Like other hosted ZTNA solutions, Cloudflare Access makes significant performance, reliability, and privacy concessions in exchange for the convenience of a hosted service. As a result, we only recommend Cloudflare Access over Pomerium as a VPN replacement if your organization cannot self-host.
If performance, or retaining full control over your data to meet compliance and auditing requirements, is a priority, Pomerium is the better solution.
- VPN-alternative — Cloudflare Access provides a VPN alternative which allows your organization to manage access to your applications based on your existing identity provider.
- Part of Cloudflare — Cloudflare Access benefits from being built on Cloudflare’s existing CDN, which should offer better speeds than other VPNs.
- IdP ready — Cloudflare Access supports SAML and OIDC-compliant identity providers (IdPs) for SSO.
- A trail of breadcrumbs — Cloudflare Access has basic auditing and logging, with retention that depends on your payment plan.
- Your fate is in their hands — Cloudflare Access’s role as logger, auditor, and policy enforcer makes it a single point of failure for networks and applications relying on it.
- Expansion of information boundary — Cloudflare decrypts your traffic in order to inspect it and enforce policy, so your data is exposed in clear text on a third party's network, which raises privacy concerns. Turning inspection off means policy is no longer enforced.
- Service chaining — The reference documentation lists the services chained together to deliver Cloudflare Access: ZTNA, DNS, WAF, DDoS protection, and more. Gartner has warned against service chaining before, as it is indicative of vendors trying to reduce time to market.
- Pay for that too — Not only does Cloudflare gate many of its best features behind paid plans, routing traffic through its CDN introduces extra hops that incur added latency and bandwidth costs, and Cloudflare is happy to tack those costs onto your bill.
Evaluators Should Know
We base our evaluation of access control solutions on four strict criteria:
- Usability: Cloudflare Access passes the usability test by providing clientless access for applications that do not require tunneling. However, a client agent is required when tunneling.
- Speed: Users will find Cloudflare Access slower than Pomerium because traffic is backhauled through Cloudflare's network. This is separate from the performance degradation caused by Cloudflare's service chaining.
- Security: Cloudflare Access passes the continuous verification test with severe caveats. Additionally, using a third-party hosted solution exposes your organization to compromise through that third party.
- Context-aware access: Cloudflare Access lacks institutional context and cannot implement context-aware access, as doing so would require customers to hand Cloudflare extremely sensitive data.
Additional commentary below covers the shortcomings of Cloudflare's architecture specifically.
Cloudflare Access offers clientless access with limited scope.
Many of our competitors fail the usability test by providing only client-based access — we’re glad to see that Cloudflare has provided an avenue for clientless access to applications.
However, Cloudflare distinguishes two modes of access, agent-based ZTNA and service-based ZTNA; the first is client-based and the second clientless. In their own words:
Agent-based ZTNA requires the installation of a software application called an “agent” on all endpoint devices.
Service-based or cloud-based ZTNA is a cloud service rather than an endpoint application. It does not require the use or installation of an agent.
Organizations looking to implement a Zero Trust philosophy should consider what kind of ZTNA solution best fits their needs. For example, if an organization is concerned about a growing mix of managed and unmanaged devices, agent-based ZTNA may be an effective option. Alternatively, if an organization is primarily focused on locking down certain web-based apps, then the service-based model can be rolled out swiftly.
By comparison, Pomerium offers clientless access without requiring an agent. Cloudflare’s clientless (service-based) access comes with significant tradeoffs, covered in the next section.
Cloudflare Access provides a slower solution with performance and reliability concessions.
This is where Cloudflare starts to fall behind: while they have a world-class CDN, backhauling data through their infrastructure adds unavoidable latency. Pomerium is deployed at the edge, directly in front of the applications it secures, so the data does not traverse any additional hops and users get the lowest latency possible.
Again, in their own words:
Another consideration is that service-based ZTNA may integrate easily with cloud applications but not as easily with on-premise infrastructure. If all network traffic has to go from on-premise endpoint devices to the cloud, then back to on-premise infrastructure, performance and reliability could be impacted drastically.
This effectively limits their service-based ZTNA to cloud applications. On-premises infrastructure still has its place, however, for data tenancy and security.
Evaluators beware: not your infrastructure, not your data. As a hosted solution, Cloudflare Access requires significant data privacy concessions.
These two aspects should never pass technical and security muster:
- Cloudflare exposes your private data in clear-text on their network to enforce policy
- Your data security is in Cloudflare’s hands, with no remedy if Cloudflare is breached
Cloudflare uses HTTPS inspection to verify each action before it is allowed to execute. Because it is a hosted product, however, that inspection happens on infrastructure the organization does not control, which disqualifies Cloudflare for industries that care about data privacy.
In short: how comfortable is the organization with Cloudflare having clear-text access to all data transferred over its service? This includes passwords, session cookies, and anything else in the request, all visible to Cloudflare as a third party.
Security-focused companies like ExtraHop chose Pomerium over Cloudflare citing this issue: The only way to benefit from HTTPS/SSL inspection without exposing your data to third-parties is to self-host the reverse proxy.
Cloudflare Access cannot be true zero trust without integrating institutionally relevant context.
And they never will be because they are a hosted solution. Context-aware access would require giving Cloudflare an uncomfortable amount of information.
Context-aware access integrates institutional context into policy for making access control decisions.
It is no longer reasonable to make access decisions based on user identity alone. Instead, access control solutions should have access to data that would better inform the context surrounding otherwise legitimate user activity. The authorization policy should integrate that data into access decisions when deciding if an impending user request should be allowed or denied, completing the full circle of all four pillars to your access solution.
As this involves feeding institution-specific data to the access control system, that system and the information it has access to should never leave the organization’s control given the sensitive nature of that data. Even if Cloudflare were to offer this integration as a feature, no security-conscious company would ever use it given the fallout of that data being leaked or misused in unintended ways.
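The two points above (the proxy is the one component that sees the decrypted request, and the access decision should combine identity with institutional context) are easier to see in code. The following Go program is an added illustration written for this page; it is not Pomerium's code and does not use Pomerium's policy language. It wraps an application handler in an authorizing layer that authenticates a bearer token, evaluates identity plus two pieces of constructed institutional context (device inventory status and on-call status) against per-path rules, strips the credential, and only then forwards the request. All names, tokens, sessions and rules are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Session: identity from the IdP (Email, Groups) plus institutional context that
// only systems the organization itself runs can supply.
type Session struct {
	Email         string
	Groups        map[string]bool
	DeviceManaged bool // constructed: would come from an internal device inventory
	OnCall        bool // constructed: would come from the team's on-call schedule
}
// Rule says which groups may reach a path prefix, and under what context.
type Rule struct {
	PathPrefix     string
	AllowedGroups  []string
	RequireManaged bool
	RequireOnCall  bool // e.g. production consoles only for whoever is on call
}
// Authorize checks identity AND context for one request; identity alone never
// suffices, and a path matched by no rule is denied.
func Authorize(rules []Rule, s Session, path string) (bool, string) {
	for _, r := range rules {
		if !strings.HasPrefix(path, r.PathPrefix) {
			continue
		}
		switch {
		case !hasAny(s.Groups, r.AllowedGroups):
			return false, "group not permitted for " + r.PathPrefix
		case r.RequireManaged && !s.DeviceManaged:
			return false, "unmanaged device"
		case r.RequireOnCall && !s.OnCall:
			return false, "not on call"
		}
		return true, "matched " + r.PathPrefix
	}
	return false, "no matching rule (default deny)"
}
func hasAny(groups map[string]bool, want []string) bool {
	for _, w := range want {
		if groups[w] {
			return true
		}
	}
	return false
}

// Protect wraps the application so every request is authenticated and authorized
// before it is forwarded. Deployed beside the app, it is the only component that
// handles the bearer credential; sessions stands in for the proxy's session store.
func Protect(app http.Handler, rules []Rule, sessions map[string]Session) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		s, ok := sessions[strings.TrimPrefix(req.Header.Get("Authorization"), "Bearer ")]
		if !ok {
			http.Error(w, "authentication required", http.StatusUnauthorized)
			return
		}
		if allow, why := Authorize(rules, s, req.URL.Path); !allow {
			http.Error(w, "forbidden: "+why, http.StatusForbidden)
			return
		}
		req.Header.Del("Authorization") // the credential stops at the proxy
		req.Header.Set("X-Forwarded-User", s.Email)
		app.ServeHTTP(w, req)
	})
}

var demoRules = []Rule{ // constructed policy for the demonstration
	{PathPrefix: "/prod/", AllowedGroups: []string{"sre"}, RequireManaged: true, RequireOnCall: true},
	{PathPrefix: "/wiki/", AllowedGroups: []string{"engineering", "sre"}, RequireManaged: true},
}
var demoSessions = map[string]Session{ // constructed sessions keyed by bearer token
	"tok-alice": {Email: "alice@example.com", Groups: map[string]bool{"engineering": true}, DeviceManaged: true},
	"tok-bob":   {Email: "bob@example.com", Groups: map[string]bool{"sre": true}, DeviceManaged: true, OnCall: true},
	"tok-carol": {Email: "carol@example.com", Groups: map[string]bool{"sre": true}, OnCall: true}, // unmanaged laptop
}

// Request runs one in-process request (no sockets) carrying the given bearer
// token and returns the status code and body the client would observe.
func Request(path, token string) (int, string) {
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "hello %s", r.Header.Get("X-Forwarded-User"))
	})
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	Protect(app, demoRules, demoSessions).ServeHTTP(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

func main() {
	fmt.Println(Request("/prod/db", "tok-carol"))
}
```

Carol is a valid, on-call SRE and would pass an identity-only check, yet the request is denied because the device inventory says her laptop is unmanaged. That decision depends on data (device inventory, on-call roster) that lives inside the organization, and the decrypted request, bearer token included, never leaves the host running the proxy; the application only ever sees the verified `X-Forwarded-User` header.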
The tragedy of the SASE and ZTNA market
The industry is cutting corners to bring a SASE and ZTNA product to market with service chaining. We’ve written about the current tragic state of SASE before and Cloudflare Access is a victim of this problem.
But first, what is service chaining? Service chaining is creating a chain of connected network services to allow one solution to provide a variety of services. Think of an automated car wash, if you will. Is the result actually detailed and clean?
From a technological perspective, the solution needs to pass the data from one service to the next, with each additional service acting as a small stop. Encrypted data would need to be decrypted and re-encrypted at each step, requiring each service to hold a copy of the keys.
Even though Cloudflare presumably owns and operates each of the services they’ve chained together, the correct decision should have been to architect a solution from the ground up that accomplished all the functions they wished to offer. Instead, their engineers were most likely mandated by management to take their existing services and glue them together with service chaining.
Cloudflare Access is therefore not a solution created from solid engineering decisions but by hasty management decisions chasing a market. These decisions will reflect in its value as a product.
Go Self-Hosted, Try Pomerium
As an open-source, context-aware reverse proxy, Pomerium helps prevent ransomware attacks on internal services and limits lateral movement to sensitive resources. Whether you’re spinning up a new application or trying to add access control to a legacy service, Pomerium builds secure, clientless connections to internal web apps and services without a corporate VPN. The result is:
- Easier with clientless access.
- Faster by being tunnel-free and deployed where your apps and services are.
- Safer because every single action is verified before allowed to execute.
- Tailored to your organization’s needs by integrating institutionally relevant data for context-aware access.
Check out our open-source GitHub repository or give Pomerium a try today!