Build Zero Trust rules with managed devices

2021-03-30

Starting today, your team can use Cloudflare Access to build rules that only allow users to connect to applications from a device that your enterprise manages. You can combine this requirement with any other rule in Cloudflare’s Zero Trust platform, including identity, multifactor method, and geography.

As more organizations adopt a Zero Trust security model with Cloudflare Access, we hear from customers who want to prevent connections from devices they do not own or manage. For some businesses, a fully remote workforce increases the risk of data loss when any user can log in to sensitive applications from an unmanaged tablet. Other enterprises need to meet new compliance requirements that restrict work to corporate devices.

We’re excited to help teams of any size apply this security model, even if your organization does not have a device management platform or mobile device manager (MDM) today. Keep reading to learn how Cloudflare Access solves this problem and how you can get started.

The challenge of unmanaged devices

An enterprise that owns corporate devices has some level of control over them. Administrators can assign, revoke, inspect and manage devices in their inventory. Whether teams rely on management platforms or a simple spreadsheet, businesses can treat corporate devices as their own.

That visibility and management does not apply to a personal device — and we are all glad that is true. However, that same value causes problems when enterprises need to restrict data or access to applications to only a corporate device. If I’m able to log in to a system and download data on a personal device, I have created a new headache for IT and security.

Single sign-on (SSO) providers and SaaS applications make it easier to make that mistake, intentionally or not. Users can log in to a corporate application by simply reusing their passwords. Even if the organization enforces multifactor methods like hard key authentication, a user can just plug their key into a personal device.

Cloudflare’s Solution

We’re excited to give any team the ability to maintain control over data by ensuring it stays on corporate devices. Cloudflare Access is a comprehensive Zero Trust platform that administrators can use to build rules by identity and other signals. Teams can build rules for self-managed and SaaS applications. Every request and login is captured and all of it is made faster for end users on Cloudflare’s global network.

You can now use Cloudflare’s Zero Trust platform to build a new type of rule: only allow connections or logins from a corporate-owned device. You can use your own inventory system, whether it is a simple spreadsheet or API from an MDM platform. Our Cloudflare for Teams agent runs on the device and gathers details about the hardware, checks it against your inventory, and Cloudflare’s edge makes a decision instantly.

How it works

Enforcing corporate devices in Access takes about 20 minutes to set up and only requires that you have a list of corporate devices’ serial numbers.

The first step is to establish and import your list of managed device serial numbers. Serial number lists can be uploaded in bulk or created manually directly in the Teams Dashboard. Many inventory and asset management tools provide a straightforward way to export device serial numbers.

It is also possible to upload new serial numbers over the API, allowing for automation when new devices are purchased.

The next step is to deploy the WARP client across your corporate machines. Users can download and install the client themselves or it can be installed via an MDM solution.

That’s all that is required to begin enforcing Zero Trust access for only corporate devices! You will now be able to build Access rules that check if a device’s serial number is in the managed devices list.

Now even if a user moved their hard key over and installed WARP on their personal device, they would still be blocked because that device’s serial number is not in the corporate serial number list.
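The inventory import and API upload steps above can be automated by turning an asset-tool export into a list delta while rejecting firmware placeholder serials, which would otherwise match every device that reports the same string; this is an added example, not code from Cloudflare or from the original post. The CSV column name, the sample serial numbers, the placeholder set and the `append`/`remove` request body shape are assumptions to check against your own export and the current API reference.

```python
import csv
import io
import json

# Placeholder strings some firmware reports instead of a real serial number
# (assumed set; extend it for your fleet). Allow-listing one would match
# every device that shares it.
PLACEHOLDERS = {"", "0", "none", "n/a", "default string",
                "system serial number", "to be filled by o.e.m."}


def load_serials(csv_text, column="serial_number"):
    """Return (valid serials, rejected rows) from an inventory CSV export."""
    valid, rejected = set(), []
    for row in csv.DictReader(io.StringIO(csv_text)):
        serial = (row.get(column) or "").strip()
        if serial.lower() in PLACEHOLDERS or len(serial) < 5:
            rejected.append(row)  # needs manual review, never auto-trusted
        else:
            valid.add(serial)     # the set removes duplicate rows
    return valid, rejected


def build_patch(current, desired):
    """Build the delta that turns the `current` list into `desired`."""
    return {
        "append": [{"value": s} for s in sorted(desired - current)],
        "remove": sorted(current - desired),  # retired or reassigned devices
    }


# Constructed sample data: an asset-tool export and the list as it stands now.
INVENTORY_CSV = """asset_tag,serial_number,status
LT-001,C02XK1ABJGH5,active
LT-002, FVFZ9QWELYWK ,active
LT-003,To Be Filled By O.E.M.,active
LT-004,C02XK1ABJGH5,active
LT-005,,active
"""
CURRENT_LIST = {"C02XK1ABJGH5", "5CD0123XYZ"}

if __name__ == "__main__":
    desired, rejected = load_serials(INVENTORY_CSV)
    body = build_patch(CURRENT_LIST, desired)
    # Assumed request body for updating the serial number list over the API;
    # sending it is left out so the example runs offline.
    print(json.dumps(body, indent=2))
    print(f"{len(rejected)} inventory rows rejected for manual review")
```

Removing serials that have left the inventory matters as much as adding new ones: a retired or resold laptop that stays on the list still passes the device check.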

Getting Started

If you would like to start locking down applications to only corporate devices, sign up for a Teams account, which is free for up to 50 users. If you are an existing customer, this is available in your Teams Dashboard today and can be set up with the following guide.

Kenny Johnson|@KennyJohnsonATX