This launch marks a huge advancement for Cloudflare’s Cloud Access Security Broker (CASB). Since its release, Cloudflare’s API-based CASB has focused on providing robust, comprehensive visibility and detection. It also connects to the SaaS tools your business runs on, surfacing misconfigurations, and flagging overshared data before it becomes tomorrow’s incident.

With today’s release of Remediation – a new way to fix problems with just a click, right from the CASB Findings page – CASB begins its next chapter, and moves from telling you what’s wrong to helping you make it right.

_{An example of a Remediation Action (Remove Public File Sharing) in a CASB Finding.}

Inside Cloudflare One, our SASE platform, CASB connects to the SaaS and cloud tools your teams already use. By talking to providers over API, CASB gives security and IT teams:

• A consolidated view of misconfigurations, overshared files, and risky access patterns across apps like Microsoft 365, Google Workspace, Slack, Salesforce, Box, GitHub, Jira, and Confluence (CASB Integrations).

• Continuous scanning for new issues as users collaborate, share, and adopt new tools.

• Findings that are organized, searchable, and exportable for triage and reporting.

But until now, the actual fixing usually happened somewhere else, whether it’s inside each app’s admin UI, or through a ticket to the team that owns that tool. Remediation closes that loop.

The launch of CASB Remediation marks a major shift forward for the product and Cloudflare One, and we have a ton of big updates planned for the next year. 

With today’s release, we focused on fixing file-share issues in Microsoft 365 and Google Workspace.

With Remediation, you can fix the highest-impact, most common file risks we see across customers, including:

• Public links that let anyone on the Internet view or edit a file.

• Files shared company-wide across your tenant or domain, even when just a handful of people should have access.

• Files shared outside your organization to personal accounts and external domains.

• All of the above, when they also match a DLP Profile. For example, a document full of customer records, credentials, or financial details.

When you trigger the ‘Remove sharing’ Remediation action on a supported finding, CASB immediately moves to remove the risky sharing configuration (for example, the public link or organization-wide access) from the file in question. And crucially, Remediation only removes risky sharing; it doesn’t delete files or change who owns them.

_{A new page to track the progress and success of Remediated CASB findings.}

We chose to start with Microsoft 365 and Google Workspace because, for many organizations, that’s where the bulk of their business-critical documents live: internal financials, product roadmaps, customer contracts, HR notes, and more.

They’re also where “temporary” sharing tends to linger too long:

• A spreadsheet shared “Anyone with the link can edit” for a quick review.

• A doc made company-wide for an all-hands, then quietly forgotten.

• A sheet of customer records shared to a contractor’s personal email.

For Microsoft 365, that means cleaning up risky shares in places like OneDrive and SharePoint. For Google Workspace, it means tightening sharing on Docs, Sheets, Slides, and other files stored in Drive.

Instead of exporting a CSV of risky files out of CASB, sending it to app owners, and hoping everyone gets around to fixing their share settings, you can drive the clean-up directly from CASB and know when those risks have actually been addressed.

And when you and your team use CASB Remediation, every action is logged in Cloudflare One’s Admin logs, so you can see who took action on which files and when, or export that activity to your security information and event management tool (SIEM).

When architecting the system that supports CASB Remediations, we knew it had to do three things really well:

• Be fast, even at scale

• Durable execution to handle surprises gracefully

• Be easy for our customers to use 

To meet these goals, we built a system using several Cloudflare products: Workers, Workflows, Queues, Workers KV, Secrets Store, and Hyperdrive. 

When a remediation job is initiated, an API call is made to a Worker. That Worker writes the job to a Queue which is consumed by a second Worker to kick off a Workflow. Workers KV and Secrets Store are used to securely distribute credentials for use in the Workflow. The Workflow runs a series of steps to collect information and execute third-party API calls to complete the remediation. The final outcome of the action is recorded in a database via Hyperdrive. 

At scale, we are guaranteed to encounter 429s from vendor APIs. Workflows’ native retries simplify handling this, and built-in step logging gives visibility into each retry. This means that there was no need for us to build a complex, single-purpose, state-tracking system or dozens of serverless functions for each action.

Performance results from load testing and early access customers have shown strong performance even under heavy load. The average (p50) end-to-end job completion time is 48 seconds, and the p90 is 72 seconds. Durable Execution (via Workflows) has made job management completely hands-off for our team, even when the Workflow encounters issues with third-party APIs. The simplicity of the final system has made troubleshooting issues fast and straightforward.

File-sharing Remediation for Microsoft 365 and Google Workspace is just the first step.

In the near term, we’re working on bringing our customers new Quarantine actions, which can move or isolate high-risk files to safer locations. We are also introducing Custom Webhook actions, hooks that let you trigger downstream workflows, like ticket creation, chat notifications, or your own automation.

And more broadly, we’re excited to explore ways to make CASB even more of an active control plane:

• Autoremediation policies for carefully scoped, policy-driven fixes where you’re comfortable letting CASB take action automatically.

• Custom CASB findings so you can define the exact patterns, data types, or access conditions that matter most to your organization.

• Bulk Remediation that allows you to remediate many similar findings in a single operation.

• Extending Remediation to additional SaaS integrations beyond Microsoft 365 and Google Workspace, so the same experience applies to tools like Box, Dropbox, Salesforce, GitHub, Slack, Atlassian, and more over time.

CASB Remediation requires a paid CASB license, but don’t let that stop you from trying CASB out today!

• For existing Cloudflare One / CASB customers: Integrate your Microsoft 365 or Google Workspace tenant (or update your existing integration to Read-Write), and start remediating risky shares directly from the side panel within your file sharing-related finding types.

• New to Cloudflare One? Sign up now for 50 free seats to begin using CASB immediately. For larger deployments, request a consultation with our experts.

From there, talk to our team about enabling CASB with Remediation for your Microsoft 365 and Google Workspace tenants so you can find and fix overshared files in one place.

We’re excited to see how you use Remediation to clean up long-lived file-sharing risks — and to help shape what CASB’s next generation of remediation capabilities looks like.

This announcement takes us to Cloudflare’s SASE platform, Cloudflare One, used by enterprise security and IT teams to manage the security of their employees, applications, and third-party tools, all in one place.

Starting today, Cloudflare One users can now use the CASB (Cloud Access Security Broker) product to integrate with and scan Amazon Web Services (AWS) S3 and Google Cloud Storage, for posture- and Data Loss Prevention (DLP)-related security issues. Create a free account to check it out.

Scanning both point-in-time and continuously, users can identify misconfigurations in Identity and Access Management (IAM), bucket, and object settings, and detect sensitive information, like Social Security numbers, credit card numbers, or any other pattern using regex, in cloud storage objects.

Over the last few years, our customers — predominantly security and IT teams — have told us about their appreciation for CASB’s simplicity and effectiveness as a SaaS security product. Its number of supported integrations, its ease of setup, and speed in identifying critical issues across popular SaaS platforms, like files shared publicly in Microsoft 365 and exposed sensitive data in Google Workspace, has made it a go-to for many.

However, as we’ve engaged with customers, one thing became clear: the risks of unmonitored or exposed data at-rest go far beyond just SaaS environments. Sensitive information – whether intellectual property, customer data, or personal identifiers – can wreak havoc on an organization’s reputation and its obligations to its customers if it falls into the wrong hands. For many of our customers, the security of data stored in cloud providers like AWS and GCP is even more critical than the security of data in their SaaS tools.

That’s why we’ve extended Cloudflare CASB to include Cloud DLP (Data Loss Prevention) functionality, enabling users to scan objects in Amazon S3 buckets and Google Cloud Storage for sensitive data matches​.

With Cloudflare DLP, you can choose from pre-built detection profiles that look for common data types (such as Social Security Numbers or credit card numbers) or create your own custom profiles using regular expressions​. As soon as an object matching a DLP profile is detected, you can dive into the details, understanding the file’s context, seeing who owns it, and more. These capabilities provide the insight needed to quickly protect data and prevent exposure in real time.

And as with all CASB integrations, this new functionality also comes with posture management features, meaning whether you’re using AWS or GCP, we’ll help you identify misconfigurations and other cloud security issues that could leave your data vulnerable​, like buckets that are publicly-accessible or have critical logging settings disabled, access keys needing rotation, or users without multi-factor authentication (MFA). It’s all included.

Cloudflare CASB and DLP are simple to use by default, making it easy to get started right away. But it’s also highly configurable, giving you the flexibility to fine-tune the scanning profiles to suit your specific needs.

For example, you can adjust which storage buckets or file types to scan, and even sample only a percentage of objects for analysis​. The scanning also runs within your own cloud environment, so your data never leaves your infrastructure​. This approach keeps your cloud storage secure and your costs managed while allowing you to tailor the solution to your organization’s unique compliance and security requirements.

Looking ahead, our roadmap also includes expanding support to additional cloud storage environments, such as Azure Blob Storage and Cloudflare R2, further extending our comprehensive, multi-cloud security strategy. Stay tuned for more on that!

From the start, we knew that to deliver DLP capabilities across cloud environments, it would require an efficient and scalable design to enable real-time detection of sensitive data exposure.

An early design decision was made to leverage a serverless architecture approach to ensure sensitive data discovery is both efficient and scalable. Here’s how it works:

• Compute Account: The entire process runs within a cloud account owned by your organization, known as a Compute Account. This design ensures your data remains within your boundaries, avoiding costly cloud egress fees. The Compute Account can be launched in under 15 minutes using a provided Terraform template.

• Controller function: Every minute, a lightweight, serverless controller function in your cloud environment communicates with Cloudflare’s APIs, fetching the latest DLP configurations and security profiles from your Cloudflare One account.

• Crawler process: The controller triggers an object discovery task, which is processed by a second serverless function known as the Crawler. The Crawler queries cloud storage accounts, like AWS S3 or Google Cloud Storage, via API to identify new objects. Redis is used within the Compute Account to track which objects have yet to be evaluated.

• Scanning for sensitive data: Newly discovered objects are sent through a queue to a third serverless function called the Scanner. This function downloads the objects and streams their contents to the DLP engine in the Compute Account, which scans for matches against predefined or custom DLP Profiles.

• Finding generation and alerts: If a DLP match is found, metadata about the object, such as context and ownership details, is published to a queue. This data is ingested by a Cloudflare-hosted service and presented in the Cloudflare Dashboard as findings, giving security teams the visibility needed to take swift action.

The DLP pipeline ensures that sensitive data never leaves your cloud environment — a privacy-first approach. All communication between the Compute Account and Cloudflare's APIs are initiated by the controller, also meaning there is no need to perform any extra configuration to allow ingress traffic.

To get started, reach out to your account team to learn more about this new data security functionality and our roadmap. If you want to try this out on your own, you can login to the Cloudflare One dashboard (create a free account here if you don’t have one) and navigate to the CASB page to set up your first integration.