I'm the chief security officer at Cloudflare. I've been here at the company for three and a half years. And I'm gonna take you, over the next 15 minutes or so, on the journey that I've had in building out security at Cloudflare and thinking through how I use Cloudflare to secure Cloudflare, and some of the lessons I've learned along the way of building out a team. And hopefully this will be helpful for others in the audience as you're thinking about how you fit into your security team, how you grow your career and how you think about cloud security.
So Cloudflare, when I joined three and a half years ago, was a pretty small company. And I took over a security team that had just about 10 people, and we've built it up to over 70 now. And our company has grown at the same kind of pace. We were a small private company. We're now a public company in the United States trading on Wall Street. And our customer base has become really global.
We have a team that is global. About 25% of my team is in Europe, and I have employees in Asia as well. And when I started thinking about securing Cloudflare, I thought about what we always talk about in security, which is that we needed to understand our customers, but be part of the development life cycle as well inside the company. So a lot of our product and engineering team spent a lot of time talking to customers about what they need. And I wanted to make sure that I understood that side of it as well.
My first week at Cloudflare, I was actually asked to stand up in front of the company and talk about my vision for security. And I said, my vision is to be the voice of our customer. I want to understand exactly how our customers use our products. I want to make sure that our products can't be abused, that they're always gonna be in the right place for our customers to help them. And I felt the best way to do it was, you know, to think about it strategically, to spend a lot of time with customers, to build a strong team.
And we have a lot of people on the team, but more importantly, I wanted to do a lot of automation. The other thing I would say is when you're in security, we often neglect one thing, and that's relationships.
We get bogged down in the technical details of what's on the product roadmap and, you know, our software development life cycle. One thing I've learned is it's really important to build relationships. I saw a really good speaker recently say that the role of the security professional is changing, where we need to become more business oriented. So I spent a lot of time trying to understand all the other functions inside my company.
We have to understand everybody who uses our product, everyone who builds our product, where they sit, where they're coming from, where they want to go with it. And the other thing I would say is really important in terms of building relationships and understanding people is: make sure that you have diversity on your team too. We have a public blog post that Susan, my deputy, and I wrote a year and a half ago talking about how we were committed to building a diverse security team. There's a lot of data that says that diverse teams do better.
And I really believe that's the case. When it comes to security, we have to bring so many different perspectives to bear to make sure that we anticipate all the risks. And if we don't really represent all the potential customers we might serve around the world ourselves, we will miss the things that are critical. So as a team, the 70 people I mentioned, we're I think 40% women and over 30% underrepresented minorities on our team around the world.
And so we're trying to be a team that is not, you know, just homogenous; we are a group of people who look at the same problem and actually disagree on the solution, because it's through the disagreement and dialogue that we get to better outcomes and everything. The next thing I would share about our team is we're structured a lot like any other security team, except for a couple of things.
When I started in 2018, I had to pick priorities, and I think that's the hardest thing we do in security, because we could make a list of a hundred things to do every day. And on my team, we got together at the beginning and we decided we had two top priorities. And I actually kept those two top priorities as the same priorities for three years. The first priority was we needed to secure our edge. If you step back and think about Cloudflare from a customer perspective, if you decide to implement our products, what are you gonna worry the most about?
That's what I tried to think through. And I think my customers worry the most about their data, their traffic flowing through our network. So when you implement Cloudflare in front of your organization, you're oftentimes giving us your keys.
You're giving us full visibility into your network traffic. And where does that happen? It happens on our edge servers all over the world. And so my top priority has been, and will never stop being, securing that edge. So we actually have a dedicated edge security team in here. You can see it's right in the dead center of this slide, because that's so important to us. It's part of infrastructure security, but it deserves a standalone thing for us.
And as a result, we've gotten really good at focusing on hardware security and software security in those servers. We implemented secure boot. We got it to a hundred percent. We have enabled our TPMs. We're doing a whole bunch of different things around memory encryption. We focus on getting really strong visibility into what's happening on our edge.
We've, you know, implemented all the different security certifications and brought our edge into the middle of that. When I started, we just had PCI, but we now have ISO 27001 and 27018 from a privacy standpoint; we then got our SOC 2, up to SOC 2 Type 2 with a year look-back, including our edge. And then we're in the process right now of getting the C5 in Germany. And so we've continued to go down that path, really focused on the edge.
But the other thing that I think every security team should be prioritizing is identity and access management. In this cloud world, identity and access management, I think, is the biggest risk. And it's also a usability issue that we can help make a lot better for our companies. When we think about security, we should always think about usability. And so in our org chart here, we actually put IT security under product security, which is not a very typical thing to see.
But when you think about identity and access management as a core commitment for your organization and how you're gonna try and get it in place, you really wanna have alignment on how identity flows. And in my company, you know, we have the enterprise IT environment, which is, you know, the general employee base and all the tools we need for productivity, whether it's getting access to our email or Salesforce or internal wikis, what have you. We wanted to make sure that the way identity worked there would also seamlessly transition.
If you try to move into our production environment as an engineer, or you are in customer support and you need to get to internal tools, access and things like that. So we wanted to have the team that was responsible for how code runs in production also be overseeing how people access that code. So that worked out really well for us. And it's a good example of how you need to evolve your org chart to support your top priorities. You know, there's always this kind of narrative about, like, what's the deal? What is the cloud?
I think we're all on variations of our cloud journey. For us, we're like every other company: every company that's more than five years old isn't just a hundred percent in the cloud from birth. They're a company that started out with some on-prem things. Obviously for us, we run a whole network of data centers around the world. So we live in the world of on-prem security, and we use all the cloud products. Like I mentioned, you know, from an employee productivity standpoint, on email, a lot of productivity tools are SaaS apps.
So, you know, we always have to think about, and experience, the same pains that our customers do. And the reality is you can't go back to that world that we used to live in. Those of us who've been in security for more than 10 years, you know, it was a simpler threat model when we could just build a hard perimeter with a VPN around everything that my employees wanted to access.
You know, I always jokingly say that when I was the CSO at Facebook, I was the CSO of an old-school company, because at Facebook, when I was the CSO from the early days until 2015, we had a hard network perimeter. And, you know, our IT team ran everything internally. And we were starting that journey to cloud. And it was a challenge because we had that, you know, VPN with the strong perimeter.
And we did a lot of enforcement, and we had a lot of hardware that was tuned against, you know, the two or three places where all of our company traffic had egress to the internet. What I've done at Cloudflare is implemented a lot of our products.
I have a mantra, which is: we use Cloudflare to secure Cloudflare. And so the fascinating thing is a lot of the products that we have now are things that we implemented first, internally, ourselves. So for example, right now there's a really kind of striking trend that's happening. We see a lot of DDoS ransom. When I joined Cloudflare three and a half years ago, DDoS almost seemed like a solved problem.
I would call it a commodity problem at that time. Meaning if you saw a DDoS attack against your website, you could just turn on Cloudflare really easily with a couple of clicks, or one of our competitors, and the bad traffic would be diffused. Since the pandemic, we've seen a lot of different companies getting attacked with very different types of DDoS, and in particular DDoS for ransom.
So it's almost been like a weekly occurrence on a Friday that I will get a call from a CISO somewhere in the world. And they'll say, Joe, we just got taken offline for 20 minutes. And we got the ransom message, and they're gonna take us offline on Monday for good if we don't pay them now. Why is this DDoS different? It's because it's targeting the infrastructure side of the company. So it's maybe trying to take down your VPN, maybe trying to take... And so what we saw at the beginning, about a year ago, of this new trend was a lot of attacks on basic corporate infrastructure.
The stuff that we were relying on with all of our employees remote. And it was really targeting a lot of large financial institutions in particular, organizations that thought they had DDoS solved, that had big security teams. And so we had to implement our Magic Transit product on weekends for a lot of customers over the last year. And it's evolved now, where we see much more targeted types of attacks, where they're going after different types of traffic. The most recent trend that's been happening over the last three or four weeks in particular has been VoIP providers.
So because VoIP traffic comes in and out in a unique and different way, it is something that can be targeted, and you can really disrupt not just the company in that case, but all of their customers as well. So we've had to onboard some of the large providers pretty aggressively over the last few weekends. And there's one area that I wanna highlight.
I said we really, really prioritized identity and access management. And I said we must have one thing, and one thing only: if you're gonna access any internal asset at Cloudflare, it needs to go through our single sign-on provider, and you have to have a second factor of authentication that is a security key. Now people said, well, it's really hard to get employees to use those security keys as their second factor of authentication.
Well, I'll tell you, it's gotten a lot easier in the last couple of years. It actually works. Here's how we implemented it. You have our single sign-on in the middle with the hard keys. We put Cloudflare Access behind it, and that allowed us to roll it out in a gradual way. And so in the beginning, we never allowed SMS as a second factor as part of our single sign-on, but we did allow soft tokens initially, because employees were used to that. And then we eventually moved a hundred percent to hard keys. And I'll tell you, it has already paid off incredibly well.
We had a really large social engineering attack targeting us earlier this year. In a company of 2000 employees, the attackers called 90 of our employees. We know that 90 different employees reported to my team that they received social engineering calls over the course of this month-and-a-half period. And the callers knew the personal mobile phone number of our employee, knew the employee's manager's name, knew their role at the company.
And they tried to social engineer them into thinking it was our IT help desk calling those employees. And every time they got an employee on the phone, they told the employee, Hey, you know, this is the IT help desk, and we're trying to update our single sign-on. I'm gonna take you to an Okta login page right now so you can add a new authentication factor. And the scary thing is, you know, if you call 90 employees, a couple are gonna fall for it. In this case, three fell for it.
But because we had hard keys implemented, the attackers couldn't get in. Especially for the second and third of those, we had really good monitoring in place, and we were able to watch in real time, and we could see the attackers trying to get in. And they were using something called Evilginx, which allows them to steal the second factor if it's a soft token second factor. So if we didn't have hard keys, we would've been compromised significantly.
You know, we always talk about understanding the business. You know, we have to have that conversation all the time. You know, I had to have the conversation with my CEO and the rest of the company about implementing hard keys, as an example. And it was, you know, a conversation that didn't happen in just one day.
I did things like I had a red team attack us, and I showed the company that hard keys would be a better second factor than the soft token. And we shared that story with the whole company. And then the last thing I wanna leave you with, I know I've been talking quickly, but I wanted to get through a lot in 18 minutes and leave a minute or so for questions, was, you know, nobody's perfect when it comes to security. We did a blog post earlier this year because we had cameras in some of our offices, and those cameras got compromised when Verkada themselves, as the company, got compromised.
And the thing that I've seen that my company does so well, and it was one of the things that attracted me to the company, is the commitment to transparency. We put out a blog post in almost real time detailing our investigation and how we responded to it and what we found. And I think we all wanna strive for more of a commitment to transparency, because if we share our worst stories, then everyone else can learn from them and not repeat them.
And so I think that, you know, security is a combination of technical things, things that involve implementing policies, but it's also about connecting with people and telling stories like we're doing here, so that we learn the lessons and help each other. So with that, I'll wrap up.
I think I might have a couple of minutes to take questions, but I'll defer to our hosts on that.
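As an added illustration of the talk's point about soft tokens versus hard keys under a real-time phishing proxy (this is not part of the talk or Cloudflare's code; the origins, seed and key secret are constructed, and the hardware key's signature is modelled with an HMAC rather than a real public-key signature):

```python
import hashlib
import hmac
import json
import struct

# All values below are constructed for this illustration.
TOTP_SEED = b"constructed-soft-token-seed"
KEY_SECRET = b"constructed-per-credential-key-secret"
SSO_ORIGIN = "https://sso.example.internal"                 # the real single sign-on page
PHISH_ORIGIN = "https://sso-example-internal.attacker.test"  # look-alike page served by the proxy

def totp(seed: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code as shown by a soft token: six digits that carry no notion of where they are typed."""
    mac = hmac.new(seed, struct.pack(">Q", t // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"

def idp_verify_totp(code: str, t: int) -> bool:
    """The identity provider cannot tell whether the code was typed on the real page or relayed."""
    return hmac.compare_digest(code, totp(TOTP_SEED, t))

def relay_soft_token(t: int) -> bool:
    """Real-time proxy phishing: the victim types the code into the look-alike page, the attacker forwards it."""
    code_typed_by_victim = totp(TOTP_SEED, t)
    return idp_verify_totp(code_typed_by_victim, t)  # accepted: the relayed code is valid

def key_assert(browser_origin: str, challenge: bytes) -> dict:
    """Hardware key (WebAuthn-style model): the browser records the origin it is actually on
    in the client data, and the key signs over a hash of that data (modelled here with an HMAC)."""
    client_data = json.dumps({"challenge": challenge.hex(), "origin": browser_origin}).encode()
    sig = hmac.new(KEY_SECRET, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return {"client_data": client_data, "sig": sig}

def idp_verify_assertion(assertion: dict, challenge: bytes) -> bool:
    """The identity provider checks the signature, then the origin and challenge inside the signed data."""
    expected = hmac.new(KEY_SECRET, hashlib.sha256(assertion["client_data"]).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(assertion["sig"], expected):
        return False
    data = json.loads(assertion["client_data"])
    return data["origin"] == SSO_ORIGIN and data["challenge"] == challenge.hex()

def relay_hard_key(challenge: bytes) -> bool:
    """Same proxy, same victim: the key signs for the phishing origin, so the forwarded assertion fails."""
    forwarded = key_assert(PHISH_ORIGIN, challenge)
    return idp_verify_assertion(forwarded, challenge)  # rejected: origin bound into the signed data

if __name__ == "__main__":
    now = 1_700_000_000
    print("relayed soft-token code accepted:", relay_soft_token(now))            # True
    print("relayed hard-key assertion accepted:", relay_hard_key(b"\x01\x02\x03"))  # False
```

The same user action (approving a login) succeeds for the attacker only in the soft-token case, which is the difference the monitoring described above would have shown.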