Cloudflare One has grown so much through the years. What began with securing visitors on the community now spans the endpoint and SaaS functions – as a result of that’s the place work occurs.
However because the market has advanced, the core mission has change into clear: knowledge safety is enterprise safety.
Right here’s why. We don’t implement controls simply to implement controls. We do it as a result of the downstream outcomes are pricey: malware, credential theft, session hijacking, and ultimately the factor that issues most: delicate knowledge leaving the group. What seems to be like a easy entry coverage may be the primary hyperlink in a series that ends in incident response, buyer impression, and reputational injury.
So once you take a step again, most safety applications – even those that look completely different on paper – try to reply the identical questions:
That’s the spine of our knowledge safety imaginative and prescient in Cloudflare One: a single mannequin that follows knowledge throughout the locations it strikes, not a pile of siloed controls. Meaning:
Safety in transit (throughout Web + SaaS entry)
Visibility and management at relaxation (inside SaaS)
Enforcement in use (on endpoints)
And now, protection on the immediate (as AI turns into a brand new interface to enterprise knowledge)
Consider these as one linked system: visibility tells you what’s occurring, controls constrain the place knowledge can transfer, and enforcement closes the last-mile gaps when content material leaves an app. That’s the endpoint-to-prompt downside: knowledge strikes quicker than product boundaries, so coverage must comply with the information, not the software.
On this put up, we’ll stroll by means of a set of updates that push that imaginative and prescient ahead – from browser-based Distant Desktop Protocol (RDP) controls, to operation-level logging, to endpoint knowledge loss prevention (DLP), to AI safety scanning for Microsoft 365 Copilot.
Distant entry with out knowledge sprawl: browser-based RDP clipboard controls
Browser-based RDP is a sensible approach to supply distant entry when you may’t assume a managed endpoint or put in consumer – frequent for contractors, companions, and occasional entry workflows. Cloudflare One’s browser-based RDP provides visibility and coverage controls to that entry. However when you’re delivering a full RDP expertise within the browser, the query turns into easy: how granular are your controls over the place knowledge can transfer, particularly by way of the clipboard?
Right now, we’re including a setting that instantly protects knowledge: clipboard controls for browser-based RDP. With this new characteristic, safety and IT directors will now be capable to determine whether or not their customers can copy or paste data between their native machine and the browser-based RDP session.
Clipboard restrictions are an ideal instance of the productivity-security tradeoff. If customers can’t copy and paste within the workflow they depend on, they’ll route across the management, whether or not it’s by taking screenshots, retyping knowledge, or shifting work to unmanaged instruments. Clipboard controls allow you to be exact: permit the workflow the place it’s protected, and block it the place it isn’t.
With clipboard controls in browser-based RDP, directors can allow the copy/paste workflow customers anticipate whereas imposing granular management over directionality and context. For instance, if customers entry a buyer assist portal that incorporates delicate buyer data, you would possibly permit copy/paste into the session for productiveness, however block copy/paste out of the session to stop knowledge from touchdown on unmanaged endpoints.
This performance is now accessible in Cloudflare One and may be configured as a brand new setting inside Entry Utility Insurance policies for browser-based RDP apps.
Visibility with out guesswork: operation mapping in logs
Whereas distant entry controls cut back threat, to tune them nicely, you additionally want to grasp the particular actions customers are taking inside SaaS apps.
We use a course of known as operation mapping (detailed in a current weblog put up) to provide visibility to those actions and simplify the best way clients write insurance policies for SaaS providers. Our mapping course of takes numerous components of an HTTP request and interprets them as a single operation, e.g. ‘SendPrompt’, within the instance of ChatGPT. We accumulate a number of operations that carry out comparable actions into an Utility Management, e.g., ‘Share’ or ‘Upload’. The [what?] is viewable in our HTTP coverage builder, permitting for easy coverage authoring.
Right now, we’ve taken that course of a step additional to complement logs and supply higher visibility over how SaaS functions are being utilized in your group – by extending that mapping into logging. With none extra configuration, operations and utility controls will now seem in log occasions for visitors that matches our operation maps.
In log particulars, you’ll now see each the applying management group and the particular operation (e.g., SendPrompt for ChatGPT). This makes investigations and coverage tuning quicker.
The added context helps you perceive utilization patterns, speed up forensic evaluation, and spot probably dangerous conduct, so you may tune coverage with much less guesswork and disruption to customers.
Visibility is the first step. To guard knowledge in use, particularly what strikes by means of the clipboard, you additionally want enforcement on the endpoint.
Higher endpoint safety: on-device DLP within the Cloudflare One Consumer
In a contemporary enterprise, delicate data routinely strikes from managed functions into unmanaged contexts – typically by way of the clipboard. The chance isn’t solely a file leaving the group; it may be a snippet of proprietary code or a buyer document pasted into an unauthorized massive language mannequin (LLM) or private software.
Cloudflare One already helps defend knowledge in transit with Gateway and DLP, and supplies visibility and management at relaxation by means of CASB and its API integrations. Now we’re extending protection to knowledge in use by bringing Endpoint DLP enforcement to the Cloudflare One Consumer, beginning with high-signal workflows like clipboard motion, so knowledge safety doesn’t cease the second content material leaves a browser tab.
Meaning delicate knowledge copied from a protected SaaS app doesn’t instantly change into “policy-free” content material the second it hits the OS clipboard. With Endpoint DLP, groups can lengthen knowledge safety to customers’ fingertips with out deploying a second agent or stitching collectively complicated integrations.
For groups already utilizing Cloudflare One for knowledge safety, Endpoint DLP completes the mannequin by including a constant enforcement layer for knowledge in use.
That is the endpoint-to-prompt downside: if delicate knowledge may be copied domestically, it may be pasted into an AI assistant simply as simply. When you defend knowledge in use, the subsequent query turns into unavoidable – what occurs when that very same knowledge is remodeled on the immediate?
AI visibility with out blind spots: M365 Copilot scanning with API CASB
Final yr, Cloudflare One and API CASB grew to become the first to supply API integrations with OpenAI ChatGPT, Anthropic Claude, and Google Gemini choices – and we’re not completed but.
Beginning as we speak, clients utilizing Cloudflare One’s API Cloud Entry Safety Dealer (CASB) – which scans SaaS apps by way of API for frequent, but dangerous safety points – can now analyze Microsoft 365 Copilot exercise for knowledge safety points, together with chats and uploads that match DLP detection profiles.
Copilot findings floor with wealthy context (file references, profile matches, and interplay metadata) so groups can triage rapidly as a substitute of ranging from uncooked audit logs.
A CASB Discovering exhibiting detection of a file utilized in M365 Copilot that matches an enabled DLP Profile
Clients can now see when Copilot exercise contains delicate knowledge. For instance, person prompts, Copilot responses, and uploaded information that match DLP detection profiles.
Microsoft 365 Copilot findings can be found by default as a part of the Microsoft 365 integration. If you happen to already use this integration, go to Integrations within the Cloudflare One dashboard, replace your Microsoft 365 connection, and begin receiving Copilot findings. If you happen to’re new to the combination, join your Microsoft 365 tenant to achieve visibility into Copilot utilization and related knowledge safety findings.
As AI product sprawl continues, we’ll be massively increasing protection throughout extra AI assistants and core SaaS platforms all through 2026 – keep tuned!
What’s subsequent: unified knowledge safety in Cloudflare One
Over the previous couple of years, enterprise safety has expanded throughout extra surfaces: SaaS, unmanaged endpoints, distant entry patterns, and now AI assistants. However the goal – defending delicate knowledge – hasn’t modified. The updates on this put up mirror a single path: constant visibility and enforcement throughout knowledge in transit, at relaxation, in use, and on the immediate. So coverage follows knowledge, not product boundaries.
Trying ahead, our imaginative and prescient is broader than “data security features in data security products.” Over time, each Cloudflare One product will change into extra data-security-aware, with extra data-oriented configurability, visibility, controls, and guardrails, constructed instantly into the workflows groups already use throughout Entry, Gateway, endpoint enforcement, and SaaS integrations. The objective is straightforward: wherever your customers work and wherever knowledge strikes, Cloudflare One ought to be capable to clarify what’s occurring and enable you management it.
As the trendy perimeter spreads throughout functions, browsers, endpoints, and AI prompts, patching collectively level options turns into more durable to function and simpler to bypass. By constructing knowledge safety instantly into Cloudflare One – from entry controls to endpoint enforcement to AI visibility – and persevering with to unify these layers, we’re serving to groups construct a clearer, extra full image of their knowledge threat and their knowledge safety posture from the endpoint to the immediate.
To get began, discover Cloudflare One or contact our crew to study extra concerning the platform and these new options.
