The Shift from Network Controls to Data-Centric Security

For years, enterprise security was about locking down the network perimeter. But as work moved to SaaS, unmanaged devices, and AI assistants, the perimeter dissolved. Cloudflare One started as a network security solution, but the core problem it solves hasn't changed: protecting sensitive data wherever it moves.

Most security programs, regardless of their branding, are trying to answer the same three questions:

  • Who should have access to what?
  • What are they doing with that access?
  • How do we stop data from leaving the organization?

Cloudflare One's vision is a single policy model that follows data across endpoints, browsers, SaaS apps, and AI prompts. This post unpacks four major updates that bring that vision closer to reality.

Source: Cloudflare Blog - Unified Data Security


1. Browser-Based RDP Clipboard Controls

Remote access for contractors and partners often means using browser-based RDP. The biggest data leak vector? The clipboard. Users copy customer records, code snippets, or financial data from the remote session to their local machine.

New feature: Administrators can now control clipboard directionality and context in browser-based RDP sessions.

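# Example policy logic (illustrative Python, not product policy syntax)
def clipboard_policy(session_source):
    if session_source == "customer-support-portal":
        # Paste INTO the session stays allowed (productivity);
        # copy OUT of the session is blocked (prevents data exfiltration).
        return {"paste_into_session": True, "copy_out_of_session": False}
    # All other sessions: allow both directions.
    return {"paste_into_session": True, "copy_out_of_session": True}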

This granularity avoids the productivity-security tradeoff. Users can still paste data into the session for their workflow, but sensitive data can't be copied out to an unmanaged endpoint.

2. Operation Mapping in Logs

Visibility into what users actually do inside SaaS apps is critical. Cloudflare One's operation mapping converts raw HTTP requests into meaningful actions like SendPrompt, Upload, or Share.

New update: These operations now appear directly in log events without any extra configuration.

{
  "operation": "SendPrompt",
  "application_control": "AI Interaction",
  "app": "ChatGPT",
  "user": "alice@company.com",
  "timestamp": "2025-04-10T14:32:00Z"
}

This makes forensic analysis faster. Instead of guessing what a user did, you see exactly: "Alice sent a prompt to ChatGPT at 2:32 PM."


3. Endpoint DLP in the Cloudflare One Client

Data doesn't stop being sensitive when it leaves a browser tab. If a user copies a customer record from Salesforce and pastes it into a personal LLM, the data is already exfiltrated.

New feature: On-device DLP enforcement in the Cloudflare One client, starting with clipboard monitoring.

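# Conceptual DLP rule for clipboard monitoring (illustrative Python)
import logging

def check_paste(detected_types, destination_app):
    # detected_types: DLP matches found in the clipboard, e.g. {"SSN"}
    if detected_types & {"SSN", "credit_card"}:
        if destination_app in ["personal_llm", "unmanaged_chat"]:
            logging.warning("Sensitive data blocked from pasting into unauthorized app")
            return "block"
    # Non-sensitive content, or an authorized destination: allow the paste.
    return "allow"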

This closes the gap between browser-based controls and endpoint actions. No second agent required.

4. M365 Copilot Scanning via API CASB

AI assistants are the new data exfiltration channel. Copilot can reference sensitive files in its responses, and users can upload documents directly.

New integration: Cloudflare One's API CASB now scans Microsoft 365 Copilot activity for DLP matches.

Detection Type                              | Example                      | Action
Prompt contains PII                         | "Email me the customer list" | Alert + block
Copilot response includes confidential data | Summary of M&A document      | Alert + redact
File upload with sensitive content          | Spreadsheet with SSNs        | Block upload

This gives security teams rich context (file references, profile matches) without digging through raw audit logs.

Limitations & Considerations

  • False positives: Clipboard DLP may block legitimate workflows if rules are too broad. Start with monitoring mode before enforcing blocks.
  • Copilot coverage: Currently only M365 Copilot. Other AI assistants (Google Gemini, Claude, ChatGPT) are planned but not yet supported.
  • Browser dependency: Browser-based RDP controls require users to use the browser client, not a native RDP client.
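
The conceptual clipboard rule from section 3 combined with the monitoring-mode advice above, as an added Python example (not Cloudflare One's implementation or policy syntax): card candidates must pass a Luhn check and SSN candidates must fall in issued ranges before the rule fires, and enforce=False records matches without blocking. The function names and regexes are assumptions for illustration; the destination labels are reused from the conceptual rule.

```python
import re

# Destination labels reused from the page's conceptual rule (assumed categories).
UNAUTHORIZED_DESTINATIONS = {"personal_llm", "unmanaged_chat"}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject ranges never issued: area 000/666/9xx, group 00, serial 0000."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


def classify(text: str) -> set:
    """Return the sensitive data types found in clipboard text."""
    found = set()
    if any(plausible_ssn(*m.groups()) for m in SSN_RE.finditer(text)):
        found.add("SSN")
    for m in CARD_RE.finditer(text):
        if luhn_valid(re.sub(r"\D", "", m.group())):
            found.add("credit_card")
    return found


def evaluate_paste(text: str, destination_app: str, enforce: bool = False) -> dict:
    """Decide on a paste. enforce=False is monitoring mode: alert, never block."""
    matches = classify(text)
    hit = bool(matches) and destination_app in UNAUTHORIZED_DESTINATIONS
    action = "block" if hit and enforce else "allow"
    return {"action": action, "alert": hit, "matches": sorted(matches)}
```

Running the rule with enforce=False over real traffic first shows which alerts come from order numbers or ticket IDs before any paste is blocked.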


Conclusion: The Future of Data Security Is Unified

The updates in this post share a common direction: policy follows data, not product boundaries. Whether data is in transit, at rest, in use, or at the prompt, Cloudflare One aims to provide consistent visibility and enforcement.


This content was drafted using AI tools based on reliable sources, and has been reviewed by our editorial team before publication. It is not intended to replace professional advice.