Cloudflare CASB for AI Governance: Securing Claude Usage
This article discusses Cloudflare's extension of its Cloud Access Security Broker (CASB) to support Anthropic's Claude Compliance API, providing security and compliance teams with enhanced visibility and control over AI application usage. It highlights the architectural approach of integrating out-of-band with AI provider APIs to monitor data at rest and in transit, enforce policies, and detect sensitive data leakage without requiring endpoint agents or inline traffic inspection. This system design focuses on securing the full lifecycle of AI interactions, from API calls to data handling and storage.
Read original on Cloudflare BlogThe rapid adoption of AI applications introduces new security and compliance challenges, as traditional SaaS security models are insufficient. AI tools are conversational, persistent, and generate data, posing risks like sensitive data leakage in prompts or generated content. Cloudflare's CASB integration with the Claude Compliance API addresses these challenges by offering a unified platform for AI governance.
Architectural Approach to AI Security
Cloudflare's strategy for securing AI usage involves multiple interconnected services, operating on a unified platform to avoid performance bottlenecks and ensure comprehensive coverage. Key components include:
- Cloudflare AI Gateway: Observability into requests, token spend, and model performance. Enables rate limiting, response caching, and fine-grained routing.
- Cloudflare Gateway & Data Loss Prevention (DLP): Inspects AI traffic to block prompts containing sensitive data before reaching the model.
- Cloudflare Access with MCP server portals: Centralizes agent connections, controlling user/agent access to corporate tools and logging all requests for audit.
- Cloudflare CASB: Scans data at rest within AI applications (like Claude) for misconfigurations and sensitive data using API integrations, eliminating the need for endpoint agents or inline inspection.
Out-of-Band vs. Inline Security
The CASB's out-of-band API integration approach for scanning data at rest (e.g., in Claude) provides visibility without impacting user experience or requiring complex network reconfigurations. This contrasts with inline solutions like DLP, which actively inspect and potentially block traffic in real-time. A robust security architecture often combines both, where inline components handle real-time traffic, and out-of-band components manage data at rest and configuration posture.
Integration with Claude Compliance API
The Claude Compliance API provides programmatic access to security-relevant data within Claude organizations. Cloudflare CASB consumes this API to surface actionable security findings. This integration enables monitoring of:
- Projects (shared across organizations)
- Project attachments and chat files that violate DLP policies
- User prompts and provider responses (chat messages) containing sensitive data
- Provider-generated artifacts violating DLP policies
This allows security teams to use existing detection and remediation workflows within the Cloudflare dashboard, effectively extending their governance capabilities to AI interactions. Findings can trigger automated actions, such as blocking uploads to Claude or restricting application access via Cloudflare Gateway policies, demonstrating a composable and programmable security framework.