Mobile and cloud computing have challenged the concept of perimeter security. There is no longer an easily definable perimeter to defend. VPNs are a traditional, but not ideal solution. Neither approach addresses the attacker who gets through the perimeter or into the VPN. Google long ago recognized the problems and introduced BeyondCorp as an alternative to perimeters and VPNs for its own worldwide employees.
BeyondCorp replaces the need for VPNs. Instead it focuses on authenticating the device (which it provides and identifies with a device certificate) and its user, and then imposes tiered authentication around its applications. In effect, it removes the distinction between a trusted network and an untrusted network, and focuses on authenticated access from any location.
It is a good security model, but one that is beyond the reach of companies that don’t have Google’s resources. Now Cloudflare has announced a new service for its customers that it calls Cloudflare Access and describes as ‘democratizing’ the BeyondCorp model. It allows employees to operate outside of the corporate network without requiring them to use a VPN, “which,” writes Cloudflare engineer Venkat Viswanathan in an associated blog post Wednesday, “slows down work because every page load makes extra round trips to the VPN server. After all this hassle, users on the VPN are still highly susceptible to phishing, man-in-the-middle and SQL injection attacks.”
“VPNs are slow, and clunky, and frankly, don’t make sense for an increasingly mobile workforce accessing increasingly cloudified apps,” said Matthew Prince, co-founder and CEO of Cloudflare. “Cloudflare Access gives centralized application access control for legacy or cloud apps without slowing down connections, regardless of where someone is working around the world.”
Unlike BeyondCorp, however, Cloudflare cannot provide corporate devices for the users. Customers remain responsible for the security of the remote devices. “We don’t insist on clients providing company devices to employees,” Prince told SecurityWeek, “but we recommend that they tick some sort of identity provider. That could be Google, Microsoft Active Directory, Okta or something they’ve built themselves. How much they use that service and lock down the individual devices is up to them, but we would recommend that they use multi-factor authentication on those devices.”
Cloudflare’s role in this model is to protect the customer’s individual applications within separate authentication wrappers. “While perimeter defense is based on the idea of a moat around the castle,” said Prince, “this new model puts each application (the castle’s individual crown jewels) into separate safes. We don’t care whether the customer uses a combination lock safe, or a physical key safe or an electronic keypad safe. We’ll support any of the different mechanisms for unlocking the safe — but what we provide is the safe itself. We provide the thing that wraps around wherever the crown jewels are located and protects them. It is the customers that decide how they want to verify if the device and user are legitimate and authorized to open the door that we provide.”
Cloudflare’s Access product does not defend the user’s device, but it does defend the company’s applications. “Even if an attacker manages to get into a device, every access to the company network is logged by Cloudflare. The customer can monitor for anomalies. So, the model of wrapping authentication around each application not only adds friction to any attack, it also provides a central repository where the security team can look for anomalies, track bad behavior and quickly respond accordingly. The customer’s administrator for the Cloudflare service would have a single view of every employee’s device — when it logged into and used each of the different services — on a service by service basis. If anything anomalous happens, the administrator can withdraw the user’s Access instantly.”
The logs are accessible through a Cloudflare API, so anomaly detection can be automated using anomaly detection tools in-house. “Over time,” said Prince, “as Access matures, there will be additional tools that we provide to allow customers to look for things that might be anomalous. For example, if a device has only logged into three services in its entire history, and then suddenly logs into five new services, we would surface that in the logs and show it to the admins. This is not currently available,” he added. “You could build it through our APIs, but it’s something we are likely to make available in future versions of our product.”
Cloudflare’s new Access product is a replacement for corporate VPNs using much of Google’s BeyondCorp model.
“When a user accesses an individual application,” explained Prince, “it would be like passing through a VPN on a per application basis. Users would hit a Cloudflare data center which prompts for proof of identity and authorization to access a particular application. If that authorization proves ‘true’, then the user gets a fast lane back to the actual application, which could be running anywhere on the internet, whether in-house or a third-party such as Salesforce. The user gets a much faster experience through not having to back haul everything through some centralized VPN server.” Like a VPN, all traffic is protected by encryption.
“If you think of the problems that VPNs are trying to solve, they’re simply trying to let the good guys in and keep the bad guys out. Access solves that exact same problem, but does it in a way that is more robust. It supports cloud environments, it supports remote workers without slowing down their connection, and it actually provides a better security model where you have individuals being logged as they pass through authentication checkpoints to use each different application.”
Cloudflare Access is being sold on a per seat basis: $3 per person, per month. There is no limit to the number of applications that can be accessed by each user via the service. Volume discounts are available for large deployments.
San Francisco, CA-based Cloudflare was founded in 2009. It has raised a total funding amount of $182,050,000 — the most recent being $110 million Series D funding led by Fidelity Investments in September 2015. It routes traffic through its own global network, blocking DoS attacks, reducing spam and improving performance.