Another week, another Ansible quirk 🤷‍♂️ Imagine you have a long Jinja2 expression, and you want to wrap it across multiple lines to improve readability. Using the multiline YAML format seems to be the ideal choice:
---
- name: Test playbook
  hosts: localhost
  tasks:
    - set_fact:
        a: >
          {{ 123 == 345 or
          123 > 345 }}
It works every time 50% of the time (this time depending on your Ansible version).
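The post does not say why the folded form misbehaves, so the following example (added here, not from the post) shows one concrete difference between the folded scalar `>`, the stripped scalar `>-` and a plain quoted string: the folded scalar keeps a trailing newline, which a template engine that preserves trailing newlines renders as "False\n", a non-empty (truthy) string instead of a boolean. The `coerce` helper is a simplified stand-in for how a fact value is typed, not Ansible's own code, and it is an assumption that this newline is what changes between versions.

```python
"""Show the trailing newline a YAML folded scalar adds to a Jinja2 expression."""
import yaml                      # PyYAML, the parser behind Ansible's YAML loader
from jinja2 import Environment   # Jinja2, Ansible's templating engine

# Constructed playbook fragment: the page's folded form (>) beside the
# stripped form (>-) and a plain quoted string for comparison.
PLAYBOOK = """
- name: Test playbook
  hosts: localhost
  tasks:
    - set_fact:
        folded: >
          {{ 123 == 345 or
          123 > 345 }}
        stripped: >-
          {{ 123 == 345 or
          123 > 345 }}
        quoted: "{{ 123 == 345 or 123 > 345 }}"
"""


def load_set_fact_args():
    """Return the raw set_fact arguments exactly as the YAML parser sees them."""
    play = yaml.safe_load(PLAYBOOK)[0]
    return play["tasks"][0]["set_fact"]


def render(expr):
    """Render one expression, preserving any trailing newline of the source."""
    # keep_trailing_newline is used here to model Ansible preserving the
    # source string's trailing newlines (assumption; check your ansible-core).
    env = Environment(keep_trailing_newline=True)
    return env.from_string(expr).render()


def coerce(rendered):
    """Simplified model of typing a rendered fact: exact 'True'/'False' -> bool.

    A trailing newline defeats the exact comparison, so the value stays a
    string. This is a stand-in for Ansible's behaviour, not its code.
    """
    if rendered in ("True", "False"):
        return rendered == "True"
    return rendered


def evaluate_all():
    """Render and coerce every set_fact argument; returns {name: value}."""
    return {name: coerce(render(expr)) for name, expr in load_set_fact_args().items()}


if __name__ == "__main__":
    for name, value in evaluate_all().items():
        print(f"{name:9} -> {value!r} (truthy: {bool(value)})")
```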
We understand that one of the significant hurdles faced by our customers, especially larger organizations, is obtaining a clear view of the deployment of Cloudflare services throughout their vast and complex infrastructures. The question isn't just whether Cloudflare is deployed, but whether it's fully optimized across every asset and service. Addressing this challenge head-on, we're rolling out a new feature set designed to provide better visibility and control over your security posture.
The core problem we're tackling is the growing complexity of cyber threats and the expanding attack surface, which complicates maintaining a strong security posture for our customers.
It's not uncommon for organizations to deploy a variety of security solutions, including ours, without fully optimizing and implementing their configurations. This results in a false sense of security, underutilized investments and, more critically, exposed vulnerabilities. Our customers frequently express concerns about not having a clear picture of their security posture across their entire infrastructure, uncertain if critical assets are adequately protected or if specific Cloudflare security features could be better leveraged.
We want to bring users comprehensive visibility into their security configurations and the state of their deployments across Cloudflare's suite of products. By providing …
Cloudflare is committed to providing our customers with industry-leading network security solutions. At the same time, we recognize that establishing robust security measures involves identifying potential threats by using processes that may involve scrutinizing sensitive or personal data, which in turn can pose a risk to privacy. As a result, we work hard to balance privacy and security by building privacy-first security solutions that we offer to our customers and use for our own network.
In this post, we'll walk through how we deployed Cloudflare products like Access and our Zero Trust Agent in a privacy-focused way for employees who use the Cloudflare network. Even though global legal regimes generally afford employees a lower level of privacy protection on corporate networks, we work hard to make sure our employees understand their privacy choices because Cloudflare has a strong culture and history of respecting and furthering user privacy on the Internet. We've found that many of our customers feel similarly about ensuring that they are protecting privacy while also securing their networks.
So how do we balance our commitment to privacy with ensuring the security of our internal corporate environment using Cloudflare products and services? We start with the basics: We …
Today, Cloudflare is launching early access to the Deskope Program, a new set of tooling to help migrate existing Netskope customers to Cloudflare One for a faster and easier security experience. In addition, we're also thrilled to announce the expansion of the Descaler Program to Authorized Service Delivery Partners, who will now have exclusive access to the Descaler toolkit to help customers move safely and quickly to Cloudflare.
To set the stage, Cloudflare One is our Secure Access Service Edge (SASE) platform that combines network connectivity services with Zero Trust security on one of the fastest, most resilient, and most composable global networks. The Descaler Program was announced in early 2023 as a frictionless path to migrate existing Zscaler customers to Cloudflare One. Today, we are announcing the Deskope Program as a new and equally effortless path to migrate existing Netskope customers to Cloudflare One.
The Deskope Program follows the same approach as the Descaler process, including the tools, process, and partners you need for a frictionless technical migration. This program is completed through architecture workshops, technical migration tooling, and when requested, trusted partner engagements.
Deskope's approach is based on …
Today, we are happy to announce that Cloudflare customers can protect their APIs from broken authentication attacks by validating incoming JSON Web Tokens (JWTs) with API Gateway. Developers and their security teams need to control who can communicate with their APIs. Using API Gateway's JWT Validation, Cloudflare customers can ensure that their Identity Provider previously validated the user sending the request, and that the user's authentication tokens have not expired or been tampered with.
After our beta release in early 2023, we continued to gather feedback from customers on what they needed from JWT validation in API Gateway. We uncovered four main feature requests and shipped updates in this GA release to address them all:
| Old, Beta limitation | New, GA release capability |
|---|---|
| Only supported validating the raw JWT | Support for the Bearer token format |
| Only supported one JWKS configuration | Create up to four different JWKS configs to support different environments per zone |
| Only supported validating JWTs sent in HTTP headers | Validate JWTs if they are sent in a cookie, not just an HTTP header |
| JWT validation ran on all requests to the entire zone | Exclude any number of managed endpoints in a JWT validation rule |
We are excited to announce two enhancements to Cloudflare's Data Loss Prevention (DLP) service: support for Optical Character Recognition (OCR) and predefined source code detections. These two highly requested DLP features make it easier for organizations to protect their sensitive data with granularity and reduce the risks of breaches, regulatory non-compliance, and reputational damage.
These capabilities are available now within our DLP engine, which is just one of several Cloudflare services, including cloud access security broker (CASB), Zero Trust network access (ZTNA), secure web gateway (SWG), remote browser isolation (RBI), and cloud email security, that help organizations protect data everywhere across web, SaaS, and private applications.
OCR enables the extraction of text from images. It converts the text within those images into readable text data that can be easily edited, searched, or analyzed, unlike images.
Sensitive data …
Today, nearly two percent of all TLS 1.3 connections established with Cloudflare are secured with post-quantum cryptography. We expect to see double-digit adoption by the end of 2024. Apple announced in February 2024 that it will secure iMessage with post-quantum cryptography before the end of the year, and Signal chats are already secured. What once was the topic of futuristic tech demos will soon be the new security baseline for the Internet.
A lot has been happening in the field over the last few years, from mundane name changes (ML-KEM is the new name for Kyber), to new proposed algorithms in the signatures onramp, to the catastrophic attack on SIKE. Plenty that was written merely three years ago now feels quite out of date. Thus, it is high time for an update: in this blog post we'll take measure of where we are now in early 2024, what to expect for the coming years, and what you can do today.
First things first: why are we migrating our cryptography? It's because of quantum computers. These marvelous devices, instead …
Welcome to the digital age, where the marvels of self-driving cars and sophisticated AI like ChatGPT grace our everyday lives. Yet, amidst these advancements, a battleground often goes unnoticed, hidden within the layers of our network infrastructures. It's a world where network teams are the unsung heroes, tirelessly working behind the scenes to keep our digital lifelines seamless and uninterrupted. Today, I want to take you on a journey through Network Observability, a beacon of hope in the relentless quest to avoid outages, understand the impact of change, and quickly and accurately root cause complex situations.
Daniel Dib tweeted about an old comment of mine a few days ago, adding:
Not surprisingly, that was bound to upset a few people, and Roman Dodin quickly pointed out the EVPN interoperability tests:
It is beginning to look like Dell Technologies and Hewlett Packard Enterprise, the world's two biggest original equipment manufacturers, are finally going to start benefiting from the generative AI wave, mainly because they are finally getting enough allocations of GPUs from Nvidia and AMD that they can start addressing the needs of customers who don't happen to be among the hyperscalers and largest cloud builders. …
The AI Wave Finally Starts Lifting Dell And HPE was written by Timothy Prickett Morgan at The Next Platform.
The United States Cybersecurity and Infrastructure Security Agency (CISA) and seventeen international partners are helping shape best practices for the technology industry with their "Secure by Design" principles. The aim is to encourage software manufacturers to not only make security an integral part of their products' development, but to also design products with strong security capabilities that are configured by default.
As a cybersecurity company, Cloudflare considers product security an integral part of its DNA. We strongly believe in CISA's principles and will continue to uphold them in the work we do. We're excited to share stories about how Cloudflare has baked secure by design principles into the products we build and into the services we make available to all of our customers.
Secure by design describes a product where the security is "baked in" rather than "bolted on". Rather than manufacturers addressing security measures reactively, they take actions to mitigate any risk beforehand by building products in a way that reasonably protects against attackers successfully gaining access to them.
Secure by default means products are built to have the necessary security configurations come as a default, without additional …