Zero trust for everybody: 3 ways to get there fast
Agenda
1. The Zero Trust framework, and our recommended ZT security model
2. 3 quick wins for Zero Trust transformation
3. How 3 organizations of differing sizes are using ZT strategy to secure and accelerate their business
Problem: users and data live outside our walls
Consequences for security teams:
● Excessive implicit trust to ‘insiders’
● Defense in depth = increased complexity
● Limited visibility into data flows
Business trends accelerating challenges:
● Rapid Cloud & SaaS adoption
● Geographically dispersed users
● Prevalence of mobile
Breaches: no such thing as a ‘trusted’ insider
Baseline: 3,594 breaches confirmed by 629 security decision makers
Source: Forrester Analytics Global Business Technographics® Security Survey, 2019
Nearly 46% of breaches of sensitive data were caused by internal actors (employees + 3rd party partners)
And of these internal threats...
● 48% attributed to malicious intent
● 43% attributed to inadvertent misuse
● 9% attributed to a combination
Remote work straining already-challenged VPNs
VPNs are engineered for implicit trust
“Hacker leaks passwords for 900+ enterprise VPN servers” (Aug. 2020)
VPN servers are under constant attack
NSA advisory on VPN and IPsec-based access (July 2020)
CISA: Continued Exploitation of Pulse Secure VPN Vulnerability (April 2020)
Solution: Zero Trust architecture
Core principles:
● “Never trust, always verify”
● Access based on identity and context (not network location)
● Least privilege by default
Key assumption: Your users and network are likely already compromised.
The Zero Trust buzz can be frustrating
...but it doesn’t have to be!
Our perspective
Help Build a Better Internet
25M+ Internet properties
42 Tbps of network capacity
200+ cities and 100+ countries
72B cyber threats blocked each day in Q2 ‘20
99% of the Internet-connected population in the developed world is located within 100 milliseconds of our network
Cloudflare’s promise: Zero Trust for Everyone
Cloudflare for Teams makes Zero Trust security transformation radically approachable for all organizations, of any size and maturity.
No Trade Offs
● Security + Performance
● Network Scale
● Shared Intelligence
● Ease of Use
How Cloudflare for Teams works
Please see the Appendix for more information.
Zero Trust journey with Teams
...to apply “never trust, always verify” policies to all users and devices connecting to your resources.
Zero Trust security journey with Cloudflare for Teams
Implement ZT with Identity
Extend Zero Trust with context
Zero Trust for the Internet
You need....
...a standardized knowledge of “who is who” as a foundation to inform Zero Trust verification.
...to enable secure connections to the Internet for a distributed workforce.
Key product capabilities
● Contractor access with multi-SSO integrations
● Granular policy controls
● Secure encrypted tunnel
● Device posture check
● Single pane-of-glass for visibility across your network
● Isolated browsing
● Inline inspection of outbound requests
● Data Loss Prevention via integration with apps
1 2 3
“Extend and enrich identity verification for internal and external users.”
“Secure access to cloud and SaaS resources”
“Isolate your users from attacks by ‘never trusting’ connections on the public internet”
Legacy Problem Cloudflare Solution
Cloudflare Access
Access: Zero Trust Network Access
Complete control of access to applications
Enforce Zero Trust access for ALL applications on a per-user basis with easy-to-create and manage rules.
Extend identity based security with more signal
Improve security with context awareness such as device posture. Enforce more granular policies such as hard key requirements for your most sensitive applications.
Deliver fast applications to devices anywhere
Users get secure and seamless access to all applications faster from anywhere thanks to Argo Smart Routing.
Cloudflare for Teams
Getting Started
Zero Trust for your Network
CONGRATS! WE JUST ADDED OUR FIRST APPLICATION
● A top secret gifts page
● igivecoolgifts.com
● /secretgifts
NOW, LET’S INTEGRATE OUR FIRST IDENTITY PROVIDER
● G Suite, GitHub, or OTP rules
● Exclude Antarctica
LET’S SEE HOW OUR POLICY IS PERFORMING
● Blocked
● Authenticated
● Allowed
● Customized
How we do it
Legacy Problem Cloudflare Solution
Cloudflare Gateway
Gateway: Secure Web Gateway Solution
© 2018 Cloudflare Inc. All rights reserved.
Complete visibility from a single pane of glass
Log and monitor all internet traffic, on and off your network for unprecedented levels of granular visibility that can be viewed in the dashboard or integrated to your SIEM.
Simplify internet security and compliance
Easily apply DNS and URL filtering rules to protect your users on the open internet and enforce compliance.
Eliminate threats on our edge not in your environment
Gateway’s policy engine blocks threats on our network before they reach yours and you can leverage our proprietary threat intelligence to inform those policies.
Deploys quickly and easy to manage
Setup can be performed in minutes with easy to configure policies that do not require security expertise to operate.
Never compromise on performance
End-users get an amazing experience leveraging the world’s fastest public DNS resolver.
Cloudflare for Teams
Getting Started
Zero Trust on the Internet
CONGRATS! WE JUST ADDED OUR FIRST NETWORK
● Kaizen ✌️
NOW, LET’S INTEGRATE OUR FIRST POLICY
● Nine to Five ⌚️
○ Security
○ Content
○ Custom
LET’S SEE HOW OUR POLICY IS PERFORMING
● Overview
○ Top Allowed
○ Top Blocked
Zero Trust works for teams of all sizes
Unique challenges
Sample use cases
Why start ZT now?
Small business: ZT for Underdogs
● Limited IT / security resources to fight fires
● Expand remote access
● Secure BYOD programs
● Avoid legacy network security investments
Growth & scaling stage: ZT for Scaling
● Growth expands attack surface without visibility
● Secure contractor access
● Secure DevOps
● Supports ambitions to scale in secure manner
Large enterprise: ZT for Digital Transformation
● Pressure to transform complex, legacy IT stack
● Secure access for supply chain partners
● Support M&A integration
● Enables cloud migration
● Rein in control over sprawling IT
Customer stories
A small team of volunteers launches a free online classroom and resource hub for students. Cloudflare Access allows teachers and developers to build and QA lessons seamlessly.
220K daily visits
20M lessons delivered
Oak National Academy: Zero Trust overnight
CHALLENGES
● Group of former school teachers set up an online school for children affected by COVID-19 school closings, to ensure “no child misses a lesson” during the pandemic
● Needed to provide a team of developers access to pre-production infrastructure across multiple sub-domains
● Large groups of teachers from different organizations needed to be able to log in to the platform to review and edit lesson plans
SOLUTION
Implemented Cloudflare Access for Zero Trust access to GCP infrastructure and internally developed apps - virtually overnight.
VALUE
● Teachers can review and edit lesson plan materials by logging into the content management system with Google credentials
● Developers access pre-production environment without needing to use a VPN
● Scales seamlessly to the number of users needed
“[Access has] been amazing. [Our previous solution] was like trying to use a computer that froze every 10 seconds. Right now, support departments don’t notice any difference between accessing customer environments on-prem or through Access.”
- Sybren van Wijk, Technical Product Owner, TOPdesk
TOPdesk: Enabling 24x7 customer support
CHALLENGES
● Dutch service management SaaS with expanding workforce across 11 countries
● Customer support engineers needed 24x7 remote access to an on-premise remote support app; application was configured for office-only access due to GDPR
● Existing on-prem solution was slow, unresponsive, and designed when TOPdesk had 100 employees, not 750+
SOLUTION
TOPdesk put Cloudflare Access in front of internal support apps to ensure technicians could address pressing customer needs at any time, from anywhere. Access integrates with Workers to ensure engineers can connect to only the customer environments they have specific permission to reach, in compliance with GDPR.
VALUE
● Allowed TOPdesk to supply true 24x7x365 support to customers
● Preparedness for remote work: Expanding Access usage in the weeks prior to the pandemic helped prevent interruptions in customer support
● Replaced slower, less secure VPN access with Zero Trust access to key dashboards
A large re-insurance firm
CHALLENGES
● Massive European financial services firm with 25K+ global employees
● Over half of employees are contractors and rely on different identity providers
● Needed to improve security model by replacing IP-list and VPN controls with Zero Trust access
KEY RESULTS
SOLUTION
Used Cloudflare Access to secure access to internal, legacy Customer Relationship Management (CRM) apps for 1,000 employees initially. They will expand their deployment to 20,000+ employees and contractors for countless applications by end of this year.
VALUE
Deploying Cloudflare Access helps the reinsurance firm move toward Zero Trust security to their corporate resources. They are able to simplify and secure the process of giving contractors, interns and other temporary employees (consultants) access to critical data with a more streamlined user experience.
A global reinsurance firm relies on Cloudflare for Teams to move from legacy access controls and traditional network perimeter security to Zero Trust security, starting with their large contractor workforce.
Cloudflare Access: Our origin story
CHALLENGES
● ‘On call’ engineers were fed up with clunky VPN login experience to access internal apps like Grafana during time-sensitive assignments
● Setting access control policies on the VPN was onerous for the IT team
● Our standalone VPN was becoming a performance bottleneck and a single point of failure for a rapidly expanding global workforce
SOLUTION
Our engineers first built Access in 2015 to speed up their logins, and we have progressively shifted authentication for the majority of our internal applications onto our global network edge. Today, all employees onboard onto Access (not our VPN) and benefit from a fast and consistent login experience to every application.
VALUE
● Get employees access to the resources they need without friction
● Modernize our security posture with Zero Trust best practices
● Improved employee productivity:
○ ~80% reduced time spent servicing VPN related tickets
○ ~70% reduction in ticket volume
○ 300+ annual hours of unlocked productivity during onboarding
“As a CIO, I'm proud that I don't have to worry about our colleagues getting frustrated with reaching the basic tools they need to stay productive. With Access, Cloudflare does not have to make any trade-offs between improving security and creating an amazing user experience.”
- Juan Rodriguez, Chief Information Officer
RECAP: Zero Trust with Cloudflare for Teams
1. Set up a Cloudflare for Teams account at cloudflare.com/teams-home - your first 50 users are free!
2. Start a Zero Trust Access pilot with a small group of users at your company.
3. Measure the impact on the business - and then keep going!
Thank you!
Questions?
