The Cloudflare One SASE product builds off of the well-established global backbone that Cloudflare built for their content delivery and cloud security products. When compared against other secure access service edge (SASE) competitors, Cloudflare One can be considered the best option for entry-level SASE based on its free tier for 50 users or fewer.
For more details, explore the following sections of this review:
- Who Is Cloudflare
- Cloudflare One
- Pricing & Delivery
- Features
- Pros
- Cons
- Alternatives to Cloudflare One
- How We Evaluated Cloudflare One
- Bottom Line: Best for Entry-Level SASE
To compare Cloudflare One SASE against their competition, see the complete list of the top SASE solutions.
Who Is Cloudflare?
Founded in 2004, Cloudflare initially wanted to determine the source of email spam and became dedicated to building a better, more secure internet. Cloudflare became a public company in 2019 when it listed under the stock symbol “NET” on the NYSE.
Cloudflare One
Cloudflare released their initial SASE offering in October 2020 and continues to add features and capabilities. Cloudflare One satisfies the six key capabilities to be considered part of the SASE category:
- Centralized control through a consolidated management console, Cloudflare for Teams, that provides a single interface to manage users, resources, and policies
- Monitored network status through the Cloudflare One integrated network-as-a-service (NaaS) reports, analytics, and control over network operations and performance issues such as VPN routing and load balancing
- Monitored user activity and device posture pulled from connected third-party endpoint detection and response (EDR) tools (Tanium, CrowdStrike, etc.), the Cloudflare endpoint agent, and optional data loss prevention (DLP) analysis
- Inspected and decrypted traffic through integrated secure web gateway (SWG), Firewall-as-a-Service (FWaaS), and optional email security capabilities
- Controlled access to data and resources based upon user, device, and permissions through zero trust network access (ZTNA), cloud access security broker (CASB), and domain name service (DNS) security capabilities
- Secured cloud-based assets such as applications, websites, and Software-as-a-Service (SaaS) through FWaaS, CASB, SWG, and ZTNA capabilities as well as optional remote browser isolation
Cloudflare’s SASE solution consists primarily of the following components:
- Magic Transit and the Magic WAN network-as-a-service provide zero-trust network access (ZTNA), traffic acceleration, network and application management, and distributed denial of service (DDoS) protection
- Magic Firewall permits granular rules to allow or deny traffic in or out of the network
- Cloudflare Gateway provides recursive DNS filtering, traffic inspection, and a zero-trust browser between any users and any resource
- Cloudflare browser isolation (optional) uses lightweight draw commands to display web content on local devices and execute code within a headless browser
- Cloudflare WARP client inspects endpoints and enables secure WAN connections for devices using Windows, macOS, iOS, Linux, Android, and ChromeOS
Although these different components are available separately, the Cloudflare One SASE solution bundles all components into one solution with a single centralized SaaS controller.
Pricing & Delivery
Cloudflare One is available in three pricing tiers: free, pay-as-you-go, and contract.
Cloudflare One Free Tier
All three tiers include the basic SASE package to connect users and assets securely. The free tier includes application connector software, device client (agent) software, ZTNA, SWG, and in-line CASB.
The lowest tier of Cloudflare One provides support for 50 users maximum, 24 hours of activity logging, and up to three network locations for office-based DNS filtering. For technical support, the organization must rely upon community forum support.
Cloudflare One Pay-as-you-go Tier ($7–$17 per User)
This tier starts at $7 per user per month and is billed month-to-month. Upgrading to the pay-as-you-go tier eliminates any user maximum and provides 30 days of activity logging and 20 office-based DNS filtering network locations. For support, a customer on this tier will have email and chat support with a four-hour response.
For an additional $10 per user ($17 per user total), Cloudflare also adds the option for remote browser isolation. Remote browser isolation hosts all work activities in a virtual environment isolated from the endpoint for more stringent data control and anti-malware protection.
Cloudflare One Contract Tier (Custom Pricing)
Upgrading to a contract tier SASE solution will result in annually billed custom pricing. At this tier, there is no limit to the number of users, and customers enjoy up to six months of activity logging and can enable up to 250 network locations for office-based DNS filtering. Support is automatically upgraded to priority phone, email, and chat with a one-hour initial response time.
Customers on this tier will receive Logpush to security information and event management (SIEM) tools or cloud storage and certificate-based mTLS authentication for internet of things (IoT) devices. There is also the option to add on features such as remote browser isolation, multi-mode CASB, cloud email security, dedicated egress IP addresses, and DLP.
Features
- Full SASE features, including centralized control, monitored user activity, inspected and decrypted traffic, controlled access, secured cloud-based assets, and monitored network status and operations control
- Private backbone with more than 200 access points in more than 100 countries
- 100% uptime guarantee in the service level agreement (SLA) with 67 TBps of network capacity
- Multiple identity provider integration allows for a variety of ways to confirm users
- Verified device security posture and contextual features built into all SASE tiers
- Make rules easily through the control dashboard or through APIs
- Clientless access option for web apps and browser-based SSH on devices not under corporate control
- Recursive DNS filtering options through device clients or via routers for specific locations (network-level policies for physical locations)
- Shadow IT discovery built into all tiers of service
- PII log redaction to obscure personally identifiable information (PII) from security logs is available in the Custom Tier
- Managed deployment and self-enrollment options through MDM tools or through direct access to Cloudflare
- FedRAMP Moderate Agency authorization maintained for performance, security, and zero trust solutions
- Certified security and compliance for SOC 2 Type II and PCI DSS 3.2.1 and several other standards
- Agent OS options include Windows, macOS, iOS, Android, Linux, and even ChromeOS
Pros
- ZTNA by default applies to all traffic, users, and devices
- 100% consistency with all features for all tiers available from all locations
- Split tunneling supported
- Top-rated DDoS protection through a variety of FWaaS capabilities built into the Magic Transit NaaS incorporated into the SASE product
- Direct container support using tunnel connections
- Robust automation for traffic routing and distributed denial of service (DDoS) protection
- IoT Isolation through the Magic Transit NaaS to protect the IoT and other network resources against attack
- Physical network connections direct to Cloudflare’s PoP supported in addition to tunneling connections to Cloudflare’s network
- Robust free tier for up to 50 users
Cons
- 520 errors and API errors can be sent instead of tangible error messages, which complicates troubleshooting
- Lacks direct network controls that software-defined wide area network (SD-WAN) owners may be used to managing directly
- Lacks email notifications desired by some customers for rule violations
- More third-party integrations desired by customers for device posture check
- Feature improvements sought by customers comparing against more established CASB and firewall vendors
Alternatives to Cloudflare One
Customers attracted to Cloudflare One likely need simple, easy solutions to install and implement and likely have limited SD-WAN infrastructure investments. Key competitors to Cloudflare One to consider are:
- Barracuda SecureEdge: Organizations unintimidated by hardware installation requirements can opt for the strong Barracuda brand and its integration of top-tier email security into their SASE offering
- Cato SASE Cloud: Organizations that might need more help with installation may prefer the full-service options available through the cloud-native but less prominent solution from Cato Networks
How We Evaluated Cloudflare One
Cloudflare One is rated and ranked against seven other SASE competitors in our top SASE providers article. That article explains the overall ranking, and here we provide details specific to Cloudflare One:
- Overall Rating: 4.23 / 5 (#1)
- Licensing Information: 3.55 out of 5 possible criteria
- Monitoring and Managing: 7 out of 7 possible criteria (#1)
- Asset Control: 4 out of 4 possible criteria (tie for #1)
- Implementation and Administration: 3.9 out of 5 possible criteria
- Customer Support: 2.56 out of 4 possible criteria
Cloudflare is the only top SASE vendor that publishes pricing. This transparency and the relative simplicity of their lowest tier offerings help Cloudflare One earn strong ratings for the Licensing Information and Implementation and Administration categories. Cloudflare also stands out with ZTNA by default, IoT Isolation, and automated traffic controls and anti-DDoS capabilities.
Bottom Line: Best for Entry-Level SASE
Organizations with established SD-WANs and CASB solutions may not find the number of options they want. However, organizations looking to secure remote users for the first time will certainly be satisfied with the capabilities in the lower tiers.
Small businesses with under 50 people, organizations with a small number of remote employees (manufacturing, hospitals, etc.), and companies that just want to try SASE should consider Cloudflare’s free tier. As companies grow, the strong capabilities of Cloudflare’s higher tiers will facilitate future growth and expansion without compromising security or SASE capabilities.