Cloudflare DLP brings zero trust to corporate network data

Cloudflare’s new data loss prevention offering adds zero trust controls to the organization’s data, regardless of where that information is stored.

Preventing data loss was hard enough when all the data was stored only on the corporate network, protected by the firewall. The challenge is even harder when so much of the application now lives outside the corporate network–whether that is cloud infrastructure, software-as-a-service applications, or on devices used by employees working remotely. Defining rules for each application and configuring individual devices can be time-consuming and prone to error. The new Cloudflare Data Loss Prevention (DLP) looks at all the traffic passing through the network and applies security controls to protect sensitive information.

Organizations are already using Cloudflare’s infrastructure and global network to accelerate user traffic to the Internet as well as to inspect traffic traffic regardless of how it enters the network to filter out malicious activity. Cloudflare has been gradually taking over the corporate network: web traffic filtering with Cloudflare Gateway, zero-trust access to cloud and local applications with Cloudflare Access, protection from distributed denial-of-service attacks with Magic Transit, and centralized controls over what is allowed in and out of the network with Magic Firewall. The new Magic WAN lets organizations connect branch offices, data centers, virtual private clouds, and individual remote employees to Cloudflare’s network to create virtual networks.

Almost all of the traditional data loss prevention products on the market ultimately forced traffic to go through a central location, which impacts network performance, according to Matthew Prince, Cloudflare’s co-founder and CEO. Cloudflare DLP takes advantage of the fact that the organization is already using Cloudflare’s infrastructure and applies network-wide data security policies to ensure sensitive information does not leave the network.

“[Everyone] knows they need a DLP solution, but the only options are expensive, hard to manage, and haven’t seen innovation in years,” Prince said. “We’re doing something new by rethinking data loss prevention as an extension of our network, instead of adding yet another point solution for CISOs to manage.”

Cloudflare DLP is part of Cloudflare One, the secure access secure edge (SASE) solution the company introduced last October. With Cloudflare One, enterprises can implement network security controls over the entire network, instead of defining different sets of controls for traffic passing through the corporate firewall, cloud servers, software-as-a-service products, and remote employees connecting to corporate assets via virtual private networks. The growing popularity of SASE is a direct result of enterprises increasingly adopting cloud computing infrastructure and software-as-a-service applications, as well as the recent shift to a remote workforce.

DLP needs to be more than just looking for specific types of data. While Cloudflare DLP does utilize prebuilt patterns to identify specific types of personally identifiable information (such as credit card numbers and Social Security numbers), the new tool also gives administrators visibility into how data moves through the network and the ability to apply granular controls to applications to restrict access.

The shift to remote work and software-as-a-service meant administrators no longer had visibility into what kind of data it had and who was using it. The lack of visibility made it difficult to put in the necessary controls to prevent a data breach. With all the traffic passing through Cloudflare’s network, every DNS query, request, and file uploads/downloads are now logged, giving administrators the ability to uncover potential breaches or data exposures.

When so much of the organization’s data lives on infrastructure they don’t control, such as SaaS applications, administrators are often restricted in how they can control who can access the data or how it is used. In many cases, the default setting is that anyone on the team with access to the application has access to all the data stored in that application. Some applications allow administrators to define roles and role-based access controls (RBAC), but they are specific to the application. Configuring rules for every application can be tedious, and that doesn’t address the fact that there are some applications that don’t allow any rules to be created.

Cloudflare now gives administrators the ability to build “need-to-know” rules for both internally-managed applications and SaaS applications in a single place.

Cloudflare taking over the corporate network reflects the reality of the hybrid model, where applications can be inside or outside the corporate network, and workers can be working in the office or remotely. Regardless of where the data resides, where the workers are, or who is hosting the application, enterprises need to reconsider how they manage and protect the network.