Cloudflare has been steadily expanding its portfolio of security services over the last several years. One thing that has been missing, however, is cloud security posture management (CSPM), which is a class of security tools that helps organizations to understand and evaluate the current state of application and infrastructure security in the cloud. That’s now changing with today’s debut of Cloudflare Security Posture Management.
The new offering aims to help security teams discover assets they might not know about, including cloud applications, API endpoints and even AI-powered services. It also provides a unified dashboard with insight across known assets, enabling organizations to both prioritize and remediate identified risk.
Key capabilities the new solution offers include:
- Real-time asset discovery and inventory across SaaS and web applications
- A unified dashboard providing visibility across all technology assets
- Continuous asset-aware threat detection and risk assessment
- Protection for SaaS applications containing sensitive information
- API posture management with seven new risk scans
- Email security posture management integration
“The magic here is a customer onboards to Cloudflare, they start proxying traffic to our network, and then within that traffic, we can discover all the things,” Michael Tremante, senior director of product at Cloudflare, explained to Network World in an exclusive interview.
Taking a network-first approach to posture management
Cloudflare’s security posture management solution operates fundamentally differently from traditional tools that typically require either agents installed on endpoints or API connections to cloud environments. Its network-based approach enables two distinct discovery paths:
- Through reverse proxy services protecting public-facing cloud applications
- Via forward proxy capabilities through Cloudflare Zero Trust for employee traffic
When traffic passes through Cloudflare’s network, whether it’s incoming requests to an organization’s applications or outgoing traffic from employees, the platform performs deep packet inspection after decryption. The system classifies discovered assets automatically, identifying API endpoints, login pages, checkout forms and even AI-powered services—all without requiring configuration by security teams.
“We’re a full Layer 7 proxy. We decrypt and re-encrypt at the edge of everything,” Tremante explained.
For employee traffic, the discovery mechanism works through either DNS resolution or full proxy capabilities. “Once we’re proxying traffic, we don’t actually differentiate who’s on the other end of that connection,” he said. “It can be a SaaS application, a custom-built internal application… as long as they’re speaking the protocols we understand.”
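To make the discovery mechanism described above concrete, here is an added example (not Cloudflare's code, and not from the article) showing how a Layer 7 proxy can turn decrypted request metadata into an asset inventory. The log records, host lists and classification rules are all constructed assumptions: inbound records stand in for the reverse-proxy path in front of an organization's own applications, outbound records for the forward-proxy path carrying employee traffic, and the category rules (API endpoint, login page, checkout form, AI service, SaaS app) are deliberately simple stand-ins for whatever signals a real product would use.

```python
"""Toy illustration of proxy-based asset discovery.

Constructed example, not Cloudflare code. A full Layer 7 proxy sees each
decrypted request; from host, path, method and content type alone it can
infer what kind of asset sits behind the endpoint. Every record and host
list below is constructed for illustration.
"""
from collections import defaultdict
import re

# Hypothetical records in the shape a proxy might log after decryption.
# direction: "inbound"  = reverse proxy in front of the org's own apps
#            "outbound" = forward proxy (Zero Trust) carrying employee traffic
SAMPLE_RECORDS = [
    {"direction": "inbound", "method": "GET", "host": "shop.example.com",
     "path": "/api/v1/products", "content_type": "application/json", "status": 200},
    {"direction": "inbound", "method": "POST", "host": "shop.example.com",
     "path": "/login", "content_type": "application/x-www-form-urlencoded", "status": 302},
    {"direction": "inbound", "method": "POST", "host": "shop.example.com",
     "path": "/checkout/payment", "content_type": "application/x-www-form-urlencoded", "status": 200},
    {"direction": "inbound", "method": "GET", "host": "shop.example.com",
     "path": "/index.html", "content_type": "text/html", "status": 200},
    {"direction": "inbound", "method": "GET", "host": "legacy.example.com",
     "path": "/api/orders", "content_type": "application/json", "status": 200},
    {"direction": "outbound", "method": "POST", "host": "api.openai.com",
     "path": "/v1/chat/completions", "content_type": "application/json", "status": 200},
    {"direction": "outbound", "method": "GET", "host": "outlook.office.com",
     "path": "/mail/", "content_type": "text/html", "status": 200},
    {"direction": "outbound", "method": "GET", "host": "internal-wiki.corp.example",
     "path": "/wiki/Home", "content_type": "text/html", "status": 200},
]

# Assumed classification rules; a real product would use far richer signals.
AI_SERVICE_HOSTS = {"api.openai.com", "api.anthropic.com"}          # assumed list
SAAS_HOSTS = {"outlook.office.com", "login.microsoftonline.com"}  # assumed list
LOGIN_RE = re.compile(r"/(login|signin|auth)(/|$)", re.I)
CHECKOUT_RE = re.compile(r"/(checkout|payment|cart)(/|$)", re.I)
API_RE = re.compile(r"^/api(/|$)|^/v\d+/", re.I)


def classify_request(rec):
    """Return an asset category inferred from a single proxied request."""
    host, path = rec["host"], rec["path"]
    ctype = rec.get("content_type", "")
    if rec["direction"] == "outbound":
        # Employee traffic: the interesting question is which service was reached.
        if host in AI_SERVICE_HOSTS:
            return "ai-service"
        if host in SAAS_HOSTS:
            return "saas-app"
        return "internal-app"
    # Inbound traffic: classify the organization's own endpoint.
    if LOGIN_RE.search(path):
        return "login-page"
    if CHECKOUT_RE.search(path):
        return "checkout-form"
    if API_RE.search(path) or ctype.startswith("application/json"):
        return "api-endpoint"
    return "web-page"


def normalize_path(path):
    """Collapse numeric IDs so /api/orders/123 and /api/orders/456 count as one asset."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)


def build_inventory(records):
    """Group discovered assets by category.

    Inbound assets are keyed by host plus normalized path; outbound
    destinations are keyed by host alone.
    """
    inventory = defaultdict(set)
    for rec in records:
        category = classify_request(rec)
        if rec["direction"] == "inbound":
            asset = f"{rec['host']}{normalize_path(rec['path'])}"
        else:
            asset = rec["host"]
        inventory[category].add(asset)
    return {k: sorted(v) for k, v in inventory.items()}


def unknown_hosts(records, known_hosts):
    """Hosts seen in inbound traffic that the team's own inventory does not list."""
    seen = {r["host"] for r in records if r["direction"] == "inbound"}
    return sorted(seen - set(known_hosts))


if __name__ == "__main__":
    for category, assets in build_inventory(SAMPLE_RECORDS).items():
        print(f"{category:15s} {', '.join(assets)}")
    # The forgotten host shows up without any agent or cloud API integration.
    print("not in inventory:", unknown_hosts(SAMPLE_RECORDS, ["shop.example.com"]))
```

The `unknown_hosts` check is the part worth noting from a posture-management angle: because classification runs on traffic the proxy already handles, a host the security team never registered (here the constructed `legacy.example.com`) surfaces as soon as it receives a request, which is exactly the kind of forgotten asset the article's closing quote describes.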
Why the network has the upper hand for security posture management
Managing SaaS-based application security can be particularly complex. Most SaaS vendors already have integrated various access and security controls, but there is still more that can be done at the network layer.
Tremante noted that, for example, if an organization is using Microsoft 365, there are a series of specific controls within the provided dashboard which are more specific to that environment.
“If you’re in a security team and you want to make sure that only a subset of your employees are accessing Outlook or Microsoft 365, and that no content going towards Outlook is malicious so you want to block it upfront before I even reach the Outlook service, the network has an upper hand, because we’re the full proxy,” he said.
Getting ready for PCI DSS 4.0 compliance
The platform also addresses compliance requirements by automatically identifying potential issues.
Security posture management is particularly important for regulatory compliance. One concern that many organizations will be facing this month is being compliant with version 4.0 of the Payment Card Industry Data Security Standard (PCI DSS), which comes into effect as of March 31.
“As part of security posture management, we now discover all external facing web assets loaded in web apps,” Tremante said. That capability is a key component of PCI DSS 4.0 compliance.
Not quite a full CSPM, but that’s coming
It’s important to note that, at launch, Cloudflare Security Posture Management is not a full CSPM, as it is limited to discovering assets that are already protected by Cloudflare’s network. Looking forward, the company already has plans to expand.
“This is step one, and we are definitely inching towards the full secure posture management space,” Tremante revealed. “We have plans to start performing active scanning of assets, not even onboarded onto the Cloudflare network.”
This expansion would position Cloudflare more directly against traditional security posture management vendors, while maintaining its network-centric approach as a key differentiator.
“Sometimes customers think they are fully onboard onto Cloudflare, and yet, there’s this other network somewhere that they completely forgot about,” Tremante added.