src/content/docs/reference-architecture/design-guides/zero-trust-for-saas.mdx
7 additions & 7 deletions
@@ -84,10 +84,10 @@ Organizations that already use IP allow lists to secure access to SaaS applicati
84
84
85
85
Organizations add the new dedicated egress IPs to the existing SaaS IP allow lists for the Cloudflare sourced traffic to be allowed into the SaaS application. This way, organizations can maintain legacy connectivity methods in parallel with Cloudflare and migrate users gradually. Once all users are migrated to access via Cloudflare, the SaaS IP allow lists can be updated by removing the IPs corresponding to legacy infrastructure.
86
86
87
-
There are several advantages to using Cloudflare’s dedicated egress IPs when compared with using IPs from on-prem infrastructure:
87
+
There are several advantages to using Cloudflare's dedicated egress IPs when compared with using IPs from on-prem infrastructure:
88
88
-[Dedicated egress IPs can be geolocated](/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips/#ip-geolocation) to one or more Cloudflare data centers in a geography of your choosing, instead of being restricted to the geographic locations of your existing Internet breakout data centers.
89
89
- Users will always connect to Cloudflare [via the closest Cloudflare Data Center and Cloudflare will optimize the path towards the SaaS application](/cloudflare-one/policies/gateway/egress-policies/dedicated-egress-ips/#egress-location).
90
-
- Dedicated egress IPs are assigned to user traffic using policies that follow zero trust principles. [Egress policies](/cloudflare-one/policies/gateway/egress-policies/) can be defined that will only assign a dedicated egress IP to a user if they belong to the correct IdP group and/or pass [device posture](/cloudflare-one/identity/devices/) checks. Otherwise, traffic will be sourced from Cloudflare’s public IP range, which may not be part of the SaaS IP allowlist, preventing access to the SaaS application while still allowing Internet usage.
90
+
- Dedicated egress IPs are assigned to user traffic using policies that follow zero trust principles. [Egress policies](/cloudflare-one/policies/gateway/egress-policies/) can be defined that will only assign a dedicated egress IP to a user if they belong to the correct IdP group and/or pass [device posture](/cloudflare-one/identity/devices/) checks. Otherwise, traffic will be sourced from Cloudflare's public IP range, which may not be part of the SaaS IP allowlist, preventing access to the SaaS application while still allowing Internet usage.
91
91
- Dedicated egress IPs imply that traffic needs to flow through Cloudflare before reaching the SaaS application. This makes it easy to add secure web gateway policies to protect data in the SaaS applications once users have authenticated.
92
92
93
93

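Review bot: the context bullet at line 88 still reads `-[Dedicated egress IPs can be geolocated](...)` with no space between the hyphen and the link, unlike `- Users will always connect to Cloudflare` on the next line; CommonMark requires a space after the list marker, so this item is likely to render as plain text rather than as a bullet. Since this commit already touches punctuation in this paragraph (line 87), fix it in the same pass as `- [Dedicated egress IPs can be geolocated](...)` with the link target unchanged.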
@@ -105,9 +105,9 @@ Most organizations initially use Cloudflare's [ZTNA service](/cloudflare-one/pol
105
105
106
106
IT teams will also benefit from a consistent and automated process for onboarding and offboarding users from applications. Since all access policies leverage authentication from existing IdPs, changes in a user's status will automatically affect the outcome of access requests for both self hosted applications as well as SaaS.
107
107
108
-
Consider a scenario where a user moves to a different group or team within an organization. As soon as the user group information is updated on the IdP, Cloudflare’s ZTNA policies will dynamically enforce these changes, ensuring that the user’s access to the SaaS applications is immediately adjusted based on their new role. This also helps in SaaS applications’ license optimization, for instance, if an employee is transferred from the sales team, which uses Salesforce, to a team that doesn’t require access to Salesforce, the ZTNA policies will revoke their access to the application. This automated process helps in reclaiming the license that was previously assigned to the user, ensuring that only those who actually need the application have access to it.
108
+
Consider a scenario where a user moves to a different group or team within an organization. As soon as the user group information is updated on the IdP, Cloudflare's ZTNA policies will dynamically enforce these changes, ensuring that the user's access to the SaaS applications is immediately adjusted based on their new role. This also helps in SaaS applications' license optimization, for instance, if an employee is transferred from the sales team, which uses Salesforce, to a team that doesn't require access to Salesforce, the ZTNA policies will revoke their access to the application. This automated process helps in reclaiming the license that was previously assigned to the user, ensuring that only those who actually need the application have access to it.
109
109
110
-
Finally, SaaS applications are accessible over the Internet, allowing any device to access them if a user authenticates successfully. However, with Cloudflare’s ZTNA service, IT teams can ensure that only managed devices access a SaaS application by enforcing device posture checks, in addition to identity checks. A common use case [is verifying the presence of an IT-deployed device certificate](/cloudflare-one/identity/devices/warp-client-checks/client-certificate/#client-certificate) before granting application access.
110
+
Finally, SaaS applications are accessible over the Internet, allowing any device to access them if a user authenticates successfully. However, with Cloudflare's ZTNA service, IT teams can ensure that only managed devices access a SaaS application by enforcing device posture checks, in addition to identity checks. A common use case [is verifying the presence of an IT-deployed device certificate](/cloudflare-one/identity/devices/warp-client-checks/client-certificate/#client-certificate) before granting application access.
111
111
112
112
#### Deployment guidelines
113
113
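Review bot: the rewritten line 108 keeps a comma splice, "This also helps in SaaS applications' license optimization, for instance, if an employee is transferred from the sales team, ..."; split it at "for instance" into two sentences, e.g. "This also helps with SaaS license optimization. For instance, if an employee is transferred from the sales team, which uses Salesforce, to a team that doesn't require access to Salesforce, ...". Minor: "self hosted applications" at line 106 (unchanged context) should be hyphenated as "self-hosted applications" since it is used as a compound adjective.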
@@ -135,7 +135,7 @@ Read more about securing data in transit in our [reference architecture center](
135
135
136
136
#### Data at rest
137
137
138
-
Cloudflare’s [Cloud Access Security Broker (CASB)](/cloudflare-one/applications/scan-apps/) integrates with [popular SaaS applications](/cloudflare-one/applications/scan-apps/casb-integrations/) via APIs. Once integrated, Cloudflare continuously scans these applications for security risks. This enables IT teams to detect incidents of authorized users oversharing data, such as sharing a file publicly on the Internet. For Google Workspace, Microsoft 365, Box, and Dropbox, the API CASB can also utilize DLP profiles to detect the sharing of sensitive data. Read more about securing data at rest in our [reference architecture center](/reference-architecture/diagrams/security/securing-data-at-rest/).
138
+
Cloudflare's [Cloud Access Security Broker (CASB)](/cloudflare-one/applications/scan-apps/) integrates with [popular SaaS applications](/cloudflare-one/applications/scan-apps/casb-integrations/) via APIs. Once integrated, Cloudflare continuously scans these applications for security risks. This enables IT teams to detect incidents of authorized users oversharing data, such as sharing a file publicly on the Internet. For Google Workspace, Microsoft 365, Box, and Dropbox, the API CASB can also utilize DLP profiles to detect the sharing of sensitive data. Read more about securing data at rest in our [reference architecture center](/reference-architecture/diagrams/security/securing-data-at-rest/).
139
139
140
140
In addition to the previous measures, IT teams should also consider introducing [User Entity and Behavior Analytics (UEBA)](https://www.cloudflare.com/en-gb/learning/security/what-is-ueba/) controls. Cloudflare can assign a [risk score](/cloudflare-one/insights/risk-score/) to users when detecting activities and behaviors that could introduce risks to the organization. These risk behaviors include scenarios where users trigger an unusually high number of DLP policy matches. By implementing these measures, organizations can significantly reduce the risk of data leaks from managed SaaS applications, even by authorized users.
141
141
@@ -169,7 +169,7 @@ While SaaS email solutions offer native security capabilities, their popularity
169
169
170
170
Integrating Cloudflare into the existing email infrastructure is both flexible and straightforward, with deployment options available in [/email-security/deployment/inline/](/email-security/deployment/inline/) and [/email-security/deployment/api/](/email-security/deployment/api/) modes.
171
171
172
-
In an inline deployment, Cloudflare’s Email Security will evaluate email messages before they reach a user’s inboxes (by pointing the email domain MX record to Cloudflare). This allows Cloudflare to [quarantine messages](/email-security/email-configuration/admin-quarantine/) so they never reach the user’s inbox or [tag messages via email headers](/email-security/reference/dispositions-and-attributes/#header-structure) to inform the email provider how emails should be handled (for example, [by redirecting bulk emails directly to the spam folder](/email-security/deployment/inline/setup/office-365-area1-mx/use-cases/one-junk-admin-quarantine/)). Cloudflare can also [modify the subject and body of email messages](/email-security/email-configuration/email-policies/text-addons/) to inform a user to be more cautious about a suspicious email and [rewrite links within emails and even isolate those links behind a remote browser](/email-security/email-configuration/email-policies/link-actions/).
172
+
In an inline deployment, Cloudflare's Email Security will evaluate email messages before they reach a user's inboxes (by pointing the email domain MX record to Cloudflare). This allows Cloudflare to [quarantine messages](/email-security/email-configuration/admin-quarantine/) so they never reach the user's inbox or [tag messages via email headers](/email-security/reference/dispositions-and-attributes/#header-structure) to inform the email provider how emails should be handled (for example, [by redirecting bulk emails directly to the spam folder](/email-security/deployment/inline/setup/office-365-area1-mx/use-cases/one-junk-admin-quarantine/)). Cloudflare can also [modify the subject and body of email messages](/email-security/email-configuration/email-policies/text-addons/) to inform a user to be more cautious about a suspicious email and [rewrite links within emails and even isolate those links behind a remote browser](/email-security/email-configuration/email-policies/link-actions/).
173
173
174
174
In an API deployment, Cloudflare's Email Security will see the email messages only after they have reached the users' inboxes by setting up Journaling/BCC rules in the email provider or via API scan. Then, through integrations with the email provider, Cloudflare can [retract phishing emails](/email-security/email-configuration/retract-settings/) from user's inboxes. Unlike the Inline mode, this deployment method does not support quarantining emails or modifying the email messages, however, it is an easy way to add protection in complex email infrastructures with no changes to the existing mail flow operations.
175
175
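Review bot: line 170 (unchanged context) uses the URL paths as link text, "deployment options available in [/email-security/deployment/inline/](/email-security/deployment/inline/) and [/email-security/deployment/api/](/email-security/deployment/api/) modes", which renders as raw paths inside the sentence; use descriptive link text such as "[inline](/email-security/deployment/inline/) and [API](/email-security/deployment/api/) modes". Also, line 172 as rewritten says "before they reach a user's inboxes", mixing singular and plural ("a user's inbox" or "users' inboxes"), and line 174 has "retract phishing emails ... from user's inboxes", which should be "from users' inboxes".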
@@ -185,7 +185,7 @@ Cloudflare also helps ensure the availability of cloud email services. It auto-s
185
185
186
186
Organizations using Microsoft 365 can enhance protection against sensitive information leaks via email by integrating a Cloudflare add-in into their environment. This integration enables IT administrators to establish [outbound Data Loss Prevention (DLP) policies](/cloudflare-one/email-security/outbound-dlp/) that leverage the same DLP profiles used with the Secure Web Gateway (SWG) and API Cloud Access Security Broker (CASB).
187
187
188
-
Moreover, organizations that utilize [Microsoft Purview Sensitivity Labels](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/integration-profiles/) for classifying and safeguarding sensitive documents can incorporate these labels into Cloudflare’s DLP profiles. This capability allows the creation of targeted policies, such as blocking emails containing Microsoft Office documents marked as 'Highly Confidential' in Microsoft Outlook from being sent to external recipients. These DLP profiles can also be applied across SWG and API CASB.
188
+
Moreover, organizations that utilize [Microsoft Purview Sensitivity Labels](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/integration-profiles/) for classifying and safeguarding sensitive documents can incorporate these labels into Cloudflare's DLP profiles. This capability allows the creation of targeted policies, such as blocking emails containing Microsoft Office documents marked as 'Highly Confidential' in Microsoft Outlook from being sent to external recipients. These DLP profiles can also be applied across SWG and API CASB.
189
189
190
190
## Regain control over unmanaged SaaS applications
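Review bot: at line 188, "blocking emails containing Microsoft Office documents marked as 'Highly Confidential' in Microsoft Outlook from being sent to external recipients" reads as though the label is applied in Outlook, whereas the sentence before it describes the labels as classifying the documents themselves; reorder to something like "blocking emails sent from Microsoft Outlook that contain Office documents labeled 'Highly Confidential' from reaching external recipients". The straight single quotes around 'Highly Confidential' already match the apostrophe normalization this commit applies to "Cloudflare's".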