A Zero Trust terminal in your web browser

Cloudflare for Teams gives organizations of any size the ability to add Zero Trust controls to resources and data while also improving performance with Cloudflare’s network. Starting today, your team can use that same platform to seamlessly connect to non-HTTP resources from inside of a browser with the same level of audit control available in web applications.

Cloudflare’s browser-based terminal renders a fully functional console that a user can launch with a single click. Users authenticate with their organization’s SSO and Cloudflare’s edge checks that they meet the team’s Zero Trust rules for the resource being accessed.

Once approved, users can run commands over SSH as if they were using their native command line without any client side configuration or agent. Cloudflare’s network will accelerate their connection, apply rules about what data transfers can take place, and record the session for administrators to audit as needed.

We built Cloudflare’s browser-based terminal based on conversations with customers who are struggling to secure and deliver applications that live outside of the browser. We heard from developers who had to deal with using, and supporting, existing workflows to connect over SSH into machines or extend legacy applications to large, remote workforces.

We’re starting with a terminal for SSH use cases, but Cloudflare’s platform will provide a browser-based interface for nearly any application that your team needs. Your security team can create Zero Trust rules to determine who can reach those resources and how — while logging every connection. You'll be able to add advanced security features to record sessions and inspect and filter data to stop incidents from starting in non-HTTP connections like SSH and soon RDP.

The platform also makes applications faster for your end users. Cloudflare’s network accelerates connections from your services to your team in any region. Existing team members can migrate to a Zero Trust model without any client-side configuration. New hires can find every resource they need, not just web applications, in a single location and launch them with a single click.

Challenges with non-web applications

Zero Trust controls

The work for an IT department to add Zero Trust controls to a web application is made easier thanks to web browsers, reverse proxies, and browser cookies. Web applications that used to live on a private network can be deployed behind a reverse proxy, like Cloudflare, and users can visit a public DNS address in any web browser while the reverse proxy checks for identity. Cloudflare Access builds on these tools to give your team the ability to add Zero Trust rules to any web application in less than 10 minutes.

Non-web applications introduce challenges. Most traditional applications that require a thick client rely on private networks. The client software expects to reach a private IP, over a specific protocol, and making that IP public is a non-starter for almost all organizations because of the risk of data loss. Even if it were public, end users would still need to run client software on their device.

Authentication to those applications also relies on legacy approaches. Developers hold long-lived SSH keys to reach machines and business users keep usernames and passwords on sticky notes for RDP sessions. These types of resources make it difficult or impossible to integrate with your SSO provider and other controls like device posture.

Data security and logging

You can also use Cloudflare to log every authentication event and HTTP request and response without any server-side code changes. Teams can deploy a comprehensive logging layer for any web application alongside Zero Trust controls without any server-side code changes.

We’ve heard from our customers that a data control and logging gap remains in “every other application” outside of the browser. While teams invest in significant improvements in web applications, anything outside of the browser becomes a blind spot.

User experience

Web browsers make almost any SaaS application accessible to any user on any device. A user can pick up any laptop from any manufacturer and edit an Excel spreadsheet in Microsoft 365 or update a customer record in Salesforce.

That ease-of-use begins to break down for any other combination that includes a mobile device or an application that does not run in the browser. Some organizations ship dedicated hardware with a specific OS to certain team members that need it. More teams rely on expensive virtualization platforms that slow down user workflows.

Regardless of client-side approach, the connectivity between the user and the resource also suffers from the same problems of any traditional private network. Traffic is backhauled through centralized appliances and users suffer through slow performance to complete mission-critical workflows like managing production machines or enterprise resource planning.

Client-side configuration

Migrating to a Zero Trust model can become a chore when end users have to change their local configuration for non-web applications. When our own team first deleted our VPN, the most popular chat room became a thread where engineers would share SSH configuration files and answer questions about which environment variables to set to reach Kubernetes workloads.

Application discovery also becomes a problem. Organizations have to update wiki pages with inventories of IP addresses and ports for commonly used services. End users have to ask other team members for help connecting to a specific resource.

Launching the auditable, browser-based, terminal

We’re excited to help your team address all four of these challenges with today’s announcement. Like web application flows, the solution takes minutes to deploy, requires no end-user configuration, and consists of just three components:

  1. Your service running in an on-premise environment or public cloud
  2. A secure connection from that service to Cloudflare’s edge using a lightweight daemon called cloudflared
  3. A user’s browser, where Cloudflare renders the SSH session

Apply Zero Trust controls to any resource

We’ve talked to enterprises who have compliance requirements to add second factor authentication to all of their self-hosted applications, but they estimated that doing so would take months of development time. With Cloudflare Access, your team can use the second factor authentication of your identity provider as a requirement to reach applications of any type in a matter of minutes.

You can layer these types of identity-based rules with other signals, like the country where the user sits or the health of the device using integrations with Tanium, Carbon Black, Crowdstrike, and other providers. Organizations can require that users only connect from corporate devices or build login flows that support enterprise providers like Okta and Azure AD alongside public authentication options like GitHub and Google.

Cloudflare’s Zero Trust platform also helps your team get rid of outdated authentication processes like long-lived SSH security keys. The solution takes the JSON Web Token issued during the login and converts it to short-lived certificates that authorize the user’s session on a machine.

Audit sessions and secure data in every application

Cloudflare Zero Trust Apps platform gives your team the same level of control over files, data, and even commands that you have today in Cloudflare Gateway and applies it to any supported application type in your enterprise.

First, your team can now build rules that control who in your organization can transfer data to or away from a machine over an SSH connection or to a remote desktop over RDP. Build rules by machine, user and group identity, or country and device. Keep data on the machines or desktops in your environments and off of the roaming devices outside of your organization.

Coming soon, deploy a high visibility solution with low effort by enabling session recording for any connection type. Cloudflare Zero Trust Apps will record the screen of any session, batch the recordings in intervals, and send them to a storage location you have configured. We’ll be adding structured command logging and keyboard input to this flow as well.

Launch any app with a single click

Today’s launch not only improves security for any application in your organization, it also makes life easier for all of your users.

The browser-based interface of Cloudflare Zero Trust Apps can be launched from a single dashboard that is tailored to the permissions of each end user. Users login to a home page that your organization controls and Cloudflare displays each application they can reach — web, SSH, RDP, and others.

Users can click on any tile in their view to launch the interface for a given application without leaving their browser. Cloudflare’s Zero Trust login flow authorizes them to the session and they can begin doing their work without modifying SSH configuration files or editing RDP clients locally.

Mobile also just works. Cloudflare can render the session in any common browser on tablets and phones, making it possible for technicians on a job site or users away from their desk to reach any service as seamlessly as they can connect to a web application.

Accelerate user experience

Like any product in Cloudflare One, this solution does not force your team to pick between security and performance. Cloudflare Zero Trust Apps makes the applications that your team needs faster.

The approach starts by building on the remote browser isolation technology that powers Cloudflare Browser. Cloudflare Zero Trust Apps renders the application in the browser as if it were a native application. Users can highlight, copy-and-paste, and use shortcuts.

Next, the solution uses Cloudflare’s network to accelerate traffic from the server to your end user. Cloudflare determines the fastest path across our global backbone and delivers the experience to your team from a data center nearby in more than 200 cities in over 100 countries.

What’s next?

Today’s launch begins with support for SSH. We plan to continue to add support for additional application types over the next few months, in addition to structured command logging and filtering for SSH. Does your team have a resource that has been painful to use? Let us know as we prioritize the expansion.

If your team uses Cloudflare Access for SSH flows, you can begin using Zero Trust Apps immediately with a single configuration change. To get started, follow the instructions here.

As part of Cloudflare for Teams, your organization can start using Cloudflare Zero Trust Apps at no cost for up to 50 users as part of the Cloudflare for Teams free plan. Advanced security features, like session recording, will be available on the Cloudflare for Teams Standard plan.