Zero Trust

Question 1

Cloudflare Zero Trust comprises two major components of the SASE framework:

Answer 1

1) Secure Web Gateway

2) Zero Trust Network Access

Question 2

“How do I get my users secure access both to the Internet and private applications without backhauling their traffic or sacrificing security posture?”

Answer 2

This fits SASE architecture because it offloads traditionally datacenter-centric security services to a ‘distributed’ network, so the datacenter doesn’t need to be involved in every user’s request if unnecessary.

Question 3

CASB

Answer 3

Cloud Application Security Brokers (CASB) began rising in popularity as a response to the growing use of SaaS apps that did not live within the datacenter and may not be ‘controlled’ by the IT organization. Cloudflare provides one — soon two — delivery methods associated with CASB.

Within Gateway, we provide ‘in-line’ CASB functionality and Shadow IT, which can control how users on corporate machines interact with SaaS tools (controlling who can upload/download to which apps, what they should access, etc.).

Question 4

What problems does CASB solve?

Answer 4

They typically solve one of two problems (in three different ways), either (1) documenting, auditing, and restricting which SaaS apps can be used by users on corporate devices, or (2) auditing and securing data either at rest or in motion ‘through’ SaaS apps.

Question 5

VPN

Answer 5

Cloudflare Access replaces corporate VPNs with Cloudflare’s network. Instead of placing internal tools on a private network, customers deploy them in any environment, including hybrid or multi-cloud models, and secure them consistently with Cloudflare’s network.

Question 6

What is a Secure Web Gateway?

Answer 6

A Secure Web Gateway is traditionally a piece of hardware within a businesses security stack. It evaluates requests destined from a corporate environment or remote user for content inspection, it typically provides URL filtering, SSL inspection, and may allow for controlling the ‘http’ elements of a website (blocking uploads, blocking posts, etc). In the past few years, many of these functions have been offloaded to platform providers, but some still exist in the datacenter.

Question 7

Cloudflare Gateway

Answer 7

Cloudflare provides a secure web gateway called Gateway to filter user or network traffic which can provide all the major functions of a hardware appliance, but has the added benefit of being available on our network (everywhere, close to users for low latency) and is endlessly scalable and extremely performant. This improves user experience by not having to backhaul or use a less available cloud provider, and allows businesses to streamline policy creation across their global workforce.

Question 8

Authentication as a tenet of Zero Trust

Answer 8

A core tenet of Zero Trust is moving from a ‘location’ or ‘IP’ based authorization model to an identity-driven one, and having a mechanism for ‘continuous’ authentication. Having a central or accepted method of identity and authorization is critical to building a zero trust strategy. It is important to know who the subject (user or device) is requesting access to an object (application or services), this helps in providing the least privileged access for the user or device to just perform its business, enriches the security reporting and provides visibility to the network.

Question 9

Cloudflare authentication

Answer 9

Cloudflare’s Zero Trust platform works with all major SSO providers that support SAML 2.0 and OpenID Connect (OIDC), supports 2FA as well. Once users authenticate to their SSO service, Cloudflare enforces consistent access controls across cloud and on-premise applications.

Question 10

Primary drivers of zero trust adoption

Answer 10

Primary reasons to drive adoption of Zero Trust have been to reduce the risk of remote work and insider threats, mitigate third-party risk and manage cloud risk. This has all become increasingly difficult as more and more users and services exist outside of the corporate perimeter. The model of “user and service in same location” no longer applies in a majority of access requests.

As businesses start to adopt new remote access models, Zero Trust security is critical to ensure that their global base of applications and users are secured with the same consistent methodology. It also has a big impact on user experience - most zero trust models feel more Internet native than traditional VPN-based remote access, and therefore provide a better, more predictable and easily managed experience for the end-user, which is very important to CIOs.

Question 11

5 methodologies for Zero Trust

Answer 11

1. Define what you need to protect (Data, Applications, Services)
2. Map transactions flows (Get visibility)
3. Add controls (Architecture - know what to protect)
4. Define Policies (Using Kipling method - Who, What, When, Where, Why)
5. Monitor & Maintain

Question 12

3 main pain points that Cloudflare Zero Trust addresses:

Answer 12

Lack of visibility, complexity, and excessive trust

Question 13

Describing Cloudflare Zero Trust

Answer 13

Cloudflare Zero Trust reduces risks, increases visibility, and eliminates complexity as employees connect to applications and the Internet.

Zero Trust runs on the world’s fastest edge network to deploy faster and perform better than other providers.

Cloudflare verifies, filters, inspects and isolates user traffic in one lightning-fast single pass inspection, with single-pane management.