真にプログラム可能なSASEプラットフォーム
Cloudflareは、単なるAPI提供にとどまらず、セキュリティイベントのリアルタイムな補強と意思決定を可能にする「本格的なプログラム可能性」を持つSASEプラットフォーム「Cloudflare One」の構築について説明している。
キーポイント
プログラム可能性の再定義
従来のAPIやWebhookによる通知機能を超え、セキュリティイベントをインターセプトし外部コンテキストで強化してリアルタイムに判断を下す能力こそが真のプログラム可能性であると定義する。
グローバルネットワークとSASEの統合
330都市以上のグローバルネットワーク上で、セキュリティプラットフォームと開発者プラットフォームが同じインフラで動作し、コンポーザビリティとプログラム可能性を両立させている。
カスタムロジックによるポリシー拡張
顧客は外部リスクAPIの呼び出しや動的ヘッダーの注入、ブラウザ属性の検証などを通じて、ポリシー判断をカスタムロジックで拡張し、リアルタイムにトラフィックをルーティングできる。
カスタムロジックによる動的なポリシー実行
固定された許可/ブロックアクションに加え、ユーザーIDに基づくヘッダー注入や外部リスクエンジンとの連携など、リアルタイムでカスタムロジックを適用できる。
Cloudflare OneとDeveloper Platformの統合強化
既存のSASEサービスにプログラム可能な拡張機能をネイティブ統合し、エッジでミリ秒単位の意思決定やスケジュールベースのポリシー更新を可能にする。
管理アクションとカスタムアクションの提供
一般的なシナリオ向けのテンプレート(管理アクション)に加え、Cloudflare Workerを直接呼び出して完全なカスタムロジックを定義できる(カスタムアクション)仕組みを提供する。
既存セッション制御の限界
Cloudflare Oneの標準的なセッション管理はアプリケーションごとのポリシーに基づいており、グローバルな時間ベースの有効期限切れ(定期的な再認証)には対応していない。
影響分析・編集コメントを表示
影響分析
この記事は、セキュリティアーキテクチャにおける「自動化」の次の段階として、単なるトリガー発動ではなく、外部データとの連携による動的な意思決定プロセスの重要性を提起している。Cloudflareのような大規模インフラプロバイダーが、開発者フレンドリーなプログラミングモデルをセキュリティ製品に組み込む動きは、ゼロトラスト環境における運用の柔軟性とセキュリティポテンシャルを高める重要な示唆となる。
編集コメント
セキュリティベンダーが謳う「プログラム可能性」の定義を明確に区別した点は評価できる。ただし、これはCloudflare自身の製品宣伝色が強く、他社ソリューションとの比較検証が含まれていない点に注意が必要である。
セキュリティチームにとって、当社のプラットフォームは議論のあり方を変えるものとなるでしょう。機能リクエストを提出し、ロードマップに載るのを待つ代わりに、今日の正確な要件に対応するカスタムソリューションを構築できるようになります。
当社のパートナーおよびマネージド・セキュリティ・サービス・プロバイダー(MSSP)にとって、当社のプラットフォームは、特定の顧客基盤向けのソリューションを構築・提供する能力を切り開きます。それは業界固有のソリューションや、特定の規制環境にある顧客向けの機能を意味します。カスタム統合は、プロフェッショナルサービスの契約事項ではなく、競争優位性そのものとなります。
そして当社の顧客にとっては、導入が容易でありながら、最も複雑で変化するニーズにも根本的に対応可能なプラットフォーム上で構築していることを意味します。お客様のセキュリティプラットフォームは共に成長します ― 足かせにはなりません。
次は何か
私たちは始まったばかりです。2026年を通じて、Cloudflare Oneと当社のDeveloper Platform間の統合をさらに深化させていく様子をご覧いただけます。まず、Cloudflare Gatewayで動的ポリシー適用をサポートするカスタムアクションの作成から始める計画です。これらのアクションは、組織の既存データベースに保存された補助データを活用でき、そのデータをCloudflareに移行する管理上やコンプライアンス上の課題は発生しません。これらの同じカスタムアクションは、リクエスト拡張もサポートし、Cloudflareの属性を内部システムに渡して、ダウンストリームシステムでのより良いロギングとアクセス判断を可能にします。
一方で、構成要素は既にここにあります。外部評価ルール、カスタムデバイスポスチャチェック、Gatewayリダイレクト、そしてWorkersの全機能は今日利用可能です。どこから始めればよいかわからない場合は、当社の開発者向けドキュメントに、Cloudflare Oneを拡張するためのガイドとリファレンスアーキテクチャがあります。
私たちは、セキュリティは驚くほど使いやすいべきだという信念でCloudflareを構築しましたが、「簡単」が「画一的」を意味しないことも知っています。それは、必要なものを正確に構築するためのツールを提供することを意味します。それがSASEの未来だと信じています。
原文を表示
Every organization approaches security through a unique lens, shaped by their tooling, requirements, and history. No two environments look the same, and none stay static for long. We believe the platforms that protect them shouldn't be static either.
Cloudflare built our global network to be programmable by design, so we can help organizations unlock this flexibility and freedom. In this post, we’ll go deeper into what programmability means, and how Cloudflare One, our SASE platform, helps customers architect their security and networking with our building blocks to meet their unique and custom needs.
What programmability actually means
The term programmability has become diluted by the industry. Most security vendors claim programmability because they have public APIs, documented Terraform providers, webhooks, and alerting. That’s great, and Cloudflare offers all of those things too.
These foundational capabilities provide customization, infrastructure-as-code, and security operations automation, but they're table stakes. With traditional programmability, you can configure a webhook to send an alert to Slack when a policy triggers.
But the true value of programmability is something different. It is the ability to intercept a security event, enrich it with external context, and act on it in real time. Say a user attempts to access a regulated application containing sensitive financial data. Before the request completes, you query your learning management system to verify the user has completed the required compliance training. If their certification has expired, or they never completed it, access is denied, and they are redirected to the training portal. The policy did not just trigger an alert — it made the decision.
Building the most programmable SASE platform
The Cloudflare global network spans more than 330 cities across the globe and operates within approximately 50 milliseconds of 95% of the Internet-connected population. This network runs every service on every server in every data center. That means our industry-leading SASE platform and Developer Platform run side by side, on the same metal, making our Cloudflare services both composable and programmable.
When you use Cloudflare to protect your external web properties, you are using the same network, the same tools, and the same primitives as when you secure your users, devices, and private networks with Cloudflare One. Those are also the same primitives you use when you build and deploy full-stack applications on our Developer Platform. They are designed to work together — not because they were integrated after the fact, but because they were never separate to begin with.
By design, this allows customers to extend policy decisions with custom logic in real time. You can call an external risk API, inject dynamic headers, or validate browser attributes. You can route traffic based on your business logic without adding latency or standing up separate infrastructure. Standalone SASE providers without their own compute platform require you to deploy automation in a separate cloud, manually configure webhooks, and accept the round-trip latency and management overhead of stitching together disconnected systems. With Cloudflare, your Worker augments inline SASE services like Access to enforce custom policies, at the edge, in milliseconds.
image
What programmability unlocks
At its core, every security gateway operates on the same fundamental model. Traffic flows from sources, through policies, to destinations. The policies are where things get interesting, but in most platforms, your options are limited to predefined actions: allow, block, isolate, or quarantine.
We think there is a better way. What if you could invoke custom logic instead?
Rather than predefined actions, you could:
Dynamically inject headers based on user identity claims
Call external risk engines for a real-time verdict before allowing access
Enforce access controls based on location and working hours
Today, customers can already do many of these things with Cloudflare. And we are strengthening the integration between our SASE and Developer Platform to make this even easier. Programmability extensions, like the ones listed above, will be natively integrated into Cloudflare One, enabling customers to build real-time, custom logic into their security and networking policies. Inspect a request and make a decision in milliseconds. Or run a Worker on a schedule to analyze user activity and update policies accordingly, such as adding users to a high-risk list based on signals from an external system.
We are building this around the concept of actions: both managed and custom. Managed actions will provide templates for common scenarios like IT service management integrations, redirects, and compliance automation. Custom actions allow you to define your own logic entirely. When a Gateway HTTP policy matches, instead of being limited to allow, block, or isolate, you can invoke a Cloudflare Worker directly. Your code runs at the edge, in real time, with full access to the request context.
How customers are building today
While we are improving this experience, many customers are already using Cloudflare One and Developer Platform this way today. Here is a simple example that illustrates what you can do with this programmability.
Automated device session revocation
The problem: A customer wanted to enforce periodic re-authentication for their Cloudflare One Client users, similar to how traditional VPNs require users to re-authenticate every few hours. Cloudflare's pre-defined session controls are designed around per-application policies, not global time-based expiration.
The solution: A scheduled Cloudflare Worker that queries the Devices API, identifies devices that have been inactive longer than a specified threshold, and revokes their registrations, forcing users to re-authenticate via their identity provider.
export default {
async scheduled(event, env, ctx) {
const API_TOKEN = env.API_TOKEN;
const ACCOUNT_ID = env.ACCOUNT_ID;
const REVOKE_INTERVAL_MINUTES = parseInt(env.REVOKE_INTERVAL_MINUTES); // Reuse for inactivity threshold
const DRY_RUN = env.DRY_RUN === 'true';
const headers = {
'Authorization': Bearer ${API_TOKEN},
'Content-Type': 'application/json'
};
let cursor = '';
let allDevices = [];
// Fetch all registrations with cursor-based pagination
while (true) {
let url = https://api.cloudflare.com/client/v4/accounts/${ACCOUNT_ID}/devices/registrations?per_page=100;
if (cursor) {
url += &cursor=${cursor};
}
const devicesResponse = await fetch(url, { headers });
const devicesData = await devicesResponse.json();
if (!devicesData.success) {
console.error('Failed to fetch registrations:', devicesData.errors);
return;
}
allDevices = allDevices.concat(devicesData.result);
// Extract next cursor (adjust if your response uses a different field, e.g., devicesData.result_info.cursor)
cursor = devicesData.cursor || '';
if (!cursor) break;
}
const now = new Date();
for (const device of allDevices) {
const lastSeen = new Date(device.last_seen_at);
const minutesInactive = (now - lastSeen) / (1000 * 60);
if (minutesInactive > REVOKE_INTERVAL_MINUTES) {
console.log(Registration ${device.id} inactive for ${minutesInactive} minutes.);
if (DRY_RUN) {
console.log(Dry run: Would delete registration ${device.id});
} else {
const deleteResponse = await fetch(
https://api.cloudflare.com/client/v4/accounts/${ACCOUNT_ID}/devices/registrations/${device.id},
{ method: 'DELETE', headers }
);
const deleteData = await deleteResponse.json();
if (deleteData.success) {
console.log(Deleted registration ${device.id});
} else {
console.error(Failed to delete ${device.id}:, deleteData.errors);
}
}
}
}
}
};
Configure the Worker with environment secrets (API_TOKEN, ACCOUNT_ID, REVOKE_INTERVAL_MINUTES) and a cron trigger (0 */4 * * * for every 4 hours), and you have automated session management. Just getting a simple feature like this into a vendor’s roadmap could take months, and even longer to move into a management interface.
But with automated device session revocation, our technical specialist deployed this policy with the customer in an afternoon. It's been running in production for months.
We’ve observed countless implementations like this across Cloudflare One deployments. We’ve seen users implement coaching pages and purpose justification workflows by using our existing redirect policies and Workers. Other users have built custom logic that evaluates browser attributes before making policy or routing decisions. Each solves a unique problem that would otherwise require waiting for a vendor to build a specific, niche integration with a third-party system. Instead, customers are building exactly what they need, on their timeline, with logic they own.
A programmable platform that changes the conversation
We believe the future of enterprise security isn't a monolithic platform that tries to do everything. It's a composable and programmable platform that gives customers the tools and flexibility to extend it in any direction.
For security teams, we expect our platform to change the conversation. Instead of filing a feature request and hoping it makes the roadmap, you can build a tailored solution that addresses your exact requirements today.
For our partners and managed security service providers (MSSPs), our platform opens up their ability to build and deliver solutions for their specific customer base. That means industry-specific solutions, or capabilities for customers in a specific regulatory environment. Custom integrations become a competitive advantage, not a professional services engagement.
And for our customers, it means you're building on a platform that is easy to deploy and fundamentally adaptable to your most complex and changing needs. Your security platform grows with you — it doesn’t constrain you.
What's next
We're just getting started. Throughout 2026, you'll see us continue to deepen the integration between Cloudflare One and our Developer Platform. We plan to start by creating custom actions in Cloudflare Gateway that support dynamic policy enforcement. These actions can use auxiliary data stored in your organization's existing databases without the administrative or compliance challenges of migrating that data into Cloudflare. These same custom actions will also support request augmentation to pass along Cloudflare attributes to your internal systems, for better logging and access decisions in your downstream systems.
In the meantime, the building blocks are already here. External evaluation rules, custom device posture checks, Gateway redirects, and the full power of Workers are available today. If you're not sure where to start, our developer documentation has guides and reference architectures for extending Cloudflare One.
We built Cloudflare on the belief that security should be ridiculously easy to use, but we also know that "easy" doesn't mean "one-size-fits-all." It means giving you the tools to build exactly what you need. We believe that’s the future of SASE.
関連記事
今日のまとめ
AI日報で今日の重要ニュースをまとめ読み