File: src/content/docs/reference-architecture/design-guides/designing-ztna-access-policies.mdx (5 additions & 5 deletions)
@@ -31,13 +31,12 @@ By the end of this guide, you will be equipped to implement granular access poli
## Prerequisites
-
This section covers the essential architectural components and concepts to understand before you can design granular access policies.
+
This section covers the essential architectural components and concepts to understand before you can design granular access policies.
-
:::note[Header]
+
:::note[Note]
We recommend reading the [SASE reference architecture](/reference-architecture/architectures/sase/) to get a deeper understanding of connecting applications, identity providers, and device posture providers.
:::
-
Cloudflare allows organizations to facilitate application access using our [connectivity cloud](https://www.cloudflare.com/connectivity-cloud/), which securely connects users, applications and data regardless of their location. Core to the platform is Cloudflare's [extensive global network](https://www.cloudflare.com/network/) which delivers low-latency connectivity for users worldwide. By running every service in every data center, Cloudflare applies networking, performance and security functions in a single pass, eliminating the need to route traffic through multiple, specialized security servers, and therefore reduces latency and avoids performance bottlenecks.
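Review bot: the `-`/`+` pair for "This section covers the essential architectural components and concepts..." is textually identical in the rendered diff, so this line presumably changes only whitespace; confirm in the source diff that nothing else moved, and consider a trailing-whitespace lint so this kind of churn does not recur. On the aside title change `:::note[Header]` to `:::note[Note]`: if the site uses Starlight asides, a bare `:::note` already renders with the default title "Note", so the bracketed label can be dropped entirely, or replaced with a title that says what the note is about (for example, pointing readers to the SASE reference architecture).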
@@ -300,7 +299,7 @@ Now we define the first policy in the application. First, select the Access Grou
|**Additional settings**||
| Isolate Application | No |
-
This policy ensures that users can gain full access to your company wiki only if they have passed the following requirements:
+
This policy ensures that users can gain full access to your company wiki only if they have passed the following requirements:
- They are full-time employees on devices with the latest operating system.
- Users have authenticated using MFA.
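Review bot: the `-`/`+` lines for "This policy ensures that users can gain full access to your company wiki..." are identical here, so this hunk is a whitespace-only change; confirm that in the source view. While this sentence is being touched, "only if they have passed the following requirements" would be clearer as "only if they meet all of the following requirements", making explicit that the bullets that follow ("full-time employees on devices with the latest operating system", "authenticated using MFA") are combined with AND rather than being alternatives.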
@@ -436,7 +435,7 @@ Other posture elements here include:
- Requiring the latest OS.
- The user's device is joined to a Microsoft Active Directory domain.
-
- The user's device is explicitly a company-managed device (shown by referencing a list of managed device serial numbers).
+
- The user's device is explicitly a company-managed device (shown by referencing a list of managed device serial numbers).
These combined posture checks ensure that only up-to-date, company-controlled devices within your managed environment can access the database, further reducing the attack surface and the risk of access from potentially compromised or uncontrolled endpoints.
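Review bot: another identical `-`/`+` pair ("The user's device is explicitly a company-managed device..."), so whitespace only. Style point on the surrounding list: the bullets are not parallel ("Requiring the latest OS." versus "The user's device is joined to a Microsoft Active Directory domain."); rewriting all of them in the same form, for example "- The device runs the latest OS.", would read better. In the touched bullet, "shown by referencing a list of managed device serial numbers" would be more precise as "checked against a list of managed device serial numbers", since the serial-number list is the input to the posture check rather than something displayed.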
@@ -474,6 +473,7 @@ Inside the policy, we have made this application available to our new access gro
[External evaluation](/cloudflare-one/policies/access/external-evaluation/) means we have an API endpoint containing some sort of [access logic](https://github.com/cloudflare/workers-access-external-auth-example) — in this case, time of day access. We are making an API call to this endpoint, and defining the key that Cloudflare is using to verify that the response came from the API. This is useful for several reasons:
External evaluation allows users to create bespoke security posture checks based on criteria that may not be covered by the default set of posture checks. For this example, we will be using a service built on [Cloudflare Workers](https://workers.cloudflare.com/).
+
- Restricting access to the terminal outside of business hours implements a form of time-based access control. This adds an extra layer of security by limiting the window of opportunity for potential attackers.
Now, you will learn how to secure RDP access as a private IP application:
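Review bot: the added blank line correctly separates the "External evaluation allows users to create bespoke security posture checks..." paragraph from the bullet below it, but the ordering of this block is still off: the first paragraph ends with "This is useful for several reasons:", yet it is followed by a further paragraph and then a single bullet. Move the "This is useful for several reasons:" sentence so that it immediately precedes the list, and since only one reason ("Restricting access to the terminal outside of business hours...") is given, either list the other reasons or drop "several". Minor: that bullet refers to "the terminal" while the text around it does not name the application; if it was introduced earlier in the guide, fine, otherwise name it here.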