Warp Client overview

Secure Remote Access Overview (Cloudflare Zero Trust)

Article Type: Service Overview
Service Offering: Network Access and Remote Connectivity
Technology: Cloudflare Zero Trust (ZTNA)
Audience: Faculty, Staff, Tier‑1 Support, IT Administrators

Overview

SUNY Canton uses Cloudflare Zero Trust to provide secure remote access to internal systems and applications. This modern approach replaces traditional VPN access with identity‑based, device‑aware, application‑level access controls.

Secure Remote Access ensures that only authorized users on compliant, managed devices can access SUNY Canton resources—regardless of location.

What Is Cloudflare Zero Trust?

Cloudflare Zero Trust is based on a “never trust, always verify” security model. Access decisions are made continuously based on:

• User identity
• Device posture and compliance
• Network context
• Application access policy

Unlike traditional VPNs, Zero Trust does not grant broad network access.

✅ Users connect only to applications they are explicitly allowed to use
✅ Internal networks are never fully exposed

How Secure Remote Access Works

1. Device Enrollment

Devices must be:

• SUNY Canton–managed
• Enrolled in Intune (Windows) or JAMF Pro (macOS)

2. Cloudflare WARP Client

The Cloudflare WARP client:

• Establishes a secure, encrypted tunnel
• Enforces device posture checks
• Applies DNS and network controls
• Enables Zero Trust application access

WARP is required for:

• Accessing internal web apps
• Accessing private networks
• Enforcing split‑tunnel and routing policies

3. Identity‑Based Access

Access is granted based on:

• SUNY Canton account authentication
• Group membership
• Role‑based access policies

4. Application‑Level Authorization

Each application or resource has:

• Explicit allow/deny rules
• Least‑privilege access
• Continuous evaluation

Why SUNY Canton Uses Zero Trust

Supported Use Cases

Secure Remote Access is required for:

• Internal administrative systems
• Restricted web applications
• Private network access
• Off‑campus access to SUNY Canton resources
• Secure access on unmanaged networks

Supported Platforms

Personal or unmanaged devices are not supported.

User Responsibilities

Users must:

• Keep WARP installed and running
• Use only managed SUNY Canton devices
• Maintain device compliance
• Avoid uninstalling or disabling WARP
• Report access issues to IT Support

Common User Questions

“Is this a VPN?”

No. Cloudflare Zero Trust replaces traditional VPNs with application‑specific, identity‑based access.

“Do I need to connect manually?”

In most cases, WARP connects automatically and enforces policies silently in the background.

“Why can’t I access something?”

Possible reasons include:

• WARP not connected or not managed
• Device is non‑compliant
• Account not authorized for that resource
• Network restrictions

Refer to the Client Connection Troubleshooting article.

Security Benefits

Cloudflare Zero Trust provides:

• Reduced attack surface
• Protection against credential misuse
• Enforced device security standards
• Centralized logging and auditing
• Strong foundation for audit and compliance

When to Use This Service

Use Secure Remote Access when:

✅ Working remotely
✅ Accessing sensitive or restricted systems
✅ Connecting from untrusted networks
✅ Enforcing SUNY Canton security standards

Getting Help

If you experience issues with Secure Remote Access:

1. Review the following KBs:
   • Install Cloudflare WARP (Windows)
   • Install Cloudflare WARP (macOS)
   • Client Connection Troubleshooting
2. Contact IT via TeamDynamix
   • Service: Network Access and Remote Connectivity

Policy Alignment

Secure Remote Access supports compliance with:

• SUNY Information Security Policy (Policy 6900)
• SUNY Canton Data Classification and Access Policy (04‑013)

These policies require secure, authenticated, and monitored access to institutional systems.

Revision History