Cloudflare One (SASE)

What

Cloudflare One is Cloudflare's SASE (Secure Access Service Edge) product suite: the set of zero-trust / network-security / enterprise-access products built on top of the Cloudflare edge — delivering ZTNA, SWG, CASB, DLP, email security, remote browser isolation, and Magic WAN/Transit under one umbrella. Positioned as the "enterprise network" layer of the Cloudflare product catalogue, distinct from the developer platform (Workers / R2 / D1) and the DDoS / CDN layer.

Relevant to this wiki via its post-quantum authentication milestone — Cloudflare's roadmap flags Early 2028 as the point when Cloudflare One's SASE suite receives PQ authentication support, completing the PQ-secure posture for enterprise network traffic. Full PQ security across Cloudflare's product suite is then targeted for 2029. (Source: sources/2026-04-07-cloudflare-targets-2029-for-full-post-quantum-security)

Products in the Cloudflare One umbrella

  • Zero Trust Access — identity-aware app proxy gating internal + platform applications.
  • Cloudflare Tunnel — outbound-only encrypted tunnel from customer infrastructure to Cloudflare edge; removes the need for inbound firewall rules.
  • Gateway (SWG) — secure web gateway for egress traffic filtering.
  • Magic WAN / Magic Transit — enterprise WAN + L3 DDoS protection with anycast ingress.
  • CASB / DLP / email security / browser isolation / device posture — the broader SASE component set.

Why PQ authentication matters for SASE specifically

Cloudflare One gates enterprise access to internal systems. A compromised authentication key in this layer lets an attacker:

  • Forge device-posture assertions → the attacker's device is treated as enterprise-enrolled.
  • Forge user-identity assertions → the attacker impersonates any user across the entire internal app fleet.
  • Forge tunnel endpoint auth → the attacker diverts internal-network traffic through an exit they control.

Under the PQ authentication threat model, any classical-signature component in Cloudflare One's auth path is a live forgery target post-Q-Day. The Early-2028 PQ upgrade specifically addresses this.

Cloudflare's assurance to Cloudflare One customers:

Corporate network traffic on Cloudflare need not worry: Cloudflare One offers end-to-end protection when tunnelling traffic through our post-quantum encrypted infrastructure. (Source: sources/2026-04-07-cloudflare-targets-2029-for-full-post-quantum-security)

The framing: PQ encryption already protects tunnel traffic (2022 PQ-for-all deployment covered this); PQ authentication is the Early-2028 milestone that makes the corporate-network posture fully PQ-secure.

Relationship to other Cloudflare systems

  • Zero Trust Access — a specific Cloudflare One sub-product already indexed in this wiki; same JWT / identity surface gets the PQ signature upgrade in Early 2028.
  • OPKSSH / OpenPubkey — OIDC-SSO-backed ephemeral SSH keys (see sources/2025-03-25-cloudflare-opkssh-open-sourcing) slot into the Cloudflare One identity story for SSH access; independent of the 2028 PQ milestone but adjacent in Cloudflare's zero-trust posture.
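
A defender's inventory sketch for the JWT / identity surface mentioned above, added here as an example and not taken from Cloudflare or the cited post: it reads the `alg` header of compact JWTs and flags those signed with classical public-key algorithms, the components the threat model above calls forgery targets. Component names and tokens are constructed; Cloudflare One's real token formats and PQ algorithm choices are not given on this page.

```python
import base64
import json

# Classical public-key JWS algs (RSA, ECDSA, EdDSA): RFC 7518, 8037, 8812.
CLASSICAL = {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512",
             "ES256", "ES384", "ES512", "ES256K", "EdDSA"}
SYMMETRIC = {"HS256", "HS384", "HS512"}  # HMAC: shared secret, no public key

def jwt_header(token):
    """Decode the JOSE header of a compact JWS without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    seg = parts[0] + "=" * (-len(parts[0]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))

def classify_alg(alg):
    """Bucket one "alg" value for a PQ-migration inventory."""
    if not isinstance(alg, str) or alg.lower() == "none":
        return "unsigned"  # missing, non-string or explicit "none"
    if alg in CLASSICAL:
        return "classical-signature"  # forgeable once the key can be broken
    if alg in SYMMETRIC:
        return "symmetric-mac"
    return "review"  # not in either list: check by hand

def inventory(tokens):
    """Map each token name to its bucket; undecodable input is 'malformed'."""
    result = {}
    for name, token in tokens.items():
        try:
            result[name] = classify_alg(jwt_header(token).get("alg"))
        except (ValueError, AttributeError):  # bad base64/JSON or non-object
            result[name] = "malformed"
    return result

def constructed_token(header):
    """Constructed sample: real header, placeholder payload and signature."""
    enc = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join(enc(p) for p in (json.dumps(header).encode(), b"{}", b"sig"))

# Hypothetical component names; every token below is constructed.
SAMPLES = {name: constructed_token({"alg": alg}) for name, alg in
           [("app-session", "RS256"), ("device-posture", "ES256"),
            ("internal-hmac", "HS256"), ("unknown-alg", "EXAMPLE-NEW-ALG")]}
SAMPLES["garbage"] = "not-a-jwt"

if __name__ == "__main__":
    print(inventory(SAMPLES))
```

The header is read without signature verification, so the result is an inventory aid only and must not be used as an authorization decision.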

Raw-scope caveats

This wiki page is scoped to what the Cloudflare 2026 post names about Cloudflare One:

  • Named as the SASE suite getting PQ authentication in Early 2028.
  • 2029 PQ-fully-secure target applies to the full product suite including Cloudflare One.
  • Cloudflare One's existing PQ-encrypted-infrastructure claim for tunnelled traffic.

Detailed Cloudflare One product architecture, per-sub-product PQ-migration plans, and specific PQ-primitive choices for identity / tunnel / posture components are not in the 2026 post; future Cloudflare One-specific ingests may deepen this page.
