Recent events are bringing cybersecurity to the forefront of many conversations.
Governments around the world are encouraging businesses to go “shields up” following Ukraine’s invasion. The current threat is significantly higher than before and any organization with Internet-facing infrastructure should put security as a top priority for the year.
To help keep services online, Cloudflare is also participating in the Critical Infrastructure Defense Project ensuring teams can get the best help to secure networks and applications more vulnerable to cyber threats, such as those in the medical, water and energy sectors.
As another example, not too long ago, Log4J, a high-severity vulnerability affecting many Java-based applications, also highlighted how important good security is on the Internet as attackers immediately started scanning for vulnerable applications within hours of the attack vector becoming public.
Unfortunately, these events are almost certainly not going to be our last reminders.
Security, however, is also hard, and you never know when “you’ve done enough”. The importance of good security practices should never be underestimated. Reliable and secure applications ensure the Internet operates properly: from keeping sites online in order to ensure access to essential information, to protecting user data from being stolen and misused.
But not everyone is a security expert.
To that point, Cloudflare has always been about applying technically sophisticated solutions to tricky problems, and making those solutions generally accessible. During this week, you will also hear about a mix of product enhancements, new offerings, and audacious ideas and partnerships, including some great new features we will be providing to all Cloudflare users, for free.
Before we jump in, the best way to understand where we are headed is to take a step back and revisit our story. And that’s what I hope to do in this post. As you read the story, I will call out which days of the week will have relevant announcements, so you know when you should tune in.
Welcome to Security Week.
Back to the beginning: securing websites
When I first joined Cloudflare seven years ago, our security offerings were mostly targeted at website owners: DNS, DDoS mitigation, Web Application Firewall (WAF) and SSL/TLS. As an HTTP reverse proxy, Cloudflare could secure traffic and keep malicious payloads at bay. At the same time, we immediately started working on making the underlying protocols faster and safer. With one deployment, we could upgrade the TLS version for a large portion of Internet properties, block volumetric DDoS attacks on non-HTTP ports and write rules to protect millions of WordPress admin pages.
Security Week: Protecting websites is still a core part of our business. During the first half of the week (Monday-Wednesday) you will learn about a number of major enhancements to technologies we all use every day when browsing the web, from TLS, to our Web Application Firewall (WAF) and Custom rules. We have some great announcements for everyone, including our free plan users.
Applications > Websites
It became clear pretty quickly that a good portion of Internet traffic was automated. Bots take up 30% or more of total traffic at any given time, with peaks above 40%. This led us to develop more advanced tools on the Cloudflare platform like Bot Management.
Many of those bots are connecting to and consuming data from applications not designed to be accessed by humans, opening up a whole set of new security challenges compared to a standard website. APIs are now commonplace and account for about 54% of all web HTTP requests through the Cloudflare network.
Security Week: Building upon existing products that help our customers manage automated traffic and protect API endpoints, we have some great new advancements to share in this space on Wednesday as we cover a fast-growing set of API security and management use cases Cloudflare can help with.
Covering all protocols
The focus was always to keep expanding the network while improving reliability for our core services. The next clear step was to open up the proxy for other protocols. After all, HTTP is just one of many protocols used on the Internet.
We currently have many customers securing arbitrary TCP/UDP-based applications and endpoints using our Spectrum product. We took it a step further by allowing customers to interconnect with Cloudflare and secure raw IP traffic from the Cloudflare edge.
Game servers, custom IoT protocols, streaming services, and financial applications can now all receive DDoS mitigation and Magic Firewall filtering capabilities that scale infinitely and work seamlessly.
Security Week: Our teams have been working hard on improving these products, so if you are proxying non-HTTP traffic through Cloudflare, Thursday will have some exciting updates for you.
Most of these customers are proxying traffic at layers 3-4 of the OSI model. But we are now also working on going back up the stack. The most effective security solutions need to understand the data at the application layer, and one big gap for Cloudflare has historically been email traffic - the number one vector for compromises.
Security Week: You may have heard about our recent intent to acquire Area 1 - stay tuned on Monday as we have some exciting news to share in this area.
Flipping the proxy, protecting users
The realization that we could flip the Cloudflare proxy on itself and open it up to a forward proxy use case seems obvious in hindsight, but it was far from it. By focusing on a forward proxy security strategy, all of a sudden, we could protect users, not just applications and servers.
Any user connecting to the Internet can now configure Cloudflare as their DNS resolver and forward proxy, allowing them to experience the Internet with an additional safety shield. Enter Cloudflare Zero Trust.
It was at this moment that proxy was no longer a term that clearly identified what we were building. Network was a much better term. In fact, as many things in computing repeat themselves, the network became the computer, again.
The network effects (no pun intended) are not immediately obvious. Think about a user setting up Cloudflare as a DNS resolver accessing an application itself behind Cloudflare: the entire transaction can happen at the closest data center to the end user, starting from DNS to HTTP. That’s also why we are not going to stop expanding our network anytime soon. The benefits are immeasurable and security is baked in at every single step, without compromising performance.
If that user is a team member from the same organization that runs the application, Zero Trust concepts become accessible and easy to deploy for anyone. Old systems like VPNs become obsolete as you no longer need clunky, complex infrastructure to secure your network, bringing us one step closer to democratizing security.
Security Week: If you are using Cloudflare Zero Trust and are trying to secure internal networks, tune in on Friday - we have some great product improvements to share.
Cloudflare is a smart secure network
This brings us to today. Security used to be about creating secure environments — castle and moat. But mobile and the cloud have cracked the paradigm. Nowhere is presumed secure anymore, and even if there was somewhere secure, your users and applications probably wouldn't stay there for long anyway. They're working from… home? Across the country? Across the world? Your applications are also constantly moving.
In this paradigm, the logical way to think about security is by not creating a physical enclave. Instead, you need to create a virtual one by focusing on the one fundamental component of the Internet: the network.
In other words, you need to make sure every device, every office, every server that you have is connected to a secure network. At Cloudflare, we are building just that - a network that connects your users to your applications and vice versa, wherever they are, and provides security and privacy as a core fundamental.
To make it better, we also need to lead
Having great technology is not enough. Easy-to-use and innovative ideas come from people. That’s also why we are our first users, by dogfooding all our products. At Cloudflare, one of our most demanding customers is our internal security team. We also can’t do it alone. It is incredibly important for all of us to work together, and we’ve been putting a lot of effort in partnering with other cybersecurity companies to share insights, data and integrate our products for a better experience for our users.
We will end this week sharing best practices, insights gained from securing the Cloudflare network and a number of projects that our security team has been working on. We are also going to make some new partnership announcements with other highly regarded companies in this space.
Security Week: We will end this week on Saturday sharing best practices, insights gained from securing the Cloudflare network and a number of projects that our security team have been working on. We are also going to make some new partnership announcements with other highly regarded companies in this space.
A week is still not enough
We had over 75 announcements put forward for Security Week, and although we have not committed to a fortnight just yet, we definitely could not pack them all in six days. We are optimistic that we are making big steps forward, not only over the next week, but throughout 2022.