🔒 The Latest with Cloudflare Access
Presented by: Kenny Johnson
Originally aired on January 16 @ 2:00 AM - 2:30 AM EST
Welcome to Cloudflare Security Week 2023!
During this year's Security Week, we'll make Zero Trust even more accessible and enterprise-ready, better protect brands from phishing and fraud, streamline security management, deliver dynamic machine learning protections and more.
In this episode, tune in for a conversation with Cloudflare's Kenny Johnson.
Tune in all week for more news, announcements, and thought-provoking discussions!
Read the blog posts:
For more, don't miss the Cloudflare Security Week Hub
English
Security Week
Transcript (Beta)
<v Kenny Johnson> Hello. Good morning. Good afternoon. Good evening. Depending on where you're joining in the world, welcome to another edition of Cloudflare TV as part of Cloudflare Security week.
My name is Kenny Johnson, I am a product manager based out of Austin, Texas.
And today I'm going to be talking about all things Cloudflare Access. I'm very excited to talk about a number of different improvements that we have either recently launched for Access or will be launching quite soon.
So if you are already using Access, thank you again for being a customer, and if you're interested in Access, what I'll do is I'll go ahead and kick off and just give a really quick introduction to what access does and then we can dive into the new features that we've gone ahead and shipped or are about to ship for for Cloudflare Access.
So, at its core, Cloudflare Access was built as a VPN replacement tool for applications that you host yourself.
So, if you have applications you're hosting either in a public cloud or your own infrastructure and you have been authenticating user traffic to those websites or to those web apps with a VPN, Access provides a much better way to provide actual Zero Trust controls in front of that particular application.
So, what Access allows you to do is, by pointing the hostname of whatever the target application that you want to protect is at Cloudflare, you can then configure access policies to serve a login page as well as enforce additional policies for that set of applications.
So you can look at things like, is this user in a specific Azure ad group, or what device is this user attempting to access from?
Is it compliant with my corporate standards? Is the user accessing from the correct country?
Is there a certificate on the user's device? There's really a number of different things that you're able to check, and you can do this on a granular per user basis as well as per application basis.
So something that's just an internal info source or something like that can have a really basic check and then something that can access production data can be really tightly locked down and enforced device posture, certificate network and user level checks to make sure that that application has been tightly locked down to the specific users that that have access to it.
And this is all without modifying the underlying application itself.
We see a lot of companies get tripped up having to implement authentication logic directly into their self-hosted applications, and that can add a whole set of lifecycle and management headache to managing those applications versus Access allows you to do that one layer above your application and still enforce tight user authentication and authorization controls.
So that's a really quick reminder of what Access does.
It's also available in our free tier.
So your first 50 users are totally free within Cloudflare Access, so you can go give it a try today in your dashboard if you'd like to learn more.
Awesome.
So now I'm really excited to talk about some of the new things that we've shipped within Cloudflare Access.
The first one is wild card application definition.
And what this feature allows for is, previously in Access, you had to define an application based on a URL match.
So, this would be something like application.example.com/path, something like that.
Basically a literal URL. That I'm able to define and then Cloudflare will match traffic coming to that URL and serve a login page as well as enforce tha any requests made to that page have to have a specific session cookie present in order to allow either a user or a service through for that application.
This is great. If you've got like 5 to 10 applications, it becomes more of a challenge if you have hundreds of applications, say, and what you're able to do now with wild card application definitions are, instead of having something like app.
example.com, I could say star.example.com.
So, that means if I had app1.example.com Through app500.example.com, instead of having to explicitly define all of those individual applications, I can define them with a star character, which is a wild card and create a blanket policy across all of those applications.
So this is now live in the Cloudflare Access dashboard. You're able to define apps broadly using wild cards anywhere in the path or subdomain of that particular application.
And we're very excited about this because it's going to provide a lot more flexibility in situations of just laying out blanket policy coverage for all of your applications.
And then if you have a specific application where you would like to increase the policy or bypass the access check or something like that, you can also create an explicit application definition.
And that explicit application definition will beat out the wild card definition.
So you can create kind of a blanket set of app policies that look at, like start out example.com.
And then if you have a sensitive application example.com, you can create that individual application as well and enforce its own specific policies.
So we're very excited about that. That's, that's now available.
I've posted about it in the community, you'll see tweets that go out about it tomorrow.
There's a blog post that's going to get launched as part of Security Week tomorrow for that piece.
So next up for application definition is something that is coming quite soon and that's multi hostname support in the scope of a single access application.
And what this is going to be really useful for is things like single page applications where I might have something like app .example.com and API.test.com, where my front end server is served by the app hostname, and I have a back end service served by my api.test.com hostname.
This currently presents a challenge for Access customers, because if I have those two hostnames that both have access applications, they need to be able to speak to each other.
And those requests from app. won't have the correct cookie to be able to make requests to the API, nor will the API be able to have the correct cookie to make requests to the app server.
So, what customers have had to do in the past is implement cores to be able to pass the cookie back and forth between those two different domains, as well as configure logic themselves to share the cookie back and forth at the time of authenticating that application.
If that sounds really complicated, it's because it is.
It has been a known pain for quite a while for Access customers.
So we set out to make that a lot easier. And what we're going to be able to do very soon is to be able to define Access applications with multiple host names.
And what that will allow you to do is when you're defining an Access application, instead of just defining a single URL, you'll be able to specify multiple host name URLs in the context of the single application.
And then what we will do under the hood is when a user authenticates to that target application, we will run through and authenticate the user to all of those host names associated with that application.
So then they will all share the same cookie or have knowledge of the same cookie to be able to seamlessly authenticate and move between those different URLs.
So this will be really, really helpful in terms of things like single page applications or if there's a set of apps that have different domains baked into the different sections of the application, any of those are going to become a heck of a lot easier when we launch the ability to to define multiple host names.
And that will be available in the dashboard via the API and the TerraForm provider as well.
So we're very excited to get that launched out into the world. Next up, that's coming down the line is a blog post that went live today, which is Access Custom Pages.
And what access custom pages is going to allow is the ability to automatically, or not sorry, not automatically, but to customize the various pages that Cloudflare Access surfaces to an end user.
So currently today, the way that it works in access is there's some very basic customization that an administrator can make, you can do things like change the top logo on the login screen, you can add a little header message, you can add a footer message, but really we have this pretty locked down.
You're not, as an administrator able to broadly customize the look and feel of the portal that the user's landing on.
And this creates issues in larger organizations.
If you have a team of ten, it's usually not a huge deal. They know they probably know that you use Cloudflare.
They know what Cloudflare is. If you're on a team of 1,000 people or 5000 people, it's much more difficult.
And there's even security implications to having to train users to use a portal that they don't recognize and a vendor that they don't recognize.
So we fully acknowledge that we need to give security teams the ability to customize the Access login screen, the access blog screen, the Cloudflare interstitial pop up page, which really only deep, deep power users would know what that screen is.
But if you if you know it, you definitely know it.
And then the final one is the Cloudflare Application Launcher.
And really, the plan there is that we want to make it really, really flexible in terms of what a security administrator is able to surface to their end user via those screens.
So, for things like the login screen and the blog page, we're actually going to make it possible to where you're able to upload your own custom HTML and CSS to match the exact branding of whatever kind of the desired look and feel is for your end users, as well as being able to provide instructions and things like that.
So, the only thing we'll look for there is a specific code snippet to be able to host the tiles for which IDPs that you want to log into or the one time pin code option.
So those will be the pieces that are required.
But really, we want to make it super flexible for you and your end users. The other element is going to be the application launcher.
And the Cloudflare Application Launcher is basically a portal that gives a user a view of all the applications that they can log into.
That one will not be at the full level of custom HTML and CSS, but we will open up the level of flexibility in terms of the look and feel of that view.
What logos appear being able to scrub out any Cloudflare branding to make it feel like a really kind of company led consistent experience for your end users when they're looking at the applications available to them.
So stay tuned for that. We're targeting kind of progressive launches for different pages over the next few months.
We'll continue to post updates on Twitter as well as on the blog as new customization options are available in Cloudflare Access.
Excellent. So next up is Browser Isolation support for self-hosted access applications.
And what that will do is - or sorry, I should take a step back.
Cloudflare has a Browser Isolation technology that before you roll your eyes at.
Oh, I've tried Browser Isolation technology.
It's really slow or it's really buggy. Cloudflare has a very novel way of supplying Browser Isolation that is actually very performant as well as doesn't break websites.
And the way that we're able to do this is we're able to take the full contents of a website and rerender them using native HTML draw commands.
So we're basically just drawing the different components of the website on screen in an isolated environment, running on Cloudflare Edge very close to the user.
So we're able to take that technology now and fold that into Access self-hosted applications.
So if I have something like any self-hosted app that I've stood up and the DNS is running on Cloudflare, we're able to proxy the traffic going to that particular web application via the remote browser without any software installed on the end user machine.
All they are doing is entering a URL into the browser or using the Cloudflare app launcher to access that particular resource.
They get run through all the normal access policy and identity checks.
Like is their device compliant? Does their user group match the access for this particular application?
And then in Access, you're able to, at a policy level, configure who should go into a remote browser as well as who should just have direct access to that particular application.
And then for users accessing via the remote browser, you can use all of the existing remote Browser Isolation controls like block copy and paste, block file, upload scan for malicious files or known data patterns like social security numbers, credit card numbers, things like that.
And then enforce those on that user session all without having to install end user software.
So, this is a piece that's coming here in the next probably week or two.
You'll see it pop up in the Access policy builder itself and we're very excited to to get that out in the world.
That's going to really open up the flexibility of who you're able to grant access to for Web applications and control what they do in those particular Web applications.
We've we've already seen lots of potential use cases for things like contractors, external customers, vendor access, things like that into into Web applications.
Awesome. And then really the final feature that's recently launched within Access that we're excited about is, previously the Access session cookie was always scoped at a subdomain or domain level, so when access authenticates a user, we issue a cookie to that particular specific domain.
And then any Access applications that share that domain and are on a different path would share that same cookie.
If a user didn't match the policy on the existing cookie, we would force them to reauthenticate.
But if they the two policies matched or the user's identity passed the existing policy, we wouldn't prompt them for a re-authentication.
This makes sense in most cases, but if you do have distinct applications that live on the same subdomain but different paths, this could become a challenge or create a security issue.
So what we have recently launched, and this is available in the dashboard now, is support to populate the native cookie path field on on a browser cookie.
So instead of just being scoped at the subdomain level, you can also scope the access cookie to a specific path.
And what that will allow you to do is have distinct applications that live on the same subdomain, but a different path within the scope of access.
And that setting is live today, if you go into your Access application, open the edit view and then go all the way to the right into settings, scroll down, you'll see it in there with the other cookie security attributes like being able to enforce same site or HTTP only.
You're also now able to scope a specific access cookie to the particular path of that that application.
Awesome.
So that's that's kind of a quick overview of some of the recent things that we've shipped in Cloudflare Access.
We're not done. We're going to keep shipping more and more new features and I'll keep coming on Cloudflare and providing updates as well as stay tuned to the blog for new exciting things that we're launching in Cloudflare Access.
And think my final plug here is if you're are an existing Access customer, thank you so much for being a being a customer.
I really hope that the tool is helping you out a lot and making your lives a little bit easier.
And if you haven't tried it out, I cannot recommend it enough.
If you have your own self-hosted web applications and you want to get serious about either deprecating your VPN or having more stringent authentication requirements on those applications, give Access a try.
It's worth the 15 to 20 minutes to get it set up initially.
And we see a lot of people make a lot of great uses out of it. And with that, I will go ahead and conclude.
Happy Security Week! Enjoy the weekend out there and thank you so much for either being a Cloudflare customer or giving us a try.
Thank you so much and have a wonderful evening, afternoon or morning, depending on where you're at in the world.
Thank you. <v Cloudflare V.O.> Hi.
We're Cloudflare. We're building one of the world's largest global cloud networks to help make the Internet faster, more secure and more reliable.
Meet our customer, Book my show. They've become India's largest ticketing platform thanks to its commitment to the customer experience and technological innovation.
<v Viraj Patel> We are primarily a ticketing company.
The numbers are really big. We have more than 60 million customers who are registered with us.
We are around 5 billion screen views every month, 200 million tickets over the year.
We think about what is the best for the customer.
We know that if our customers, you know, experience well, then they are not going to come back again and Book my show is all about providing that experience.
<v Cloudflare V.O.> As Book My Show grew, so did the security threats it faced.
That's when it turned to Cloudflare.
<v Viraj Patel> From security point of view, we use more or less all the products and features that Cloudflare has.
Cloudflare today plays the first level of defense for us. <v Pranav Kapoor> One of the most interesting and a-ha moments was when we actually got a DDoS and we were seeing traffic bursts up to 50 gigabits per second, 50 GB per second.
Usually we would go into panic mode and get downtime, but then all you got was an alert and then we just checked it out and then we didn't have to do anything.
We just sat there, looked at the traffic peak and then being controlled.
<v Viraj Patel> It just took less than a minute for Cloudflare to kind of start blocking that traffic.
Without Cloudflare, we wouldn't have been able to easily manage this because even our data center level, that's the kind of pipe, you know, is not easily available.
<v Pranav Kapoor> We started with Cloudflare Security, and I think that was the a-ha moment.
We actually get more sleep now, because a lot of lot of the operational overhead is reduced.
<v Cloudflare V.O.> With the attacks safely mitigated.
Book My Show found more ways to harness Cloudflare for better security performance and operational efficiency.
<v Viraj Patel> Once we came on board on the platform, we started seeing the advantage of the other functionalities and features.
It was really, really easy to implement HTTP2 when we decided to move towards that Cloudflare Workers, which is the computing at the edge, we can move that business logic that we have written custom for our applications at the Cloudflare edge level.
<v Pranav Kapoor> One of the most interesting things we liked about Cloudflare was everything can be done by the API, which makes almost zero manual work.
That helps my team a lot because they don't really have to worry about what they're running because they can see they can run the test and then they know they're not going to break anything.
<v Viraj Patel> Our teams have been able to manage Cloudflare on their own for more or less anything and everything.
<v Cloudflare V.O.> Cloudflare also empowers Book My Show to manage its traffic across a complex, highly performant global infrastructure.
<v Viraj Patel> We are running on not only hybrid, we are running on hybrid and multi-cloud strategy.
Cloudflare is the entry point for our customers. Whether it is a cloud in the back end or it is our own data center in the back end.
Cloudflare is always the first point of contact.
We do load balancing as well as we have multiple data centers running Data center selection happens on Cloudflare.
It also gives us fine grained control on how much traffic we can push to which data center, depending upon what is happening in that data center and what is the capacity of the data center.
We believe that our applications and our data centers should be closest to the customers.
Cloudflare just provides us the right tools to do that.
<v Cloudflare V.O.> With Cloudflare, Book My Show has been able to improve its security, performance, reliability and operational efficiency.
With customers like Book My Show and over 20 million other domains that trust Cloudflare with their security and performance.
We're making the Internet fast, secure and reliable for everyone. Cloudflare.
Helping build a better Internet.
<v Connor Sherman> We are a food at work company.
We know the value of zero trust architectures. We also know the incredible difficulty it is.
So I know the only way I have a chance of implementing this well, that's scalable, that can support itself over time is having the right partners.
And that's why I'm so excited to have Cloudflare as a security partner, because they're able to give me that toolset to do zero trust well.
My name is Connor Sherman. I'm the head of security for EZ-Cater.
When you want to feed a workforce of people, we are the go-to shop to making sure you've got everything you need.
It's my job to make sure anywhere you are in the world, you can safely log into our internal toolset.
There's a lot of inherent risk with the traditional VPN structure.
Part of the success of Access for us is we were able to just bypass all that analysis and it was so easy just to get it going that we were able to save having to hire a specialized person to focus on VPNs.
As we are a marketplace, we have all the challenges, whether it be account takeovers, scraping bot activity.
So being able to have risk ratings based on who's arriving at that login page really helped us remove things that were clearly bots and then focus on dealing a more sophisticated attacks.
Bot management was a bit of a godsend for us. It gave us a level of precision where we could show up with a scalpel where historically we'd shown up with a sledgehammer.
We block over 1.5 million attacks a day through Cloudflare, Web application firewall and Bot management.
And if we didn't have Cloudflare, we'd have a very bad day.
<v Rames Sarwart Shaker> Cloudflare es uno de los proveedores COO utilizamos dentro de telefonica tech para proporcionar servicios avanzados de seguridad en la nube de nuestros clientes.
Hola yo soy Rames, soy director de Ventas para mercados Emergentes o Internacionales and Telefonica Cybersecurity and Cloud Tech.
<v Jesus D.
Muñoz Largo> Hola mi Nombre es Jesus Munoz. Soy Venta Especialista Dentro del Tech. <v Rames Sarwart Shaker> Grupo Telefonica es un Grupo Leader de Comunicaciones y con una base de Clientes .
Aproximadamente three millones. Telefonica Tech es parte de la estrategia de la nueva Telefonica para ayudar a los Clientes en la transformacion Digital realidad proporcionando servicios digitales tales como ciberseguridad, cloud IoT e bigdata a todos sus clientes.
<v Jesus D.
Muñoz Largo> Confiamos en nuestros sistemas integra Cloudflare dentro de nuestras medidas de seguridad no proporciona una manera.
Additional es muy efficient tanto de monitoring los ataques COO los portales proporcionar una continuidad en el servicio asegurado y sobre todo mejorar la calidad de las elecciones con los usuarios COO en el portal con la activation de Cloudflare en nuestros sistemas.
La velocidad de acceso a recursos Web incremento en mas de un porciento con respecto a la velocidad sin el uso de Cloudflare es por esto COO entre los ataques COO recibimos puede estar de cualquier indole de negocios de servicio intento de de negocio CTO distribuido.
Hasta el uso de malicious malware, ransomware etcetera.
Solo se conseguido detectar y para mas de eventos relacionados con la seguridad de eventos provocado por votes.
Hasta posibles ataques intentaban atacar a recursos dentro de los Portales de Telefonica CTO varios problemas en la Web la navigation se pudieron monetary arreglar solucionar gracias a la SEO Cloudflare.
<v Eric Pierce> Mindbody specifically focused on the health and wellness space and was built by people who were passionate about health and wellness.
We serve health and wellness businesses all over the world.
<v Adelyn Fears> We allow our customers to spend more time focusing on the parts of their business that they love and less time worrying about scheduling software and payroll and other day to day administrative work.
We want to protect customers from attacks that could hurt their business and their brand.
And at Mindbody, we're passionate about ensuring that our customers data is secure.
<v Eric Pierce> When we first approached Cloudflare, we had a lot of different tools in our security stack and there was a lot of management overhead associated with all that kind of complexity.
<v Adelyn Fears> I think at one point we had four different WAFS, a separate tool for bot management and two CDNs, and we've basically managed to consolidate all of that into using just Cloudflare without losing any of the functionality or any of the protections that we had in place.
<v Eric Pierce> It was the kind of tool I could hand to junior analysts or senior engineers, and they would all know how to manage it pretty quickly with our old environment.
We were constantly fighting botnets and attempts to scrape our inventory Credential stuffing attacks.
When we moved Cloudflare, we were able to mitigate a lot of these kinds of attacks much easier and more consistently.
<v Adelyn Fears> Using Cloudflare Bot Management, we see a lot fewer false positives with actual valid end users using our application and being flagged as a bot.
We've gone from dealing with several per day to only a few per week.
<v Eric Pierce> With the Cloudflare Access solution, we are able to provide Zero Trust access to sensitive internal applications to contractors and third party vendors.
It puts our internal applications behind strong authentication protocols and allows us to ensure that only authorized users are able to even see the service.
The health and wellness industry is only going to grow.
I think Mindbody is going to be part of that rising tide that floats all boats.
Cloudflare will help us scale and grow and secure all those services as the industry expands.
<v Eric Rescola> The real privilege of working at Mozilla is that we're a mission driven organization.
And what that means is that before we do things, we ask what's good for the users as opposed to what's going to make the most money.
<v Nick Sullivan> Mozilla's values are similar to Cloudflare.
They care about enabling the web for everybody in a way that is secure, in a way that is private and in a way that is trustworthy.
We've been collaborating on improving the protocols that help secure connections between browsers and websites.
<v Eric Rescola> Mozilla and Cloudflare collaborate on a wide range of technologies.
The first place we really collaborated was the new TLS 1.3 Protocol, and then we followed it up with quick and DNS over HTTPS and most recently the new Firefox private network.
<v Selena Deckelman> DNS is core to the way that everything on the internet works.
It's a very old protocol and it's also in plain text, meaning that it's not encrypted.
And this is something that a lot of people don't realize.
You can be using SSL and connecting securely to websites, but your DNS traffic may still be unencrypted.
<v Eric Rescola> When Mozilla was looking for a partner for providing encrypted DNS, Cloudflare was a natural fit.
The idea was that Cloudflare would run the server piece of it and Mozilla would run the client piece of it, and the consequence would be that we'd protect DNS traffic for anybody who used Firefox.
<v Selena Deckelman> Cloudflare was a great partner with this because they were really willing early on to implement the protocol stand up, a trusted recursive resolver and create this experience for users.
They were strong supporters of it. <v Nick Sullivan> One of the great things about working with Cloudflare is their engineers are crazy fast.
So the time between we decide to do something and we write down the barest protocol sketch and they have it running in their infrastructure is a matter of days to weeks, not a matter of months to years.
There's a difference between standing up a service that one person can use or ten people can use, and a service that everybody on the Internet can use.
When we talk about bringing new protocols to the Web, we're talking about bringing it not to millions, not to tens of millions.
We're talking about hundreds of millions to billions of people. <v Selena Deckelman> Cloudflare has been an amazing partner in the privacy front.
They've been willing to be extremely transparent about the data that they are collecting and why they're using it.
And they've also been willing to throw those logs away. <v Eric Rescola> Really, users are getting two classes of benefits out of our partnership with Cloudflare.
The first is direct benefits. That is, we're offering services to the user that make them more secure and we're offering them via Cloudflare.
So that's like an immediate benefit the users are getting.
The indirect benefit the users are getting is that we're developing the next generation of security and privacy technology and Cloudflare is helping us do it and that will ultimately benefit every user, both Firefox users and every user of the Internet.
<v Nick Sullivan> We're really excited to work with an organization like Mozilla that is aligned with the users interests and in taking the Internet and moving it in a direction that is more private, more secure and is aligned with what we think the Internet should be.