Cloudflare CASB: From Seeing Risk to Fixing It

Closing the Loop: CASB Remediation

Cloudflare's introduction of Remediation to its CASB offering marks a substantial evolution, transforming it from a purely visibility and detection tool into an active security control. The ability to directly fix risky file-sharing configurations within Microsoft 365 and Google Workspace from the Cloudflare One dashboard significantly streamlines security operations and reduces the time to mitigate threats. By closing the loop between identifying a risk and resolving it, Cloudflare addresses a critical pain point for security teams, who often struggle with the manual effort and delays associated with remediating issues across disparate SaaS application admin consoles. The technical implementation, leveraging Cloudflare Workers, Workflows, and other internal services, is a testament to their platform's capabilities and demonstrates a robust, scalable, and durable approach to executing these critical actions. The focus on high-impact, common file-sharing risks like public links and over-sharing to external domains is a smart starting point, targeting the most prevalent threats.

However, the current limitations are worth noting. The initial release is confined to file-sharing issues within Microsoft 365 and Google Workspace. While these are critical platforms, the broader enterprise ecosystem relies on a multitude of other SaaS applications (Box, Salesforce, Slack, GitHub, etc.). The extensibility to these platforms is a stated future goal, but the current scope might leave organizations using other key tools feeling underserved. Furthermore, the 'paid CASB license' requirement, while standard for enterprise security solutions, means that smaller organizations or those new to Cloudflare might not immediately benefit from this advanced capability without an upfront investment. The 'Remediation' actions themselves are currently focused on 'Remove sharing' and planned 'Quarantine' actions. While powerful, the absence of more granular or customizable remediation actions (beyond future custom webhook actions) might limit its applicability in highly specialized security policies. The reliance on API integrations also means that the effectiveness and speed of remediation are inherently tied to the performance and rate limits of the integrated SaaS providers, even with Cloudflare's robust internal architecture.

Key Points

• Cloudflare CASB now offers Remediation, allowing users to fix identified risks directly from the Cloudflare One dashboard.
• Initially, Remediation focuses on file-sharing issues in Microsoft 365 (OneDrive, SharePoint) and Google Workspace (Drive).
• Supported remediation actions include removing public links, organization-wide shares, and external shares for identified files, especially when matching DLP profiles.
• The system is built on Cloudflare's internal stack, including Workers, Workflows, and Queues, for speed, durability, and scalability.
• Future plans include Quarantine actions, Custom Webhook actions, autoremediation policies, custom findings, bulk remediation, and extending support to more SaaS integrations.

---

📖 Source: See risk, fix risk: introducing Remediation in Cloudflare CASB