Government Cloudflare Tunnel Zero Trust Access

Taqeem replaced VPN with Zero Trust Access and zero public IPs.

How Brixio replaced VPN-based access at Taqeem (Saudi Authority of Accredited Valuers) with Cloudflare Zero Trust: 6 dedicated tunnels, OTP authentication, and granular access policies.

Client: Taqeem · Saudi Arabia · Internal applications · Regulator workforce · 4 min read
Tunnels: 6 Cloudflare Tunnels, one per internal application, for segmentation
External IdP: 0; Cloudflare's built-in OTP replaces external identity infrastructure
VPN: 100% eliminated, replaced by Cloudflare Zero Trust Access
Audit: full; every access attempt and policy decision logged for compliance

The challenge

Taqeem, the Saudi Authority of Accredited Valuers, regulates the valuation profession in Saudi Arabia. The organisation needed a secure way to provide access to internal applications without the complexity, performance issues, and security risks of traditional VPN.

Several risks were unmanaged in the existing setup:

  • VPN dependencies. Slow performance, and a single compromised VPN account exposed the whole internal network, not just one application.
  • No granular access control. The existing system could not restrict access by user identity, role or device security posture.
  • Internal applications reachable only on private IPs. A way was needed to give external users secure connectivity without exposing services on the public internet.
  • Difficult user management. Manual onboarding that did not scale for a growing regulator workforce and external auditors.

What Brixio deployed

6 Cloudflare Tunnels for application segmentation

  • Each tunnel mapped to a single internal application, so a tunnel only knows its own origin.
  • Applications reachable without any public IP exposure; the origins accept no inbound connections from the internet.
  • Per-application segmentation instead of the flat network reach of a single VPN connection.

Cloudflare Access with built-in OTP

  • Instead of integrating an external Identity Provider, Taqeem opted for Cloudflare's built-in One-Time Password authentication.
  • Simple, secure login via email OTP without additional identity infrastructure.
  • Granular access policies based on user identity, device posture, and location.

Role-based access and MFA

  • High-risk applications restricted to authorised users only.
  • Multi-factor authentication enforced for all access.

Cloudflare WARP for network access

  • Split tunneling configured so that traffic to internal private IP ranges is routed through WARP while the rest of the user's traffic is left alone.
  • Encrypted remote connectivity to private-IP services without a traditional VPN client.

Firewall and logging

  • Firewall rules validated so that the cloudflared hosts can reach Cloudflare's edge outbound; the tunnel is outbound-only, so no inbound rule to internal systems is opened.
  • Detailed access logs providing real-time monitoring of authentication attempts, policy decisions and application access.
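The components above (one tunnel per app with a catch-all 404, email OTP as the only identity provider, per-app Access policies, and a WARP split tunnel for private ranges) can be expressed as infrastructure-as-code. The block below is an added example written for this page; it is not Brixio's or Taqeem's configuration. It assumes the Cloudflare Terraform provider v4 resource schema, and the hostnames, origin addresses, email domain and private ranges are illustrative placeholders.

```hcl
terraform {
  required_providers {
    cloudflare = { source = "cloudflare/cloudflare", version = "~> 4.0" }
    random     = { source = "hashicorp/random" }
  }
}

variable "account_id" {} # assumed: the Cloudflare account ID
variable "zone_id" {}    # assumed: the zone that holds the app hostnames

# One entry per internal application (hostnames and origins are illustrative).
locals {
  apps = {
    "portal"  = { hostname = "portal.example.gov.sa",  origin = "http://10.0.1.10:8080" }
    "reports" = { hostname = "reports.example.gov.sa", origin = "http://10.0.2.20:8443" }
  }
}

# Email One-Time PIN is the only identity provider: no external IdP to run.
resource "cloudflare_access_identity_provider" "otp" {
  account_id = var.account_id
  name       = "Email OTP"
  type       = "onetimepin"
}

resource "random_id" "tunnel_secret" {
  for_each    = local.apps
  byte_length = 32
}

# One tunnel per application. A tunnel's credentials give access to its
# own origin only, so a compromised connector cannot reach the others.
resource "cloudflare_tunnel" "app" {
  for_each   = local.apps
  account_id = var.account_id
  name       = "tunnel-${each.key}"
  secret     = random_id.tunnel_secret[each.key].b64_std
}

resource "cloudflare_tunnel_config" "app" {
  for_each   = local.apps
  account_id = var.account_id
  tunnel_id  = cloudflare_tunnel.app[each.key].id
  config {
    ingress_rule {
      hostname = each.value.hostname
      service  = each.value.origin
    }
    # Catch-all: any other hostname sent down this tunnel gets a 404,
    # so the tunnel cannot be used to pivot to other internal hosts.
    ingress_rule {
      service = "http_status:404"
    }
  }
}

# Public hostname is a proxied CNAME to the tunnel; no origin IP is published.
resource "cloudflare_record" "app" {
  for_each = local.apps
  zone_id  = var.zone_id
  name     = each.value.hostname
  type     = "CNAME"
  value    = "${cloudflare_tunnel.app[each.key].id}.cfargotunnel.com"
  proxied  = true
}

resource "cloudflare_access_application" "app" {
  for_each         = local.apps
  zone_id          = var.zone_id
  name             = each.key
  domain           = each.value.hostname
  type             = "self_hosted"
  session_duration = "8h"
  allowed_idps     = [cloudflare_access_identity_provider.otp.id]
}

# Allow staff by email domain, and require the request to come from Saudi Arabia.
resource "cloudflare_access_policy" "staff" {
  for_each       = local.apps
  application_id = cloudflare_access_application.app[each.key].id
  zone_id        = var.zone_id
  name           = "staff-${each.key}"
  precedence     = 1
  decision       = "allow"
  include {
    email_domain = ["example.gov.sa"] # assumed staff mail domain
  }
  require {
    geo = ["SA"]
  }
}

# WARP split tunnel in include mode: only the private ranges traverse Cloudflare.
resource "cloudflare_split_tunnel" "private" {
  account_id = var.account_id
  mode       = "include"
  tunnels {
    address     = "10.0.0.0/8" # assumed internal range
    description = "Internal private-IP services"
  }
}
```

External auditors get their own `cloudflare_access_policy` on only the applications they need (for example an `include { email = [...] }` list with a higher precedence number), which is how scoped access is kept separate from the staff rule. Reaching private-IP services over WARP additionally needs a `cloudflare_tunnel_route` advertising the private range from a connector, and a device posture rule referenced from a policy's `require` block if enrolled-device checks are wanted on top of the OTP.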

Architecture

Internal users and external auditors authenticate against Cloudflare's built-in OTP and reach internal apps through one tunnel per application — no public IPs, no VPN.

Architecture diagram (flattened): internal staff (regulator workforce), external auditors (scoped access) and mobile users (WARP enrolled) authenticate to Cloudflare Zero Trust (Tunnel, Access, WARP, OTP), which fronts the internal apps over 6 dedicated tunnels, private-IP services over the WARP split tunnel, and real-time audit logs.

Results

After rollout, Taqeem operates without VPN: every internal application sits behind its own tunnel, every access goes through identity-aware OTP, and every decision is logged.

VPN eliminated: all remote access now routes through Cloudflare Zero Trust, with no VPN client and no public IP exposure.
Per-application segmentation: 6 dedicated Cloudflare Tunnels isolate each internal application instead of granting broad network access.
Identity-based access without an external IdP: Cloudflare's built-in OTP authentication replaces external identity infrastructure for staff and external auditors.
Audit-ready visibility: full audit trail of access attempts, policy decisions and authentication events for compliance review.

Sector perspective

Regulators can adopt Zero Trust without rebuilding identity infrastructure.

Government regulatory bodies handle sensitive data and require strict access controls, but often lack the IT resources for complex identity infrastructure. This deployment shows that Zero Trust does not require an enterprise IdP: Cloudflare's built-in OTP provides a simple, secure authentication path that can be deployed in weeks rather than months. The NCA (Saudi National Cybersecurity Authority) expects identity-aware, auditable access for regulator-grade systems, and this architecture meets that bar without external dependencies.

Replacing VPN with Zero Trust?

Find out where your Zero Trust posture stands today.

Run a free Snapshot to map your current remote-access exposure, identify VPN-dependent applications and get a prioritised migration roadmap from a Cloudflare ASDP partner.