
Welcome to Cloudflare Security Week 2021!

2021-03-21


Today kicks off Cloudflare's 2021 Security Week. Like all innovation weeks at Cloudflare, we'll be announcing a dizzying number of new products, opening products that have been in beta to general availability, and talking with customers and walking through use cases on how to use our network to fulfill our mission of helping build a better Internet.

In Cloudflare's early days, I resisted the label of being a "security company." It seemed overly limiting. Instead, we were setting out to fix the underlying "bugs" of the Internet. The Internet was never built for what it's become. We started Cloudflare to fix that. Being more secure was table stakes, but we also wanted to make the Internet faster, more reliable, and more efficient.

But a lot of what we do is about security. Approximately half our products are security related. And that makes sense because some of the Internet's deepest flaws are that it specifically did not engineer in security from the beginning.

Security: The Internet’s Afterthought

John Graham-Cumming, Cloudflare's CTO, gives a terrific talk about how the Internet we all have come to rely on wasn’t designed to have the security we all need. In Tim Berners-Lee's original proposal for the web he wrote: "Authorisation and accounting systems for hypertext could conceivably be designed which are very sophisticated, but they are not proposed here." Instead, the web was designed to prioritize information exchange over secrecy.

Foundational protocols the Internet relies upon also omitted security concerns. BGP, the protocol that stitches networks together, in its specifications document (known as an RFC) specifically called this out, stating: "Security issues are not discussed in this memo." Terrifyingly, the word "security" never appears in the RFC for DNS.

All that would be fine if the Internet had remained the academic science project it started out as. But, given its importance, today it's critical that security be “designed in” at every level. And so much of Cloudflare's product roadmap over the last 10 plus years has been designing and implementing the security the Internet needs given what it has become.

Cloudflare’s Historical Roadmap: Reverse Engineering In Security

Encrypting all web traffic for free, encrypting DNS, working to sign every BGP route, encrypting SNI, eliminating DDoS attacks as a risk, automatically patching network software vulnerabilities, adding access management to the network. When we say our mission is to help build a better Internet, a big portion of that is helping build a fundamentally secure Internet.

And this week, we're announcing more ways we're taking things that have been fundamentally broken in terms of Internet security and fixing them.

A Week of Foundational Security Announcements

On Monday, we start with MPLS. It's the foundational network technology that many organizations use to power their networks. Unfortunately, it's expensive, slow to implement, hard to administer, and has no real security by default. Remember that NSA document from the Snowden leak describing Google's network with the smiley face next to "SSL added and removed here"? That smiley face was fundamentally a flaw in the security model of MPLS. On Monday we fix it, while making it faster and less expensive at the same time.

On Tuesday, we shift to the browser. If you think about it, browsers are the stuff of CISOs' nightmares. Random code is automatically downloaded and run locally on every web page you visit. We've talked about how Remote Browser Isolation is a solution to this problem. On Tuesday we'll be opening it to everyone and also adding more features to our Gateway product to help address the same fundamental issue.

On Wednesday, we're taking a fresh look at an important space that has been underinvested in by security vendors. Ever been unsatisfied with the permissions and controls a SaaS application provides by default? Ever worry about your application's APIs leaking more data than intended? Security isn't always about keeping attackers out, it's also about ensuring data stays in. We're investing to help our customers solve these universal challenges.

On Thursday, we're going to help deal with the complexity of the modern Internet and web. The Internet itself is a collection of networks. And a modern web page is a collection of content and applications. Unfortunately, the old adage that you're only as strong as your weakest link holds true online. On Thursday, we'll announce a set of tools that watch for signs of trouble in third parties, from the network level all the way down to the individual code on your web pages.

On Friday, we’re bringing some technology to protect against automated bots, which was previously only made available to our largest customers, to a broader audience. At the same time, we’ll be introducing more tools to identify and protect your APIs, which have historically been more difficult to protect against bot attacks.

Partnerships and Practicality

There's a reason the word "help" is a part of our mission statement: we can't build a better, more secure Internet alone. We don't sell network hardware. We don't own the core data centers where our customers store their data and run their applications. And there are companies that are deep specialists in things like identity management and endpoint security. And so, throughout the week, we'll be announcing a number of partnerships with the leading companies in adjacent areas, so our mutual customers can build complete solutions around our secure, fast, and reliable global network.

One of the reasons that I never wanted to be described as a security company was because of how the industry tends to sell products on fear, uncertainty, and doubt. So, this week, we wanted to flip that script. Instead of the usual scary messaging around hackers in hoodies and fingerless gloves, we'll be looking at a handful of recent, high-profile hacks and talking about how you can use our products as well as others in order to protect yourself.

Throughout the week on CloudflareTV we'll be talking to security experts we admire as well as hosting interviews with the product managers and engineers behind the products we'll be announcing. The schedule has been posted, and you can tune in live and ask questions.

A Week Is Not Enough

And that's not even close to everything. We almost declared it Security Fortnight because there are so many new products and capabilities we'll be announcing. So don't be surprised if the announcements roll through the weekend and even into next week.

While cybersecurity headlines often seem grim, we're incredibly optimistic. It is possible to build a more secure network. We can fix the underlying flaws of the Internet. We've been doing it for the last 10 plus years. And, this week, we're incredibly excited to take another big leap forward.

Enjoy Cloudflare Security Week 2021!


Matthew Prince|@eastdakota