Late add to Cloudflare writeup

Cloudflare can’t even take a break for the holidays (or give me a day off from thinking about them).

The day after I originally published my latest piece, Cloudflare announced that Access is more tightly integrating with Gateway. THIS IS A BIG DEAL, so I added this update to the blog post.…

Gateway + Access - Together is Better

At the end of the year, Cloudflare announced that they are more closely integrating Access with Gateway. This feature allows enterprises to enforce that their Zero Trust users in Access must also be accessing the service through the Gateway SWG. The two sides of Teams, Access for authentication & authorization (Zero Trust) and Gateway for web traffic protection (SWG), are now being tied together more closely, with the effect of greatly improving (hardening) enterprise security.

Zero Trust users can now be forced to be on the ‘protected enterprise network’ when accessing either internal services or external SaaS tools, and to be using a device controlled and monitored by the enterprise. This prevents enterprise users from end-running around enterprise security by using the “Zero Trust SSO” in Cloudflare Access from other, non-protected devices. If Gateway is required, the access MUST come from an endpoint the enterprise has installed Gateway on (meaning a device the enterprise controls & has visibility over). And overall in Cloudflare One, if the enterprise uses an EPP partner (like CrowdStrike or Tanium), it can add device posture rules to Zero Trust, so not only must the enterprise user be on an enterprise-controlled device (using Gateway), but that device must also be registered in the EPP and currently showing as healthy. Beyond the device ramifications, this more-secure combination also assures that all access to internal services and external SaaS is properly logged and monitored by Gateway, which also forces the use of any Magic Firewall rules. Enterprises can now have eyes over all external SaaS usage, and can enforce rules over it!

This immediately exposes a fantastic new feature. Gateway can allow or disallow access to any part of these exposed services (via URL routes) and tie it to certain Access roles. So as Zero Trust users access SaaS tools, enterprises can restrict specific sections within those tools to certain roles in Zero Trust. Example: all users can access Workday, but an enterprise can add rules so that only HR users can access the Reports & Admin routes within it. This requires setting up granular rules per SaaS tool, but ends up being very potent.
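To make the two layers described above concrete, here is a small policy evaluator written as an added illustration for this post. It is not Cloudflare's policy engine, API or rule syntax; the hostname `workday.example`, the group names, the rule names and the sample requests are all constructed. It models the device gates first (the request must have traversed Gateway and the EPP posture must be healthy), then ordered, identity-scoped HTTP rules over URL routes with a default deny, and emits a log record for every decision.

```python
from dataclasses import dataclass
from typing import List, Optional

# Added, simplified model of the controls the post describes. Constructed for
# illustration; not Cloudflare's policy language or API.


@dataclass
class Request:
    user: str
    groups: List[str]                # identity groups from the IdP, e.g. ["HR"]
    host: str
    path: str
    via_gateway: bool                # did the request traverse the Gateway client/SWG?
    posture_healthy: Optional[bool]  # EPP verdict; None = device unknown to the EPP


@dataclass
class HttpRule:
    name: str
    host: str
    path_prefixes: List[str]         # "/" covers the whole application
    action: str                      # "allow" or "block"
    groups: Optional[List[str]] = None   # None = applies to every user


@dataclass
class Decision:
    action: str
    reason: str


def path_under(path: str, prefix: str) -> bool:
    """True if path is the prefix itself or lies beneath it ("/" matches everything)."""
    if prefix == "/":
        return True
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


def rule_matches(rule: HttpRule, req: Request) -> bool:
    if rule.host != req.host:
        return False
    if rule.groups is not None and not set(rule.groups) & set(req.groups):
        return False
    return any(path_under(req.path, p) for p in rule.path_prefixes)


def evaluate(req: Request, rules: List[HttpRule],
             require_gateway: bool = True, require_posture: bool = True) -> Decision:
    # Device gates run before any identity rule: a valid SSO session alone is not enough.
    if require_gateway and not req.via_gateway:
        return Decision("block", "request did not traverse Gateway (unmanaged device)")
    if require_posture and req.posture_healthy is not True:
        return Decision("block", "device posture not healthy or device unknown to EPP")
    # Ordered HTTP rules, first match wins; anything unmatched is denied.
    for rule in rules:
        if rule_matches(rule, req):
            return Decision(rule.action, f"matched rule '{rule.name}'")
    return Decision("block", "no rule matched (default deny)")


def log_line(req: Request, decision: Decision) -> str:
    """One audit record per decision, the kind of visibility Gateway gives over SaaS use."""
    return (f"user={req.user} host={req.host} path={req.path} "
            f"via_gateway={req.via_gateway} posture={req.posture_healthy} "
            f"action={decision.action} reason=\"{decision.reason}\"")


# Constructed rule set for the Workday example: everyone may use the app,
# only HR may reach the Reports & Admin routes. Order matters (see below).
WORKDAY_RULES = [
    HttpRule("hr-admin-areas", "workday.example", ["/reports", "/admin"], "allow", groups=["HR"]),
    HttpRule("others-no-admin", "workday.example", ["/reports", "/admin"], "block"),
    HttpRule("everyone-workday", "workday.example", ["/"], "allow"),
]

if __name__ == "__main__":
    samples = [  # constructed requests
        Request("alice", ["HR"], "workday.example", "/reports/headcount", True, True),
        Request("bob", ["Engineering"], "workday.example", "/reports/headcount", True, True),
        Request("bob", ["Engineering"], "workday.example", "/timeoff", True, True),
        Request("carol", ["HR"], "workday.example", "/admin", False, None),
        Request("dave", ["HR"], "workday.example", "/admin", True, False),
    ]
    for r in samples:
        print(log_line(r, evaluate(r, WORKDAY_RULES)))
```

The ordering of the three rules is the part that bites in practice: if the catch-all `everyone-workday` rule were listed first, a non-HR user would be allowed into `/reports` before the narrower block rule was ever consulted. The device gates sit outside the rule list on purpose, so no route rule can be written that bypasses the Gateway or posture requirement.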

These are all great steps towards a stronger enterprise network, and they are made possible by having Zero Trust protect not just internal services but all external SaaS services as well. Combining Access more directly with Gateway strengthens the capabilities of both. By now allowing granular security & monitoring over an enterprise’s use of all external SaaS tools, Cloudflare One is making heavy moves towards being a Cloud Access Security Broker (CASB).

Updated article:

long NET



Thanks for the extensive NET writeup. What a great resource that I will need to read a couple of times. I am wondering what impact NET will have on Zscaler. Do companies using NET no longer need another zero trust duplication?

Thanks in advance,
Long ZS and Net