Check out all the on-demand sessions from the Intelligent Security Summit here.

Cloudflare’s new data loss prevention offering adds zero trust controls to an organization’s data, regardless of where that information is stored.

Preventing data loss was hard enough when all of a company’s data was only stored on the corporate network, protected by a firewall. The challenge is even greater when so much of the application now lives outside the corporate network — whether that is in cloud infrastructure, software-as-a-service applications, or on devices used by employees working remotely. Defining rules for each application and configuring individual devices can be a time-consuming process that’s prone to error. The new Cloudflare Data Loss Prevention (DLP) looks at all the traffic passing through the network and applies security controls to protect sensitive information.

Organizations are already using Cloudflare’s infrastructure and global network to accelerate user traffic to the internet, as well as to inspect traffic regardless of how it enters the network and filter out malicious activity. Cloudflare has been gradually taking over the corporate network: web traffic filtering with Cloudflare Gateway, zero trust access to cloud and local applications with Cloudflare Access, protection from distributed denial-of-service attacks with Magic Transit, and centralized controls over what is allowed in and out of the network with Magic Firewall. The new Magic WAN lets organizations connect branch offices, datacenters, virtual private clouds, and individual remote employees to Cloudflare’s network to create virtual networks.

Almost all of the traditional data loss prevention products on the market ultimately force traffic to go through a central location, which impacts network performance, according to Cloudflare cofounder and CEO Matthew Prince. Cloudflare DLP takes advantage of the fact that an organization is already using Cloudflare’s infrastructure and applies network-wide data security policies to ensure sensitive information does not leave the network.


Intelligent Security Summit On-Demand

Learn the critical role of AI & ML in cybersecurity and industry specific case studies. Watch on-demand sessions today.

Watch Here

“[Everyone] knows they need a DLP solution, but the only options are expensive, hard to manage, and haven’t seen innovation in years,” Prince said. “We’re doing something new by rethinking data loss prevention as an extension of our network, instead of adding yet another point solution for CISOs to manage.”

DLP needs to do more than just look for specific types of data. The shift to remote work and software-as-a-service has meant administrators no longer have visibility into what kind of data they have and who is using it, making it harder to protect the data and prevent a data breach. The new tool takes advantage of the fact that all the traffic is passing through Cloudflare’s network and every DNS query, request, and file uploads/downloads are now logged. Cloudflare DLP builds on this increased visibility to identify specific types of personally identifiable information (such as credit card numbers and Social Security numbers) using prebuilt patterns, but that isn’t all it does. The new tool also gives administrators the ability to apply granular controls to applications to restrict access.

Expanding Cloudflare One

Cloudflare DLP is part of Cloudflare One, the secure access secure edge (SASE) solution the company introduced last October. With Cloudflare One, enterprises can implement network security controls over the entire network instead of defining different sets of controls for traffic passing through the corporate firewall, cloud servers, software-as-a-service products, and remote employees connecting to corporate assets via virtual private networks. The growing popularity of SASE is a direct result of enterprises increasingly adopting cloud computing infrastructure and software-as-a-service applications, as well as the recent shift to a remote workforce.

Cloudflare’s goal is to “help protect the application on the Internet, protect the infrastructure, and ensure that employees have access to the data they need to have to do their jobs,” Prince said.

When so much of an organization’s data lives on infrastructure it doesn’t control, such as SaaS applications, administrators are often restricted when it comes to controlling who can access the data or how it is used. In many cases, the default setting is that anyone on the team with access to the application has access to all the data stored in that application. Some applications allow administrators to define roles and role-based access controls (RBAC), but these are specific to the application. Configuring rules for every application can be tedious and doesn’t address the fact that some applications don’t allow any rules to be created.

“How do we extend the network when the threats come from all directions?” Prince asked.

Adding security controls

The first step was to give administrators visibility. The second was to give administrators the ability to build “need-to-know” rules for both internally-managed applications and SaaS applications in a single place. The rules can block users from accessing certain types of information, or allow users to view a record but prevent them from downloading the information. There are ways to add security controls to the application, such as requiring a hard key as a second factor authentication method. This way, enterprises aren’t restricted to using only the controls provided by the application.

For example, the administrator can apply rules to the organization’s customer relationship management (CRM) system to restrict who has access to which kind of information. Legal and finance can look at revenue information stored in the CRM, but marketing teams may not need that same level of access. This kind of control can prevent disgruntled employees from deleting information from SaaS applications, as happened two years ago when an IT contractor for a California-based company deleted over 80% of employee Microsoft Office 365 accounts after his contract was terminated.

Another step is to protect applications that may leak data through APIs. Administrators can now scan and block responses that contain data that was never intended to be sent out. When the application responds to an API query, Cloudflare will check to see if the response contains protected data such as credit card and Social Security numbers. There have been cases when certain types of data was being returned in response to an API call that was not part of the intended behavior. Another source of data leakage could be if the API wasn’t restricted to authenticated users. Cloudflare can now act as a “digital bouncer” and protect what data is being returned, Prince said, which is especially important for legacy APIs that can’t be changed to restrict what is returned in those results.

Cloudflare’s “corporate network of the future” reflects the reality of the hybrid model, where applications can be inside or outside the corporate network and employees can be working in the office or remotely, Prince. Regardless of where the data resides, where the workers are, or who is hosting the application, enterprises need to reconsider how they manage and protect the network.

VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.