🔒 New ways to strengthen access with Cloudflare
Presented by: Kenny Johnson, David Tuber
Originally aired on March 17, 2023 @ 1:00 PM - 1:30 PM EDT
Welcome to Cloudflare Security Week 2023!
During this year's Security Week, we'll make Zero Trust even more accessible and enterprise-ready, better protect brands from phishing and fraud, streamline security management, deliver dynamic machine learning protections and more.
In this episode, tune in for a conversation with Cloudflare's Kenny Johnson, and David Tuber.
Tune in all week for more news, announcements, and thought-provoking discussions!
Read the blog posts:
For more, don't miss the Cloudflare Security Week Hub
English
Security Week
Transcript (Beta)
<v Kenny Johnson> Good morning. Good afternoon. Good evening. Depending on where you're joining at in the in the world.
Welcome to Cloudflare Security week. My name is Kenny Johnson.
I'm the product manager for Cloudflare Access. David, if you want to introduce yourself.
<v David Tuber> Hey, yeah, I'm Tubes.
I'm a product manager for interconnection availability and performance.
And we're here. Yeah. And we're here to talk to you about a cool new combination of products that you may not have thought about or maybe you have thought about, and you're super psyched that it is now live.
You know, Kenny, we wrote a blog, right?
Like, that's what we did. We wrote a blog, uh, Access plus CNI plus the new Cloudflare Aegis, the brand new Cloudflare Aegis.
So. What?
What the hell are you like, Kenny? Give me a scoop. Give me a scoop for the folks playing at home.
What are we, what are we trying to solve? What's the problem here?
<v Kenny Johnson> Yeah, so this.
This is a really exciting problem that we're able to start to now fix with a combination of Cloudflare products.
This was something where Tubes and I kind of had an a-ha moment.
We were like, "Oh, holy smokes, this is going to solve a problem that a number of Access customers have had." To kind of answer that question, I want to just do a really quick review on what Access does.
Access is basically a reverse proxy that sits in front of any DNS record that you would like that's hosted within Cloudflare and allows you to serve a login screen for that particular application.
So you could have something like myapplication .example.com and you can tell Cloudflare that you want to enforce a use's...
a user goes through Single Sign On before they access that particular hostname.
The challenge is that particular application has likely has some kind of origin server that's running out there in the world.
It needs to run and serve the actual code of your website and that origin server has an IP address.
So if I take my DNS record like my app.example.com, that DNS record is locked down.
But the IP address that's like 116 dot something, just whatever arbitrary IP address it is, you could hit that IP address directly from your browser and completely bypass Cloudflare Access.
And the way that we've dealt with that in the past with customers is either using what's called Cloudflare Tunnel, which requires you to install a daemon on your virtual machine.
It takes takes a certain amount of effort to have to install software, keep it updated, maintain it, things like that, or to do what's called JSON web token validation.
So Access the way it authenticates it issues a cookie and you're able to, in your origin server check for the presence of that cookie on any inbound request.
So those are really the two main ways that we've been able to guarantee that a request has gone through the Access check.
<v David Tuber> You said a lot of words and one of them was cookie, and that had me intrigued.
<v Kenny Johnson> Yeah.
So now, now we're at the point with what we can do with CNI and Aegis and Tubes will be able to talk a little bit more about how that component works.
But we can now guarantee that a request is coming from directly from Cloudflare without any need for Cloudflare Tunnel or any need for JSON web token validation.
Tubes, do you want to talk a little bit about how this this magic works?
<v David Tuber> Sure.
But, like, I'm a networking guy. so I don't understand applications at all. So if I understand correctly, Access basically allows me to enforce security policies for any application on the internet with Cloudflare as kind of the shield or it's kind of a proxy there.
So that's super cool, right? Like you could do stuff like replace an entire VPN, like you could have all of your apps, you could have all of your applications just managed securely on Cloudflare and talking to whatever you need to.
Right? <v Kenny Johnson> Yeah.
And you define it at the application layer, not like a CIDR range or like a broad range of IP addresses that you're letting something somebody get access to.
You're able to define and say, My wiki gets these policies and my email server gets these policies and my Grafana instance gets these policies.
So, it allows you to really granularly define your different access or your different application policies.
<v David Tuber> That's really cool.
I feel like a lot of people should use Access if they have the opportunity to do so.
But you're totally right. Like. Going back to what you said, like those applications are still hosted on the public Internet.
And yeah, you know, I'm gonna, I'm gonna [inaudible] a little bit, like you could install Tunnel on your application side, but like, what if your application is, you know, Office 365?
What if your application is hosted in AWS and you don't really want to install another VM for for Tunnel, right.
Like what if you know? What if Tunnel is not feasible?
What if JWT authentication or whatever the the thing with the cookies.
What if JWT enforcement is not entirely, you know, feasible either due to time constraints or maybe you're just not feeling it?
How can you ensure that your origin is protected?
Well, you know, Access or Tunnel and, you know, JWT authentication and allow a publicly accessible endpoint to be protected.
But what if that endpoint just wasn't accessible via the public Internet?
What if the only way that it was accessible was through Cloudflare?
Well. It's almost like Cloudflare should have this product that allows people to directly connect their applications and their their server instances to Cloudflare.
And we do. It's called Cloudflare Network Interconnect.
You can get a direct, you can either get a physical cable and plug your router into our router, or you can use a virtual cable through one of our cloud partners.
So we've got Megaport and Equinix and Packet Fabric are some of our, you know, kind of data center fabric providers.
Um, and we're also working on support and partnership with our existing with some of the large cloud providers like GCP, AWS, Azure, Oracle and IBM.
So we're working on supporting those as well.
And so when that's done and, you know, it is done for some providers, what you'll be able to do is you'll be able to open up a private connection to your application that either lives in the private space.
So RFC 1918 so you can use your famous you can use your favorite ten dot address if you want, or you can advertise your own ranges privately to Cloudflare over this link and not over to the public internet.
And that's actually the that's actually kind of what we like.
That's what a lot of people are doing today.
And we have a lot of CNI customers who are just, who are just advertising their IP ranges only to Cloudflare, so that only Cloudflare can route to them.
So to your point, Kenny, before there was a public endpoint in that IP address was advertised on the internet and someone somewhere knew how to get to it.
But in the new world, only Cloudflare knows how to get to it.
Cool. We have drastically shrunk the amount of people who can look at this endpoint, but.
There are a lot of people who use Cloudflare.
Cloudflare hosts how many Internet properties, Kenny?
Around 28 million. That's a lot of people who use Cloudflare.
And so if you're using Cloudflare, you could, in theory, access this endpoint.
So we developed a product that would restrict the people who could access an origin down to the people who have a dedicated IP that was given to a customer.
So if, let's say you bought, you got a CNI and you got Access and you have an origin server somewhere, let's say Seattle, because, you know, I live right down the street from the Westin.
If you bought a data center in Seattle and you have an application running there, you could get, you could buy an Aegis IP and Cloudflare would only send, and Cloudflare would send traffic only to your application through that IP.
And what you can do there is if you're smart and you're, you know, you're a normal good network engineer, you probably have a layer 3 firewall sitting somewhere between us and your server.
You can configure allow lists on your layer 3 firewall to only let that Cloudflare Aegis IP through so anybody else who tries to access your site, even through Cloudflare IPs is not able to do so.
So you've shrunk the number of people who can access your application down to one.
Only you, and only through this private path that only Cloudflare can see.
And this is a really great way to jump start your Zero Trust journey, because we would love, and everyone would love to just say, well, you know, you and I both know, hey, IP addresses are not identity.
We give you an IP address and say, this is your address.
That's not how the Internet is supposed to work. IP addresses aren't meant for association with identity, but the reality of the world says they very much are.
But we're trying to change that, right? So Access is actually a really great way to change that, right?
Access says you don't have to whitelist our allow these IP addresses.
You can do it on a per user basis, and that user is determined by how you authenticate to your Okta instance or your identity provider or whatever.
The Internet is still quite large and your surface area, even though you have Internet, even though you have Access, the surface area of the Internet that is exposed that your application is exposed to is still quite large.
So if you can do anything to shrink that down while you build up your Zero Trust story, that's a nice little security blanket that you can take with you as you move down the Zero Trust path towards, you know, towards, you know, user based, user based application policy, user based access policies and secure web gateway filtering, and everything that is a trustless model as opposed to relying on something.
And that's really, really powerful.
And a lot of our customers are very, very excited because these features together unlock a nice, happy, protected path for them to pursue Zero Trust on.
<v Kenny Johnson> Yeah.
100%. And that that's that that specific piece that you talked about in terms of being able to just allow list a single IP address.
And that's that's something that a majority of network engineers are going to know how to do.
You've likely already got infrastructure in place to be able to create that allow list and add that as a particular policy to the to the network that you're targeting.
That is a massive reduction in terms of level of effort that it takes to roll out a Zero Trust application access solution at Cloudflare or just frankly, in the market, any any of the other Zero Trust providers have an analogous application connector to something like Cloudflare T.
This is, I spend a lot of time thinking about application access, and this is the really the easiest approach I've ever seen to on ramping your web applications to a zero trust network access provider.
There just are very few other ways to on ramp traffic and guarantee that it's coming from your reverse proxy provider without installing an application connector or having to modify the code of your underlying application.
And that has really big implications because with larger organizations, you likely are sitting here thinking about, I would love to move my apps to a zero trust model, but I don't want to get onto the network team's roadmap or it's going to be really difficult to have to modify or install different sets of software into different VMs across my fleet or across my network.
Same thing with doing JWT validation or cookie validation that requires actually modifying or adding additional code or logic to some of these underlying applications.
And we know some of those applications are ancient or were built by folks that are no longer in your organization or for stability reasons you don't necessarily want to touch or update.
So there are a number of different reasons why this can become a blocker to moving towards more of a zero trust mindset and away from a VPN style approach.
So we really see this as just another tool in your tool belt to start moving towards a zero trust security posture with minimum effort and kind of minimum overhead on other teams within your organization.
So we're, we're really excited about that.
This was kind of a big a-ha moment when we we discovered how this this might work.
<v David Tuber> Yeah.
And I think it's also worth noting that like, you know, we talk a lot about CNI and the second that you bring up Network Interconnect, a lot of people are going to be like, whoa, whoa.
You're telling me that it's going to be easier for me to literally run a physical cable between two data centers than it is to configure Cloudflare Tunnel You're out of your mind.
And the answer is, well, you don't have to have a CNI, right?
So when we talk about, you know, security and levels of security and defense in depth, there are kind of tiers, right?
Like, let's call it tier one.
Let's call it tier one, total isolation. Total isolation is my application is not exposed to the public Internet.
And the only people who can access it are the people who I say can access it.
And I have layers of firewall filters in place, firewall rules and ACLs in place that allow me to get that access.
Plus CNI plus Aegis meets that tier one completely, totally locked down.
And if that's what you want, we can support that.
But not everybody needs that level of lockdown.
Some people just want to say, well, I would actually just prefer, you know, maybe only like I don't necessarily need CNI, can I still use this?
And the answer is 100% yes, you can.
You could still have a publicly facing endpoint. And get Access and use Access with Aegis because Aegis gives you those dedicated IPs and so you could still apply those dedicated IPs.
Into your firewall ACLs and let your firewall handle all of the blocking if that's something you trust.
Great.
We've got a lot of customers who use Aegis by itself, even without Access in this model today.
And it works for them.
It's great. It definitely puts them on the path to zero trust because, you know, as Kenny said, you know, installing Tunnel and, you know, configuring Mtls or JWT validation is challenging.
And so for some of our customers and we talk about this in the Aegis blog, some of our customers don't just have one application, they have 900, which is which you think is, you know, that's a lot of applications.
That's kind of on the low side from some of the customers that we're talking about.
We have so many applications hosted in so many different places, and all they want to be able to do is lock them all down and put them behind One layer 3 firewall rules.
That's exactly what Kenny said. And so that problem is exactly what Aegis is trying to solve.
And it works so well with Access because it adds that extra layer of security and gives you some protection.
And so then if you want to say, well, I don't necessarily need a layer 3 firewall, well cool, Access plus Tunnel or Access plus JWT validation allows you to have a publicly facing endpoint and just secure stuff on your application.
Let's say you don't want to mess around with layer 3 firewall rules.
That's fair. Most people don't, but that's available to you and you can support that with our configurations.
And I think that what we're trying to do here really and Kenny, you can stop me if you think I'm talking crazy, is we're really trying to make it as easy as possible for customers to get the level of protection that they want at any tier.
It's all, you know, however deep you want the rabbit hole to go.
We can support you in your journey.
<v Kenny Johnson> Yeah, 100%.
And that's where we're huge proponents of meeting folks where they're at.
We want to we want to give you as many tools in your tool belt as possible to safely and easily onramp your traffic to Cloudflare, to be able to serve as a layer of security.
So you can start with an Aegis and work your way to Cloudflare Tunnels to micro segment, different parts of your VMs.
There's loads of different options and opportunities.
<v David Tuber> What if I'm not?
What if I'm not very handy and I don't have a tool belt? <v Kenny Johnson> You're not, if you don't have a tool belt ?
Then Aegis works pretty well. It's just a set and forget.
And then you're good to go. <v David Tuber> It's true.
It does.Especially because, you know, when we, we've spoken to customers about, you know, MTLS and Tunnel and JWT authentication, like for, you know, 1 or 2 endpoints.
Cool. Easy.
Nice. Let's get it done. But for 900, that's going to take years. And if you're a CSO and you are seeing this and you are saying like, well, I just told my development teams that they can't do anything until they fix this problem.
Aegis is a really good solution to that.
And Aegis and the thing that we're trying to say here is that Aegis not just pairs well with Access, it pairs well with like any of our existing products in a way so that like you can just get that security and peace of mind while still leveraging all of our existing products.
<v Kenny Johnson> Yeah.
This, this request came from CDN customers, right? Or like app security customers, right?
<v David Tuber> Oh yeah.
100%, like they want. This is a problem that they want to solve. Um, and you know, we want to help them solve it.
<v Kenny Johnson> Yea., and this was, yeah, this was born not out of like internal wikis or like Grafana servers.
This was huge public web facing properties that see millions of visitors a day.
That's where this, this requirement was born out of. And that's kind of the the benefit of what we're able to do at Cloudflare in terms of running our setting it up in a situation where you're able to run your private company network on Cloudflare, you're sharing that same infrastructure with web properties that do a factor of 100 or maybe even a factor of a 1,000 more traffic than than anything that you'd be running at an internal level.
So this product was built for scale that is well beyond anything your employee base would run through the system, which is really exciting and compelling because you just don't have to think about scale or performance issues.
You just know it's going to work because it's powering the public web facing properties for members of the Fortune 500.
<v David Tuber> Exactly, 100%.
You said it better than I could.
You want to be the PM. You can take my job right now.
I'll give you the orange shirt. You can join all the stand ups like you got this nice and easy.
<v Kenny Johnson> Yeah, Tubes and were talking.
We were saying, should we just switch our products and just give it a go?
See how it see how it goes on our segment today? <v David Tuber> Access you will, you can access things, right?
Like that's what it lets you do. It lets you access things.
<v Kenny Johnson> So yeah, it's just a pretty fun, pretty login page, you know.
<v David Tuber> Cool.
<v Kenny Johnson> Yeah, I've tried it out.
Um, well, cool. I think that that's a really strong, solid overview of how Access and Aegis can be can be used in conjunction.
We've got a blog post live on blog.cloudflare.com.
If you want to find out more information and please do let your account teams know if this is at all interesting.
We'd be happy to facilitate and coordinate a conversation.
<v David Tuber> Yes, exactly.
100%. And you know, both of, you know, and also, if you have any just questions about the product as well, you can reach out to us, reach out to your account teams, you know where we want you to get involved.
We want to help protect you. So however we can help, we're here for.
<v Kenny Johnson> All right.
Tubes and I are both marginally fun. Follow us on Twitter. You can find us there.
Right on. All right.
Y'all have a good good Friday. Enjoy your weekends. Thank you guys for joining.
And with that, we'll go ahead and conclude. Thank you very much. <v Outdoorsy 1> Security is paramount at Outdoorsy because our entire platform is built on trust and safety.
People are literally handing over the keys to a super expensive RV. There's a massive element of trust.
My name is Nathaniel Hill. I am the director of engineering at Outdoorsy.
Outdoorsy is an online RV rental marketplace with the goal of reconnecting people with the outdoors.
Prior to Cloudflare, Outdoorsy was repeatedly scraped by competitors and bad actors, and we found it extremely difficult to prevent its unfortunate situation where we don't want to cause friction for our renters browsing inventory.
But we also don't want people to be able to download the entire inventory.
At Outdoorsy, ince implementing Cloudflare Bot Management and WAF Protection, we have been able to focus more on the customer and our product, and we spend far fewer engineering resources configuring and maintaining those.
Since Outdoorsy has been using Cloudflare, we have 4x the size of our engineering team, but we actually spend less time now, I would say less than half of the time configuring our security rules.
Prior to Cloudflare, we did not have a strong security posture for our self-hosted resources.
We began to realize it was only a matter of time before we had a data breach or an attacker was successful.
And so we were looking for a solution to secure those resources.
So Outdoorsy has always been a digital native company. We've never had any on premise servers.
Adding a VPN would seem almost like going backwards.
Our Access users are located all over the globe. They're all using Access for our self-hosted resources.
Cloudflare Zero Trust has eased employee and contractor onboarding and made it much simpler to access our internal tooling.
I would say that Cloudflare Zero Trust has made it at least 25 to 50% faster to grant access to our internal tooling to new team members and contractors.
The security landscape is difficult enough.
I think that I feel like I have a fighting chance there with Cloudflare.
<v Bob Varnadoe> NCR is a company that's got a long history of innovation in retail and hospitality and banking.
NCR has a customer-first approach to business and we really focus hard on making sure that our customers have what they need to be successful.
<v Alok Kumar> We are automating the restaurants, the retail store and the bank from end to end.
<v Bob Varnadoe> I think information security is a really critical component of a company's success and it has become more critical as more transactions have moved online to make sure that we combat the fraud and attacks that we see in the industry.
What is really attractive about Cloudflare was that it provided really sophisticated controls against these kinds of attacks, but did so in the cloud.
So the security team wasn't responsible for managing infrastructure and they were able to focus on doing higher value security work.
<v Alok Kumar> One of the biggest threats right now in the industry is the DDoS, which reduces the availability of the site, and that's loss of revenue for customers, right?
What Cloudflare does for us is block that DDoS at the perimeter level.
We were able to prevent almost 80 to 90% of the brute force attack using Cloudflare.
<v Bob Varnadoe> There's credential stuffing attacks where attackers try and guess their way into a consumer's account.
Also, credit card tumbling and other forms of online transaction fraud.
<v Alok Kumar> If they try the same card number X number of times in, you know, 30 seconds, 60 seconds.
We stopped it right away using Cloudflare writing the Workers rule. That was a very big, big thing trying to stop fraud.
<v Bob Varnadoe> Cloudflare was probably one of the easiest decisions that we ever made, and it's been a great partnership.
<v Alok Kumar> It's been a pleasure and a very great experience working with Cloudflare.
<v Aditya Bansod> My name is Aditya and I'm one of the founders and CTO at Luma Health.
We partner with over 500 healthcare systems across the United States to deliver a platform that they use to build their own patient journeys.
Starting last winter, we launched our Vaccine Operations Solution, which is a full suite of solutions that let healthcare systems craft, deliver and manage their COVID 19 vaccination strategies.
We partnered with Cook County, Illinois, the second largest county in the United States, with a population of over 5 million residents.
As demand ramped up, our platform began to see over 500,000 requests per second.
Hundreds of thousands of patients were looking to get scheduled for their vaccines, getting checked in at clinics and mass vaccination sites, getting text or email reminders about their upcoming vaccinations and more.
At Luma Health, we've been a customer of Cloudflare for over six years.
But to continue to scale further, we partnered with Cloudflare Project Fair Shot to utilize their Waiting Room.
We were able to integrate the Cloudflare Waiting Room within 72 hours, we're able to fine tune the number of concurrent users within the Luma patient experience and provide accurate information about vaccine availability for users who are waiting.
Layering the Waiting Room with Cloudflare Workers has allowed us to scale up to virtually unlimited demand.
The result? Over 1.5 million vaccines have been scheduled via Luma Health, and we're not done yet.
We continue to work closely with our health systems and clinic partners to help address vaccine hesitancy, ensure vaccine access to all Americans, and to help all of us chart a way out of the pandemic.
<v Stefan Farr> Flutter Entertainment is a holding company of many online gaming companies responsible for the Paddypower and Betfair brands.
At heart, we are a technology company operating in a very dynamic financial market.
We handle lots of transactions, people's assets and personal information, and we take that role very seriously.
We had a very extensive credential stuffing attack, 70 to 90% of all our traffic was classified as malicious traffic.
After using Cloudflare Bot Management, we managed to drive down in certain situations up to 90% the rate of these events.
And that obviously meant a great deal from a financial perspective from us, probably more than 2 million pounds per year.
For us, bot management and the bot score gives us great visibility into the nature of the visitor.
We really love that. It gives us a sense of control. Cloudflare is the biggest and most cost effective security upgrade.
<v Eric Pierce> Mindbody is specifically focused on the health and wellness space and was built by people who were passionate about health and wellness.
We serve health and wellness businesses all over the world.
<v Adelyn Fears> We allow our customers to spend more time focusing on the parts of their business that they love and less time worrying about scheduling software and payroll and other day to day administrative work.
We want to protect customers from attacks that could hurt their business and their brand.
At Mindbody, we're passionate about ensuring that our customers data is secure.
<v Eric Pierce> When we first approached Cloudflare, we had a lot of different tools in our security stack and there was a lot of management overhead associated with all that kind of complexity.
<v Adelyn Fears> I think at one point we had four different WAFs, a separate tool for bot management and two CDNs, and we've basically managed to consolidate all of that into using just Cloudflare without losing any of the functionality or any of the protections that we had in place.
<v Eric Pierce> It was the kind of tool I could hand to junior analysts or senior engineers, and they would all know how to manage it pretty quickly.
With our old environment, we were constantly fighting botnets and attempts to scrape our inventory Credential stuffing attacks.
When we moved to Cloudflare, we were able to mitigate a lot of these kinds of attacks much easier and more consistently.
<v Adelyn Fears> Using Cloudflare Bot Management, we see a lot fewer false positives with actual valid end users using our application and being flagged as a bot.
We've gone from dealing with several per day to only a few per week.
<v Eric Pierce> With the Cloudflare Access solution, we are able to provide Zero Trust access to sensitive internal applications to contractors and third-party vendors.
It puts our internal applications behind strong authentication protocols and allows us to ensure that only authorized users are able to even see the service.
The health and wellness industry is only going to grow.
I think Mindbody is going to be part of that rising tide that floats all boats.
Cloudflare will help us scale and grow and secure all those services as the industry expands.