SIEM is a Security Event and Incident Management tool, just to define the acronym and Sumo Logic is one of our preferred partners in this area and we have extended our Log Push integration with Sumo Logic to support all of our Zero Trust log types.
So that includes Access logs, Gateway logs, DLP logs, CASB logs, any of the logs associated with either your users' traffic or your connected applications.
You're now able to push that automatically to Sumo Logic and then pipe that into preconfigured dashboards that provide you a really clear, concise overview of what's occurring within your Zero Trust environment, but that also provides you with the opportunity to customize those views and feed in additional data sources to look at based on what's going on in something like Ping or what's going on in your AWS or GCP account, as well as what you're seeing in Zero Trust to begin to identify potential security threats or breaches or anomalies and things like that.
So we're very excited about this option.
It also provides you a lot more flexibility in terms of the amount of logs that you're pulling down, the amount of logs that you want to store.
We really believe that that should be up to customers as opposed to creating kind of arbitrary limitations within our dashboard because of different log capacities and things like that within our dash.
Log Push really opens that up and gives you a lot of control in terms of how much data you do or don't want to ingest because the the request volume can get significant, especially if you're running something like Gateway, where you're piping your entire Internet traffic for your business through through the secure Web gateway.
So we definitely understand that the need to kind of either ratchet up or ratchet down, depending on the the aspect of the traffic or the nature of the business that you're in.
So we really believe in customer choice there and creating a lot of flexibility.
Awesome, so that's the kind of a quick overview on, on the Ping integrations and Sumo Logic integrations.
Those are both widely available in the dashboard. Stay tuned for more and more integration stuff coming over the next few weeks.
Alex, I'm not sure if you had any closing remarks.
Yeah, yeah, yeah.
I was just going to say, I know as a as a product team, we're we're constantly invigorated by our ability to work with our industry partners and find common solutions for for both of our customer bases.
You know, it's a theme here that we see where we want to be able to provide our customers the ability to utilize all their security tooling across the board.
And I think that this demonstrates here our desire to have the most simplistic way of that for for our users, that they can reference everything, leverage it and create a stronger security posture as an end result.
I'll mention too, for those that aren't using Zero Trust already, if you're interested or just want to learn more, always, you can always visit cloudflare.com/cloudflare-1.
If you have a team of 50 or less, you can get started for free.
Or if you're just curious to check out the platform, you can do that.
If you have any questions, you always have the product team here to support you.
And then if you're not even sure where to start on your Zero Trust journey, because sometimes that's what it can feel like and can be, please don't hesitate to to visit zerotrustroadmap.org, which is a vendor agnostic journey roadmap that can lay out essentially the step-by -step instructions on on how to get Zero Trust underway at your organization.
And with that, thank you everyone for watching.
Very excited to have these partnerships out there in the wild for everyone to use.
We we appreciate the interest and look forward to more releases soon.
Thank you everyone for watching. Thank you.
Bye-bye.
We're betting on the technology for the future, not the technology for the past.
So having a broad network, having global companies now running at full Enterprise scale gives us great comfort.
It's dead clear that no one is innovating in this space as fast as Cloudflare is.
With the help of Cloudflare, we were able to add an extra layer of network security controlled by Allianz, including WAF, DDoS, Cloudflare Users, CDN, and so, allowing us to keep costs under control and caching and improve speed.
Cloudflare has been an amazing partner in the privacy front.
They've been willing to be extremely transparent about the data that they are collecting and why they're using it, and they've also been willing to throw those logs away.
I think one of our favorite features of Cloudflare has been the Worker technology.
Our origins can go down and things will continue to operate perfectly.
I think having that kind of a safety net, you know, provided by Cloudflare goes a long ways.
We were able to leverage Cloudflare to save about $250,000 within about a day.
The cost savings across the board is, is is measurable, it's dramatic, and it's something that actually dwarfs the yearly cost of our service with Cloudflare.
It's really amazing to partner with a vendor who's not just providing a great Enterprise service, but also helping to move forward the security on the Internet.
One of the things we didn't expect to happen is that the majority of traffic coming into our infrastructure would get faster response times, which is incredible.
Like Zendesk just got 50% faster for all of these customers around the world because we migrated to Cloudflare.
We chose Cloudflare over other existing technology vendors so we could provide a single standard for our global footprint, ensuring world class capabilities in bot management and web application firewall to protect our large public-facing digital presence.
We ended up building our own fleet of HAProxy servers such that we could easily lose one and then it wouldn't have a massive effect.
But it was very hard to manage because we kept adding more and more machines as we grew.
With Cloudflare, we were able to just scrap all of that because Cloudflare now sits in front and does all the work for us.
Cloudflare helped us to improve the customer satisfaction.
It removed the friction with our customer engagement.
It's very low maintenance and very cost effective and very easy to deploy and it improves the customer experience big time.
Cloudflare is amazing.
Cloudflare is such a relief.
Cloudflare is very easy to use.
It's fast.
Cloudflare today plays the first level of defense for us.
Cloudflare has given us peace of mind.
They've got our backs. Cloudflare's been fantastic.
I would definitely recommend Cloudflare.
Cloudflare is providing an incredible service to the world right now.
Cloudflare has helped save lives through Project Fair Shot.
We will forever be grateful for your participation in getting the vaccine to those who need it most in an elegant, efficient and ethical manner.
Thank you. Q2's customers love our ability to innovate quickly and deliver what was traditionally very static old-school banking applications into more modern technologies and integrations in the marketplace.
Our customers are banks, credit unions and fintech clients.
We really focus on providing end to end solutions for the account holder throughout the course of their financial lives.
Our availability is super important to our customers here at Q2.
Even one minute of downtime can have an economic impact.
So we specifically chose Cloudflare for their Magic Transit solution because it offered a way for us to displace legacy vendors in the layer three and layer four space, but also extend layer seven services to some of our cloud-native products and more traditional infrastructure.
I think one of the things that separates Magic Transit from some of the legacy solutions that we had leveraged in the past is the ability to manage policy from a single place.
What I love about Cloudflare for Q2 is it allows us to get ten times the coverage as we previously could with legacy technologies.
I think one of the many benefits of Cloudflare is just how quickly the solution allows us to scale and deliver solutions across multiple platforms.
My favorite thing about Cloudflare is that they keep developing solutions and products.
They keep providing solutions. They keep investing in technology. They keep making the Internet safe.
Security has always been looked at as a friction point, but I feel like with Cloudflare, it doesn't need to be.
You can deliver innovation quickly, but also have those those innovative solutions be secure.
The About You fashion platform has become the number one fashion platform in Europe in the Generation Y and Z.
It has been tremendously successful because we have built the technology stack from a commerce perspective, then decided to also make it available to leading fashion brands such as Marc O'Polo, Tom Tailor, The Founded, and many others.
And that's how scale was born. What we see in the market is that the attack vectors are becoming increasingly more scaled, distributed and complex as a whole.
We decided to bring on Cloudflare to ultimately have the best possible security tech stack in place to protect our brands and retailers.
We use the Cloudflare Bot Management, Rate Limiting and WAF as an extra layer of protection for our customers by tackling the major cyber threats that we see in the market.
DDoS attacks, credential stuffing and scalping bots. What we see with a scalping bot here is that they are targeting high-end products and then buying them up within a few seconds.
That leaves the customer dissatisfied.
They will turn away, purchase somewhere else the product and thereby we have lost a customer.
Generally before, it could take maybe up to half an hour for a security engineer to handle DDoS attacks.
Now we are seeing that Cloudflare can help us to stop that in an automatic way.
Cloudflare helps us to bring the site performance to the best and ultimately therefore create even more revenue with our clients.
Cloudflare Access allows you to securely expose your internal applications and services, enforce user access policies and log per application activity all without a VPN.
This video will show you how to enable Cloudflare Access, configure an identity provider, build Access policies and enable Access App Launch.
Before enabling Access, you need to create an account and add a domain to Cloudflare.
If you have a Cloudflare account, sign in, navigate to the Access app and then click Enable Access.
For this demo, Cloudflare Access is already enabled, so let's move on to the next step.
Configuring an identity provider. Depending on your subscription plan, Access supports integration with all major identity providers or IDPs that support OIDC or SAML.
To configure an IDP, click the ADD button in the Login Methods card, then select an identity provider.
For the purposes of this demo, we're going to choose AzureAD. Follow the provider-specific setup instructions to retrieve the application ID and application secret along with the directory ID.
Toggle support groups to ON if you want to give Cloudflare access to read specific SAML attributes about the users in your tenant of AzureAD.
Enter the required fields, then click Save.
If you'd like to test the configuration after saving, click the Test button.
Cloudflare Access policies allow you to protect an entire website or resource by defining specific users or groups to deny, allow or ignore.
For the purposes of this demo, we're going to create a policy to protect a generic internal resource, resourceonintra.net.
To set up your policy, click Create Access Policy.
Let's call this application Internal Wiki.
As you can see here, policies can apply to an entire site, a specific path, apex domain, subdomain or all subdomains using a wildcard policy.
Session duration determines the length of time an authenticated user can access your application without having to log in again .
This can range from 30 minutes to one month.
Let's choose 24 hours. For the purposes of this demo, let's call the policy Just Me.
You can choose to allow, deny, bypass or choose non-identity .
Non-identity policies enforce authentication flows that don't require an identity provider IDP login such as service tokens.
You can choose to include users by an email address, emails ending in a certain domain, Access groups, which are policies defined within the Access app in the Cloudflare dashboard, IP ranges, so you can lock down a resource to a specific location or whitelist a location or your existing Azure groups.
Large businesses with complex Azure groupings tend to choose this option.
For this demo, let's use an email address.
After finalizing the policy parameters, click Save.
To test this policy, let's open an incognito window and navigate to the resource, resourceon intra.net.
Cloudflare has inserted a login screen that forces me to authenticate.
Let's choose AzureAD, login with a Microsoft username and password, and click Sign In.
After a successful authentication, I'm directed to the resource.
This process works well for an individual resource or application, but what if you have a large number of resources or applications?
That's where Access App Launch comes in handy. Access App Launch serves as a single dashboard for your users to view and launch their allowed applications.
Our test domain already has Access App Launch enabled, but to enable this feature, click the Create App Launch Portal button, which usually shows here.
In the Edit Access App Launch dialog that appears, select a rule type from the Include dropdown list.
You have the option to include the same types of users or groups that you do when creating policies.
You also have the option to exclude or require certain users or groups by clicking these buttons.
After configuring your rule, click Save.
After saving the policy, users can access the App Launch Portal at the URL listed on the Access App Launch card.
If you or your users navigate to that portal and authenticate, you'll see every application that you or your user is allowed to view based on the Cloudflare Access policies you've configured.
Now you're ready to get started with Cloudflare Access.
In this demo, you've seen how to configure an identity provider, build Access policies and enable Access App Launch.
To learn more about how Cloudflare can help you protect your users and network visit teams.cloudflare.com /access.