Unified Data Security Across the Enterprise
Cloudflare One has evolved to address a fundamental shift in enterprise security: data security is enterprise security. Rather than enforcing isolated controls at different network layers, the platform now follows data across its entire lifecycle—from network transit to SaaS applications, endpoints, and AI interfaces. The core mission centers on answering three critical questions: Where is sensitive data? Who can access it? What paths allow it to move where it shouldn't?
Browser-Based RDP Clipboard Controls
Cloudflare is adding granular clipboard controls for browser-based RDP sessions, allowing administrators to configure whether users can copy or paste information between local devices and remote sessions. This feature addresses a key data exfiltration vector: users accessing sensitive systems (like customer support portals) can now be restricted from copying data outbound while retaining inbound copy/paste for productivity. The controls are implemented as policies within Cloudflare One's Access Application settings, enabling context-aware restrictions that reduce unauthorized data movement without completely blocking workflow capabilities.
Enhanced Visibility: Operation Mapping in Logs
Cloudflare is extending its operation mapping system to logging, providing automatic visibility into specific user actions within SaaS applications. The system translates granular HTTP requests into human-readable operations (e.g., "SendPrompt" for ChatGPT) and application control groups (e.g., "Share," "Upload"), which now automatically appear in log events. This eliminates the need for manual configuration and accelerates forensic analysis and policy tuning by showing exactly what users are doing in SaaS tools.
Endpoint DLP Enforcement
A major addition is on-device DLP enforcement, now available in the Cloudflare One Client. This closes a critical gap: sensitive data copied from protected SaaS applications previously had no policy enforcement once it reached the OS clipboard. Starting with clipboard movement, Endpoint DLP prevents sensitive snippets (like proprietary code or customer records) from being pasted into unauthorized LLMs or personal tools. This requires no additional agents or complex integrations, completing the data protection chain from network through application to endpoint.
Comprehensive Coverage Model
These updates reflect a layered approach to data protection: protection in transit (internet and SaaS access via Gateway), visibility and control at rest (SaaS data via CASB), enforcement in use (endpoint DLP), and coverage at the prompt (AI security scanning). The vision treats these as one connected system where policy follows data movement, not product boundaries, addressing the reality that sensitive information moves faster than traditional security silos can protect.