This post is also available in 简体中文, 繁體中文, 日本語, Bahasa Indonesia, ไทย.
Today, we’re excited to announce that your team can use Cloudflare’s network to build Zero Trust controls over the data in your enterprise - wherever it lives and however it moves.
Stopping data loss is difficult for any team and that challenge has become harder as users have left offices and data has left on-premise storage centers. Enterprises can no longer build a simple castle-and-moat around their data. Users now connect from any location on the planet to applications that live in environments outside that enterprise’s control.
We have talked to hundreds of customers who have resorted to applying stopgap measures to try and maintain that castle-and-moat model in some form, but each of those band-aids slow down their users or drive up costs - or both. Almost all the short-term options available combine point solutions that ultimately force traffic to back haul through a central location.
Part of Cloudflare One, Cloudflare’s approach to data loss prevention relies on the same infrastructure and global network that accelerates user traffic to the Internet to also perform inline inspection against all traffic regardless of how it arrives on our network.
We also know that enterprises need more than just scanning traffic for data strings. Keeping data safe also requires having visibility into how it moves and being able to control who can reach it. Cloudflare One gives your team the ability to build Zero Trust permissions in any workforce application and to log every request made to every data set without slowing users down.
Step 1: Start with a complete audit trail
Visibility into a corporate network used to be easy. All of a company’s services lived in a private data center. Users connected from managed office networks or virtual private network (VPN) clients. Security teams could monitor every request because everything took place inside a corporate network that resembled a castle-and-moat.
When users left offices and applications shifted away from the data center, organizations lost visibility into the connections to sensitive data. Organizations who wanted to adopt an “assume breach” model struggled to determine what kind of data loss could even occur, so they threw every possible solution at the problem.
We talk to enterprises who purchase new scanning and filtering services, delivered in virtual appliances, for problems they are unsure they have. These deployments force users to back haul all traffic to the Internet, slowing down the experience for every team member, in an attempt to rebuild the visibility offered in that castle-and-moat model.
Over the last year, we launched the first phase of Cloudflare’s DLP solution to help teams solve that problem. You can now use Cloudflare’s network to capture and log every DNS query, request, and file upload or download in your organization. Rather than slowing down your team, these features can accelerate how they can connect to both internally-managed and SaaS applications.
Building that level of visibility should not become a headache for administrators, either. Cloudflare’s DNS filter can be deployed to office networks and roaming devices in less than an hour. We built the DNS filtering solution on the same technology that powers 220.127.116.11, the world’s fastest DNS resolver, to accelerate end user experience too.
Next, teams can add context to all the traffic leaving their endpoints and devices by layering on Cloudflare’s Secure Web Gateway platform. Like the DNS filter and 18.104.22.168, we built our Gateway product after spending years improving a consumer equivalent, Cloudflare WARP.
We also added new tools to help prevent cases where connections skip the DNS filter or Secure Web Gateway. Your team can capture the HTTP method, URL path, and other metadata about every request without on-premise appliances or traffic back haul.
Your team can build rules that require every login to a SaaS application pass through Cloudflare’s network before a user signs in to your identity provider, ensuring you never have a blind spot over what data is being accessed. Finally, export all DNS query and HTTP logs to the SIEM provider that your team already uses.
Step 2: Add RBAC everywhere - even in the apps that lack it
Comprehensive logs help uncover potential breaches, but they also shine a light on how much data is available to everyone inside of your organization. We hear from customers who have information that lives in hundreds of applications and, in many cases, the default rule for most of those applications is to allow anyone in their team to reach any record.
With that rule as the default, every user account creates a larger attack surface for data loss - but the alternatives are hard or impossible. Configuring role-based access controls (RBAC) in every application is tedious. Even worse, some applications lack the ability to create RBAC rules altogether.
Today, you can deploy Cloudflare’s Zero Trust platform to build need-to-know rules in a single place - across all of your internally-managed and SaaS applications. In many cases, the first target for these rules is an organization’s customer relationship management (CRM) system. A CRM contains data about buyers, accounts, and revenue. Some of those records are much more sensitive than others but users on other teams - marketing, legal, and finance, for instance - can connect to anything in the application.
You can now use Cloudflare’s Secure Web Gateway to create rules that use your identity provider to restrict who can reach a specific part of any application, whether the application supports RBAC controls. If you want to allow team members to reach a record, but prevent users from downloading data, you can also control who has permission to save data locally with file upload/download policies.
Some applications support this level of identity-based RBAC, but we also hear from customers who need more scrutiny for certain datasets. One example is the requirement of a hard key as a second factor method. You can also use Cloudflare’s Zero Trust platform to add additional requirements when a user connects to certain applications, like forcing a hard key or specifying allowed countries.
We know that URL paths are not always standard and that applications evolve. Coming soon, your team will be able to apply these same types of Zero Trust controls to the data sets in any application. Read on to learn more about what’s next and how these rules integrate with Cloudflare’s data inspection.
Step 3: Build a data safety net for your external-facing applications
Controlling who can reach sensitive data assumes that the applications you control are not leaking data through other channels. Organizations try to solve this by assembling a patchwork of point solutions and processes to prevent accidental data loss from a forgotten API endpoint or a weak and reused password. These solutions require manual configuration for each application and cumbersome development practices that get ignored.
As part of today’s announcement, we’re launching a new feature in Cloudflare’s Web Application (WAF) to help teams solve this problem. You can now protect your application from external attacks and oversharing. You can use Cloudflare’s network to scan and block responses that contain data you never intend to send out from your application.
Administrators will be able to apply these new types of rules to any web resource protected by Cloudflare’s reverse proxy with just a few clicks. Once enabled, when your application responds to a request, Cloudflare’s network will check to see if the response contains data that should not leave that resource.
Unlike the point solutions this replaces, we do not want to burden your team with more work to manually classify data. At launch, we’ll provide patterns like credit card and social security numbers that you can enable. We’ll continue to add new patterns and the ability to search for specific data.
Step 4: Stop enterprise data from leaving in any direction
When applications and users left the walls of the enterprise network, security teams had to compromise on how to keep data itself safe. Those teams have been left with a few disappointing options:
- Back haul all traffic through on-premise hardware appliances that scan all traffic before sending it out to the Internet. Slow down the entire Internet for their teams.
- Purchase an expensive, out-of-band solution hosted in a handful of cloud environments that also scan for data and also slow down the Internet.
- Do nothing and let users and potentially any data set reach the Internet.
We’re excited to announce that, coming soon, you will be able to use Cloudflare’s network to scan all traffic leaving devices and locations for data loss without compromising performance. Cloudflare’s DLP capabilities apply standard, consistent rules around what data can leave your organization regardless of how that traffic arrived in our network.
Build rules in a single place that check data against common patterns like PII, against exact data sets that contain specific information you want to control, and using data labels. You can also combine these rules with other Zero Trust rules. For example, create a policy that prevents users outside a specific group from uploading a file that contains certain key phrases to any location other than your corporate cloud storage provider.
Unlike legacy point solutions to data loss, Cloudflare’s DLP runs inline on the same hardware that accelerates your traffic to the rest of the Internet. Cloudflare should not just help your team move to the Internet as a corporate network, it should be faster than the Internet. Our network is carrier-agnostic, exceptionally well-connected and peered, and delivers the same set of services globally. In each of these on-ramps, we can add better routing based on our Argo Smart Routing technology, which has been shown to reduce latency by 30% or more in the real-world.
When your users connect to an application on the Internet, Cloudflare’s WARP agent or our Magic Transit on-ramp establishes a secure connection to a Cloudflare data center in 200 cities around the world. That same data center checks the traffic against rules that block security threats, logs the event, and scans the data for patterns or exact criteria before using our global private backbone to accelerate that connection to its destination.
Your team can begin logging every request and applying RBAC controls to any application today within Cloudflare for Teams. Organizations on the Teams Free plan have every feature they need to get started for up to 50 users.
Interested in scanning all data flows? Data scanning will be added to Cloudflare for Teams later this year. Join the waitlist now to get started.
Data loss is just one risk to your organization that we’re using Cloudflare’s network to help solve. Stay tuned this week for daily announcements of new features that help your team stay secure without compromising performance or buying more hardware.