Node99 Modern Infrastructure + Secure Access

Zero Trust Services

Identity-based access control, reduced attack surface, and operational handover — designed for small IT teams.

Outcomes

Reduce exposed attack surface

  • Remove public IP exposure for internal apps
  • Eliminate inbound firewall port requirements where possible
  • Constrain access to explicit applications, not entire networks

Identity-bound access control

  • Access decisions tied to identity and group membership
  • MFA requirements where appropriate
  • Clear “who can access what” policy mapping

Operationally realistic security

  • Policies designed for small teams
  • Clear runbooks and handover
  • Enforcement without “SOC-level” complexity

Engagement Phases

Phase 1 — Discovery

  • Map identity providers and admin roles
  • Identify exposed services and remote access paths
  • Define business-critical applications and access needs
  • Document current-state risks and constraints

Deliverable: Access Architecture Blueprint

Phase 2 — Implementation

  • Cloudflare Zero Trust tenant configuration
  • Identity provider integration (SAML/OIDC)
  • Access policies (least privilege)
  • Cloudflare Tunnel deployment for private apps
  • Logging configuration + validation

Deliverable: Functional Zero Trust enforcement

Phase 3 — Validation & Proof

  • Access-path verification (allowed flows)
  • Negative tests (denied flows)
  • Policy bypass attempt checks
  • Log trace review and admin change visibility
  • Blast-radius reasoning based on scoped access

Deliverable: Operational Validation Report


What Changes After Zero Trust Implementation

  • Internal applications no longer exposed on public IPs
  • Access controlled per identity and application
  • Vendor access becomes scoped and auditable
  • VPN dependency reduced or eliminated
  • Clear policy map and enforcement logic

Reference Architecture: Cloudflare Zero Trust

Our delivery model commonly uses Cloudflare Zero Trust as the control plane for:

  • Identity-aware application access (Cloudflare Access / ZTNA)
  • Private application publishing (Cloudflare Tunnel)
  • DNS and web controls (optional, depending on scope)
  • Device posture requirements (optional, based on risk tolerance)
  • Logging and audit visibility for access decisions and admin changes

The objective is not “deploy a tool,” but to define:

  • Who should access what
  • Under what identity condition
  • From what device posture (if enforced)
  • Under what logging and review model

Implementation Components

Identity Integration

  • Azure AD / Entra ID
  • Google Workspace
  • Okta
  • Other SAML / OIDC providers

All access becomes identity-bound and auditable.

Private App Access (Cloudflare Tunnel)

  • Publish apps via Cloudflare Tunnel
  • Require identity authentication
  • Authorize via policy rules
  • No inbound firewall ports required

Result: reduced attack surface.

Secure Remote Workforce

  • Application-scoped access (not network-wide)
  • Reduced lateral movement paths
  • Clear separation between user roles and resources

Best for hybrid teams, contractors, and distributed workforces.

DNS & Web Filtering (Optional)

  • DNS-layer filtering
  • Category-based policy enforcement
  • Threat intelligence-based blocking
  • Logging for compliance visibility

Enabled only when it matches your operating needs.


Operational Model

Every implementation includes:

  • Access matrix documentation
  • Policy map and decision logic
  • Change control procedure
  • Validation checklist
  • Handover documentation

Zero Trust is not a product install. It is policy architecture.


Common SMB Starting Points (Real Risk Scenarios)

Many small and mid-sized organizations share similar access and security pain points before adopting a Zero Trust model. These are genuine, documented scenarios that we address with Cloudflare’s Zero Trust products:

  • Traditional VPN reliance
    Legacy VPNs often grant broad network access once connected, increasing lateral movement risk. Cloudflare Access (ZTNA) replaces or augments VPNs with identity-bound access.

  • Exposed internal resources (RDP, SSH, Apps)
    Services like RDP or SSH exposed to the Internet increase attack surface. We use Cloudflare Tunnel to publish these safely without public IPs.

  • Unfiltered Internet browsing
    Remote users and vendors accessing the Internet without filtering are vulnerable to phishing, malware, and ransomware. Cloudflare Gateway (Secure Web Gateway) provides DNS and HTTP controls to block malicious content.

  • Third-party/vendor access without controls
    Contractors and vendor teams often get wide access through shared credentials or VPN tunnels. With Cloudflare Access, you can enforce per-application policies and identity verification.

  • Shadow SaaS usage and unmanaged apps
    Cloudflare’s CASB capabilities provide visibility into SaaS usage and shadow IT, supporting consistent access policies across sanctioned and unsanctioned apps.

Before vs After — Access Control (Zero Trust vs. Traditional)

Traditional Security (Before)

  • Broad network access once inside the perimeter
  • VPN opens full subnet access
  • Internal app access based on location or IP
  • No granular application policy per role
  • Lateral movement possible after initial compromise
  • Unfiltered Internet browsing

Zero Trust with Cloudflare (After)

  • Identity-bound access per application (Cloudflare Access)
  • Native ZTNA without relying on VPN for service access
  • Zero public IPs for internal apps via secure tunnels (Cloudflare Tunnel)
  • Least-privilege policies enforced at the edge
  • Controlled third-party/vendor access per identity and policy
  • Safe Internet browsing with DNS/HTTP filtering (Cloudflare Gateway)
  • Optional isolation of risky browser sessions (Browser Isolation)

Validation & Proof

This is where many deployments fail — policies exist, but proof is missing.

Validation typically includes:

  • Unauthorized user denied access test
  • Expired/invalid session behavior confirmation
  • MFA enforcement confirmation (where required)
  • Tunnel uptime verification and redundancy review (where applicable)
  • Access decision logging verification
  • Admin change visibility review

Proof precedes sign-off.
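An added illustration of the checklist above (example code, not Node99’s or Cloudflare’s): it models an access matrix as deny-by-default, application-scoped rules and runs the listed negative tests against it, so each expected denial is recorded rather than assumed. The Include/Require/Exclude semantics are a simplified assumption, not Cloudflare Access’s actual evaluation engine, and every identity, group and application name is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Session:            # what the identity provider asserts about a signed-in user
    email: str
    groups: set
    mfa: bool
    expires_at: datetime

@dataclass
class Policy:             # one application-scoped row of the access matrix (simplified model)
    app: str
    include_groups: set            # membership in any one of these reaches the app
    require_mfa: bool = False      # extra condition that must also hold
    exclude_emails: tuple = ()     # identities denied regardless of group

def decide(policies, app, session, now):
    """Deny by default: returns 'allow' or 'deny:<reason>' for one access attempt."""
    if session.expires_at <= now:
        return "deny:expired-session"
    scoped = [p for p in policies if p.app == app]
    if not scoped:
        return "deny:no-policy"          # unpublished app: nothing can grant access
    reasons = set()
    for p in scoped:
        if session.email in p.exclude_emails:
            return "deny:excluded"       # an exclusion beats any allow rule
        if not (session.groups & p.include_groups):
            reasons.add("deny:not-in-group")
        elif p.require_mfa and not session.mfa:
            reasons.add("deny:mfa-required")
        else:
            return "allow"               # any matching allow rule is sufficient
    return "deny:mfa-required" if "deny:mfa-required" in reasons else "deny:not-in-group"

def run_validation(policies, cases, now):   # (label, expected, actual) for every mismatch
    return [(l, e, g) for l, a, s, e in cases if (g := decide(policies, a, s, now)) != e]

NOW = datetime(2026, 3, 1, 9, 0, tzinfo=timezone.utc)   # constructed sample data below
POLICIES = [Policy("payroll", {"finance"}, require_mfa=True),
            Policy("wiki", {"staff", "contractors"}, exclude_emails=("left@example.com",))]
def sess(email, groups, mfa=True, hours=8):
    return Session(email, set(groups), mfa, NOW + timedelta(hours=hours))
CASES = [("finance user with MFA", "payroll", sess("ana@example.com", {"finance"}), "allow"),
         ("finance user without MFA", "payroll", sess("ana@example.com", {"finance"}, mfa=False), "deny:mfa-required"),
         ("contractor on payroll", "payroll", sess("bob@vendor.example", {"contractors"}), "deny:not-in-group"),
         ("expired session", "wiki", sess("ana@example.com", {"staff"}, hours=-1), "deny:expired-session"),
         ("offboarded identity", "wiki", sess("left@example.com", {"staff"}), "deny:excluded"),
         ("app with no policy", "hr", sess("ana@example.com", {"finance"}), "deny:no-policy")]
FAILURES = run_validation(POLICIES, CASES, NOW)   # [] when every flow behaves as the matrix says
```

Each case corresponds to one line of the validation list; a non-empty FAILURES list is the evidence that a policy exists on paper but does not enforce what the access matrix claims.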


Designed For

  • 10–300 employee organizations
  • Small IT teams
  • Companies without dedicated security staff
  • Businesses needing controlled remote access
  • Organizations handling sensitive client data

Ideal Customer Profile (SMB 10–50+ Users)

This service is designed for organizations that:

  • Have 10–50 (or up to 150) employees
  • Operate a small office with remote or hybrid users
  • Rely on SaaS (Microsoft 365, Google Workspace, etc.)
  • Provide vendor or contractor access to internal systems
  • Do not have a dedicated security team
  • Currently use VPN or exposed services for remote access

Typical environments include:

  • Professional services firms
  • Small BPO / outsourcing companies
  • Accounting and legal offices
  • Engineering and consulting firms
  • SMB technology companies

The focus is practical access control, not enterprise-level complexity.


What This Is Not

  • A generic firewall deployment
  • A “checkbox security” installation
  • A high-friction SOC model
  • A full SIEM buildout
  • Tooling without documentation and handover

Security must align with operational reality.


Engagement Scope & Boundaries

What We Implement

  • Cloudflare Access (Zero Trust Network Access)
  • Cloudflare Tunnel for private application publishing
  • Identity provider integration (SAML / OIDC)
  • Policy design and enforcement
  • Optional Secure Web Gateway (DNS / HTTP filtering)
  • Optional device posture checks
  • Logging configuration and validation

What We Do Not Replace

  • Your existing firewall infrastructure
  • Your entire identity provider
  • Your endpoint protection stack
  • Your SIEM (unless scoped separately)

Zero Trust implementation is focused on access control and exposure reduction — not full-stack security replacement.


Engagement Terms & Operating Model

Platform Ownership

The client maintains full ownership of the Cloudflare account and subscription.

We configure Cloudflare Zero Trust (Cloudflare One platform) within your tenant.
No shared administrative accounts are retained after project completion.

This ensures:

  • Full control remains with your organization
  • Clean separation of responsibilities
  • Long-term operational independence

Scope of Implementation

The engagement focuses on:

  • Cloudflare Access (Zero Trust Network Access)
  • Cloudflare Tunnel configuration
  • Identity provider integration (SAML / OIDC)
  • Policy architecture and enforcement
  • Logging validation
  • Optional Secure Web Gateway configuration (if scoped)

Infrastructure outside the defined access model (e.g., firewall replacement, endpoint security overhaul, SIEM deployment) is not included unless explicitly agreed.


Security & Administrative Boundaries

  • All access policies are defined collaboratively.
  • Administrative privileges follow least-privilege principles.
  • MFA enforcement is recommended where supported.
  • Post-deployment validation includes access-denial testing.

We do not store credentials or maintain hidden backdoor access.


Operational Handover

Upon completion, you receive:

  • Access matrix documentation
  • Policy map overview
  • Administrative runbook
  • Validation checklist summary

Optional ongoing support can be defined separately.


Ongoing Support (Optional)

For SMB environments without dedicated security staff, we offer structured review support:

  • Policy updates for new users or vendors
  • Periodic access review
  • Configuration validation after major changes

This is optional and scoped separately from initial implementation.


Engagement Model

Pricing is structured per engagement scope.

Initial projects begin with an Access Architecture Assessment to define environment complexity and enforcement model.

Implementation scope and cost are determined based on validated architectural requirements.


What Changes After Implementation

  • Internal applications no longer require public IP exposure
  • Access is enforced per identity and per application
  • Vendor access becomes scoped and revocable
  • VPN dependency is reduced or eliminated
  • Logging aligns with identity and session visibility

Technical Notes

If you want the architectural reasoning behind the model, these are the supporting notes:


Frequently Asked Questions (Cloudflare Zero Trust for SMB)

What is Cloudflare Zero Trust?

Cloudflare Zero Trust is a security model delivered through Cloudflare’s global network that enforces identity-based access control to applications, rather than relying on network location. It includes products such as Cloudflare Access (ZTNA), Cloudflare Tunnel, and Cloudflare Gateway.

Is this the same as a VPN?

No. Traditional VPNs grant broad network access once connected.
Cloudflare Access (Zero Trust Network Access) restricts access per application and per identity, reducing lateral movement risk.

Do we need to remove our firewall?

No. Cloudflare Zero Trust complements existing firewalls. It controls identity-based access and application exposure while your firewall continues to protect network boundaries.

How does Cloudflare Tunnel improve security?

Cloudflare Tunnel allows internal applications to be published without exposing public IP addresses or opening inbound firewall ports. Connections are outbound-initiated, reducing attack surface.

Can we control vendor or contractor access?

Yes. Policies can restrict access to specific applications, require MFA, and limit access duration — all enforced at the identity level.

Does this include web filtering?

If required, Cloudflare Gateway (Secure Web Gateway) provides DNS and HTTP filtering to block malicious domains and enforce browsing policies.

Do users need an agent installed?

Not always. Cloudflare Access can be used from a browser without installing a client. Device posture checks or Gateway enforcement may require an agent, depending on the chosen enforcement model.

Is this suitable for small organizations (10–50 users)?

Yes. Cloudflare Zero Trust is especially effective for SMBs with limited security staff because it reduces infrastructure complexity while improving access control.


Next Step

If your organization currently uses broad VPN access, shared administrative credentials, or exposed internal services — we should define a controlled access model.

Initial engagements begin with a structured discovery review of your current access architecture.

Request an introductory discussion to evaluate scope and feasibility.

Last updated: March 2026

Node99 is an independent Cloudflare Zero Trust implementation specialist focused on identity-based access architecture for SMB environments.


This service leverages Cloudflare Zero Trust products including Cloudflare Access, Cloudflare Tunnel, and Cloudflare Gateway.