🎂 The First Zero Trust SIM

Hi everyone. My name is James Howarth. I head up innovation here at Cloudflare and we have a very special announcement today around the first Zero Trust SIM. Joining me to discuss a little bit more about this is Matt Silverlock. Matt's a director of products in our emerging technology and incubation team. Matt, thanks for joining. Of course. Thank you, James, for hosting. So for those of us who maybe haven't had a chance to read the blog post, how about we start off by describing the offering? Yeah. So, So obviously today we want to talk a little bit about the Zero Trust SIM, which is for many folks, probably something they never heard of before. And also some of the work we're doing related to that around securing Internet of Things. But I'm going to presume you probably just woke up, you just got online, maybe you made coffee, hopefully you read the blog post, but maybe that was sort of lined up. So. I'm going to talk to a little bit just about sort of what we're thinking about here, and then we can dive in. But, you know, all of us, I think these days use our phones for part of our work. I like to sort of the line between a personal phone and a work phone has been getting blurry and blurry and blurry over the years. This concept of BYOD or bring your own device, it has been a a huge change. I think in many cases, good. We've all been using the phones. We actually enjoy not having to carry two devices, the age of having a really average corporate phone or pager is kind of long gone. It's great, but it also means that things are much harder to secure. Right? I'm accessing web resources on my phone. We've also seen these tremendous efforts to compromise and phish employees, get them to click on links and enter their credentials and get access to corporate resources via their phones, via their personal numbers, often taken from a breach elsewhere. And we'll talk about some of those cases shortly as well. And so we've been sitting around and wondering how do we how do we defend against this? Right. We've got a lot of these protections in our zero trust platform that from your laptop PCs to some of our mobile operating offerings as well, and Warp. But how do we bring this the lay it down to the stack? How do we keep building defenses here? And so what we've been working on are what we announced today is, is fundamentally our Zero Trust SIM, right? It's a SIM card, effectively a cellular service built into Cloudflare One, which is our sort of all encompassing platform that helps you protect your organization. Right? That allows your employees to have cellular data that is that is protected by Cloudflare's network, so that when you click on that link that maybe you don't realize as efficiently, to be honest, those things are getting more and more sophisticated. You click on that link, you visit those websites, there is a new threat that's just come out right. You can be protected against that even if you are on your personal device. Fantastic. So a lot of a lot of the zero trust offerings in this space rely heavily on software to do it. And the big differentiator here is it's not just relying on the software, it's actually relying on the network as well to do some of the some of the Zero Trust security protections. Does this replace the software or is this in addition to the software that many Zero Trust solutions have? Yeah, it's a good question. I think a lot of folks, especially internally, have asked the same question as well. We think it's an augment to this in many ways. It's a great way to get started very quickly. It's really easy to roll out what we're building here. So scanning a QR code or using sort of some of the basic MDM tools you have already to deploy eSIMs especially. And we'll talk a little bit more about why Esims as well, but really, really to get started. But certainly an augment on top of what we have today with our sort of mobile clients, having the cellular traffic go through our network by default and only the cellular data is really, really powerful. And then again, you could augment that with the Warp agent, right? If you need things like device posture, additional sort of signals around the device, you can layer that on top. And so making those complementary is really important for us as well. Okay. So it's complementary. So let's say you're a CIO or a CISO. So thinking about security in this space or thinking about rolling this out across an organization, why is it a good idea? Yeah. So there's probably a couple of factors here. I think one of the more obvious ones in some ways is even cost, right, is if you can help your employees reduce their cellular data bills by potentially providing that service for them. Right. It certainly makes it easy to adopt. And I think one of the things that you probably hear us say a lot is this stuff has to be easy to adopt and deploy. Right. You can have the best security solution in the world. If it's not easy to roll out to your organization, it's not easy to manage. If you're a CIO or a CISO, right, you've been through this pain. It is pointless. Right. The friction is there. It turns out that it does not get adopted. It does not get adopted universally or it's hard to get new employees enrolled or they have frustrations and. Right. And if you're a growing organization, that can be even worse. And so poorly deployed security is really not security at all. So again, cost part is certainly one thing. On the other part, again, it's really, really easy to get started. And again, it's about trying to find all of those weak. Points. Know in that sort of device security perspective. So you've got cloud infrastructure that you might secure with other parts of Cloudflare One like Magic Wand, Magic Transit. You've got your existing fleets of like particularly laptops and desktop machines or fixed locations that you're using a lot of our core sort of network access as part of Zero Trust. And again, we sort of see this as this next this next part as well. And by sort of having sort of capabilities at the SIM card level, we can do more interesting things, especially in the IoT space as well. Right. We've got this really core foundation now that lets us secure employees and organizations, but also their Internet of Things infrastructure. Yeah. I want to touch on IoT, but not quite yet. I mean, there were 130 organizations and we were one of them that recently were subjected to a pretty sophisticated phishing attack. We've written about this extensively. The interesting thing for me was it was this idea of lots and lots of layers of protection and security. And it seems really cool to me that we've added another layer here, and it's a layer that no one else is offering. I think it's fantastic. So tell me a little bit more about what else we're thinking about in this space, like in terms of device management capabilities, particularly from a security perspective and also analytics, incredibly important for organizations when they're thinking about a holistic Zero Trust point of view on their security. Yeah. So maybe now is actually a good time for me to talk a little bit about why and what an eSIM is and in fact, why this sort of rolls into some of this security as well. And sort of the analytics and so many of you probably if you're watching, you've probably heard about the eSIM. I think, James, you probably have used eSIMs when traveling as well as have I, right? Obvious convenience is that I don't have to physically go and grab something that's nice when I'm traveling as a consumer. But when I'm organization, it has another benefit, right? If I can securely deliver this eSIM. It's incredibly hard to clone. There is a whole new layer of security that are embedded SIMs fundamentally provide more formally called Unix like integrated circuits, but we'll just call them eSIMs to keep it simple. But you know, there's this whole class of like supply chain attacks, right? And so I was just reading the other day from a reporter, Corrine at the Verge. Who their wife basically installed this physical SIM while traveling. And moments later, he, the reporter, got a text pretending to be his wife, trying to phish him into sending money, pretending this sort of classic scam of like, hey, I'm stuck and - No way. I need an urgent sort of money order. Right? And it came from his wife's effectively physical SIM number, the one that he'd just been talking to her on that she had in this other country. Right. These kind of threats exist for organizations as well. Imagine if you had physical SIMs or particularly if you're in the financial services or technology industry. Right. These threats are becoming more and more sophisticated and advanced. Right. If someone could send your employees physical SIMs and have them install them, right, that becomes a problem. What if they if they're pre cloned, already compromised and those things can be non-trivial today, particularly on a physical layer. Those are big problems. And so. This is sort of, you know, something way to really thinking deeply about, right. It's great to have these SIMs, it is really sort of a powerful zero trust capability. But how do we avoid opening customers up to a new set of threats that they may be not prepared for? So by having eSIM-based deployment, which you can do through simple as a QR code and authenticated mobile device management, so if you're using already that for your organization and doing some form of MDM for your employee devices already both iOS and Android already have eSIM deployment APIs. So it takes just a few minutes to go and roll those out and install them on all of your employees. A subset of your employees. Really easy to get started and over time obviously build that into the WARP app as well. So if a user is logged in on their mobile device, they can add the eSIM as another layer of protection right in the app and have the OS install it automatically. So that's a that's a huge part of that. That kind of goes along with that device management capability is like, how do I just get this installed and started? But then once you've got the SIM installed, then we're getting additional security signals, right? So you know, even just knowing and again in a privacy ensuring way, know what country or a device is connecting into is important, right? For many of your employees, they probably don't travel that much outside of their home country. Or if they do. It's a known business event or it's an own event. Right. We want to make sure that both from a employee security perspective, that they're actually okay and or from a corporate security operative, that you're only seeing them connecting from one location at any time. And if anything anomalous happens, being able to detect that and prevent that or mitigate it from happening. The way we look at a lot of the security and that particularly in spaces. There's no way for you to fundamentally manage or look at the analytics for every individual employee. What you want to really understand and what we're trying to build here is how do I look at the ones that are different? Well, I've got 500 employees, 3000 employees, 10,000, 120,000 employees. How do I go and identify the ones that are behaving differently, either from the way they were behaving over the last few weeks, maybe they're doing ten times the traffic, or for some certain reason the number of blocked requests or the amount of block traffic is a multiplier. What previously was that? That could be the sign of something's off, or they're suddenly in a country that they shouldn't be or appearing to come from two countries. All of those things that are at least the fundamental signals that we can pile in and then obviously expose to security teams as well to CISOs so they can have these kind of controls again on top and sort of underneath the software layer we already have today. One of the things I love about Cloudflare is it takes things that typically have an order statement in between them and puts an end instead. And the big one of those is security. It used to be security or performance. And one of the wonderful things about Cloudflare is it turns that into security and performance. It sounds like this one is typically a tradeoff between security or privacy, but that previous answer kind of hinted as to how we might put an and in there instead of an or. Yeah, very much. I think, again, as I think as we've all thought about as the area between sort of what a work device is and what a personal device is is already being super blurry. And for many organizations. Right. And again, that leads to a level of distrust as well from employees. Right. Like you want to be sure that you can keep your personal life separate from your work life, but you also as an employee, you also want to make sure that your employees aren't compromised outside of the organization. And then that compromise sort of comes in. That's again, going back to sort of the the Twilio breach and sort of the attempt on Cloudflare. Right. Many employees and family members and others, they were phone numbers were scraped from whatever other breaches had happened out in the wild, texted to our personal numbers. And that becomes a real problem. And so how do you how do you kind of. Maintain privacy while still securing employees. And so this is this is super important for us. I think it's important for me personally. But also, I think for everyone I have spoken to, the organization is like we aren't going to adopt it ourselves if it's not, it doesn't provide a sort of a private solution. So a lot of the ways we think about this is how do we. Make sure that employers and employees have transparency around what's being blocked, what's being observed. If I have a device that has a Cloudflare in it as part of my employees zero trust organization. Right. How do I have visibility to the current state of logging? How do I just make sure that things that are just blocked and only the threats that are actually actively blocked are logged. And that other traffic I visit is not. And those things I think are going to be really, really key for this being successful. I think that's that's an area that I think will. Yeah. No, that makes a ton of sense to me. So, you know, like one of the things and you kind of hinting about it being deployed internally and the questions you're receiving internally, I'm sure viewers would be interested in a little bit more of the origin story. This obviously is probably not just as a result of the attempted breach of Cloudflare the Twilio phishing campaign. It's it's probably a little bit more in the making than that. So the folks listening, would you mind sharing a little bit more of the origin story of how this all came about? Yeah, so it's a great question. So we've definitely been thinking about this for quite some time. I think years in total. It's always been the sort of, I think. Area that we've looked at and wondered, how does this help secure our customers? We've looked at this sort of this space, and it's always felt a little bit lacking, like we purchase a lot of these services ourselves for our own organization. And I don't think we've been supremely happy with how they have worked out or the amount of glue we've had to put in to make it work. We keep, obviously, when we have employee devices, particularly corporate devices, protected, that's great. But how do we get tighter integration with zero trust platform so that traffic on the devices is going out through our platform is secured implicitly? And then again, in this world of BYOD, bring your own device is again, how do we do that? And particularly over the last couple of years as we've grown to be a effectively a remote first organization with employees in tens of countries, even hotter. Right. Even harder to choose to make that work. There's the challenges of physically sending people things as well is always tricky, making sure everything arrives and onboarding. So again, it goes back to kind of that same idea that we sort of had been percolating. And then the other part that this kind of came from was the IoT space. And so we actually sort of looked at that as one of the first places to touch as well. Right. And we said, well, hold on. If we're going to support seller connectivity. for. IoT, which is tens of millions of devices that you're probably using every day, all these payment terminals are typically cellular powered, let alone logistics industries and manufacturing or your car pretty much every car these days, ships with a SIM card embedded in it as well. What else could we do? What else could we do if we had this connectivity and it became really, really obvious and again obvious in hindsight that this sort of employee security part is organization security, part was another fantastic application of this. And again, a big problem to be solved. That makes sense. I mean, we touched on it once and now it seems like we've touched on it again. So maybe it's time to talk a little bit more about how does it how does it fit into this story overall? Yeah. So I think we've talked about this, I think a little bit as well. I think a lot of us when we say IoT and I love this example, you know, always thinking about like light bulbs and pet detection sensors. We bought one the other day for our cat while we're traveling and it's great, but that's a different class of IoT device. That's something that's typically consumer low power, super, super cheap. It has to be incredibly cheap. It's normally on your home network, so it's a little bit different. But there's a whole class of IoT devices again, that we interact with every day. So like I said, payment terminals, if you're in the UK in particular or if you're in the US and using one of those square based terminals. Nearly all of them are cellular devices and for a huge reason is they are way easier to secure from the payment provider side. Right I can give these merchants who maybe have a wi fi network that's unreliable. I can't ask them to go and set up wi fi and get it right and make sure the firewall is configured and make sure all its trustworthy. I want to ship them a device that can be turned on and is ready to go. The same goes for a car. Exactly the same thing. You can't connect your car to wi fi. If you had to bring your own cell phone plan, that would be complicated. And what a nightmare. And so they build it in as the cost of delivering the service. And again, more and more with things like infotainment and mapping services. And then, you know, every time the USBs or UPS or USBs or DHL rocks up at your door, the vehicles and the terminals are using a role cellular devices as well. Right. And they need to be reliable. They need to be secure. Again, on the payment side, certainly so. And so it turns out that there are tens of millions of cellular IoT devices. We saw we said that as industrial IoT, but many people don't associate a payment terminal as industrial. But it is. And when we looked at a lot of these spaces as well, we realized that it's really easy to buy an IoT SIM, but it's surprisingly hard to make it secure. And over the last decade, we've been defending against IoT based botnets that have been dosing everybody and everyone, things like Mirai as a huge case of that. Right. And so the motivation there is like, how do we how do we help secure this stuff, right? How do we how do we make sure that a device can only talk to, especially an IoT device? You only talk to the APIs, the backend, the compute it needs to and not just the open Internet, but still be really easy to turn on, still be cheap at scale. And this is sort of made doubly so because the cost of a cellular modem in the IoT space continues to drop. And so it's been even more accessible for organizations who maybe once. We're debating about whether they could afford in their set of building materials to ship a device that was sort of based on cellular. That's become even more obvious now. So we're expecting to be a big explosion in that space as well. If you can ship a device again that just works and the user at the other end or the merchant, whoever they are, doesn't have to think about it. That's that's really, really powerful. And so support variety today. Talk a little bit more about that for folks who are listening and might be interested. Yeah, so it's a good question. I think it's also it's definitely worth saying we have support for IoT devices on a network today. We have hundreds of thousands of devices connecting in with mutual TLS, which is a pretty common approach for that over existing networks. We call that API shield. And then recently, just a few months ago, we announced Pops Up, which is our MQTT that's a very popular messaging protocol in the Iot space and beyond pops up beta a few months ago. So we've got this really great foundation for these two things and a lot of folks using us for IoT now but. As we looked at the cellular space, as we've looked at how to improve that and listen to a lot of customer feedback is really building this into sort of a device management platform as well so that I can provision cellular devices or I can provision MPLS devices, I can get better per device analytics. Again, going back to that anomaly detection pace, understanding when devices are acting awry. So why is this device doing a gigabyte in the last week when every other device is done, ten megs of telemetry, that's a big difference. How do we cull that out? I think the thing that is going to be the most useful for customers is adopting this what we call a positive security model. And so it's almost always the case for these IoT devices. You know what you need to talk to? It's not a human or a web browser where I can there's new sites popping up all the time. I can't say to my employees, you can only visit this list of websites and no other things that we know that doesn't really work. People will find ways to circumvent that, but in the IoT space. I want to talk to my Metrics API. I want to talk to my back end APIs for my firmware. I want to download blobs. I have this finite set of endpoints and so flipping that around and saying this device can only talk to those things and everything else is denied and all of that using a zero trust platform. So the same foundation that we use for securing organizations and bringing that to IoT. And so a lot of the work over the coming months is because basically tying those two things together and giving customers a much better device management platform. Lots of opportunities in this space. But let's bring it back to the Zero Trust in. When are we thinking about this being available? Like I see a lot of global SIM services out there on the consumer side or like they my experience is a majority of them tend to be slow and painful. Like if you're thinking about something like this, thinking about rolling it out inside your organization, when do you think what's the timeline looking like? Yeah, and it's a great question. I think also a good point around a lot of these sort of existing consumer based services. So as you sort of said earlier, right, we were talking about security and privacy, but we could have also mentioned security and performance. We know that it's really important to get this right. The reality is, is like slow security is, again, particularly useless security. And so getting that performance profile to be as expected so that if I change from my existing cell phone data plan to zero trust sim, I should expect and ideally get the same performance as I would be in my home country and ideally fantastic performance abroad as well. And so we're always taking a pretty curated approach to get that right. We expect that we're probably not in the US over the coming months and so probably sort of in the first half of next year and start rolling it out to some of our earliest beta customers and in the meantime using it pretty aggressively. Internally. And then continuing to sort of roll that out and bring new countries into the fold as well. You know, I'm very interested in talking to a lot of customers from different places. I think that's going to be as many things at Cloudflare, right? We want to understand where our customers are, what kind of problems they have, and we can go and solve those problems in those locations. Ultimately, we want to be in a place where we can have global service. But again, we want to make sure that Performance Bar is where customers expect it to be. Again, if I have this to assume that doesn't work as I would expect or is a significant downgrade from what I have today that's insecure. That's not a fair estimate to have customers make or it's not a sustainable product. Yep. If there are folks listening from the carriers right now and they're interested in finding out more potentially working with us, what should they do? Yeah, so a good question. So we talked about three things today. So we talked about the Zero Trust and we talked about IoT. And this last one is sort of this announcing what we're calling our Zero Trust for mobile operators program. And so there are a ton of hundreds of mobile operators out there today. Right, trying to build in security to the platforms as well. And so we'd obviously love to talk to a lot of those folks. And we have been talking to others already around how we can bring our Zero Trust technology to their networks as well. And so very, very keen to chat to those folks, very keen to sort of understand particularly those in markets that are looking for more of these things as well to sort of work with them as well to sort of build our networks together. And so there's a blog post that we just pushed out this morning with the other two. We have a sign up form there. We'd love to talk to a lot of operators in that space so we can help them solve those problems for their subscribers as well. So we've talked a little bit about these consumer offerings. The pricing is never as good as like the plan I get when I'm in my home country and sign up with my own carrier. How are we thinking about pricing here? Is this going to be the traditional per gigabyte? Like you pay 20 bucks a gigabyte or something terrible like that? Yeah, we fundamentally want to avoid that. I think as we've talked about in the other parts of our organization, things like to sort of this concept of gregarious regress where you just pay these tremendous per gigabyte fees. It is a little bit different in the operating space, but I think it's really important for us to really avoid this sort of per gigabyte charge, right. As What do you what do you do. When. An employee reaches some arbitrary cap? Do you file open and no longer secure them that feels inappropriate or do you let them rack up some tremendous bill? And how does that kind of work? Right. And again, over time, we do more and more and more data through our through our phones. And we use phones more. Right. In fact, I was just talking to my boss, Jane, and we're talking about how much data we do monthly. And he thought it was a couple of gigabytes and it turns out it was 11 gig a month. Then I do about a gig a month. And I think many of you would be surprised if you're if you're watching as well, go and check in your phone in the last 30 days of data usage and it's probably quite a bit higher than you used to expect because you might remember a number back when your phone plan was a gig. And as the plans have allowed more, we've consumed more, particularly in the video space. And so this brings me back to I think we want to really avoid that per gigabyte charge. We want to basically build it into our existing sort of per seat pricing. And so we're talking to a lot of customers over the next few months to try to get that right, to try to make sure that we are addressing this sort of cost concerns, making sure it works for the organization as well. But again, I think that sort of world of charging by the gigabyte is sort of being and gone. That music to my ears. So where do we expect to launch first here? We've talked about we've talked about the SIM card for Zero Trust. We've talked about IoT. Are there any limitations folks should be thinking of as well or be aware of the early on? Yeah. So on the IoT side, I think our expectation and what we're looking to is obviously to provide as much sort of global access as we can from the from the beginning. Again, as we talk to specific customers, we'll try to sort of make sure that we have the right connectivity where they have their devices and where they're actually deployed. But on the IoT side, that makes a ton of sense. And again, that's probably the early part of next year. So we're already sort of prototyping that my desk is covered in SIM cards at home and then on the Zero Trust. Yeah, I have so many versions of SIM cards just like and like IoT devices all over my desk from testing. And then on the Zero Trust side, again, as I mentioned, probably focusing on the US first. But again, we're really keen to talk to customers who aren't located in the US, who are located in other regions. Right. Those things are not set in stone. I think what's really important is we try to meet customers where they are rather than having arbitrary gating, but again, expect that sort of in the first half of 2023 as we roll things out and we'll be reaching out to folks who've signed up. Again, the sign up forms at the end of the blog post, reach out to those folks and obviously working with them pretty early on to try to find the right folks to testing. Awesome. I'm just keeping an eye on time. We're down to the last 60 seconds. So just finishing up here a little bit about the roadmap, like what's the future look like when, like, love to hear a little bit more about what's around the corner. Yeah. So I think we'd really. Love to get our IoT support out as quickly as we can. We've been speaking to tons of folks who are already using our network for securing devices, some of them already bringing their own cellular connectivity elsewhere. And we keep hearing that they're not particularly happy with the way it's priced with the security model of it, that it's not quite what they would expect. And so that's going to be a definite priority for us as well. But in parallel, we are working pretty hard to get the zero trust stuff working. I have that if you look at my Twitter in these last 10 seconds, you'll find that I have some stuff working on my personal phone already. We dug through this stuff pretty aggressively and so yeah, really excited again, early 2023.