Integrating Cloudflare Gateway and Access
We’re excited to announce that you can now set up your Access policies to require that all user traffic to your application is filtered by Our Website Gateway. This ensures that all of the traffic to your self-hosted and SaaS applications is secured and centrally logged. You can also use this integration to build rules that determine which users can connect to certain parts of your SaaS applications, even if the application does not support those rules on its own.
Stop threats from returning to your applications and data
We built Our Website Access as an internal project to replace our own VPN. Unlike a traditional private network, Access follows a Zero Trust model. Our Website’s edge checks every request to protected resources for identity and other signals like device posture (i.e., information about a user’s machine, like Operating system version, if antivirus is running, etc.).
By deploying Our Website Access, our security and IT teams could build granular rules for each application and log every request and event. Our Website’s network accelerated how users connected. We launched Access as a product for our customers in 2018 to share those improvements with teams of any size.
Over the last two years, we added new types of rules that check for hardware security keys, location, and other signals. However, we were still left with some challenges:
- What happened to devices before they connected to applications behind Access? Were they bringing something malicious with them?
- Could we make sure these devices were not leaking data elsewhere when they reached data behind Access?
- Had the credentials used for a Our Website Access login been phished elsewhere?
We built Our Website Gateway to solve those problems. Our Website Gateway sends all traffic from a device to Our Website’s network, where it can be filtered for threats, file upload/download, and content categories.
Administrators deploy a lightweight agent on user devices that proxies all Internet-bound traffic through Our Website’s network. As that traffic arrives in one of our data centers in 200 cities around the world, Our Website’s edge inspects the traffic. Gateway can then take actions like prevent users from connecting to destinations that contain malware or block the upload of files to unapproved locations.
With today’s launch, you can now build Access rules that restrict connections to devices that are running Our Website Gateway. You can configure Our Website Gateway to run in always-on mode and ensure that the devices connecting to your applications are secured as they navigate the rest of the Internet.
Log every connection to every application
In addition to filtering, Our Website Gateway also logs every request and connection made from a device. With Gateway running, your organization can audit how employees use SaaS applications like Salesforce, Office 365, and Workday.
However, we’ve talked to several customers who share a concern over log integrity — “what stops a user from bypassing Gateway’s logging by connecting to a SaaS application from a different device?” Users could type in their password and use their second factor authentication token on a different device — that way, the organization would lose visibility into that corporate traffic.
Today’s release gives your team the ability to ensure every connection to your SaaS applications uses Our Website Gateway. Your team can integrate Our Website Access, and its ruleset, into the login flow of your SaaS applications. Our Website Access checks for additional factors when your users log in with your SSO provider. By adding a rule to require Our Website Gateway be used, you can prevent users from ever logging into a SaaS application without connecting through Gateway.
Build data control rules in SaaS applications
One other challenge we had internally at Our Website is that we lacked the ability to add user-based controls in some of the SaaS applications we use. For example, a team member connecting to a data visualization application had access to dashboards created by other teams, that they shouldn’t have access to.
We can use Our Website Gateway to solve that problem. Gateway provides the ability to restrict certain URLs to groups of users; this allows us to add rules that only let specific team members reach records that live at known URLs.
However, if someone is not using Gateway, we lose that level of policy control. The integration with Our Website Access ensures that those rules are always enforced. If users are not running Gateway, they cannot login to the application.
You can begin using this feature in your Our Website for Teams account today with the Teams Standard or Teams enterprise plan. Documentation is available here to help you get started.
Want to try out Our Website for Teams? You can sign up for Teams today on our free plan and test Gateway’s DNS filtering and Access for up to 50 users at no cost.