π Managing Clouds - Cloudflare CASB
Presented by: Corey Mahan, Matt Lewis
Originally aired on December 12, 2023 @ 2:00 AM - 2:30 AM EST
Join Cloudflare's Product Management team to learn more about the products announced today during Security Week.
Get started today with the Cloudflare CASB beta! Request Beta access here:
Read the blog posts:
- A bridge to Zero Trust
- Cloudflare partners with Microsoft to protect joint customers with a Global Zero Trust Network
- Introducing SSH command logging
- Zero Trust client sessions
- Managing Clouds - Cloudflare CASB and our not so secret plan for whatβs next
Tune in daily for more Security Week at Cloudflare!
SecurityWeek
English
Security Week
Transcript (Beta)
Hello everyone. Welcome to Cloudflare TV and Cloudflare Security week. My name is Corey Mahan.
I am a product manager on the CASB team here at Cloudflare.
And I'm Matt and I'm Corey's counterpart, an engineering manager here on the CASB team at Cloudflare.
Today we're going to talk about what customers can come to expect from the API driven CASB product.
Some timelines to support that.
How to get started with protecting your critical SAS applications by joining the beta.
And then more details of what that beta entails towards the end of this segment, how you can join, what integrations will come, when all the exciting things to gear up for that early access beta.
But before we go any further, probably best to reintroduce or kind of dive into an API-driven CASB.
It's a lot of acronyms, it's a lot of words.
What does that actually even mean?
So as a quick recap, Cloudflare's CASB helps IT and security teams detect security issues in and across their SaaS apps.
We're looking at both users and data at rest to alert teams to issues ranging from unauthorized user access, file exposure, misconfigurations and shadow IT.
The term can be itself stands for cloud access security broker.
We append or rather put at the front that API driven context to kind of infer how it works.
The word is about a little over a decade old, but really the takeaway is, is that we're helping secure data at rest in your SaaS applications.
Matt, we'll kind of talk about some examples.
These are probably front of mind for you as well.
When we talk about what an API CASB can help users do, we say unauthorized user access?
What does that mean exactly to you? Yeah.
I think unauthorized user access is always kind of a polymorphic term when it comes to when it comes to thinking about it from that security operator mindset in a company.
But often I think it really comes down to kind of like the core CIA triangle that we think about when we think of security.
And that's just making sure from often a confidentiality perspective that who should be authorized to access those resources are authorized.
And so when we think about that access paradigm, especially across the SaaS application suite, we definitely continue to think of how evolving the organization is with employees joining and leaving and contractors and all other kind of parties that need to have any sort of awareness around their SaaS data and have application access to all of your SaaS suite of apps.
We definitely hear kind of time and time again unauthorized access of being able to kind of monitor, know and control who has access to SaaS applications and kind of continuously be able to evolve that capability as your organization continues to kind of be ephemeral throughout your day to day kind of work.
Exactly.
And that's definitely a big one. Another big one.
Part of the API has been kind of core functionality is that kind of that data loss and protection story, right?
File exposures or data exposure?
Who's sharing what with whom?
Whether you use one or many SaaS applications, this is a very big problem, especially as more teams kind of rely on SaaS services and that kind of leads into the shadow.
It use cases of users gaining access to systems and services, maybe that they shouldn't all the way down to misconfigurations right.
Something wasn't turned on or set properly, or a user intentionally or unintentionally changed the setting.
So all of those things is when we talk about CASB is what we're really referencing.
And the drilling just said the API driven kind of how it works. It's the modern approach, right?
So there's no agents, there's no downloads, there's no installs.
And because of that, that also means there's no network changes or impact on network performance.
So in most cases, IT and security administrators can get up and running and literally in a matter of minutes to kind of close this of recapping of what it means.
I like to paint a picture of kind of setting up or protecting, say, your home so you can have security cameras, maybe you have some gates or maybe you're very extreme and you've hired guards to kind of guard outside of your home.
That's great.
You're going to prevent or at least notify you if anything coming up to your door that you may not necessarily want.
But you have no real insight into what's happening inside the house.
And that's where an API cavity really works, is we're telling you what's going on within these SaaS applications, within the perimeter that you want to protect, whether that be user behavior or data moving to and fro, we're really able to glean insights and then allow you to protect and detect things happening there.
So now that we kind of level set on what an API CASB is, we're excited to kind of share more of where we're going with it at Cloudflare.
And that starts with new integrations.
So when we say integrations, what does that does exactly mean?
We call integrations the method or the services in SaaS land that we connect with.
Usually this is via a common Workstreams OAuth 2.0 for secure authorization and it allows us to securely scan and manage the SAS applications.
Matt, kind of as we've built this out, how have you thought about integrating and working with the various SaaS providers, what we call integrations today?
Yeah, for sure.
I think when we think about integrations a lot is the question is which integrations, right?
As we kind of continue to continue to see that security administrator, we often have a chance to speak to them and think what are their really, really top priority things?
And what we absolutely continue to hear is kind of where their work takes place and subsequently where their users and data live.
And so often that's kind of revolving the business suite of products.
That's your Google workspace and your M365.
So we absolutely support today Google Workspace that will actually be our first service in beta here.
Cloudflare has been as we continue to move forward that really.
M365 and kind of residual business suite.
It's definitely a very large kind of kind of point of contention for security ministers is there's just so many services, so much breadth there and that's that's where the org kind of takes place with their work now.
Exactly.
Know exactly that. So yeah excited to share.
Our Google Workspace will be our first service available starting in the beta and that will soon be followed by Microsoft 365.
So those core business suites that customers are coming to know and love will be integrating with them to look at the variety of services and applications within how teams communicate, how teams share data or your documents, files and folders lived, what's where those are moving, how they're being accessed, the settings around it that full visibility and control into those business suites from there kind of looking forward, we're excited to share kind of what comes next and that looks like a variety of things, right?
It's where business data lives and what's most important to customers.
So this is twofold where we're going and also to shape very much by the customers that are that are listening.
Now we want to drive what we integrate with next based off which applications match to what you're trying to protect most.
Maybe this is a risky app or maybe risky or data lives or sensitive data lives in this service.
How do we integrate with that and provide value back to you. I can tease a few more, such as the Slacks of the world, the actors, the Zooms, and even the SalesForces where that really customer critical data exists in large masses.
You want to be able to detect what's going on there and then prevent any issues going forward.
So if you're a customer or use the services, we want to hear from you.
We want to understand what apps matter most to you. And that's something I'll talk about at the end is during the beta process is really getting to know how you'd like to manage these services as we continue to add more and more integration, understanding what the risk may live in a different place for you than it does for someone else.
So we talked a little bit about integrations, know that there'll be lots more to come.
Those are just the first two that we're really excited to get customers using from there, something that we've heard customers talk about a lot is what we're calling SaaS Asset Management.
So on top of the integrations that each SaaS service has, what we would call a digital noun, think about users data files, folders, repos, calendars, meeting, invite settings, etc., etc., etc..
These all are in context to the SaaS service and they each live within their own individual SaaS service.
But you can't really protect what you don't even know you have.
They're kind of the age old adage in security you have to know what you have in order to protect it.
And so we're introducing the SaaS asset management feature.
You can kind of think of it like an inventory of sorts so that as a user or as an item security and administrator, you can see, hey, Corrie, for example, has access to this service, access to this service, access to this service, but is missing multifactor authentication in this one.
We should probably have a chat with him being able to view your wide variety of settings, users and data across services in a very easy to use dashboard.
We believe we'll give it in security administrators that easy one stop shop.
Matt I know you've worked with a bunch of folks kind of on this and as we begin to build kind of think through this, what does that look like for you and what would you say you're most excited about giving this into customers hands?
Yeah, I think that's a really good question.
And I think a lot of it comes down to what they do today.
We look at that kind of like previous Castle-and-moat model where we owned our kind of physical assets of the world, the servers, and we could actually label them and do kind of like all this really good shepherding of that it work around our assets.
But as we continue to evolve and continue to grow our kind of topologies that real world use case there of all these users kind of sprawl out to all your different areas and you don't really have a good way to really get good reporting and insight around that.
So when we often talk to customers either A, it's hey, I don't really have a great asset management story in the digital use case or B, we're kind of tracking on spreadsheets and these old antiquated methods that don't really react in real time to how that environment evolves or changes over time.
And then they'll often say, Hey, we try to go to our S.O.
provider and try to get better reporting there.
But often just because it's an SO doesn't doesn't even mean that the user is even active in that system anymore.
We're actively utilizing those applications.
You kind of all the residual areas of just because they may have identity in that application doesn't really tell the full picture of what that inventory lifecycle looks like.
And it absolutely doesn't give insight into exactly what you mentioned before, like the files and the calendars and the meetings and kind of everything outside of the user landscape.
They really continue to lack visibility there.
So I think it's I think it's really big.
And what excites me the most here from an inventory perspective is the fact that kind of like agile or age old security perspective, like you can't secure what you don't know.
And so when we really think about that, I think it's really powerful to just a good lay of the land insight into kind of here's your operating parameters of what's even going on in the SaaS applications and just what data and users and kind of other residual nouns live there in that space.
So really, really excited to be able to give and unlock that kind of visible landscape of just what does it look like from a user perspective?
And that kind of checks your first box.
I can start securing now that I know what's even going on in these applications.
Exactly that and exactly to the point of being able to know what's there.
A really popular if you're an administrator or working to own or manage multiple SaaS applications, you'll probably resonate with this story and something you'll be able to soon do where maybe it's a compliance framework time or you're implementing a more controls to meet a compliance objective.
And all of the teams will start coming to you and saying, Hey, can you can you give me a report of what users are in what system?
And you have the pleasure of logging into six, ten, 50, 100 different SaaS services hoping they have a reporting system.
Maybe they do, maybe they don't screen shotting who has access, what permissions they have, what folders or files or other things that are associated with them.
Putting all that back together and then sending over this very less than ideal report so that your compliance folks can work with you.
That all becomes the old way to do it.
With asset management, you're able to see who has what access.
Is this user enabled, disabled?
What settings do they have?
When was the last time they logged in?
Right.
You're able to get that visibility from one place. So the more apps that you integrate with, the more powerful this kind of pain and view becomes.
Another one that would be really exciting kind of now on the compliance side is being able to provide higher level reports to your CISOs, CTOs, CIOs, etc., where you can really demonstrate, hey, we were able to look at all of what lives in these various SAS applications and we're able to really narrow it and focus on this particular one because we have a lot more users and a lot more data there.
So you can immediately start doing things like risk scoring or prioritizing what supporting controls you want to put around that SaaS service because you have that insight to know, Hey, this is where most of the data lives or most of our sensitive data lives.
Again, you don't have that visibility unless you're able to kind of compare it and look across, hence the idea of a SaaS asset management or inventory system.
So we're really, really excited about this and just kind of launching forward of the information across the various integrated applications from a single screen.
I'll jump kind of next to the other thing we're super excited about announcing, which now that, you know what's out there is kind of how do you fix it, right?
So you detect, you prevent things and then you do need to resolve things and the API has to be laid.
We think about this in two different ways.
Firstly, remediation guides, secondly, automated workflows.
I'll touch on the first one, a bit of remediation guides.
We want to arm customers with what they need to know in context to make sure issues don't happen again.
And we want to be able to do that in a way that fits your workflow.
Sometimes this is a JIRA ticket to a specific team.
Sometimes this is actioning on the spot.
Sometimes this is making a configuration change to never allow it again and then manage by exception or something similar.
So with remediation guides you get step by step workflows and walkthroughs of how to resolve an issue.
Maybe it's a setting that needs to be checked. It's ten or seven, ten or seven, 7 to 10 layers deep into a configuration panel.
Maybe it's a user conversation you need to have, and there's some education and training, but all with the remediation guides in context, the SAS issues that we help identify via the API be the other end of that is the automated route.
It always tends to be Friday afternoons on the train, bus or at dinner that you get that message that, hey, something's something's gone wrong.
A really good example of this is if Friday evening you get a notification that, hey, the Q2 earnings folder has been shared publicly and it's not public yet is not a great feeling.
And by the time that you call the right person to try to find someone to disable that, that's probably too much time for your risk threat or your threat model to to have lapsed.
The easier option is that one click. Let's take all the settings away to not let it be publicly shared.
So kind of thinking through those automated workflows where read and write access is at play.
We'll talk about the security around that in a moment.
But those are the two things that we're kind of thinking through on, Hey, this is how you can do it with a guide and this is the way that you can build a workflow around it.
Matt, kind of to the things that you're thinking about on the remediation guides and automated flow, how do you see those use cases playing out and do you have any examples of how you'd use either one of those?
Yeah, absolutely.
I think to the remediation, given the use cases that really lives there is look SAS applications, we don't we don't have this ability anymore of understanding that, hey, at the end of the day it's a server and we control it and we can kind of actually get access to the operating system and kill the process and kind of do these higher level abstractions of management around it.
But compared to when you live in SaaS applications, you're really executing at that kind of application level topology.
And so you might not even really understand in Zoom's case, hey, what exactly is a Zoom meeting recording?
Could there be multiple recordings per meeting?
Are they chunked like all of these like really more in depth understanding around the application, each application utilized and really what exactly that terminology means.
And often administrators even of these tools don't exactly understand really how that application is really working underneath the surface and understanding that, hey, there might be a little bit more than meets the eye to securing this application.
They're just changing a couple of configurations in the settings page.
So I think really from that remediation guide standpoint, it's absolutely important that like for one, we can provide that context to the administrator action and saying, Hey, we just found this and here's the exact steps that you need to do and here's a little bit more context on this alert and really what it means and kind of the implications around that.
And I think that's extremely helpful when you start thinking of like a third party contractor or something like that who has a termination date or kind of anything around that and being able to quickly remediate and understand, Oh hey, they were administrator and this is what it meant, and they were suspended.
And that's a jargon term, some business suite applications.
And what does suspension mean compared to a deletion?
Kind of all these things we can really contextualize.
But meanwhile, with the remediation guide, we don't need right access in your environment.
It's a laissez faire model where we can be very just a read only product where we don't have to take any intrusiveness into the application itself, but give you the easiest workflow that you can do, and maybe even a shell script or something like that.
So you can really quickly remediate it if you want to by yourself.
But then if you want our application to go a step further in that automated workflow model, it's kind of the pinnacle of being able to have a single pane of glass that not only monitors and detects things, but also gives you that level of control.
It can really kind of do that whole right flow for you, and then you can set up your workflows such that often you don't have that level of control and application to make sure that a user never flips that switch again.
And when you're thinking that security landscape, you want to prevent, detect and systemically prevent that thing, and how do you do that?
If you don't have something like an automated workflow that gives you that level of control around the applications that might not really have that native functionality built in yet.
Exactly that.
And that's the thing that we're excited to offer to customers to kind of meet everyone where they're at.
Right.
That read write story is as security professionals ourselves, it takes some building of trust and demonstrating the technology is safe and that you can have a safe experience with that, whether that be remediation or just a pure out prevent type control.
And so we're excited to kind of offer both through the remediation guides and automated workflows, obviously continuing to work very closely with customers on what meets their needs in both domains.
A it's a nice segue kind of leading into speaking of preventing and detecting, one thing that we're super excited about with the API product in particular is kind of the better together story that we get by being part of the Zero Trust platform.
This means solving very complex problems through one seamless experience, a fabric, if you will, that is the zero trust platform.
An example, although there are many I want to highlight, it's thought through one that I'm personally most excited about and I've heard the most from customers is the zero trust gateway plus API Caspi solution and in particular that we're excited about is kind of the shadow IT use case.
I'm talking about SAS applications and we're only using more.
And there are cases of this where, you know, just trying to get my job done.
So a user set something up that maybe they should or shouldn't have.
Today with Cloudflare Gateway, it already routes all of your Internet and Internet inbound traffic through Cloudflare network, so you can enforce granular controls to block users from unknown security threats.
But it also provides your team with added assurance pretty low effort, but high visibility overview into what they're actually using.
What SaaS applications is my team and company using within our environment.
So you kind of have the granularity and visibility provided by Gateway.
You then have the intersection with the API.
Cosby And combining those together, you're able to take, Hey, this looks like an app that my team is using quite widely.
This is an unsanctioned app that I've detected through the shadow.
It reported Gateway.
I'm going to install the API integration API integration and rein that in to make it a sanctioned app.
So in just a few clicks you can go from detecting, Hey, what are my users using?
Maybe this isn't allowed to, Hey, we've reined this in.
We have full visibility and control over the application itself.
And you've kind of gone the full journey from completely unknown to detecting to remediating and then being able to manage it going forward.
So Gateway also tracks the top approved and unimproved applications so you can better your profile and posture around that.
And then you can also stack rank, right?
You can figure out what is the most important thing and prioritize which integrations that you do first.
So the more API CASB integrations that you add, the more visibility that you'll get.
Which also means that the more control that you'll have and Gateway will help you continue to onboard new ones that would help protect your company the most.
Matt, kind of you're thinking on this as kind of the full rein it in journey, right the shadow IT we saw this to wow we have full control with CASB how are you thinking about that from an engineering perspective and then as a user yourself?
Yeah, I think I think the big thing was shadow IP that might often be glossed over with kind of other solutions in the space is that you don't really have that full lifecycle capability of number one, you catch it.
Let's say that you use a corporate password manager, but then you see another team using a different password manager.
For whatever reason, the next kind of big thing up is, hey, how bad is this problem?
Right.
We have a lot of shadow i.t in organizations and maybe, maybe it's that it's that classic age old security thing.
Is it a tragedy or a statistic?
And when we often are a large company, we just have hundreds of SaaS applications being used.
We kind of know that chat right is going to exist and it often becomes a game of really good management around that.
And it kind of starts with, Hey, look like we can all look at a dashboard and see, hey, there's, there's a thousand kind of issues, or we can get better insight and contextualize and understand, hey, maybe this is a top priority.
Like you're using an unapproved password manager, which is kind of categorized as a pretty business critical application of storing secrets, number one.
And then number two, if you see, hey, from our API integrations into that password manager to see, hey, you've only got a couple of passwords being stored in there.
They haven't been updated or even pulled from in three years. It's probably not that big of a deal.
It can probably get knocked down to the end of the list compared with just kind of looking at a top level categorization, a password manager might seem like a really critical thing, but with that additional kind of API context around that shadow, it it might not become your kind of like first critical thing of whether you want to unsanctioned or sanction or really get better control around that application.
And so I think that story together, being able to have kind of an inline capability of looking at that network traffic and having Gateway be able to really do the discoverability around it is powerful.
And then the API integration to really understand how bad is this problem is kind of the next up big thing that can help out with administering really kind of stack ranking and prioritizing how we want to actually approach the shadow IT landscape.
So it's really and this is kind of like one of the one of the larger reasons why Cloudflare is such a large offering where we can have that API integration base and that inline base that Cloudflare so well known for that it really helps contextualize further when we think about really all of this or misconfigurations to shadow it and the whole gamut of zero trust.
Precisely that.
And this is just one of the amazing things we're thinking about to highlight and kind of the power of Cloudflare Zero Trust as a platform.
So many more to come as we continue to build this out again, making it feel like a very seamless fabric of a platform and service.
So we've talked a little bit about what to expect in what's coming.
To get started now, I want to share a little bit more about the Cloudflare API, Cosby Beta and what you can do today.
So we're excited to welcome anyone to sign up for the beta, whether you're an existing Cloudflare customer or someone new thinking about it.
What I can I can offer in setting expectations is one, direct access to our product team.
We are very passionate about listening and working very closely with those beta participants and making sure that one the solution does meet your needs.
And to that we're able to take your feedback and have direct your feedback, rather having direct say into the product roadmap to, as we alluded to earlier, setting expectations.
We're starting with Google workspace.
That means if you're a company of five or 500,000, if you use Google workspace, congrats, you're you can get started with the beta program today.
And then three as far as timelines and timing.
So we'll be sending out the first wave of beta invitations early next month.
You can request access via the link, which will be in the description of this Cloudflare TV segment, but also by going to the Cloudflare website, you'll see banners related to Kazmi and you'll be able to find the link there.
Once you've signed up, we'll be able to reach out to you, talk to you about what you need, and then set expectations for getting started.
That doesn't mean, however, while the beta is coming that you can't get started with Cloudflare Zero Trust.
Today you can create a free account, a free zero trust account to get started.
Now offering to Gateway into access to start exploring what you can control and protect there, which can be, again, like I mentioned, signed up today with just a credit card.
So that kind of brings us to the conclusion of, of kind of talking through today's API.
Crosby and what's to come, what to expect next and the beta program that we're super excited to continue offering and onboarding users to.
I want to thank you for watching and thank you for being part of Cloudflare Security week.
Stay tuned for more product announcements updates coming later today and in the API CASB space.
I want to thank Matt for joining me.
And Matt, any closing thoughts or words for the for the audience here?
I think really, my only closing thought here is that kind of unlike maybe a lot of other products too, is that Zero Trust is easy to sign up and we really mean it that you can get on.
And often a lot of people come on and they just try it out in their home network first.
They want to get a better insight into that level of control before ever really thinking about the corporate environment.
And that's that's a pretty big kind of motivator to go.
They just jump on and it's very easy to kind of set up in your home environment if you want to kind of take a peek in a little virtual lab before you would ever even go further.
So just super simple and really looking forward to continue to grow the zero trust offering with everything API has to offer.
Awesome.
Matt, thank you again for joining. That's all we have for you.
Thanks for watching. We built our e-commerce platform from scratch.
There is a lot of security requirements from processing credit cards to just making sure that the site loads quickly and is responsive so that people don't get deterred or lose trust in us since they are trusting us with their personal information.
Believe it or not, we've actually had customers write in and tell us that they have gone into their browser and viewed the source code to the web page to find out what's happening with their personal information.
Twice in the last year that I can remember, we came to work and we couldn't work because Amazon was down.
We couldn't log into our support panel.
We couldn't manage our shipments through our third party logistics provider, but our site was still working and being able to stay online through to Amazon down times has been amazing.
In fact, there's some of the highest, highest sales days of the past year in terms of bandwidth savings.
We have gotten amazing bandwidth savings from Cloudflare.
Over 95% of the bandwidth that we use is cash now, and most of that are large static images which are getting optimized through mirage.
And so we know that they're just loading so quickly and the best that they possibly can.
Also, the web application firewall is really great because it allows us to make sure that people aren't compromising our system through any known attack vectors or browser vulnerabilities.
We're a really small engineering team.
We only have about one and a half technical people that write code on a day to day basis.
So any time that we have the opportunity to use a service that reduces our need to write code, it really means a lot to us.
We've had zero security breaches the entire time that we've been online and Cloudflare has been there with us every step of the way.
Hi.
We're Cloudflare. We're building one of the world's largest global cloud networks to help make the Internet faster, more secure and more reliable.
Meet our customer FindLaw.
FindLaw is a Thomson Reuters company.
They're a digital marketing agency for law firms.
Their primary goal is to provide cost-effective marketing solutions for their customers.
My name is Theresa Jurisch.
I'm a lead security engineer at Thomson Reuters.
Hello.
My name is Jessie Haraldson. I'm a senior architect for FineLaw, a Thomson Reuters business.
So as the lead security engineer, I get to do anything and everything related to security, which is interesting.
FindLaw's primary challenge was to be able to maintain the scale and volume needed to onboard thousands of customers and their individual websites.
So the major challenge that led us to using Cloudflare is Google was making some noises around emphasizing cell sites.
They were going to modify the Chrome browser to mark sites that weren't SSL as non secure.
We wanted to find a way to at scale move 8500 sites to SSL reasonably quickly.
And doing that to scale up, to speed with our operations, It needed to be something that was seamless, it needed to be something that just happened.
We had tried a few different things previously and it was not going well and we tried out Cloudflare and it worked just kind of out of the gate.
Like us, FindLaw cares about making security and performance a priority, not only for their customers, but for their customers.
Customers faster web performance means having customers who actually continue to sites.
It means having customers who maintain and go with the sites. 65% of our customers are seeing faster network performance due to Argo.
So that's an extremely important thing.
The performance, the accuracy, the speed of that site fronted by Cloudflare is super essential in getting that connection made.
I like the continued innovation of push that Cloudflare brings.
And Cloudflare is amazing.
Cloudflare is such a relief.
With customers like Thomson Reuters find law and over 10 million other domains that trust Cloudflare with their security and performance.
we're making the Internet fast, secure and reliable for everyone.
Cloudflare.
Helping Build a Better Internet.