Cloudflare today launched two new services — and announced the surprise acquisition of a browser isolation technology startup, S2 Systems.

The services, dubbed Cloudflare Access and Cloudflare Gateway, are respectively an identity and access management (IAM) service, and a forward proxy service to secure and filter outbound Internet traffic for business users.

The company hopes to make a major dent in the classic enterprise firewall/VPN market with the services, which put a buffer between corporate networks and the internet via DNS-based filtering, audit logging and browser isolation.

The move comes after Cloudflare — which operates a network of 194 data centres in 90 countries that caches static content closer to users, and funnels dynamic content over the private backbone links — listed on the NYSE in September.

(The company said at the time that its network architecture allows it to layer on new services on as it grows in a “network flywheel” effect.)

See also: Cloudflare’s IPO: 5 Things to Know About the Company

Cloudflare CTO John Graham-Cumming told Computer Business Review: “We came across S2, and what I think was interesting was that they have a very different way of approaching the browser isolation problem that we felt was radically different.

“There are two approaches to browser isolation. One of them is a bit like a remote desktop: you actually have the browser running somewhere in the cloud; you send essentially a video stream to the user on their device. Everyone knows what that’s like, it can be laggy. The other approach is DOM reconstruction, which is where you build the webpage on the remote machine, and once you have decided you have the HTML and the CSS and everything all nicely sorted out, you send that to the end-user.

“That is an enormously complicated thing to do, and to do safely, whereas the ‘video’ version is actually much safer as the browser is never actually on the user’s device. What S2 have done which is radically different, is say ‘we’d like to keep all of the website running in the browser remotely, we don’t want it in the end-user device; but we don’t like the video approach’…

“They’re Using WebAssembly So it Looks Like Your Real Browser”

“There is a layer within the browser where the browser is deciding what needs to go on the screen and is sending a bunch of commands saying ‘draw this’, ‘out this image here, this text here’ and what S2 have done is say we’ll send those commands over the wire, then reproduce the page like that in the browser. They’re also using WebAssembly to do that, which means they can do it natively so it looks like your real browser.

“That gives you the security of the video style, and it gives you the speed of the DOM reconstruction style. When they first demonstrated it, I wasn’t sure that it was actually working as it was so fast; it felt like it was my native browser.”

Amit Mital, former CTO of Symantec and current CEO of Kernel Labs added in a release shared Tuesday: “The S2 technology… changes the fundamental calculus for remote browser isolation. When combined with the global Cloudflare network and edge compute capabilities of Cloudflare Workers, it represents a revolution of the browser and how we securely interact with the web.”

The S2 Systems team has joined Cloudflare and is located at Cloudflare’s new office in the Seattle metropolitan area. Terms were not immediately disclosed.

Cloudflare for Teams 

Two new products today (bundled together as “Cloudflare for Teams” and targeting the enteprise market) aim to bolster the company’s portfolio, in the wake of its release of lightweight VPN for mobile, WARP, and a less well-received network vulnerability scanner dubbed Flan Scan, which landed in November to a bruising reception.

The IAM space is a crowded one. Asked how Cloudflare can compete, Graham-Cumming told Computer Business Review: “We’re not trying to be the source of truth for who the users are. What we are doing is say if you have an application you want to put authentication in front of, we can do that… the end-user is seeing a Cloudflare login; they are using single sign-on that might have come from Okta or Active Directory and it really just makes it a single control plane for the different applications.”

The toolkit is intended to help system admins secure, authenticate, and monitor access per-user and by application instead of a “classic” VPN; it works with a range of existing identity providers including Okta, GitHub, Facebook, Google and more.

Cloudflare Gateway sits as a forward proxy. The aim is to replace firewall appliances in office. It includes DNS-based filtering, audit logging, and in its premium tier bundles in always-on browser isolation from S2 Systems.

“As more companies support employees who work on corporate applications from outside of the office, it is vital that they understand each request users are making. They need real-time insights and intelligence to react to incidents and audit secure connections,” said John Coyle, VP of Business Development, Sumo Logic.

He added: “With our partnership with Cloudflare, customers can now log every request made to internal applications and automatically push them directly to Sumo Logic for retention and analysis.”

Read this: This Hacker Got Turned Down by Cisco – Has Now Reported 120+ Bugs in a Single Data Centre Product

 

­­­