New security service from Cloudflare hopes to kill the VPN once and for all

Caerlaverock Castle, in Scotland. (Wikimedia Commons Photo / cc2.0)

Remote workers or business travelers have long been familiar with the travails of working through virtual-private network software, but Cloudflare thinks it can use its vast network of servers to help authenticate network traffic and make life a little easier.

The company is launching Cloudflare Access Wednesday, a new service that lets companies give employees access to corporate applications after a single login, without installing and running VPN software on their laptops or mobile devices. It works with a variety of popular identity-management providers, and lets system administrators monitor login and network activity to better distinguish actual security threats from ordinary use.

“Traditional VPN (software) just doesn’t make sense in an increasingly mobile, increasingly cloudified world,” said Matthew Prince, CEO of Cloudflare. Cloudflare first built Access for itself, so it could allow employees to authenticate themselves only once when they needed to access corporate data or applications on the go, but is now releasing the product after some beta testing with new and existing Cloudflare customers, he said.

Cloudflare CEO Matthew Prince (LinkedIn Photo)

Cloudflare built and currently maintains a massive network of servers that sits in front of customers' websites and is best known for absorbing distributed denial of service attacks, in which attackers attempt to force a website offline with a flood of bogus traffic. It uses that same network for other enterprise computing services, including performance tuning and other security services.

Access is based on BeyondCorp, an approach to enterprise security (a model rather than a single tool) that Google developed for its own workforce and described in a series of papers beginning in 2014. The traditional approach to cybersecurity before that wasn't much different from the traditional approach to castle security: dig a moat around the castle, give anything inside the walls free rein, and keep anyone outside the moat from getting in.

When people worked from inside the network all day at the office, that made a certain amount of sense, but we left that world behind a decade ago. Modern workers need to be able to securely access corporate applications from outside the core network, and VPN software designed long ago to give them that access tends to be slow and somewhat painful to use, especially on mobile devices, Prince said.

And VPN users still have to log into each application they want to access separately. To top it all off, treating every device inside the network as trusted raises the risk that an employee's laptop could be compromised at the coffee shop and then carried back onto the internal network, where it is waved through simply because of where it is connected, Prince said.

An overview of how Cloudflare Access works. (Cloudflare Image)

So BeyondCorp grew out of the idea that a device should not be trusted just because it is on the corporate network: every request for a corporate resource is treated as if it came from the open internet, so every user has to authenticate and be authorized for that resource, but in a way that is easy for them. Access applies that idea. Administrators route logins to their applications through the Cloudflare network, which authenticates users against the identity-management product of their choice (Google, Microsoft Active Directory, Okta and others are supported) and then gives them a secure way to reach any of the protected applications with a single login.
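To make the difference between the two models concrete, here is an added illustration (not Cloudflare's code, and not how Access is implemented internally) of a perimeter check beside a BeyondCorp-style check. The token format, the HMAC signing scheme, the corporate address range, the group policy and the sample requests are all constructed for this example; the point is only that the zero-trust decision ignores where a request comes from and looks at a verified identity assertion instead, so the compromised laptop from the coffee-shop scenario above is denied even when it is plugged into the office LAN.

```python
"""Perimeter ("castle and moat") vs. BeyondCorp-style per-request access decisions.

Constructed example: the assertion format, the signing key and the sample
requests are invented for illustration and are not Cloudflare's.
"""
import base64
import hashlib
import hmac
import ipaddress
import json
import time

# Constructed: the corporate LAN a perimeter model implicitly trusts.
CORP_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed: secret shared between the access proxy and the application.
# A real deployment would verify the proxy's signature with a public key instead.
PROXY_KEY = b"example-proxy-signing-key"

# Constructed policy: which identity-provider groups may reach which application.
APP_POLICY = {"wiki": {"employees"}, "payroll": {"finance"}}

# Constructed, fixed "current time" so the example is deterministic.
NOW = 1_700_000_000


def issue_assertion(email, groups, ttl=300, now=None):
    """What the access proxy attaches to a request after the user logged in at the IdP."""
    now = time.time() if now is None else now
    claims = {"sub": email, "groups": sorted(groups), "exp": int(now + ttl)}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(PROXY_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_assertion(token, now=None):
    """Return the claims if the signature and expiry check out, otherwise None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
    except (AttributeError, ValueError):
        return None  # missing or malformed token
    expected = hmac.new(PROXY_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # forged or tampered
    try:
        claims = json.loads(base64.urlsafe_b64decode(body.encode()))
    except ValueError:
        return None
    if claims.get("exp", 0) <= now:
        return None  # stale: the user has to log in again
    return claims


def perimeter_allow(request):
    """Castle-and-moat: anything arriving from the corporate network gets through."""
    return ipaddress.ip_address(request["src_ip"]) in CORP_NET


def zero_trust_allow(request, now=None):
    """BeyondCorp-style: the source address is irrelevant; every request must carry
    a fresh, correctly signed assertion whose groups satisfy the app's policy."""
    claims = verify_assertion(request.get("assertion"), now=now)
    if claims is None:
        return False
    return bool(APP_POLICY.get(request["app"], set()) & set(claims["groups"]))


def demo(now=NOW):
    """Run both models over constructed requests; returns {name: (perimeter, zero_trust)}."""
    good = issue_assertion("alice@example.com", {"employees"}, now=now)
    stale = issue_assertion("alice@example.com", {"employees"}, ttl=60, now=now - 120)
    forged = good[:-1] + ("0" if good[-1] != "0" else "1")  # flip one signature digit
    requests = {
        # Laptop compromised at the coffee shop, now plugged into the office LAN.
        "compromised_on_lan": {"src_ip": "10.1.2.3", "app": "wiki", "assertion": None},
        # Remote employee at the coffee shop who logged in once at the IdP.
        "remote_employee": {"src_ip": "203.0.113.7", "app": "wiki", "assertion": good},
        "remote_expired": {"src_ip": "203.0.113.7", "app": "wiki", "assertion": stale},
        "remote_forged": {"src_ip": "203.0.113.7", "app": "wiki", "assertion": forged},
        # Genuine employee on the LAN, but not in the group payroll requires.
        "wrong_group": {"src_ip": "10.1.2.3", "app": "payroll", "assertion": good},
    }
    return {name: (perimeter_allow(r), zero_trust_allow(r, now=now)) for name, r in requests.items()}


if __name__ == "__main__":
    for name, (perimeter, zero_trust) in demo().items():
        print(f"{name:20s} perimeter={perimeter!s:5s} zero_trust={zero_trust}")
```

The perimeter check lets the compromised laptop straight into the wiki because of its 10.x address and blocks the legitimate remote worker for the opposite reason; the zero-trust check reverses both outcomes and also rejects the expired and forged assertions and the user who is authenticated but not authorized for payroll.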

“We’ve built, kind of, a safe,” Prince said. “And the customer can choose, do they want a key to unlock the safe? Or a keypad? Or a tumbler combination lock?”

Application gateway hardware and software from companies like F5 can also give companies a way to enable remote access without VPN software, but Prince believes that Access offers better performance than some of those options thanks to Cloudflare’s server network.

Cloudflare Access costs $3 per month for every end user who uses the service, and there is no limit on the number of corporate or third-party applications that can be put behind it, Prince said.