Earlier this week, we announced Cloudflare One™, our comprehensive, cloud-based network-as-a-service solution. Cloudflare One improves network performance and security while reducing cost and complexity for companies of all sizes.
Cloudflare One is built to handle the scale and complexity of the largest corporate networks. But when it comes to network security and performance, the industry has focused all too often on the largest of customers with significant budgets and technology teams. At Cloudflare, we think it’s our opportunity and responsibility to serve everyone, and help companies of all sizes benefit from a better Internet.
This is Zero Trust Week at Cloudflare, and we’ve already talked about our mantra of Zero Trust for Everyone. As a quick refresher, Zero Trust is a security framework that assumes all networks, devices, and Internet destinations are inherently compromised and therefore should not be trusted. Cloudflare One facilitates Zero Trust security by securing how your users connect to corporate applications and the Internet at large.
As a small business network administrator, there are fundamentally three things you need to protect: devices, applications, and the network itself. Below, I’ll outline how you can secure devices whether they are in your office (DNS Filtering) or remote (WARP+ and Gateway), as well as applications and your network by moving to a Zero Trust model of security (Access).
By design, Cloudflare One is accessible to teams of any size. You shouldn't need a massive IT department or a Fortune 500 budget to connect to your tools safely. On Tuesday, we announced a new free plan which provides many of the features of Cloudflare One, including DNS filtering, Zero Trust access, and a management dashboard - for up to 50 users at no cost.
Starting now, your team can begin deploying Cloudflare One in your organization in just a few simple steps.
Step 1: Protect offices from threats on the Internet with DNS Filtering (10 minutes)
Step 2: Secure remote workers connecting to the Internet with Cloudflare WARP+ (30 minutes)
Step 3: Connect users to applications without a VPN with Cloudflare Access (1 hour)
Step 4: Block threats and data loss on devices with a Secure Web Gateway (1 hour)
Step 5: Add Zero Trust to your SaaS applications (2 hours)
1. Start blocking malicious sites and phishing attempts in 10 minutes
The Internet can be a dangerous place with malware and threats lurking everywhere. Protecting employees from threats on the Internet requires a way to inspect and filter their traffic. That starts with DNS-level filtering that can quickly and easily eliminate known malicious sites as well as restrict access to potentially dangerous neighborhoods on the Internet.
When your devices connect to a website, they start by sending a DNS query to a DNS resolver to find the IP address of the hostname for that site. The resolver responds and the device initiates the connection. That initial query creates two challenges for your team’s security:
- Most DNS queries are unencrypted. ISPs can spy on DNS queries made by your employees and corporate devices while they work from home. Even worse, a malicious actor could modify responses to launch an attack.
- DNS queries can resolve to malicious hostnames. Team members can click on links that lead to phishing attacks or malware downloads.
Cloudflare One can help keep that first query private and stop devices from inadvertently requesting a known malicious hostname.
Start by signing up for a Cloudflare account and navigating to the Cloudflare for Teams dashboard.
Next, set up a location. You’ll be prompted to create a location which you can do if you want to protect the DNS queries of an office network. Simply deploy Gateway’s DNS filtering for your office by changing your network’s router to point to the assigned Gateway IP address.
Cloudflare operates 184.108.40.206, the world’s fastest DNS resolver. We’ve built Cloudflare Gateway’s DNS filtering tools on top of that same architecture so that your team has faster and safer DNS.
Now you can easily create a Gateway DNS policy to filter security threats or specific content categories.
Then use the Gateway dashboard to monitor queries that are allowed or blocked.
Then navigate to the dashboard on the “Overview” tab and see your traffic including what you are blocking and allowing.
2.Next, protect all of your remote employees and send all traffic through Cloudflare over an encrypted connection
Employees who used to connect to the Internet through your office network now connect from hundreds or thousands of different home networks or mobile hotspots to do their jobs. That traffic relies on connections that might not be private.
You can use Cloudflare One to route all team member traffic over an encrypted, accelerated path to the Internet with Cloudflare WARP. Cloudflare WARP is available as an application that your team members can install on macOS, Windows, iOS, and Android. The client will route all of their device’s traffic to a nearby Cloudflare data center over Cloudflare’s implementation of a technology called WireGuard.
When they connect, Cloudflare One uses WARP+, our implementation of WARP that uses the Argo Smart Routing service to find the shortest path through our global network of data centers to reach the user’s destination.
Your team can begin using Cloudflare WARP today. Navigate to the Cloudflare for Teams dashboard and purchase the Cloudflare Gateway or Cloudflare for Teams Standard plan. Once purchased, you can create a rule to determine who in your organization can use Cloudflare WARP.
Your end users can launch the client, input your team’s organization name, and login to begin using WARP+. Alternatively, you can deploy the application with settings preconfigured using an device management solution like JAMF or InTune.
Cloudflare WARP seamlessly integrates with Gateway’s DNS filtering to bring secure, encrypted, DNS resolution to roaming devices. Users can input the DoH subdomain of a location in your Cloudflare for Teams account to begin using your organization’s DNS filtering settings wherever they work.
3. Replace your VPN with Cloudflare Access
When we were a smaller team and relied on a VPN, our IT help desk received hundreds of tickets complaining about our VPN. Some of these descriptions might look familiar.
We built Cloudflare Access as a way to replace using a VPN as the gatekeeper to applications. Cloudflare Access follows a model known as Zero Trust security where Cloudflare’s network, by default, does not trust any connection. Every user attempting to reach an application has to prove they should be allowed to access that application based on rules that administrators configure. With our new Teams free plan, up to 50 seats of Access are available at no cost.
That sounds like adding a burden, but Cloudflare Access integrates with your team’s identity provider and single sign-on (SSO) options to make any application feel as seamless as a SaaS application with SSO. Even if your team does not have a corporate identity provider, you can integrate Access with free services like GitHub and LinkedIn, so your employees and partners can authenticate without adding cost.
For hosted applications, you can connect your origin to Cloudflare’s network without opening holes in your firewall using Argo Tunnel. Cloudflare’s network will accelerate the traffic from that origin to your users along fast lanes using our global private backbone.
When your team members need to connect to an application, they can visit it directly or start from a custom app launcher for your team. When they arrive, they’ll be prompted to login with your identity provider and Access will check their identity, and other characteristics like country of login, against rules that you create in the Cloudflare for Teams dashboard.
Cloudflare’s free plan includes up to 50 seats of Cloudflare Access at no cost so that your team can begin
4. Add a Secure Web Gateway to block threats and file loss
With Cloudflare WARP, all of the traffic leaving your devices now routes through Cloudflare’s network. However, threats and data loss can hide inside of that traffic. You can add Cloudflare Gateway’s HTTP filtering to your team’s Cloudflare WARP usage to block threats and file loss. For example, if your team uses Box you can restrict all file uploads to other cloud based storage services to ensure everything stays in one, approved place.
To get started, navigate to the Policies section of the Cloudflare for Teams dashboard. Select the HTTP tab to begin building rules that inspect traffic for potential issues like known malicious URLs or files being uploaded to unapproved destinations.
To inspect traffic, you’ll need to download and install a certificate on the enrolled devices. Once installed, you can enable HTTP filtering from the Policies tab to begin enforcing the policies that you created and capturing event logs.
5. Bring Zero Trust rules to your SaaS applications
If you don’t have self-hosted applications, or also use SaaS applications, you can still bring the same Zero Trust rules to the SaaS applications that your team uses with Cloudflare Access for SaaS - wherever they live. With Access for SaaS, companies can now centrally manage user access and security monitoring for all applications.
You can integrate Cloudflare Access as an identity provider to any SaaS application that supports SAML SSO. That integration will send all login attempts through Cloudflare’s network to your configured identity providers and enforce rules that you control.
Access for SaaS still includes the ability to run multiple identity providers simultaneously. When users login to the SaaS application, they’ll be prompted to pick the identity provider they need, or we’ll send them directly to the only provider you want to use for that application.
Once deployed, Access for SaaS gives your team high visibility, with low effort, into every login to both internal and SaaS applications. You can use the new Access for SaaS feature as part of the Cloudflare for Teams free plan for up to 50 users.
6. Soon: Protect small business office networks
Cloudflare’s Magic Transit™ product takes everything we learned protecting our own network from IP-layer attacks and extends that security to our customers who operate their own IP address space. By protecting that network, customers also benefit from performant and reliable IP connectivity to the Internet.
Today, some of the largest enterprises in the world rely on Magic Transit to keep their business safe from attack. We plan to extend that same protection and connectivity to teams who operate smaller networks in upcoming releases.
Cloudflare One represents our vision for the future of the corporate network, and we’re just getting started adding products and features that help teams move to that model. That said, your team shouldn’t have to wait to begin connecting through Cloudflare and securing your data and applications with our network.
To get started, sign up for a Cloudflare account and follow the steps above. If you have any questions on setting up Cloudflare One as a small business, or large enterprise, please let us know in this community forum post.