Context & History
Cloudflare One began as a network‑level traffic shield, protecting inbound and outbound flows for enterprises. Over the years the platform expanded to include web gateways, zero‑trust access, and cloud‑based CASB services. As remote work and AI‑driven tools grew, the focus shifted to securing data wherever it travels: on the network, in SaaS apps, on user devices, and even when it is typed into large language models. This evolution created a single security model that follows data across all stages, rather than applying isolated controls.
Implementation & Best Practices
Deploying the full endpoint‑to‑prompt protection in Cloudflare One follows a four‑step roadmap: (1) enable clipboard controls for browser‑based RDP, (2) activate operation‑mapping to enrich logs, (3) turn on Endpoint DLP in the Cloudflare One client, and (4) configure API‑CASB scanning for AI assistants such as Microsoft 365 Copilot. Each step builds on the previous one, allowing administrators to start with visibility, then add precise enforcement, and finally extend protection to AI prompts. Follow the sequence to avoid gaps and ensure policy consistency.
Clipboard Controls for Browser‑Based RDP
Browser‑based Remote Desktop Protocol lets users connect without installing a client. The new clipboard setting lets administrators decide if copy or paste is allowed between the local device and the remote session, and in which direction. Typical use cases include allowing copy into a support portal while blocking copy out of the session to keep sensitive records off unmanaged machines.
To configure, open the Access Application Policies for the RDP app, locate the Clipboard option, and select the desired directionality. Test the policy with a low‑risk user group before rolling out organization‑wide.
Operation Mapping and Enriched Logging
Operation mapping translates raw HTTP requests into high‑level actions such as SendPrompt or Upload. Cloudflare One now adds these mapped actions to log events automatically, giving security teams instant insight into how SaaS tools are used. This visibility speeds up investigations and helps fine‑tune policies without guesswork.
Review the enriched logs in the dashboard, look for unexpected SendPrompt events from AI services, and adjust controls accordingly.
Endpoint DLP Enforcement
Endpoint DLP extends data loss prevention to the user's clipboard and other local interactions. When a protected SaaS app copies data to the OS clipboard, the Cloudflare One client inspects the content against DLP profiles and blocks any disallowed transfer. This works without deploying an additional agent, keeping the stack simple.
Start by enabling Endpoint DLP in the client settings, then define high‑signal DLP rules (e.g., credit‑card patterns, PII). Monitor the enforcement logs and refine the rules to balance security and productivity.
AI Prompt Scanning via API‑CASB
Cloudflare One's API‑CASB can now scan interactions with Microsoft 365 Copilot. The service pulls chat and upload events through the Microsoft Graph API, matches them against DLP signatures, and returns findings with file references and user context. This prevents accidental leakage of confidential data into generative AI models.
Configure the Copilot integration by adding the Microsoft 365 app to the CASB list, enable DLP scanning, and set alert thresholds. Review alerts in the security console and educate users on safe prompt practices.
Key Takeaways
- Visibility first: Use operation mapping to see exactly what users are doing in SaaS apps.
- Granular enforcement: Clipboard controls and Endpoint DLP let you block data movement at the point of use.
- AI safety: API‑CASB scanning catches risky data before it reaches large language models.
- Iterative rollout: Apply the roadmap steps in order, testing each policy layer before expanding.
For deeper insight into policy modeling, see the GitHub subissues guide. A comparable workflow for command‑line tools is described in the triangular workflows article. Additional technical background on data loss prevention can be found on Wikipedia.