Cloudflare just announced a new service, Cloudflare Access, which it bills as “a perimeter-less access control solution for cloud and on-premise applications”. It is modelled on Google’s BeyondCorp; however, rather than serving only Google’s employees (the initial intent behind BeyondCorp), anyone can use Cloudflare Access. It fits well into Cloudflare’s self-proclaimed mission of wanting to “democratize the tools of the Internet giants”.
Cloudflare Access “acts as a unified reverse proxy to enforce access control” by ensuring that each request is authenticated, authorized and encrypted. There is no need for a VPN because Cloudflare secures the connections using HTTPS.
Access authentication works by connecting your existing identity provider to Cloudflare (it integrates with most of the major identity providers) so that you can gate access to web applications via already existing groups and users. In addition, it is possible to limit connections solely to devices that present a unique client certificate, using TLS client authentication.
The service configures access policies for the groups and individual users that the customer organization has already created in its identity provider, allowing application resources to be protected with little extra setup.
IT teams can control and monitor applications via the dashboard and APIs through the following features:
- Easily change access policies
- Modify session durations
- Revoke existing user sessions
- Centralized logging for audit and change logs
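The per-request model described above, as an added illustration rather than Cloudflare's own code: a minimal origin-side gate that verifies a signed identity assertion from the proxy, applies a group-based policy per application, enforces session duration and revocation, requires a client certificate where the policy demands one, and records every decision in an audit log. All names, policy data and the HMAC signature (a stdlib stand-in for the proxy's real signing scheme) are constructed assumptions.

```python
import hmac, hashlib, json

# Constructed demo key standing in for the proxy's signing key. A real proxy would
# sign assertions asymmetrically; HMAC is used here only to keep the example stdlib-only.
PROXY_KEY = b"demo-signing-key"

# Hypothetical policies: application -> allowed IdP groups and whether mTLS is required
POLICIES = {
    "wiki.example.internal": {"groups": {"engineering", "it"}, "require_cert": False},
    "admin.example.internal": {"groups": {"it"}, "require_cert": True},
}
SESSION_DURATION = 8 * 3600   # seconds; the "session duration" knob
REVOKED_SESSIONS = set()      # session ids an administrator has revoked
AUDIT_LOG = []                # centralized record of every decision

def sign_assertion(claims):
    """Proxy side: serialize identity claims received from the IdP and sign them."""
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(PROXY_KEY, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + sig

def _log(app, user, allowed, reason):
    AUDIT_LOG.append({"app": app, "user": user, "allowed": allowed, "reason": reason})
    return allowed, reason

def authorize(app, assertion, client_cert_present, now):
    """Origin side: evaluate one request independently of network location.
    Returns (allowed, reason); every outcome is written to AUDIT_LOG."""
    policy = POLICIES.get(app)
    if policy is None:
        return _log(app, None, False, "unknown application")
    try:
        body_hex, sig = assertion.split(".", 1)
        body = bytes.fromhex(body_hex)
    except ValueError:
        return _log(app, None, False, "malformed assertion")
    expected = hmac.new(PROXY_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return _log(app, None, False, "bad signature")   # never trust unsigned identity
    claims = json.loads(body)
    user = claims.get("email")
    if claims.get("sid") in REVOKED_SESSIONS:
        return _log(app, user, False, "session revoked")
    if now - claims.get("iat", 0) > SESSION_DURATION:
        return _log(app, user, False, "session expired")
    if policy["require_cert"] and not client_cert_present:
        return _log(app, user, False, "client certificate required")
    if not policy["groups"] & set(claims.get("groups", [])):
        return _log(app, user, False, "no matching group")
    return _log(app, user, True, "ok")
```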
Cloudflare Access is free to try for up to one user and then costs $3 per seat per month.
A rival service is the ScaleFT Zero Trust Access Management Platform, similarly “inspired by the principles of BeyondCorp for real-time authentication and authorization of users and devices” to create a perimeterless security architecture to “better manage access to protected resources”.
BeyondCorp started as an internal initiative at Google “to enable every employee to work from untrusted networks without the use of a VPN”. Many corporate networks require remote employees either to work on the corporate network (from within the physical office) or to use a VPN. However, this tends to slow down workflow, as every page load necessitates an extra round trip to the VPN server. Furthermore, users are still susceptible to hacking attempts: once an attacker breaches the company’s firewall defence, they have relatively easy access to the company’s privileged intranet.
Google’s BeyondCorp got rid of the concept of being in or outside the network. Instead of a private intranet, everything was on the Internet, and everyone had to prove his or her own identity. Employees provide user and device based authentication and must prove they have authorization to use Google’s core infrastructure. Its zero trust model has been under development for over five years.
In 2016, Google deliberately released a paper that described how BeyondCorp worked in detail in order to help other organizations follow suit.
“We believe that BeyondCorp has substantially improved the security posture of Google without sacrificing usability, and has provided a flexible infrastructure that will allow us to apply authorisation decisions based on policy unencumbered by technological restrictions,” the team said.
“While BeyondCorp has been quite successful with Google systems and at Google scale, its principles and processes are also within the reach of other organisations to deploy and improve upon.”
Indeed, Cloudflare’s new Access service shows that this is just what is happening.