This post is also available in 简体中文, 繁體中文, 日本語, 한국어, Español, Bahasa Indonesia and ไทย.
Last October, we announced Cloudflare One, our comprehensive, cloud-based network-as-a-service solution that is secure, fast, reliable, and defines the future of the corporate network. Cloudflare One consists of two components: network services like Magic WAN and Magic Transit that protect data centers and branch offices and connect them to the Internet, and Cloudflare for Teams, which secures corporate applications, devices, and employees working on the Internet. Today, we are excited to announce new integrations with VMware Carbon Black, CrowdStrike, and SentinelOne to pair with our existing Tanium integration. Cloudflare for Teams customers can now use these integrations to restrict access to their applications based on security signals from their devices.
Protecting applications with Cloudflare for Teams
When the COVID-19 pandemic unfolded, many of us started to work remotely. Employees left the office, but the network and applications they worked with didn’t. VPNs quickly began folding under heavy load from backhauling traffic and reconfiguring firewalls became an overnight IT nightmare.
This has accelerated many organizations' timelines for adopting a Zero Trust based network architecture. Zero Trust means to mistrust every connection request to a corporate resource, and instead intercept and only grant access if criteria defined by an administrator are met. Cloudflare for Teams does exactly that. It replaces legacy VPNs with our global network running in 200+ locations, and validates a user's identity via their identity provider and cross-checks for permissions to the requested application. Only if the user successfully verifies their identity and has sufficient access privileges are they granted access. The result: better performance due to our global network, and a security model that relies on verification rather than trust.
BYOD—Bring Your Own Destruction
Remote work threw companies another curveball. As the lines between work and leisure time blurred, users started to work from a variety of devices, including their personal ones. Personal or unsecured devices are often more exposed to threats like malware, simply because they’re not protected by anti-malware or more sophisticated endpoint security providers. Using an unsecured device to access company email, deploy code to a production system, or access applications containing sensitive information is risky and could result in violation of a company’s compliance rules, or worse, compromise a system if an infected device spreads malware.
New policies based on device security
Starting today, Cloudflare for Teams customers can configure new policies that rely on device security signals provided by their endpoint security vendor to allow or deny connections to their applications. The terms endpoint security, device security, device health, or device posture are often used interchangeably, but all mean the same — they are a collection of signals that help decide whether a particular device, say a laptop or a mobile phone, is secure or not. This includes signals and attributes like version of the operating system, date of the last patch, disk encryption status, inventory of installed applications, status of anti-malware or endpoint security provider, and date of the last malware scan.
Understanding these signals, especially across all company issued devices — also known as the device fleet — is important and allows security and IT teams to find devices that are outdated and require patching, or when a malware infection has occurred and needs remediation. Using Cloudflare for Teams, these signals can also be used to make network access decisions. For example, to restrict non-company issued devices from accessing sensitive applications, an access policy can be created that compares the device’s serial number with the company’s device inventory. Only if the serial number matches is the user granted access.
Our WARP client already checks for some of these attributes, like serial number and device location, and ensures traffic is encrypted with WARP. With our new integrations, customers get an additional layer of security by requiring that a device runs, for example, a CrowdStrike or VMware Carbon Black agent before granting the device access to a resource protected by Cloudflare. By combining signals from WARP and our partners’ endpoint security platforms, we can ensure that a device is both company sanctioned and free of malware, and therefore considered a secured device.
In today’s work-from-anywhere business culture, the risk of compromise has substantially increased as employees and their devices are continuously surrounded by a hostile threat environment outside the office walls. Through our integration with Cloudflare, organizations can leverage the power of the CrowdStrike Falcon platform to accurately allow dynamic conditional access to applications, delivering end-to-end Zero Trust protection across endpoints, workloads and applications to stop attacks in real-time.
— Patrick McCormack, Senior Vice President, Cloud Engineering, CrowdStrike
The VMware Carbon Black Cloud consolidates multiple endpoint and workload security offerings into a single, cloud native platform. Leveraging VMware Carbon Black Cloud, Cloudflare can help customers secure and manage devices connecting to their cloud and Zero Trust networks.
— Tom Corn, Senior Vice President, Security Business Unit, VMware
Enterprises have come to terms with the notion of a disintegrating traditional perimeter. The distributed and dynamic perimeter of today requires a fundamentally new approach to security. In partnership with Cloudflare, our AI-powered cybersecurity platform offers modern enterprises a more robust zero trust security solution that spans the devices, the network, and the mission critical applications enterprises rely on.
— Chuck Fontana, SVP Business & Corporate Development, SentinelOne
Zero Trust security architectures started at the network level with segmentation and enforcement, but as corporate resources and data increasingly live on endpoints, a zero trust architecture must take both the endpoint and the network into consideration. Knowing the identity of the endpoint, as well as knowing that it’s up-to-date, hardened against security threats and hasn’t been compromised, is paramount in ensuring secure access to an organization's resources.
— Pete Constantine, Chief Product Officer, Tanium
How does it work?
Our integrations are simple. The first step is to secure your applications with Cloudflare Access. The integration between Access and your endpoint security provider varies slightly depending on your vendor.
Tanium does not require any additional software installed on a user’s machine. Simply input your Tanium certificate in the Cloudflare for Teams Dashboard and enable Endpoint Identity in your Tanium instance. Then, you can add Tanium as a policy check in the Teams Dashboard for any application to ensure that a user’s device is company-sanctioned and free of malware.
VMware Carbon Black, CrowdStrike, and SentinelOne
Unlike Tanium, these vendors require that the WARP client is deployed on a device. Before you configure these providers on the Teams Dashboard, we recommend deploying WARP via an MDM solution — alternatively, users can download the WARP client directly.
Once the WARP client is deployed for your team, you can configure your endpoint security provider on the Teams Dashboard. To get started, log in to your Teams Dashboard and navigate to My Team→Devices, then click on the new tab “Device posture”. For our partners, we’ve pre-configured values that should work for most installations.
Now that you have completed configuration, you can build rules based on the provider of your choice and apply them to your applications as you would any other Access policy. Once the rules are in place, WARP will check to see if the endpoint security software is running on the device and communicate the status to Access. Access will then use the status of the device’s endpoint security software to either allow or deny access to the secured application. If the device is running your organization's endpoint security software, access will be granted.
These Zero Trust checks can be layered with features like MFA and User Identity to thwart stolen credentials or other malicious access attempts.
In future releases, we will integrate additional security signals from our newly launched partners — such as CrowdStrike’s and VMware Carbon Black’s risk scores — to provide even more fine-grained control over which devices can get access to protected applications. We will also continue partnering with more vendors to provide flexibility to our customers in using their vendor of choice.
If you’re using Cloudflare for Teams today and are interested in using our integrations, visit our developer documentation to learn about how you can enable them. If you want to learn more or have additional questions, please fill out the form on our Endpoint Security Partnerships page, and we'll get in touch with you shortly.