Cloudflare One helps enterprises build modern enterprise networks, operate efficiently and securely, and throw out on-premise hardware. It’s been more than a year since we announced the product suite, and we wanted to check in on how things are going.
We’re celebrating Chief Information Officers this week. Regardless of the size of their organization, they’ve had a challenging year. Overnight, their teams became responsible for years of digital transformation to prepare their networks and users to support work-from-home and to adopt new technologies. They worked with partners across security, engineering, and people teams to keep their critical infrastructure running.
Today, we want to focus on the problems that CIOs have been able to solve with Cloudflare One in the last year. Customers are using Cloudflare One at a scale we couldn’t have imagined a year ago to solve interesting problems that we didn't know existed yet. We’ll walk through some specific use cases later in the post, but first, let’s recap why we built Cloudflare One, what problems it solves, and some of the new things we’re launching this week.
What is Cloudflare One?
Cloudflare One allows companies to purchase, provision, and manage connectivity, security, and analytics tools needed to operate a corporate network from one vendor and one control plane.
Historically, CIOs purchased point solutions from dozens of hardware vendors. They assembled a patchwork of appliances and services to keep their organization connected and secure. The band-aids held together for a while, despite the cost and maintenance burden.
However, the growth of what needed to be connected broke this model. Office locations became more distributed and, more recently, remote work became widespread. Applications that only existed in the corporate data center moved to public cloud providers or SaaS models. As these shifts pushed the limits on what these band-aids could support, the attacks against networks and endpoints became more sophisticated.
We talked to customers who explained that these changes presented a hierarchy of problems: at its base layer, they need their users, offices, data centers and clouds connected to each other and to the Internet. Next, they needed to filter the traffic between these entities. Finally, they needed to log, diagnose, and analyze that traffic. Once those initial needs were met, the solution needed to be fast and reliable, and comply with local laws and regulations.
Cloudflare runs a global, programmable edge network. We use that network to improve the speed and security of some of the largest websites and services on the Internet. We built Cloudflare One to make that network available to corporate customers to solve their new challenges. Today, Cloudflare helps CIOs deliver connectivity, security, and visibility without sacrificing performance, no matter where a customer or their employees work.
How does it work?
Cloudflare One starts with connectivity. Your team can connect offices, data centers, devices and cloud properties to Cloudflare’s network. We’re flexible with how you want to send that traffic to us. Connect your offices and data centers to Cloudflare through SD-WAN partnerships or soon our Cloudflare for Offices infrastructure. New this week, you can start using IPsec Tunnels in addition to our existing GRE Tunnels.
Connect your internal resources and the rest of the Internet with a lightweight agent. Does your team rely on contractors and unmanaged devices? Connect them to internal tools in a fully agentless mode. We’ll also be announcing new improvements to Cloudflare Tunnel and our network interfacing provisioning to keep making it easier to connect your organization to our global network.
Once connected, Cloudflare’s network provides a comprehensive suite of security functions to protect your traffic. Customers can rely on our network for everything from IP-layer DDoS mitigation to blocking threats with remote browser isolation. Later this week, we’ll be sharing details of new network firewall features that help your team continue to rip out even more boxes.
Beyond securing your organization from threats on the Internet, Cloudflare One also provides your team with comprehensive Zero Trust control over who can access your internal resources and SaaS applications.
Now that traffic is connected and secured through Cloudflare, we can help make you faster. Cloudflare is building the fastest network in the world. You can read more about where we are the fastest today and how we’re working to be the fastest in any location. New this week, we’ll be sharing updates to our network performance and new features that intelligently accelerate packets in our network.
Just being faster is not enough. The network that powers your organization should also be reliable, even despite factors out of your control. Cloudflare’s network is peered with over 10,000 networks around the world. With one of the most interconnected networks, we can find lots of paths from point A to point B when disruptions elsewhere on the Internet occur.
Finally, we hear from more and more customers that they need a global network with localized compliance features. Cloudflare One makes compliance with local data protection regulations easy. Customers can choose where Cloudflare’s network applies security functions and how we store and export your logs. As part of CIO week, we’ll be previewing new features that give your team the ability to create metadata boundaries in our network.
All that said, we think the best way to understand how Cloudflare One works is to walk through the problems that our customers no longer have.
Customers defended 5x more traffic
Overall network traffic growth through Cloudflare One has increased by nearly 400% over the last year, with advanced traffic controls and filtering applied at wire-speed to each of those bits.
Cloudflare’s composable traffic filtering stack lets customers pick and choose which security controls to apply to which traffic, allowing for flexibility and specificity in how traffic is managed. Some customers are using simple “4-tuple” rules to allow or deny traffic to their networks based on IP addresses and port numbers, others are writing their own network filters in eBPF (more on this later this week!) to perform custom logic on hundreds of gigabits per second of traffic at a time, and others are using pure Zero Trust architectures with identity-based policy enforcement and endpoint protection integration.
Over a recent (and typical) stretch of 24 hours, customers prevented over 9.3 trillion unwanted packets, requests, and other network “nouns” from reaching their networks with custom rules. These rules can all be managed centrally, impose no performance penalty, and can be enforced on traffic no matter where it is coming from or where it is going, whether that is offices, data centers, or cloud providers.
The same rules and filtering logic are applied to traffic wherever it enters our network. Because our entire edge network is one giant firewall, there is no backhaul required to a central device or network location for a firewall policy to be applied.
We think Cloudflare One’s architectural advantages make for a pretty killer firewall, and the growth in usage we’ve seen bears that out. But what really sets our network and its integrated security functionality apart is our ability to offer Zero Trust controls from the same network, allowing CIOs to think about securing applications and users instead of IP addresses and TCP ports.
Customers protected over 192,000 applications
Legacy private networks and VPN clients provided brittle connectivity without real security. In most deployments, a user in the private network could connect to any resource unless explicitly prohibited. Security teams had no identity-driven controls and lacked visibility into their network while IT teams struggled with help desk tickets.
Cloudflare Access replaces private network security with a Zero Trust model that also makes any internal application feel like the Internet’s fastest SaaS applications. Customers connect their internal resources to Cloudflare’s network without poking holes in their firewall. Once connected, administrators can build global rules and per-resource rules to control who can log in and how they can connect. Users launch applications with a single click while Cloudflare’s network enforces those rules and accelerates their traffic around the world.
In the past year, customers have protected over 192,000 applications with Zero Trust rules in Cloudflare. These applications range from mission-critical tools that power the business to administrative panels that hold the company’s most sensitive data, and the next version of the new marketing website. Since announcing Cloudflare One last year, we’ve also brought non-HTTP use cases to the browser with SSH and VNC clients rendered without any additional client software.
Regardless of what’s being protected, customers can layer rules starting from “only my team can log in” all the way to “only allow access to this group of users, connecting from a corporate device, with a physical hardkey, from these countries.” We also know that sometimes security needs a second opinion. Earlier this year, we introduced new features that prompt users to input why they are connecting to a resource and require a second admin to sign off on the request in real time.
We also believe that security should never require a compromise in performance. The applications that customers secure with our Zero Trust products benefit from the same routing acceleration that some of the Internet’s largest websites use. We also bring security decisions closer to the user to avoid slowing them down — Cloudflare’s network enforces Zero Trust rules in every one of our 250 data centers around the world, made even faster by running on our own serverless compute platform.
Over 10,000 small teams are now safer
We launched Cloudflare One with the goal of making Zero Trust security accessible to organizations of any size. When we first released Cloudflare Access over three years ago, smaller teams had limited or no options to replace their VPN. They were turned away from vendors who only serviced the enterprise and had to stick to a legacy private network.
We’re excited that more than 10,000 organizations are now protecting their resources without the need to sign a contract with Cloudflare. We’ve also made these tools even more accessible to smaller organizations. Last year, we raised the number of free users that customers could add to their plan to 50 seats.
More than 5,500 organizations now secure their outbound Internet traffic
Zero Trust rules do not just apply to your internal applications. When your users connect to the rest of the Internet, attackers work to phish their passwords, get malware on their devices, and steal their data.
Cloudflare One provides customers with multiple layers of security filters and across multiple on-ramps that keep your organization safe from data loss and threats. Since last year’s Cloudflare One announcement, over 5,500 organizations secure the traffic leaving their devices, offices, and data centers.
In the last year, the security they deploy has improved every month. Customers rely on the world’s fastest DNS resolver and the intelligence from Cloudflare’s visibility into the Internet to filter DNS traffic for security threats and content categories. Cloudflare filters their network traffic with identity-based policies, block file transfers, and inspect HTTP traffic for viruses. Organizations control which tenants of SaaS applications employees can use and Cloudflare’s network generates a comprehensive Shadow IT report.
When organizations don’t trust anything on the Internet, they can connect to Cloudflare’s isolated browser. Customers can isolate all destinations or just specific ones, without requiring users to use a special browser client or to suffer through legacy approaches to browser isolation like pixel pushing and DOM manipulation. Cloudflare’s network can also add data control directly in the browser — blocking copy-paste, printing, or even text input by user and destination.
All this delivered over a growing global network engineered for scale
All of this functionality is delivered from our entire global network, on bare metal hardware Cloudflare owns and operates in over 250 cities around the world. There are no public clouds in the mix here, and all our services run on every server in every location in the world. There is no location selection of sizing of hardware, physical or virtualized. Every server is capable of processing every customer’s packet.
This unique architecture allows us to build reliable products quickly and efficiently. Our network is now handling more than 1.69Tbps of peak forward proxy traffic per day, our largest customers do traffic measured in hundreds of gigabits per second delivered over single virtual interfaces.
Customers are able to get value both from the connectivity, security and visibility products we offer, but also through the network of our customers themselves. Most Cloudflare One customers have significant interactions with other customer networks connected to Cloudflare, many of them through direct physical connections available in 158 peering facilities around the world.
How are customers using it?
Tens of thousands of customers solved problems at scale with Cloudflare One in the last year. We also want to highlight a few organizations and their specific journeys migrating to this model since last year’s announcement.
Protecting the United States Federal Government from attacks
Within the United States Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency (CISA) works as “the nation’s risk advisor.” CISA partners with teams across the public and private sector to secure critical infrastructure across the federal government as well as State, Local, Tribal, and Territorial agencies and departments.
One risk that CISA has repeatedly flagged is the threat of malicious hostnames, phishing emails with malicious links, and untrustworthy upstream Domain Name System resolvers. Attackers can compromise devices and users by tricking those endpoints into sending a DNS query to a specific hostname. When users connect to the destination behind that resolved query, attackers can steal passwords, data, and put malware on the devices.
Earlier this year, CISA and the National Security Agency (NSA) recommended that teams deploy protective DNS resolvers to prevent those attacks from becoming incidents. Unlike standard DNS resolvers, protective DNS resolvers check the hostname being queried to determine if the destination is malicious. If the hostname poses a risk, the resolver blocks the connection by not answering the DNS query.
Earlier this year, CISA announced that they are not only recommending a protective DNS resolver — they are delivering one to their partner agencies. CISA selected Cloudflare and Accenture Federal Services to deliver a joint solution to help the government defend itself against cyberattacks.
Keeping the workforce of a hardware manufacturer safe and productive
Back in 2018, the developer operations team inside of one of the world’s largest telecom and network equipment companies lost patience with their legacy VPN. Developers in their organization relied on the VPN to connect to the tools they needed to do their jobs. The requirement slowed them down and created user headaches, eventually leading to IT help desk tickets.
The leadership team in that group decided to fix their VPN frustrations by getting rid of it. They signed up to use Cloudflare Access, initially with the personal credit of one of the administrators, to move their development tools to a seamless platform that made their internal applications just feel like SaaS applications for their users.
Over the next three years, more departments in the organization became jealous and asked to also deprecate the VPN usage in their group. As thousands of users across the organization moved to a Zero Trust model, their security team began to take advantage of the rules that could be created, and the logs generated without the need for any server-side code changes.
Last month, that security team began using Cloudflare One to build Zero Trust rules for the rest of the Internet. Their organization chose Cloudflare Gateway to replace their legacy DNS filtering solution with a faster, more manageable platform that keeps the 100,000+ team members safe from phishing attacks, malware, and ransomware in any location.
Securing the team building BlockFi
BlockFi’s mission is to bring financial empowerment to traditionally underserved markets. BlockFi’s interest accounts, cryptocurrency-backed loans, rewards cards and crypto trading platforms connect hundreds of thousands of users to new financial tools. As of June 30, 2021, BlockFi supports over 450,000 funded clients and manages more than $10 billion in assets.
Keeping their service available and secure presented new challenges as they grew. BlockFi started their Cloudflare One journey after experiencing a major DDoS attack on its sign-up API. The BlockFi team contacted Cloudflare, and we were able to help mitigate the DDoS and API attacks, getting their systems back up and running within a few hours. BlockFi was then able to block approximately 10 million malicious bots in the first day of the addition of Cloudflare’s Bot Management platform.
Once their public web infrastructure was up and running again, BlockFi started to evaluate how to improve the security of their internal users and applications. BlockFi relied on a private network that used IP addresses to block or allow users to connect, spending engineering time just maintaining IP lists. As users left the office, that model fell apart.
BlockFi solved that challenge by replacing their legacy network with Cloudflare One to bring identity-driven Zero Trust control to their internal resources. Team members connect from any location and authenticate with their single-sign on.
Their security team didn’t stop there. To protect their employees from phishing and malware attacks, BlockFi deployed Cloudflare One’s DNS filtering and Secure Web Gateway to stop attacks that targeted their entire workforce or specific employees.
Keeping phones ringing with Cloudflare’s network reach
Our last customer story involves a large VoIP and unified communications infrastructure company that recently came under ransom attack. They quickly (over the course of less than 24 hours) deployed Cloudflare Magic Transit in front of their entire Internet presence, including their corporate and production networks.
Given the nature of Internet telephony, they were very concerned about performance regressions and impact to call quality. Fortunately, deploying Cloudflare actually improved key network quality metrics like latency and jitter, surprising their network administrators.
Cloudflare’s network excels at powering and protecting performance critical workloads where milliseconds matter and reliability is paramount.
Over the course of this week, we’re going to share dozens of new announcements that solve new problems with Cloudflare One. We’re just getting started building the next-generation of the corporate network, so stay tuned to learn more this week.
We’re also grateful for every organization that trusted Cloudflare One to be your corporate network since last year’s launch. For teams who are ready to begin that journey, follow this link to get started today.