Cloudflare Access takes on VPNs with reverse proxy approach

Cloudflare takes inspiration from Google's BeyondCorp with a new service called Cloudflare Access, which aims to replace corporate VPNs and embrace perimeter-less security.


Cloudflare Access, which the company launched Wednesday, takes a different approach to securely connecting remote or traveling employees with corporate environments and applications. Instead of using individual VPN clients, customers can connect to both on-premises and cloud applications through Cloudflare Access' reverse proxy system; connections are run through Cloudflare's network before client devices reach the corporate network or third-party cloud services. The Cloudflare Access platform secures all connections with HTTPS and then authenticates and authorizes each device with customized enterprise access control policies, single sign-on offerings from leading identity providers and/or TLS client certificates.

Cloudflare Access was inspired by Google's BeyondCorp, which began as an internal project in 2011 to help Google employees work securely from any location without having to use a VPN. BeyondCorp, which is part of Google's effort to build zero trust networks, features what the company calls a front-end "Access Proxy" that provides centralized enforcement for all access control policies (Google began offering a variation of BeyondCorp called Cloud Identity-Aware Proxy or Cloud IAP to customers last spring).

Like BeyondCorp's Access Proxy, Cloudflare Access acts as a unified reverse proxy that authenticates every request made. The reverse proxy approach has been used by other security vendors such as Skyhigh Networks, which obtained a patent for its reverse proxy method of connecting to cloud services.
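The per-request decision an identity-aware reverse proxy makes can be sketched as follows. This is an added illustration, not Cloudflare's or Google's code; the hostnames, signing key, policy fields and certificate fingerprints are constructed assumptions.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"            # hypothetical proxy signing key
POLICIES = {                             # hypothetical per-application rules
    "wiki.corp.example": {"domains": {"corp.example"}, "need_cert": False},
    "payroll.corp.example": {"domains": {"corp.example"}, "need_cert": True},
}
TRUSTED_CERTS = {"ab12cd34"}             # constructed client-cert fingerprints
REVOKED_DEVICES = set()                  # consulted on every request

def issue_token(email, device, expires):
    """Mint a signed session token after a (simulated) SSO login."""
    body = base64.urlsafe_b64encode(
        json.dumps({"email": email, "device": device, "exp": expires}).encode())
    sig = hmac.new(KEY, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + sig

def verify_token(token, now):
    """Return the claims if signature and expiry check out, else None."""
    body, _, sig = token.partition(".")
    expected = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None                      # body is never parsed unless signed
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims if claims["exp"] > now else None

def authorize(host, token, cert_fp, now):
    """Decide one request; returns (allowed, reason). Default is deny."""
    policy = POLICIES.get(host)
    if policy is None:
        return False, "unknown application"
    claims = verify_token(token or "", now)
    if claims is None:
        return False, "invalid or expired session"
    if claims["device"] in REVOKED_DEVICES:
        return False, "device revoked"
    if claims["email"].rsplit("@", 1)[-1] not in policy["domains"]:
        return False, "identity not permitted"
    if policy["need_cert"] and cert_fp not in TRUSTED_CERTS:
        return False, "client certificate required"
    return True, "ok"
```

Because the revocation set is checked on each request rather than once at connection time, adding a device to it blocks that device's next request even though its session token is still valid.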

Taking a page from BeyondCorp

Cloudflare CEO Matthew Prince said his company began looking at BeyondCorp's approach three years ago after Google published research papers about the service. "We knew perimeter security doesn't work anymore," Prince said. "We set about asking how we could build something like BeyondCorp for Cloudflare employees."

Prince said Cloudflare tested the Access platform internally and began rolling the service out to employees in 2016. "We think the traditional VPN market is pretty broken," he said. "I travel all over the world, and having to log into a VPN that's slow and difficult to use is a pain. We've been using Access ourselves over the last year and a half, and it's been a lifesaver."

Instead of slow connections and degraded performance that often accompany VPNs, Prince said, "Connections are accelerated behind Cloudflare's network so instead of an app running slower on a VPN, it's actually running faster through Access" via its content delivery network and offerings like its Argo smart routing.

There are security benefits with Cloudflare Access as well, Prince said. The cloud-based service gives customers better visibility into their traffic and authentication activity, as well as the ability to quickly revoke authentication if a device is compromised. In addition, instead of patching VPN clients when new bugs or vulnerabilities emerge, the company can update Access in an instant for every single Cloudflare customer. "We're going to stay ahead of the next vulnerability better than anyone else can," he said.

Prince said his company will continue to branch out into perimeter-less security offerings using its Anycast network. "Cloudflare's core asset is this giant network that spans the globe. As of today, we have 120 locations around the world with gear running that network," he said. "You'll see us do a lot more with that network and we'll continue to look at ways to deliver cloud services through it to our customers."

Cloudflare Access is available to enterprises today and priced at $3 a seat per month.
