How to Create a Hardened Cloudflare Account
Zatik Security moved all of our domains and DNS infrastructure onto the Cloudflare platform in early 2024. We made this decision after completing a review of 5 commonly used domain registrars security features. We selected the Cloudflare platform based on the security features available on their intro tier without requiring an upgrade to the enterprise tier. These features are strong two factor authentication, support for multiple users with role-based access controls, in-account audit trails, and the ability to log out other users. Support for these features is included in the intro tier, but still needs to be configured. Follow along below as we create and harden a Cloudflare account in April 2024. If you just want the step by step without the narrative you can skip right there.
The setup for Zatik Security on Cloudflare is a root account which will be the parent of all other accounts. This root account will only be used during the creation and setup of the account. You should never use the root account as your day-to-day account. Any staff who need access to Cloudflare will log in with child accounts which are invited to the root account. Their invitations are scoped to only have the minimum permissions required to complete their tasks. For example, a member of the finance team could have an account which is only able to manage payment in Cloudflare but not alter any technical settings. Or a contractor hired to work on a marketing website can be granted access to manage the DNS records of that website only.
