How Cloudflare uses Cloudflare Access to secure our global team

Back in 2015, Cloudflare's approach to authentication looked similar to many other companies: all of Cloudflare’s internally-hosted applications were reached via a hardware-based VPN.

When one of our on-call engineers received a notification (usually on their phone), they would fire up a clunky client on their laptop, connect to the VPN, and log on to Grafana. It felt a bit like solving a combination lock with a fire alarm blaring overhead.

A small team of Cloudflare engineers started wondering: why was a cloud network security company relying on clunky on-premise hardware? They thought we could do better. And thus, Cloudflare Access was born.

A Culture of Dogfooding

Many of the products Cloudflare builds are a direct result of the challenges our own team is looking to address, and Access is a perfect example. Development on Access originally began in 2015, when the project was known internally as EdgeAuth.

Initially, just one application was put behind Access. Engineers who received a notification on their phones could tap a link and, after authenticating via their browser, they would immediately have access to the key details of the alert in Grafana. This was a much better experience than going through the old VPN.

Access solved a variety of issues for our security team as well. Using our identity provider of choice, we were able to restrict access to internal applications at L7 using Access policies. This once onerous process of managing access control at the network layer with a VPN was replaced with a few clicks in the Cloudflare dashboard.

After Grafana, our internal Atlassian suite including Jira and Wiki, and hundreds of other internal applications, the Access team began working to support non-HTTP based services. Support for git allowed Cloudflare’s developers to securely commit code from anywhere in the world in a fully audited fashion. This made Cloudflare’s security team very happy. Here’s a slightly modified example of a real authentication event that was generated while pushing code to our internal git repository.

It didn’t take long for more and more of Cloudflare’s internal applications to make their way behind Access. As soon as people started working with the new authentication flow, they wanted it everywhere. Eventually our security team mandated that we move our apps behind Access, but for a long time it was totally organic: teams were eager to use it.

Incidentally, this highlights a perk of utilizing Access: you can start by protecting and streamlining the authentication flows for your most popular internal tools — but there’s no need for a wholesale rip-and-replace. For organizations that are experiencing limits on their hardware-based VPNs, it can be an immediate salve that is up and running after just one setup call with a Cloudflare onboarding expert (you can schedule a time here).

That said, there are some upsides to securing everything with Access.

Supporting a Global Team

VPNs are notorious for bogging down Internet connections, and the one we were using was no exception. When connecting to internal applications, having all of our employees’ Internet connections pass through a standalone VPN was a serious performance bottleneck and single point of failure.

Cloudflare Access is a much saner approach. Authentication occurs at our network edge, which extends to 200 cities in over 90 countries globally. Rather than having all of our employees route their network traffic through a single network appliance, employees connecting to internal apps are connecting to a data center just down the road instead.

As we support a globally-distributed workforce, our security team is committed to protecting our internal applications with the most secure and usable authentication mechanisms.

With Cloudflare Access we’re able to rely on the strong two-factor authentication mechanisms of our identity provider, which was much more difficult to do with our legacy VPN.

On-Boarding and Off-Boarding with Confidence

One of the trickiest things for any company is ensuring everyone has access to the tools and data they need — but no more than that. That’s a challenge that becomes all the more difficult as a team scales. As employees and contractors leave, it is similarly essential to ensure that their permissions are swiftly revoked.

Managing these access controls is a real challenge for IT organizations around the world — and it’s greatly exacerbated when each employee has multiple accounts strewn across different tools in different environments. Before using Access, our team had to put in a lot of time to make sure every box was checked.

Now that Cloudflare’s internal applications are secured with Access, on- and offboarding is much smoother. Each new employee and contractor is quickly granted rights to the applications they need, and they can reach them via a launchpad that makes them readily accessible. When someone leaves the team, one configuration change gets applied to every application, so there isn’t any guesswork.

Access is also a big win for network visibility. With a VPN, you get minimal insight into the activity of users on the network – you know their username and IP address. but that’s about it. If someone manages to get in, it’s difficult to retrace their steps.

Cloudflare Access is based on a Zero Trust model, which means that every packet is authenticated. It allows us to assign granular permissions via Access Groups to employees and contractors. And it gives our security team the ability to detect unusual activity across any of our applications, with extensive logging to support analysis. Together, more granular control and enhanced visibility enable us to manage our attack surfaces more comprehensively, which is especially critical with so many users working from home today. Put simply: Access makes us more confident in the security of our internal applications.

Reaping the Benefits in Everyday Work

Today, only a few niche tools remain behind our VPN, and this migration to Access has helped our employees be more productive in quantifiable ways.

For example, our IT teams were previously fielding VPN-related support requests constantly, which inconvenienced them from more important tasks. These days, we have seen ~80% reduced time spent servicing VPN-related tickets and ~70% reduction in ticket volume. We estimate that these time savings have unlocked over $100K worth of productivity.

Moreover, employees no longer set up VPN during their onboarding. This saves upwards of 300 hours annually across all new hires and the IT staffers that have to train them.

Other benefits are less quantifiable, but no less important, such as happier employees and more confident security teams. In fact, one thing that excites us about Access is that the benefits it delivers will continue to evolve as our company grows.

"Cloudflare Access was born out of a simple desire: to escape the unnecessary pains of our VPN. Over time, Access has become a pillar of our remote work strategy and journey towards Zero Trust security, and we are so proud to share those benefits with our customers,” said Juan Rodriguez, Chief Information Officer.

“One quality I especially admire about Access is the incredibly fast and frictionless login experience that our edge network delivers. Working from home as an individual is stressful enough without having to remember old passwords or fixing broken VPN connections,” he continued. “As a CIO, I'm proud that I don't have to worry about our colleagues getting frustrated with reaching the basic tools they need to stay productive. With Access, Cloudflare does not have to make any trade-offs between improving security and creating an amazing user experience."

But It’s Not Just for Us

With the massive transition to a remote work model for many organizations, Cloudflare Access can make you more confident in the security of your internal applications — while also driving increased productivity in your remote employees. Whether you rely on Jira, Confluence, SAP or custom-built applications, it can secure those applications and it can be live in minutes.