Cloudflare One — SASE & Zero Trust
ZTNA, SWG, Access, Tunnel, CASB, DLP, RBI
Executive summary
Cloudflare One is Zero Trust network-as-a-service (NaaS) built on a SASE architecture: it replaces the collection of on-prem appliances and WAN sprawl with a single cloud network that delivers security, performance, and control through one interface. Because it runs on the same platform as WAF/CDN/DDoS, it consolidates vendors, applies real-time threat intelligence, and enforces consistent policy for mobile users, SaaS, and hybrid cloud.
Business objectives
- Migrate on-prem networking functions to the cloud under a SASE strategy, with one policy set enforced at the edge
- Single-pass inspection of encrypted traffic: Zero Trust enforcement, sensitive-data visibility, threat awareness
- Consolidate services, reduce complexity, and keep the experience transparent to end users
- Global service with contractual SLAs that scales with branches and stores
Our approach
- Reduce excessive trust: identity- and context-based policies, Remote Browser Isolation (RBI) for untrusted web destinations
- Eliminate complexity: fewer VPNs and point products, one control set for all traffic
- Restore visibility: DNS, HTTP, login, and in-app logs, with an audit trail for investigations
Solution components & dashboard
ZTNA — Cloudflare Access
Replaces the castle-and-moat VPN model: default-deny enforced through the IdP, protecting self-hosted apps, SaaS, SSH/RDP, and internal IPs.
Zero Trust > Access > Applications, Networks > Tunnels
- Integrates with Okta / Azure AD / Google Workspace plus MFA
- App Launcher: teamname.cloudflareaccess.com
- Tunnel (cloudflared) connects outbound, so no inbound firewall ports are opened
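The outbound-only tunnel model described in the ZTNA section above, as an added configuration example that is not part of this page and not Cloudflare's own sample: a hypothetical cloudflared config.yml publishing two internal origins. The tunnel UUID, credentials path, and hostnames are placeholders; the `ingress` rules and the mandatory final catch-all are the standard cloudflared configuration keys.

```yaml
# Hypothetical cloudflared config.yml (added example, not from the page).
# The connector dials out to Cloudflare's edge; nothing listens on a public port.
tunnel: 00000000-0000-0000-0000-000000000000          # placeholder tunnel UUID
credentials-file: /etc/cloudflared/TUNNEL-UUID.json   # placeholder path

ingress:
  # Internal web app, reachable only after the Access policy for this
  # hostname (Zero Trust > Access > Applications) admits the user.
  - hostname: intranet.example.com      # placeholder hostname
    service: http://localhost:8080

  # SSH exposed through Access instead of an inbound port on the host.
  - hostname: ssh.example.com           # placeholder hostname
    service: ssh://localhost:22

  # Required catch-all: any hostname not listed above is rejected.
  - service: http_status:404
```

Before running the connector, `cloudflared tunnel ingress validate` checks that the rules parse and that the catch-all is present; `cloudflared tunnel run` then establishes the outbound connections. The file only maps hostnames to origins: who may reach each hostname is decided by the Access policy attached to it in the dashboard, which is what turns "no inbound ports" into default-deny rather than open exposure.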
SWG — Cloudflare Gateway
DNS, HTTP, and network control for every user connected through WARP: malware blocking, category filtering, and inline DLP.
Zero Trust > Gateway > Firewall policies
- DNS and HTTP firewall policies
- Remote Browser Isolation (RBI)
- DLP profiles applied to uploads and downloads
CASB & DEX
CASB: SaaS posture for M365 and Google. DEX: digital experience monitoring for the workforce.
Zero Trust > CASB
- Detects shadow IT and misconfiguration
- Combines data-at-rest scanning (CASB) with inline DLP (Gateway)
WARP & Network Services
WARP client, device enrollment, Cloudflare WAN (formerly Magic WAN) and on-ramps (per proposal scope), and shared threat intelligence.
Zero Trust > Settings > WARP Client
- Settings: team domain, authentication, device profiles
- Journey to SASE phases: VPN offload → ZTNA → SWG → CASB
Differentiators
- One platform for SASE and Application Security, with no policy silos
- Anycast network that is faster than traditional VPN backhaul
- Five-phase "Journey to SASE" roadmap: consolidation phases in orange, Zero Trust phases in blue
Implementation
- Phase 1: Offload VPN for pilot groups (contractors, developers, M&A)
- Phases 2–3: Access and Gateway for the remote/hybrid workforce
- Sample PoC and SIEM integrations (per proposal)
Support services
- Support Services table by Enterprise tier: 15-minute initial response (if contracted)
- Customer Success orchestrates the SASE transformation roadmap