Last October, we announced Cloudflare One, our comprehensive, cloud-based network-as-a-service solution that is secure, fast, reliable, and defines the future of the corporate network. Cloudflare One consists of two components: network services like Magic WAN and Magic Transit that protect data centers and branch offices and connect them to the Internet, and Cloudflare for Teams, which secures corporate applications, devices, and employees working on the Internet. Today, we are excited to announce new integrations with VMware Carbon Black, CrowdStrike, and SentinelOne to pair with our existing Tanium integration. Cloudflare for Teams customers can now use these integrations to restrict access to their applications based on security signals from their devices.

When the COVID-19 pandemic unfolded, many of us started to work remotely. Employees left the office, but the network and applications they worked with didn’t. VPNs quickly began folding under heavy load from backhauling traffic and reconfiguring firewalls became an overnight IT nightmare.

This has accelerated many organizations' timelines for adopting a Zero Trust based network architecture. Zero Trust means to mistrust every connection request to a corporate resource, and instead intercept and only grant access if criteria defined by an administrator are met. Cloudflare for Teams does exactly that. It replaces legacy VPNs with our global network running in 200+ locations, and validates a user's identity via their identity provider and cross-checks for permissions to the requested application. Only if the user successfully verifies their identity and has sufficient access privileges are they granted access. The result: better performance due to our global network, and a security model that relies on verification rather than trust.

Remote work threw companies another curveball. As the lines between work and leisure time blurred, users started to work from a variety of devices, including their personal ones. Personal or unsecured devices are often more exposed to threats like malware, simply because they’re not protected by anti-malware or more sophisticated endpoint security providers. Using an unsecured device to access company email, deploy code to a production system, or access applications containing sensitive information is risky and could result in violation of a company’s compliance rules, or worse, compromise a system if an infected device spreads malware.

Starting today, Cloudflare for Teams customers can configure new policies that rely on device security signals provided by their endpoint security vendor to allow or deny connections to their applications. The terms endpoint security, device security, device health, or device posture are often used interchangeably, but all mean the same — they are a collection of signals that help decide whether a particular device, say a laptop or a mobile phone, is secure or not. This includes signals and attributes like version of the operating system, date of the last patch, disk encryption status, inventory of installed applications, status of anti-malware or endpoint security provider, and date of the last malware scan.

Understanding these signals, especially across all company issued devices — also known as the device fleet — is important and allows security and IT teams to find devices that are outdated and require patching, or when a malware infection has occurred and needs remediation. Using Cloudflare for Teams, these signals can also be used to make network access decisions. For example, to restrict non-company issued devices from accessing sensitive applications, an access policy can be created that compares the device’s serial number with the company’s device inventory. Only if the serial number matches is the user granted access.

Our WARP client already checks for some of these attributes, like serial number and device location, and ensures traffic is encrypted with WARP. With our new integrations, customers get an additional layer of security by requiring that a device runs, for example, a CrowdStrike or VMware Carbon Black agent before granting the device access to a resource protected by Cloudflare. By combining signals from WARP and our partners’ endpoint security platforms, we can ensure that a device is both company sanctioned and free of malware, and therefore considered a secured device.

In today’s work-from-anywhere business culture, the risk of compromise has substantially increased as employees and their devices are continuously surrounded by a hostile threat environment outside the office walls. Through our integration with Cloudflare, organizations can leverage the power of the CrowdStrike Falcon platform to accurately allow dynamic conditional access to applications, delivering end-to-end Zero Trust protection across endpoints, workloads and applications to stop attacks in real-time.— Patrick McCormack, Senior Vice President, Cloud Engineering, CrowdStrike

The VMware Carbon Black Cloud consolidates multiple endpoint and workload security offerings into a single, cloud native platform. Leveraging VMware Carbon Black Cloud, Cloudflare can help customers secure and manage devices connecting to their cloud and Zero Trust networks.— Tom Corn, Senior Vice President, Security Business Unit, VMware

Enterprises have come to terms with the notion of a disintegrating traditional perimeter. The distributed and dynamic perimeter of today requires a fundamentally new approach to security. In partnership with Cloudflare, our AI-powered cybersecurity platform offers modern enterprises a more robust zero trust security solution that spans the devices, the network, and the mission critical applications enterprises rely on.— Chuck Fontana, SVP Business & Corporate Development, SentinelOne

Zero Trust security architectures started at the network level with segmentation and enforcement, but as corporate resources and data increasingly live on endpoints, a zero trust architecture must take both the endpoint and the network into consideration. Knowing the identity of the endpoint, as well as knowing that it’s up-to-date, hardened against security threats and hasn’t been compromised, is paramount in ensuring secure access to an organization's resources.— Pete Constantine, Chief Product Officer, Tanium

Our integrations are simple. The first step is to secure your applications with Cloudflare Access. The integration between Access and your endpoint security provider varies slightly depending on your vendor.

Tanium does not require any additional software installed on a user’s machine. Simply input your Tanium certificate in the Cloudflare for Teams Dashboard and enable Endpoint Identity in your Tanium instance. Then, you can add Tanium as a policy check in the Teams Dashboard for any application to ensure that a user’s device is company-sanctioned and free of malware.

Unlike Tanium, these vendors require that the WARP client is deployed on a device. Before you configure these providers on the Teams Dashboard, we recommend deploying WARP via an MDM solution — alternatively, users can download the WARP client directly.

Once the WARP client is deployed for your team, you can configure your endpoint security provider on the Teams Dashboard. To get started, log in to your Teams Dashboard and navigate to My Team→Devices, then click on the new tab “Device posture”. For our partners, we’ve pre-configured values that should work for most installations.

Now that you have completed configuration, you can build rules based on the provider of your choice and apply them to your applications as you would any other Access policy. Once the rules are in place, WARP will check to see if the endpoint security software is running on the device and communicate the status to Access. Access will then use the status of the device’s endpoint security software to either allow or deny access to the secured application. If the device is running your organization's endpoint security software, access will be granted.

These Zero Trust checks can be layered with features like MFA and User Identity to thwart stolen credentials or other malicious access attempts.

In future releases, we will integrate additional security signals from our newly launched partners — such as CrowdStrike’s and VMware Carbon Black’s risk scores — to provide even more fine-grained control over which devices can get access to protected applications. We will also continue partnering with more vendors to provide flexibility to our customers in using their vendor of choice.

If you’re using Cloudflare for Teams today and are interested in using our integrations, visit our developer documentation to learn about how you can enable them. If you want to learn more or have additional questions, please fill out the form on our Endpoint Security Partnerships page, and we'll get in touch with you shortly.

Cloudflare’s mission is to help build a better Internet. We’ve been at it since 2009 and we’re making progress — with approximately 25 million Internet properties being secured and accelerated by our platform.

When we look at other companies that not only have the scale to impact the Internet, but who are also on a similar mission, it’s hard to ignore Automattic, maintainers of the ubiquitous open-source WordPress software and owner of one the web’s largest WordPress hosting platforms WordPress.com, where up to 409 million people read 20 billion pages every month.¹

When we started brainstorming ways to combine our impact, one shared value stood out: privacy. We both share a vision for a more private Internet. Today we’re excited to announce a number of initiatives, starting with the integration of Cloudflare’s privacy-first web analytics into WordPress.com. This integration gives WordPress.com publishers choice in how they collect usage data and derive insights about their visitors.

Figure 1) Cloudflare Web Analytics tracking code integrated in the WordPress.com dashboard

Figure 2) An example of Cloudflare Web Analytics in the Cloudflare dashboard.

This is not the first time we’ve launched a WordPress-focused product. In October, we introduced Automatic Platform Optimization for WordPress sites, a service that our testing has shown to improve the TTFB by up to 72%!  This feature has been incredibly popular with our shared customer base and so we continued to look for ways to bring our two platforms closer together.

Starting today, Cloudflare Web Analytics settings will appear under the Marketing area of the WordPress.com dashboard, meaning users can simply paste in the analytics code snippet and WordPress.com will take care of injecting the code into their site at runtime. Users will also see links throughout the dashboard to Cloudflare APO and Cloudflare’s CDN, which they can enable within the Cloudflare dashboard.

Figure 3) Additional links to Cloudflare performance and security features in the WordPress.com dashboard

WordPress.com + Cloudflare has always been a best-of-breed collaboration, combining security and performance on one hand, with the world’s leading content management and publishing platform on the other. Integrating privacy-first web analytics with native support in the WordPress.com platform is just the latest step towards a better Internet.

To learn more and get started, visit our landing page.

¹https://wordpress.com/activity/

Cloudflare insights in the tools you're already using

Data analytics is a frequent theme in conversations with Cloudflare customers. Our customers want to understand how Cloudflare speeds up their websites and saves them bandwidth, ranks their fastest and slowest pages, and be alerted if they are under attack. While providing insights is a core tenet of Cloudflare's offering, the data analytics market has matured and many of our customers have started using third-party providers to analyze data—including Cloudflare logs and metrics. By aggregating data from multiple applications, infrastructure, and cloud platforms in one dedicated analytics platform, customers can create a single pane of glass and benefit from better end-to-end visibility over their entire stack.

While these analytics platforms provide great benefits in terms of functionality and flexibility, they can take significant time to configure: from ingesting logs, to specifying data models that make data searchable, all the way to building dashboards to get the right insights out of the raw data. We see this as an opportunity to partner with the companies our customers are already using to offer a better and more integrated solution.

To address these complexities of aggregating, managing, and displaying data, we have developed a number of product features and partnerships to make it easier to get insights out of Cloudflare logs and metrics. In February we announced Logpush, which allows customers to automatically push Cloudflare logs to Google Cloud Storage and Amazon S3. Both of these cloud storage solutions are supported by the major analytics providers as a source for collecting logs, making it possible to get Cloudflare logs into an analytics platform with just a few clicks. With today's announcement of Cloudflare's Analytics Partnerships, we're releasing a Cloudflare App—a set of pre-built and fully customizable dashboards—in each partner’s app store or integrations catalogue to make the experience even more seamless.

By using these dashboards, customers can immediately analyze events and trends of their websites and applications without first needing to wade through individual log files and build custom searches. The dashboards feature all 55+ fields available in Cloudflare logs and include 90+ panels with information about the performance, security, and reliability of customers’ websites and applications.

Ultimately, we want to provide flexibility to our customers and make it easier to use Cloudflare with the analytics tools they already use. Improving our customers’ ability to get better data and insights continues to be a focus for us, so we’d love to hear about what tools you’re using—tell us via this brief survey. To learn more about each of our partnerships and how to get access to the dashboards, please visit our developer documentation or contact your Customer Success Manager. Similarly, if you’re an analytics provider who is interested in partnering with us, use the contact form on our analytics partnerships page to get in touch.