Since its early days, One Mount Group has prioritized investing in cloud infrastructure and SaaS tools. However, it maintained its on-premise VPN, which enabled remote access to corporate resources. As the company grew and remote work became the norm, this appliance created frustrations that became too pressing to ignore.
The VPN was time-consuming for One Mount’s IT staff to configure and troubleshoot, and it could be unreliable or slow, particularly for traffic to SaaS apps. Applying controls to specific apps or user groups could be so tedious that admins sometimes granted “access to everything,” opening the organization up to the threats of lateral movement.
Longer term, One Mount Group recognized it had to reduce this excessive trust and adopt default-deny best practices that would better enable the organization to embrace remote work and bring-your-own-device (BYOD) initiatives.
One Mount Group had used Cloudflare’s performance services since its founding to protect its external web properties, and it saw an opportunity to extend security to its internal operations by implementing Cloudflare’s Zero Trust platform. Specifically, this platform -- called Cloudflare for Teams -- includes a Zero Trust Network Access solution to protect apps across cloud, on-prem, and SaaS environments, and a Secure Web Gateway solution to protect users from threats on the Internet.
Additionally, to facilitate code customizations that would further enhance performance and security, One Mount added Cloudflare Workers, which provides developers with a serverless execution environment that enables them to create entirely new applications or augment existing apps with custom code at the edge, without configuring or maintaining infrastructure.
One Mount started its Zero Trust journey by protecting internal web-based applications and over time, progressively secured a greater volume and variety of apps. Recently, this included leveraging Cloudflare’s forward-proxy capabilities to streamline authentication for traditional resources like file sharing that were previously accessible only “on-the-network” in a One Mount office.
Today, One Mount protects hundreds of applications for hundreds of employees, freelancers, and contractors and anticipates reducing its VPN usage entirely in the near future. Going forward, the organization is aiming to automate nearly all the workflows it takes to protect applications with an infrastructure-as-code approach that Cloudflare supports.
“Adopting Zero Trust was a very simple choice. Our vision is to be an ‘all-internet company’ and have everything in the cloud,” says Phạm Anh Liêm, Director of Cybersecurity. “We do not want to be limited by a corporate network perimeter. That’s why Cloudflare’s Zero Trust platform has been such a strong fit for us.”
One Mount has particularly valued Cloudflare’s flexibility to onboard multiple identity providers (IdPs) simultaneously. Cloudflare makes building group- and identity-based policies straightforward, particularly compared to the tedious, error-prone process of configuring a VPN.
“Cloudflare has saved us lots of time,” says Liêm. “Whenever we build a new application, it’s so simple and easy to add protections based on our IdP of choice.”
That same flexibility for IdP integration extends to integrations with endpoint protection (EPP) software. Specifically, One Mount uses Cloudflare’s integration with its preferred EPP provider to set up device-aware, least privilege access policies. Extending visibility and security with this integration is empowering One Mount to fully embrace BYOD, and One Mount plans to roll out Cloudflare’s device client to all employee endpoints by the end of 2021.
“With so many remote workers, you cannot trust every device, so we need to ensure that every request coming to our systems is validated with the right factors before granting them access,” says Liêm.
One Mount is extending this Zero Trust approach to Internet browsing by applying filters and extending visibility to their users’ outbound connections. Prior to Cloudflare, users were only protected from malware and risky Internet destinations while working in local offices.
“We want our employees to be secure on the Internet at any time and anywhere, not just when they’re on the corporate network,” says Liêm.
As the company grows, One Mount is excited to scale its cloud-based Zero Trust approach with Cloudflare.
“We are one of the first companies in Vietnam which offers fully public cloud-hosted financial services,” says Liêm,“ and Cloudflare is a crucial partner in achieving our Zero Trust aspirations.”
One Mount uses the Cloudflare Workers serverless platform for a variety of use cases, including offloading backend processing, handling uncommon but high-volume tasks, and building perimeter security solutions for dynamic access control, dynamic IP allow-listing, and fraud detection. Nearly all of these use cases are critical to the company’s internal operations.
“Workers provides us with the essential elements we need to tackle our toughest use cases,” notes Phạm Anh Liêm. “It’s a great choice for our serverless solutions needs.”
One Mount has integrated Workers with the Cloudflare WAF and DDoS mitigation to prevent fraud during special promotions. For example, One Mount holds virtual promotions where millions of users compete in a short period of time to obtain promotion vouchers or purchase limited-edition products. By using Workers to integrate custom code with the WAF and DDoS protection, One Mount ensures that attackers can’t use automated scripts to snap up the vouchers or products, leaving legitimate customers empty-handed.
Cloudflare Workers enables One Mount to easily utilize the processing power at the point nearest to end users to run the logic, then use the Cloudflare WAF to block abusive activity — all without concern about scaling the underlying infrastructure. Without Workers, it would be extremely difficult for One Mount to design, implement, and automatically scale these protections on their backend without impacting the user experience.
“Workers lets our developers write code and see results immediately,” notes Phạm Anh Liêm. “It’s dramatically reduced our development and operating costs and has made a big difference in the way we build our products.”
One Mount employees now have secure access to hundreds of internal applications.
Employees are protected from threats on the Internet, no matter where they are.
Cloudflare Workers dramatically reduces development and operating costs while enabling One Mount to solve complex problems.
“Adopting Zero Trust was a very simple choice. We want to be an ‘all-internet company’ and have everything in the cloud. We do not want to be limited by a corporate network perimeter. That’s why Cloudflare’s Zero Trust platform has been such a strong fit for us.”
Phạm Anh Liêm
Director of Cybersecurity
“We are one of the first companies in Vietnam which offers digital financial services fully hosted on public cloud, and Cloudflare is a crucial partner in achieving our Zero Trust aspirations.”
Phạm Anh Liêm
Director of Cybersecurity