CF Zero Trust architecture

For those of you using CFZT in an enterprise, I have a few questions.
Where does it fit in your organization? (Ownership, maintenance, support, and initial on-boarding)
What is your IdP, and how deeply have you integrated the two platforms?
How are you using it?
Aside from security, how have your users benefitted from this?

I am just starting a test drive to replace a client VPN but I can see so many options to secure my applications that I’m a bit overwhelmed.

Having helped a large number of enterprise customers adopt Cloudflare’s Zero Trust, I’ll share my observations FWIW.

It depends on the organization, which group in the organization is leading the initiative(s) and a lot of other factors. In general there needs to be some sort of senior executive level sponsorship (not required, but helps smooth out some things) as it can potentially cross multiple traditional group boundaries and high level support / direction can keep everyone rowing in the same direction.

Some organizations might start with Access related policies which can often have no involvement with desktop or network teams. Others might start with DNS at a site level which can be done by a DNS / Infrastructure team. Others still might start with Warp as a VPN replacement which might involve infra and desktop. And the level of adoption (and plan for adoption over time) can involve different stakeholders and responsible parties.

I’ve integrated everything from email address only (OTP) to pretty much every major IdP and a few I hadn’t heard of until 10 minutes before we were configuring them. Sometimes we took advantage of unique IdP specific features (like Azure Conditional Access) or group membership. It depended on the needs of the organization for the asset(s) in question.

Cloudflare commissioned a report with Forrester on the subject: theNET | Current state of Zero Trust

It can be a powerful tool; I’ve seen some organizations do some pretty creative things, from protecting guest WiFi to unlocking geo/content restricted resources for international development teams.

My general guidance is to start with a small trusted team of testers and/or a set of applications where they are either low impact or where the team using them is tech savvy. Or approaching new applications with a different/new security paradigm. And then expanding over time.


Excellent information! Thank you for taking time to respond!