Fun with Cloudflare Zero Trust
I signed up for Cloudflare Zero Trust recently, to kick the tires :) There is a free tier (up to 50 users!) and it can be turned on instantly via self-service signup. I had used other Cloudflare products to protect and cache several websites before, and thus was excited to see if Cloudflare Zero Trust matches that experience.
Scope
I am using Cloudflare Zero Trust to create a SWG (Secure Web Gateway) and CASB (Cloud Access Security Broker) where I can enforce access, acceptable use and device posture policies.
Least privilege per-request access decisioning is one of the strongest points of the operative definition of zero trust (see NIST Special Publication 800-207 for more details). AUPs (Acceptable Use Policies) enforced technically like this are also better than manual enforcement, such as with a static document. Similarly, device posture policies are a great way to ensure that only healthy devices that you accept are able to gain access to resources.
WARP
After creating an initial Cloudflare Zero Trust environment, I installed the Cloudflare WARP client on the devices.
The Cloudflare WARP client can be used as a standalone app that optimizes the device's internet connectivity via the Cloudflare network. It can also be used to enrol user devices to the Secure Web Gateway.
There are a few ways to do this as described in Cloudflare's WARP setup documentation. I went with the One-time PIN login method.
There are two fundamental things to watch out for here. On the Gateway side, make sure you add the user to your team. The user's e-mail is particularly important to get right. On the client side, make sure you specify the right Team name. This can be found under Settings > General > Team domain.
Once done, you should be able to see something similar to this on your WARP client:
Device posture
Once the devices are enrolled, device posture checks can be added in Settings > WARP Client > Device posture:
A variety of checks are possible such as checking OS versions, if a specific application is installed or the presence of specific files. Integration with device posture providers such as Microsoft Endpoint Manager and CrowdStrike is possible too.
Gateway policies
The device posture checks that are put in place can be used in firewall and egress policies at the Gateway level. Here's an example policy scope for Twitter users that are on iOS:
In the above example, we scope by domain, but scoping by application is possible too:
When applied, the devices will see the effect on the network. Here's an example of Twitter blocked:
Access policies
Closer to the tenets of Zero Trust, application access policies can be a lot more detailed. Some of the possible settings and features:
Up next: API
The next feature that I will be exploring in Cloudflare Zero Trust is the API. The availability of a secure API should be one of the core criteria when evaluating architectural solutions. Quoting Evan Gilman & Doug Barth's Zero Trust Networks:
Zero trust networks do not require new protocols or libraries. They do, however, use existing technologies in novel ways. Automation systems are what allow a zero trust network to be built and operated
An API is an enabler of automation. The possibility of managing Cloudflare Zero Trust via Terraform, together with the comprehensive API coverage of Cloudflare services, makes it quite exciting. Watch this space!
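The Twitter-on-iOS policy from the Gateway policies section, written as Terraform since the post mentions managing Cloudflare Zero Trust that way. This is an added example, not code from the original post or from Cloudflare; it assumes the provider's cloudflare_teams_rule resource with the attributes shown and the Gateway expression selectors for domain and passed posture checks, and the account ID and posture check ID are placeholders.

```hcl
# Added example, not from the original post: the "block Twitter on iOS"
# Gateway HTTP policy, expressed for the Cloudflare Terraform provider.
# Assumptions: cloudflare_teams_rule with the attributes below, an existing
# OS-version device posture check that passes only on iOS, placeholder IDs.

variable "account_id" {
  description = "Cloudflare account ID (placeholder, supply your own)"
  type        = string
}

variable "ios_posture_check_id" {
  description = "ID of the OS-version posture check for iOS (placeholder)"
  type        = string
}

resource "cloudflare_teams_rule" "block_twitter_on_ios" {
  account_id  = var.account_id
  name        = "Block Twitter on iOS"
  description = "Scoped by domain and by a passed device posture check"
  precedence  = 100          # lower values are evaluated first
  action      = "block"
  filters     = ["http"]     # HTTP policy, so the domain selector applies

  # Domain selector: matches twitter.com and its subdomains
  traffic = "any(http.request.domains[*] in {\"twitter.com\"})"

  # Device posture selector: only devices that passed the iOS check match,
  # so the same domain stays reachable from other platforms
  device_posture = "any(device_posture.checks.passed[*] in {\"${var.ios_posture_check_id}\"})"

  rule_settings {
    block_page_enabled = true
    block_page_reason  = "Twitter is blocked on iOS devices by acceptable use policy"
  }
}
```

Review the resulting rule in the Gateway policy list after `terraform apply` and confirm the block page appears on an enrolled iOS device while other devices are unaffected.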
Great post, also just subscribed to Vito's Tech Kitchen!
I have been using their zero trust tunnel to expose my apps without static public IP too, thanks for sharing this as an addition to my home network! Looking forward to your experience on API 😄