Video: Maximizing Microsoft 365 Security: How Cloudflare Enhances Protection And Adds Value | Duration: 3396s | Summary: Maximizing Microsoft 365 Security: How Cloudflare Enhances Protection And Adds Value | Chapters: Introduction and Overview (11.04s), Cloudflare One Platform (160.245s), Cloudflare Access Integration (398.19s), Cloudflare Access Policies (861.075s), Device Compliance Integration (1363.6549s), Securing Office 365 Access (1637.43s), Advanced Security Integrations (1874.63s), DLP Policy Integration (2950.13s), Outbound DLP Policies (3052.4302s), Advanced Egress Policies (3139.8198s), Authentication Customization Options (3214.515s), Conclusion and Farewell (3343.46s)
Transcript for "Maximizing Microsoft 365 Security: How Cloudflare Enhances Protection And Adds Value":
Hi. Good morning, everyone. Thank you a lot for joining us today on this webinar. I'm Jose Dors, and I'm a solutions architect here at Cloudflare. Today, I will talk a little bit about how we can support organizations adopting the cloud and hybrid work while keeping them secure by combining the capabilities of two leading cloud platforms, Microsoft and Cloudflare. During this webinar, if you have any questions, please feel free to drop them in the Q&A chat box. We really appreciate your questions, and we plan to have enough time at the end of the presentation to go over them. Alright. So let's talk about how Cloudflare can enhance protection and add value to organizations using Microsoft. So we know that many organizations are turning to Microsoft for the cloud as they modernize their environment and adopt hybrid work. However, it's also acknowledged that the popularity of Microsoft services increases the exposure to a wider range of threats. As many organizations start relying on Microsoft services for hosting critical applications and sensitive data, and rely on Microsoft for critical services like identity, they become a very attractive target for attackers. We see attackers trying to exploit Microsoft customers via phishing and BEC emails, attempting to do privilege escalation and bypassing multi-factor authentication controls, and also scanning for misconfigurations, all with the objective of getting to resources and data within Microsoft environments and carrying out data exfiltration and ransomware attacks. To make things even more complex, cloud adoption really means managing a combination of SaaS, self-hosted, and non-web applications, because cloud migration is a journey and most organizations will end up in a hybrid cloud environment, where the enterprise perimeter has essentially disappeared.
So, ultimately, what this means is that securing and controlling access to these resources using legacy technologies such as VPNs can create security gaps and frustrate employees. So in summary, we need a new approach to enable these cloud migration initiatives, one that allows organizations to benefit from the advantages of the cloud and adopt hybrid work while keeping the organization and its employees safe regardless of where they are. So that is exactly where Cloudflare comes in. We partner closely with Microsoft. We have a wide scope of integrations, as we will see in this webinar. So using these touch points between our cloud platforms, I think we really can combine the best of both worlds. Microsoft brings cloud applications and services that support hybrid work and deliver essential protection for identities, devices, data, apps, and infrastructure, while Cloudflare layers on top those zero trust services that deliver fast and secure application access with comprehensive protection against misconfigurations, malware, and targeted phishing attacks. These zero trust services are delivered using the SASE capabilities of Cloudflare's network. Our SASE services put together are what we call Cloudflare One. Cloudflare One is really our platform for zero trust security and network transformation. And the main use cases that we cover with this platform are the ones that you can see here on the right side of the slide. So one of the things we focus on is really securing access: simplifying and securing connecting any user to any resource. That's what is commonly known in the industry as zero trust network access. Then we also want to keep users safe, over any protocol and port, from all the threats that are out there. So that's our threat defense use case.
And those we do essentially through our secure web gateway capabilities, which you can combine with other techniques such as browser isolation and using all the threat intelligence data that Cloudflare has. Then we also allow you to simplify policy compliance and regulatory compliance and protect your organization from having expensive data leaks. That we also do through our secure web gateway in combination with browser isolation and data loss prevention capabilities. These data loss prevention capabilities you can use for data in motion with the secure web gateway, but also for data at rest within SaaS applications, which is also a big part of our focus: to really improve the security of SaaS applications, giving organizations more visibility into those (typically called the shadow IT challenge) and giving you more control over these applications, even when we are talking about email, which we can do through our cloud email security. But Cloudflare One is not just a platform to secure a hybrid or remote workforce. Actually, with Cloudflare One, you can connect all sorts of sites to our SASE platform. So you can connect your offices, your headquarters, branches, manufacturing sites, on-prem data centers, and public clouds, all to Cloudflare. So Cloudflare can essentially become your wide area network, with security across it with our firewall-as-a-service capabilities. So Cloudflare One actually is a platform for network modernization. Through our platform, you can really improve the productivity of your employees and simplify the life of IT with simpler operations while reducing the attack surface. We can do all of this because everything that I'm going to show you and all these use cases are managed and configured from a unified dashboard. And behind that dashboard is also a unified API if you want to automate things, addressing the API directly or using things like infrastructure as code with our Terraform provider.
All these services are also delivered in a consistent way from our single global network, and Cloudflare is always close to where users and applications are. Right now, we are present in more than 300 cities in more than 100 countries, so we can really provide these SASE services everywhere that you are. So now if we start to think about all the ways that our platform can better secure organizations that use Microsoft extensively, I think a good place to start is by looking at zero trust network access, or Cloudflare Access. So this is the part of our solution that really simplifies remote access, allowing organizations to replace legacy VPNs. So, independent of whether an organization uses Microsoft a lot or not, our architecture for Cloudflare Access is what you see here on the left. Okay? So we start by connecting all sorts of applications to Cloudflare. If we are thinking about applications that you self-host in an on-prem data center or in a public cloud like Azure, then we are talking about this one over here. So we can connect self-hosted applications, entire subnets, and infrastructure services like servers to Cloudflare. We have different ways of being able to do that. Essentially, we want to create encrypted tunnels to the closest points of presence of Cloudflare, and we support app connectors, which are called Cloudflare Tunnel, or more traditional IPsec site-to-site connections with Magic WAN. So users, if they want to get to these applications, need to go through one of these tunnels. And that's where we start to implement policies to say who and what can access these applications. So we can verify the identity. For this, we can support any identity provider that supports SAML or OIDC. We can do user and group synchronization. We can enforce multi-factor authentication, and we can integrate with more than one at the same time.
Then we can also check what the state is of the devices that users are using to access the applications. Here we can get signals directly from our agent on the device, the WARP client, but we can also integrate with third-party solutions like CrowdStrike or Intune. And then we can also get contextual clues from these accesses: is the access coming from the right country, or from the source IP addresses that we expect? For the users themselves, we support connecting to applications in multiple ways. We support accessing applications without any client; it's called clientless access. And when doing so, we support accessing web resources, but we can also render in the browser SSH sessions or a VNC terminal. In the near future, we'll also support clientless RDP in the browser. Now for any other protocol, or if you want to have a native experience on the device, we can use the WARP client. That will create an encrypted tunnel between the endpoint and Cloudflare. And through this tunnel, we can tunnel any UDP or TCP ports when using the WARP client. And we can also get that device posture that I just mentioned. One final thing I didn't mention on this diagram is that we can also connect SaaS applications to Cloudflare. We can do this in multiple ways, but for the one that I'm going to show you regarding Microsoft, we can do it through egress policies. Essentially, we can say that a certain SaaS application can only be accessed from a certain set of IP addresses that are unique to your Cloudflare environment. And then you can specify, again using these conditions, that only the right people with the right devices get assigned those IP addresses, so that they can access those SaaS applications and no one else. Alright? Okay. So now I'm just going to give you kind of a drill-down into some use cases and demonstrations of what it looks like for a company that has invested extensively in Microsoft.
So this is essentially the same diagram as before. Let's start first by checking how we can connect an Azure environment to Cloudflare. Essentially, we have those two ways. We have the app connector, which is our Cloudflare Tunnel, or we can do those site-to-site connections to Azure Virtual WAN or a virtual network gateway. Okay? So let's see what that looks like. So if I go to the dashboard here... wait, hold on. Let's do a refresh here. Alright. So here we are in the section of Cloudflare's dashboard that deals with all the zero trust capabilities. If I go over here to Networks, you'll see that I have these tunnels here. Right? I have tunnels spread across multiple cloud environments and on-prem sites. And so for Azure, essentially, I have this one. If I go into edit, or if you would create a new tunnel, you would see this page that shows up here. Essentially, what we need to do is specify where we want to deploy a tunnel. It can be in one or multiple virtual machines within your Azure VNets, or a container within the VNet. So let's say, for example, it's a Debian-type VM. I select the type of VM, and then I get the command. This command is unique to your environment. And so if you copy it and paste it on that VM or container, it will automatically create these tunnels outbound from your VM towards Cloudflare. If you would go and copy this command and paste it in more virtual machines within your environment, essentially they are still all the same tunnel, but they become replicas of this tunnel. So if one replica goes down, traffic still goes through the other replica. This is a mechanism both for high availability but also for higher scale. So it's as simple as that. You just need to do this in some VMs, and then Cloudflare has access to your environment. Now, of course, then you need to specify what is accessible through those tunnels.
This we can do through these public hostnames and private networks. Public hostnames are especially used for the clientless scenarios. And what we do in this method is that you map internal resources within your Azure environment to a public hostname, so a URL that will be resolvable on the Internet, resolvable by Cloudflare, and proxied by Cloudflare. As you see, we can map a public hostname to something which is on the localhost, so on the same VM or container where we deploy the tunnel, but also in other VMs that the VM that has the tunnel can access. Okay? So we can do both. Then for a more traditional kind of VPN type of access, we can also expose internal subnets from your Azure environment through the tunnel. And this is essentially what we will use if you want to tunnel any type of non-browser protocol. So this is the app connector. Like I mentioned, we can also do the Magic WAN site-to-site IPsec connection. And for that one, we also have integrations already available with all major public cloud providers, including Azure. So when we do a cloud integration between Cloudflare and Microsoft, we will be continuously checking what is configured within your environment. If I go here and I filter for Azure, this is everything that I have configured on my Azure environment. So Cloudflare knows what has been configured, so it can configure additional resources. I can then very easily go to Magic WAN, cloud on-ramps. As you will see, I already have an on-ramp to Azure, and I could add a new one. If I add a new one, I could give it a name, let's say "webinar", and say continue. In this case, I'll say that I want to deploy this on Azure, and then it will show me the virtual networks that are available within Azure. And then I could select them, continue, and it would create these site-to-site connections to Azure. It would automatically create the virtual network gateway on the Azure side.
It would create the endpoints on the Cloudflare side and set up the IPsec tunnels between them automatically. I won't do this now because it takes some minutes for it to be set up, but I have already created one prior to the webinar. So if I go to configuration, I have here a tunnel that has been configured by the cloud on-ramp automation, and it also configured the routes for me because it knows what's inside that environment. Alright? So as you see, it's quite easy to connect an Azure environment to Cloudflare. Now that we have an Azure environment connected to Cloudflare, we can start building the policies to say which devices and which users can actually access this environment. Right? So we can start creating this policy based on identity, posture, and context. Let's start with identity. On identity, we can easily integrate Cloudflare with Entra ID. And through this integration, we will get all the user and group information from Entra ID, and we can also do multi-factor authentication enforcement. This multi-factor authentication enforcement is actually quite critical. When companies are adopting these new cloud environments, one of the threats that might exist is that attackers are trying to get access to these environments. They can do, for example, social engineering tricks where they manage to get access to some accounts within Microsoft. One of the things they might try to do is to disable multi-factor authentication so that they can have easier access to a Microsoft environment. So if we follow principles like defense in depth, this is really helpful, because even if your organization were compromised and someone disabled multi-factor authentication, Cloudflare would still be checking for that. And if we see that multi-factor authentication has been disabled, that it was not used, we would block access anyway.
So it becomes much harder for an attacker to get access to a Microsoft environment if they shouldn't. Right? So let's see what a simple policy based on identity looks like. I already have the tunnels, as we've seen. So now I create the policies under Access. If I go to Access, I have a very simple policy here, this one. Okay? So this is a public hostname that is available through one of my tunnels. If I go into this one, I've already integrated my environment with Entra ID, or Azure AD. I have also other ID providers that I can use, but we see that Azure is one of them. If I go to policies, I have a very simple policy here. Basically, what I've said is that all the users known to my environment should be able to access that particular web server. Okay? No additional criteria. It's really just identity. So now if I try to go to that web server like this, instead of getting direct access to the server, I first need to authenticate through Cloudflare. I'll go through the Entra ID one. Let's do this user. This user requires multi-factor authentication. That's good. So let me just put in the code very quickly. Okay. Alright. And because this user is from one of those groups that you saw, I can get access to that web server, which is behind the Cloudflare Tunnel, as expected according to the policy. We also make it easier for a user to know what applications he can access. Following zero trust principles, we only want to give access to the applications that the user needs and nothing else. So this page will show all the applications that the user can access based on his identity. So what happens if he tries to access an application which is not on this list? If I go, for example, to this one, which is a separate application that I do have behind the tunnel, I get the Cloudflare Access prompt. I'll try to authenticate, and I won't be able to get access to it. So let's figure out why this user didn't have access to this one.
If I go back to the dashboard and I go to this application, you will see that I have more conditions in this case. The policy that most closely matches what that user was trying to do is this one. If I go to this one, you'll see the criteria to access the application. The user needs to be from one of these groups. The user that I used is part of those groups, so that is fine. The access needs to be coming from Portugal. That's also fine. I'm based in Portugal right now, so that's good. Multi-factor authentication: we are enforcing it, and the user also did multi-factor authentication. Where the user failed, or was not able to get in, is because we are also integrating with Microsoft conditional access policies, and this one failed. What we can do on the Cloudflare side is that when we send a request to Entra ID to validate the identity, we can also tell Microsoft to check that user against certain conditional access policies. And in this case, I'm telling Microsoft that they should check the user against this "high risk users" conditional access policy. And if I go to my Azure environment, I have created a conditional access policy which, on purpose, considers Adele, the user I used, a high-risk user, and that's why he couldn't access that application. So only the right people in the right conditions can access the application. So if I go to the same application with a different user that is not considered high risk, then access should be fine. If I go here, I'll check a different user. Now try to access. I need to do multi-factor authentication, so it's good that it's happening. Let's put in the codes. If I didn't mess up the multi-factor authentication, now I should be able to get access. I think I had a problem with that. So let's give it one more try. Okay. If I go to that application again, the user does the multi-factor authentication. Okay. I might be messing up something here on the code.
But, essentially, if the user is not considered high risk, then he would get access to the application. Alright? So going back to my diagram, essentially what I'm saying is that I can verify identity, and on top of it, I can check for additional contextual clues, like conditional access policies. Okay? But so far, I've only really shown you how to access applications using this clientless model, so not using the agent itself. We can also use the agent, and that allows me to access any type of application over any TCP or UDP port. So when we talk about deploying the agent, we have two additional integrations that are very useful for a customer that is using Microsoft extensively. I can do a managed deployment of WARP, so automate the deployment and software updates of the WARP client with Intune. And then I can get all the posture information coming from Intune as well. So we can get from Intune whether the device is in a compliant or non-compliant state. And these compliance policies can also take into consideration information from, for example, Microsoft Defender for Endpoint to check if the device has been compromised. Okay? So if I go back to my environment, if I go here to the Intune section, you'll see that I already have these applications configured over here to deploy the WARP client on both Mac and Windows devices, but this also works for mobile devices like iOS and Android. And if I go to the devices side and I go to all devices, you will see that my Windows devices are in a compliant state, and my macOS devices are in a non-compliant state. Okay? So now, through the Intune integration, if I go to my Zero Trust environment and I go to My Team, Devices, you will see that my Windows device should also be in a compliant state. If I go to posture checks, service provider, you'll see that Intune compliance is passed. So it's synchronized with what we saw on the Azure side.
And if I go to my Mac VM, or Apple VM, you'll see that it's in the failed state, again in sync with what we saw on the Intune side. So now I can use these compliance checks as part of my policy too. If I go to Access, Applications, I have here a policy to access some SSH servers within Azure. I have multiple targets. Some are on GCP; one is on Azure. I'm specifying it is for SSH on port 22. And then I have a policy over here. This policy is basically saying that if a user is running the WARP client and is coming from one of these groups, from Okta and Entra ID, they can access those SSH servers, but only if their device is in a good state. So it is from a known managed device (this is a check that we can do directly with our WARP client), it's coming from the right country, Portugal in this case, and the device posture checks are telling us that the device is compliant. I have integrated this both with CrowdStrike, checking if the device has been compromised, and also Intune, to check if it's compliant. And in the case of SSH, we can specify that, okay, if everything is okay, they can access these servers, but only with these particular users. So if I go now to my Windows machine, this is my managed device. It's running the WARP client. And these posture checks are always ongoing. If I try to SSH to a virtual machine on Azure, then I'm able to get access to it, as expected. However, if I go to my Mac VM, which we just saw is in a non-compliant state, if I try to do the same, it won't work. It's saying that the authorization has been denied. So, again, I am only able to access the resources if I'm the right user, but also if my device is in a good state. Alright. So let's go back to the slide. This is what we've just checked: how we added device posture to the policies.
Now let's see how we can better secure Office 365. Office 365 works as a SaaS application. So if we don't put any additional controls in place, then basically anyone in the world would be able to get access to Office 365 if they know the credentials, or potentially if they do the MFA. Right? But in order to reduce the attack surface, we might want to make sure that only the corporate devices can access this environment. This we can do very easily with Cloudflare using these egress policies. Essentially, an organization gets a specific set of IP addresses that belong only to them and no one else, and then we configure them on the Microsoft side. We'll create a conditional access policy saying that only those IP addresses are allowed to connect to your Office 365 applications. And then we can build policies saying who and what can get access to those IP addresses, and when, in what conditions. If I go back to my web environment, you'll see that I have here a conditional access policy saying that only users with the IP that ends in 207 can access Office 365. And then on the Cloudflare dashboard, if I go to egress policies, you'll see I have a policy over here that is basically saying that this group of users can connect to Office 365, but they need to be on a known device which is in a good state. So, again, it's one of the known managed devices, and posture checks such as CrowdStrike and Intune are all passing. And if that is true, and only when that is true, then they will get that 207 IP address that should allow them to connect. So if we remember from before, the Windows devices are in a compliant state. If I go back to my Windows device and I check my IP, let's do a refresh. It has a 207 IP. So that means that if I try to access Outlook, it should be possible from this device. OK.
So if I go over here and I try to connect, I'm able to get access to Outlook. However, if I try to do the same from my Mac VM, it's in a non-compliant state. So instead of getting a 207 IP, I'm just getting a random Cloudflare public IP. And this one will not be accepted by the Microsoft side. So if I try to do the same and go to Azure with the same user that just logged in from the Windows machine, in this case it's not possible. The sign-in was successful, but it does not meet the criteria required. It's not coming from the expected IP address. So this allows us to make sure that only devices from the right users and in a good state can access Microsoft 365. And that means as well that if I'm using just a random device, a non-managed device, like this machine where I am now, it also won't work. So personal laptops will no longer be able to access the Microsoft environment either. Here again, if I try to do the same thing, I might know the credentials, but I cannot access, again because I don't have that special IP address. Alright. So if I go back to the slide, we've seen all these different ways we can enforce security when accessing resources on Microsoft. But the other important thing about using a platform like Cloudflare is that IT gets much more visibility about what's going on. Every flow that crosses Cloudflare will be logged, and then we can also export those logs to Azure. If you're using a tool like Microsoft Sentinel, then you can very easily consume these logs from Azure Blob Storage, so we can export them there. If I go back to the dashboard and I go to Logs, Access, the things we've been doing, we will be able to see them on the dashboard. So let's just wait a couple of seconds for the logs to populate. Alright. So we get the visibility when access was granted.
For example, for this one, we can see what happened, the hostname that was targeted, what time the request happened, from what country it was, what user tried to access. And we get this information both for when access was granted and when access got denied. Okay. And, actually, before, we had that issue where I tried to access that application, and it didn't allow me to get through. And I can also see why this did not work. As you see, the access is coming from the Netherlands in this case, while the policy was saying that the access should be coming from Portugal. What happened is that I think, by using my corporate Cloudflare account right now, traffic is egressing from the Netherlands and not Portugal, which was something I was not expecting when I was preparing the webinar. I tried this. And so that is the reason why the previous use case failed before. That's, again, the visibility part. It can help you both detect security incidents but also help you troubleshoot things so much faster. So it's expected that I should not be able to get access to the application, because my access is being seen as coming from the Netherlands and not Portugal. So we also found that one. Alright. So I mentioned that we can see all these logs here on the dashboard, but we can also export them. This is our Logpush capability. If I go here, you'll see that we can configure all these logs that I've shown you. We can configure them to be sent somewhere else. I have integrations with Datadog in this case. I'm also sending them to a bucket on S3, but also I can send them to Azure, which I've done before. So we support not just Azure. We support lots of different SIEMs and public cloud buckets. So it's very easy to export all the information to the tool of your choice. Alright. Let's go back to the slides.
So this is all about all the different ways we can better secure access to Microsoft resources. But as I talked a little bit about at the beginning, our platform goes beyond it. A big thing is also doing threat protection, compliance protection, and getting more visibility on shadow IT. These are all things we can do through our secure web gateway. Okay? Here, we do the threat protection when users are browsing anything on the Internet. This one leverages all the rich threat intelligence data of Cloudflare. If you don't know, right now Cloudflare protects around 20% of all websites on the Internet. And we also run one of the biggest DNS resolvers in the world, the 1.1.1.1 DNS resolver. So this also gives us very rich information about what traffic is going over the Internet every single day. And we use all those insights to create threat intelligence data that we can then use to protect users going through the secure web gateway. And we also combine it with other technologies like antivirus scanning and malware sandboxing. So we can definitely protect users when they are browsing out to the Internet. Then we can also do access control. If you have policies saying that certain sites cannot be accessed by corporate machines or employees, we can easily do that. And then we can also do data protection. That is implementing techniques so that users cannot, for example, upload sensitive data. On this topic of data protection, that's also where we integrate closely with Microsoft. By doing our API integration with Microsoft, we can learn all the Microsoft Purview sensitivity labels that might have been configured on the Microsoft side. For those who don't know, these are labels that can be assigned to Office documents, for example, to give them a highly confidential or confidential status. And now we can look for these labels in our policies.
And if we see an event of these documents being uploaded externally, then we can block those. Let me show you that on the dashboard. If I go back to the dashboard, all this gateway functionality lives under the firewall policies. We can protect users at the DNS layer. We can build those policies to protect them from threats like this, so a very easy block action for users trying to go to any of these types of domains. And this is where a lot of the threat intelligence data comes in. We are always updating what actually counts as a malware domain, a phishing domain, and so on. Then you can do access control to certain categories of content. Let's say gambling websites should not be allowed, for example, and you can also block certain applications or domains from being accessed. So that's at the DNS layer. Then we also have network policies. That's more traditional layer 3, layer 4 firewall policies. And then we have the HTTP policies. That's where we inspect HTTP and HTTPS traffic, and that gives us much more granular control over what users can and cannot do. We can, for example, allow certain YouTube videos but block all others. We can block file uploads or file downloads. We can protect users from malicious files by running them in a sandbox first. We can isolate users in a remote browser when they are going to, let's say, new or suspicious domains, but we can also implement those DLP policies that I mentioned. So here is an example. I have a "block DLP uploads" rule where, essentially, for all the DLP profiles that I have configured, if I see them being uploaded somewhere, I will block those. And as you see, one of these profiles is one for Microsoft 365, and that one comes from that integration with the Microsoft environment. If I go to DLP, Profiles, and I go over here, these are all the labels that I learned from the API integration with Microsoft.
And in this case, I've enabled highly confidential and confidential files so that the system is on the lookout for those and then blocks them if we have policies to block them. So if I go to my managed device over here, I have here a highly confidential file. And so if I try to upload it somewhere, you'll see that it will trigger the block. Right? And the file could not actually be uploaded. So from a user perspective, it's all very seamless, and we can give information to the user if he's trying to do something that he should not. And he can click for more information, where we can display a page of your choosing explaining, for example, the corporate policies. Alright. So that's kind of our DLP integration. But, actually, our API integration goes beyond it. So we can integrate Cloudflare with Microsoft through APIs to check for many more things. So we can check for things like misconfigurations on the Microsoft side, for files that are being shared incorrectly. And so we surface all these security risks that we find by continuously scanning your Microsoft environment so that then you can take quick action on those and correct them if there is a problem. So that one is also very simple to use and to configure. So, essentially, that's on the CASB side. I have certain integrations. We integrate with a lot of popular SaaS applications, including Microsoft. And spoiler alert, we also integrate for email, but I'll show you that one in a little bit. And so after this integration through API is done, which is just doing a next, next, next type of thing, you will see that we start getting all these security risk findings. So if I filter for Microsoft, you will see that I have some risks such as users that haven't updated their passwords or files that are accessible over the Internet with edit permissions.
So for any of the security risks, I can always click and go check the details of, in this case, what files are triggering this security risk warning, who created the files, when were they created. In this case, I even have a link, so I can go to the file and correct the permissions if need be. So this is all about giving you more visibility about security risks within your environment so that you can quickly address them, and the SaaS application is no longer a black box. Finally, we also integrate with Microsoft for email security. So Microsoft's email security is already very feature rich. It already gives you antivirus and spam protection. It also provides you with standard authentication capabilities. It also allows you to do DLP policies for outbound emails and data management. But Cloudflare here provides additional value by really focusing on very targeted phishing campaigns and protecting you against business email compromise attacks. So when we talk about targeted phishing, we have invested a lot in creating crawlers that go out to the Internet and find phishing campaigns being created. We also have all these AI machine learning algorithms that are able to crawl URLs that are in emails through multiple layers of redirection. And we also have a sandbox to detonate suspicious payloads to see if they are malicious. Our algorithms also have techniques such as computer vision, where they can actually find links within QR codes or passwords within images to open encrypted attachments. So we've invested a lot in really being able to detect if an email has any malicious content, be it URLs or payloads. So that's a big focus of our solution. The other big focus is, like I mentioned, protecting against business email compromise attacks. So these are emails where there is nothing malicious in the content. So there is no bad URL or bad payload.
But they are written in a way to trick the organization or a user within your organization into carrying out an action that it shouldn't. So a common example is to make an employee make a payment believing he's making a payment to a supplier, for example, but, actually, it's making a payment to an attacker. Right? So these emails are really hard to spot because there is nothing apparently wrong in the email. So here, we really invested in things like machine learning to be able to understand what is being written in the email, understand the sentiment behind it, understand how it fits within a longer email thread, if this email is part of the known type of communications between your organization and your suppliers and partners. And then by combining all these signals, we can be very confident if this is a fraudulent email or a legit email. And if it's fraudulent, then we will block it. Right? So this is really where the added value of Cloudflare is, to really go that extra level of protection against these very targeted and sophisticated email attacks. In order to implement this integration, it's actually quite simple, and we have flexibility in it, so we can be deployed inline. So in this case, Cloudflare stands in front of your email infrastructure. And so emails, before getting to your user inboxes, go through Cloudflare. And so we can stop emails right here, and we can also manipulate the emails, like rewriting the links or adding warnings to the emails if you want to, according to the policies. The other alternative you can do is to do the API integration with Microsoft. So this one is really super easy and super quick to do. This is what I have on my live environment. It's just a matter of granting Cloudflare some additional permissions to that API integration that I showed you for the CASB.
So when we do that one, essentially, what happens is that whenever an email reaches a user's inbox, Cloudflare will be scanning those emails. And if we find them to be malicious or not a good email, we can delete them or remove them from the user's inboxes. The great thing is that these options can actually be combined at the same time, what we call mixed mode. That really gives organizations a higher level of protection, with protection both pre-delivery, so protecting the user before the email gets there, but also post-delivery, protecting after an email has been delivered. So this helps against attacks where the attack is deferred in time. So now we are seeing email attacks where an attacker will send an email, for example, on a Sunday. This email is clean at the time of sending, so it has a URL that is clean. So it's not going to any malicious destination. But then on Monday morning, the attacker will weaponize the link. So the link no longer redirects to a good website, but now it will redirect to a phishing domain, for example. The thing is that Cloudflare will keep scanning all the URLs that we see in emails going through for the following days after delivery. So if an email is sent on Sunday, we let it go through because it's clean. And then if it gets weaponized on a Monday, we can still go there and remove it from the inbox through our API integration. So having both is really optimal. So in terms of managing all of these, it's, again, super simple because it all lives in our unified dashboard. So if I go to email security, by doing the API integration, I immediately start to get visibility on all these additional emails that Microsoft was not able to detect, but Cloudflare was able to detect as malicious, spam, spoof, and so on. And we can very easily do investigations where we can search for the non-good emails and see the details of them.
And we can also very easily set those rules that say if an email should be removed from a user's inbox. So in the API mode, that's a simple matter of defining for each category of email what should happen. For example, malicious, they should get deleted. A spoof shouldn't be sent to trash. A spam should be sent to junk. So this is all very easily configured directly from the dashboard. So very easy to deploy and very easy to use and manage.

So, with it, I really got to the end of this session. So thank you a lot for your time. I hope you found it useful and took something away from it. Really, the main point we want to pass to you is that combining these two cloud platforms together really helps an organization adopt cloud and hybrid work in a much more secure way, and we hope that you will take this into consideration. We also give you some additional resources on this slide that go into the details of what Cloudflare's solution is, in much more depth than we have done here on this webinar, and also how we integrate with Microsoft in detail. So the deck will be available to you, or is available to you directly on the webinar, or you can scan the QR codes on this slide. So, again, thank you so much for your time, and I think we still have some time. So now I'll basically see if we have any questions over here so that I can answer them.

Alright. So let me have a look. Alright. So the first question that I see is from Ahmed, thank you for your question. So it's whether DLP policies, when we create them on Cloudflare, support OCR. So the answer to that is yes. We do support OCR with the DLP policies. And then whether the WARP client can act as endpoint DLP and also extend that support to USB and Bluetooth. No. So our solution is really cloud based and focused on getting all these security controls on the cloud side.
So our DLP engine works in the cloud. So, no, in our solution there is no endpoint DLP, but we do support OCR. Okay. Do we need to create DLP policies on Cloudflare, or will it pick up DLP policies from Purview? So right now, for DLP, you need to build them on Cloudflare. The only thing we can integrate is the labels from Purview. That's the extent of the integration right now. There's this whole other thing that I haven't shown that can be done on Cloudflare, which is our developer platform. So you can build applications on Cloudflare directly. So something that could be done with some development effort is using a Cloudflare Worker to fetch the DLP policies from Purview through the Microsoft APIs and then import them into Cloudflare. So that would be kind of a custom integration if you wanted to go that way. The other thing that I haven't mentioned in this presentation, which is a very recent development, is that now we can also do outbound DLP on email for Microsoft customers. So we have an add-in. And in that case, when you want to send an email from Outlook to the outside, Microsoft will check with our DLP policies first to see if it is okay. And if not, the email gets blocked.

Now, another question from John. Okay. So about the egress policies, the question is how this would work, the egress policy that I showed you, if the user is coming from a noncompliant device or a device that belongs to an external user or guest. So the scenario that I showed is when an organization wants to have tighter control over accessing these applications. So essentially, to make sure that only the corporate devices in a good state can access. So in this use case, which is a common use case for organizations, we do not want users to be able to access the environment if their device is not compliant or if they are an external user. So that is by design. We want to prevent it.
That being said, this is not a mandatory use case. Right? You implement it if you want, and you could be more granular about it. So an organization can get assigned multiple IP addresses, not just one. So your Cloudflare account can have a set of IP addresses, not just one. And so instead of just having one egress policy like I showed you, you could have more that, depending on the conditions, will give you a different IP address. And so that then would be a matter of configuring on the Microsoft side more granular conditional access policies for different sets of IP addresses. So, let's say, I might get an IP address which is less restrictive on the type of conditions. Let's say my device does not need to be in a compliant state to access Outlook, but it does need to be in a compliant state to reach OneDrive. Okay? So that could be done. I could have differentiated policies that link to different IP addresses and then link to different conditional access policies on the Microsoft side.

Alright. So I think I went through them. But, oh, there is one more from Ahmed. Is there a way to avoid the authentication for internal apps after authenticating in Cloudflare? Yes. So in this demo, I wanted to show you the flow. Right? So I wanted to trigger the authentication so that you see how it works. But when you are on the dashboard, you can actually say per application how frequently the authentication needs to happen. So I could authenticate one time, and then I only need to authenticate again in two days, for example. So that is customizable per application. The other thing we can also do, if you have a back-end system that you don't want to log in to again: when a user authenticates to Cloudflare, it gets a JWT token and some additional HTTP headers that are sent to the application behind.
So if the application behind is able to read those headers, it can extract the user identity from them. And so it automatically authenticates into the application with no need to reauthenticate again. So it's possible to do. Alright. Okay. So I guess I've answered all the questions on the chat. There is maybe just one more that I see here, a common question that we get, which is if there is any additional cost to use these Microsoft integrations with our platform. So I want to be clear about it. No. There is not. So as part of our Cloudflare solutions, if you have the particular Cloudflare solution, those integrations that are available within that solution are all already there with the solution itself. There is no need for any additional license on the Cloudflare side. Of course, you need to have the corresponding licensing on the Microsoft side. Right? If you want to use the Purview integration, you need to be entitled to use Purview on the Microsoft side. But on Cloudflare's side, our integrations are just part of our solution set, so no additional costs there. Okay. So with that, I think we've gone through everything. Again, thank you so much for your time. We hope the session was useful, and please go through the resources that we've shared with you. And if you have any questions, please reach out to us. Or if you want to go into this in more depth, we would be very happy to follow through. So thank you so much, and have a great day. Thank you.