🎂 Zero Trust + Mobile Operator Program
Presented by: Mike Conlow, Matt Silverlock
Originally aired on April 9, 2023 @ 6:00 PM - 6:30 PM EDT
Join Cloudflare Director, Network Strategy Mike Conlow and Director, Product Management Matt Silverlock to learn about Zero Trust and the Mobile Operator Program.
Transcript (Beta)
Hi everyone. Welcome to Birthday Week. This is the second set of sessions today that I've been in, but super excited to sort of talk more about mobile connectivity.
And so for those of you that knew me, I'm Matt Silverlock, director of product here at Cloudflare in our emerging technology organization.
And today I'm joined by my colleague, a director of network strategy who I work really closely with and a lot of things behind the scenes as well.
And so today, obviously, we've been talking about a lot and this is a really busy week ahead.
And we really want to talk to you about our Zero Trust mobile operators program.
But Mike, maybe just for the folks that haven't had a chance to kind of read through the blog after their morning coffee, do you want to just give us a quick 101 on what it's about at a high level?
Sure.
Thanks, Matt. And so again, my name is Mike Conlow.
I'm a director of network strategy.
I work within our infrastructure group and I spend a lot of time thinking about where and how we deploy our data centers and how the Internet is performing all across the globe.
And so what we announced today is an expansion of our mobile operator partner program.
And what that means is we really think there's an opportunity for mobile network operators, MNOs, as they're sometimes called, to use Cloudflare's platform of Zero Trust and network security services in a way that is really going to make the Internet safer and more resilient and also will be great for the subscribers of these mobile networks.
But before we get into more details of that, as you said, you've been at this all morning.
Why don't you give us a little bit more background on the two other mobile related announcements that we made this morning?
Yeah.
That's a great idea.
So we talked about three things this morning. And so the big sort of major announcement that underpins this is our Zero Trust sort of the first Zero Trust in And in a nutshell, it's the sort of the way we've been looking at just help secure organizations, right?
Blending the sort of the network layer, the hardware layer and the software layer.
So we've been doing this for a while with zero trust platform that we sort of under the umbrella of Cloudflare One and we've constantly been looking at ways to sort of plug some of these gaps.
Right, making sure that it's harder and harder to breach organizations.
We've seen so many of these attempts, they get consistently more sophisticated.
And so by deploying security at sort of the same layer helps organizations bring some of these protections to the employees.
Again, especially in a world of bring your own device, which I think is as I'm sure the same is as same with me.
Mike.
It's fundamentally just how the world is, though. It's the norm we're not using for the most part, you know, company owned devices.
Most of us want to use our personal phones. We don't want to carry two phones.
We still do a ton of work on those devices, even when they are managed.
And so having this sort of security at the same layer is a huge improvement.
We also announced building off the same technology under the covers now to the new IoT platform.
And so again, you know, so many IoT devices these days, and increasing amounts, are powered by cellular connectivity. Again, payment terminals; every vehicle you buy pretty much these days has a SIM card embedded in it for the infotainment system, for telemetry, for mapping data.
And we were looking at these and one of the key thoughts is, is the mobile operators, right?
How do we sort of work with them and how do we bring some of these capabilities to their customers?
And so, Mike, for those folks that are watching, you know, we keep hearing this zero trust term that we keep saying you're going to give folks a bit of an overview of what sort of the major components of Zero Trust are and what it's about.
Sure.
Yeah. So Zero Trust and we say this a lot, but it's not one particular thing that you do or buy or enable, but it's more a way to think about security.
And so the way the way I think about it a lot is, isn't it great?
And wouldn't it be great if all of our devices and all of our servers and everything can talk to each other and they can all see they're all on the same and the wide area network and that's one.
Good, important first step.
But there's a problem with that, which is that attackers, if they get to one device, could now see all the devices.
And so I like to think of the Zero Trust component as adding an SD-WAN and then adding Zero Trust on top of it.
So if I have access to one server, I have access to only that one server.
And so Zero Trust is the framework in industry speak.
There's a whole lingo about this in the telecom world.
It's all been rolled up into this term, SASE, but they're kind of the same thing.
It is enabling cloud enabled security that's delivered from a cloud edge instead of having devices on the network side that are doing all of this security.
And is there anything you'd add to that, Matt?
No, I think that I think that's key.
And I think for folks wondering, you know, how does this sort of play out in practice?
I think we've both sort of seen the model. And I think from your experience working in government and as well, like this sort of VPN based security, right.
And that has failed us.
You compromise VPN credentials, you're on.
And then you somehow have lateral access to everything in that network.
It's just not enough of a barrier.
And so sort of, as you say, moving to this sort of identity based model where everyone has a strong identity.
Right.
And thus it's not just being inside the VPN that gives you access, but it's actually you, Michael, me, Matt, or someone in our engineering team or in our legal group have access to the specific and explicit things they should have access to.
That is fundamentally the change. And again, we see organizations run into so many issues and security incidents when they're not moving to this new model.
It's one of the things that obviously we're trying to make and we'll talk about is making it easier to do that.
And so, Mike, I think hopefully folks now have a good understanding of Zero Trust and SASE is sort of a bigger part.
Where do mobile operators come into this, particularly from our perspective?
Yeah.
So I think we've all seen how much, how much talk there is and how much investment there has been by mobile network operators in new 5G networks.
And both in the US and globally, there's a lot of mobile networks that are making big investments into the quality of their network.
And so we're getting to the point where you have great connectivity in your home on Wi-Fi, if you have a good wired connection.
But also when you're outside of your home on cellular networks, you also have a really capable good connection.
And the line is even starting to become blurred between your home connection and your cellular connection.
If you use things like the fixed wireless offerings that are becoming more popular and more capable.
And so where they come in is the mobile networks have made big investments into the connectivity.
What the Cloudflare One platform adds on to that is what are the great things that you can do with great connectivity.
And, and so we are really excited about this because you can take the Cloudflare One platform, which is software delivered security services from the edge of the network and pair it with really great enterprise connectivity from mobile carriers or ISPs and have a really capable kind of end to end security solution.
So we really think that there's a good fit here also.
I mean, that makes a ton of sense.
And so you mentioned at the beginning as well, sort of and you touched on it in the blog post around this 5G fifth generation technology.
You know, how does 5G and how does sort of Zero Trust relate?
What are some of the shared concepts that you sort of see?
Yeah, we use the term 5G line and 5G is the fifth generation of cellular technology.
But it's come to mean a lot, a lot more than that. You know, it's come to mean all of the spectrum that wireless companies have access to now and are bringing online, right, right this minute that allow high bandwidth connections.
But it's not just that.
It's also really low latency connections so that you have the speed, meaning the time that data takes to travel from your device to where it is going is really great.
And so when we talk about 5G, we mean more than just the new generation of cellular technology.
But we really mean the experience of using a cellular phone on a cellular network in this day and age.
And so.
In addition to really high bandwidth and being able to download a movie very fast, we think a lot at Cloudflare about how to make sure that the applications that you are accessing, the APIs and the services and now the security that you are accessing is really, really fast and we really, really want latency to be definitely under 50 milliseconds from your device to where it's getting to, hopefully even better than that in kind of the 10 to 20 millisecond range, for you to be able to, from your device, say to content, to services, to security, a security service, this is who I am.
Can I, can I get through to this service?
And that logic is what we have built into the Cloudflare Edge.
That's the security service that we have on the Cloudflare Edge.
Yep.
No, that makes a ton of sense. I think again, this big push towards low latency, I think for those of us that have used third generation and sort of 4G tech sort of to sort of blur the lines a little bit.
But those massive increases in speed and a lot of that was also just driving down latency.
And I remember it was pretty normal back in the days of sort of 3G and 4G to see 100, 120 milliseconds latency even higher end to end, right, just on your cell phone connection.
And so it made it feel slow, right?
Everything felt a little bit slower.
Everything took a bit longer.
It does that concept of bandwidth delay product as well, where the higher the latency, the less effective bandwidth is.
And so you're seeing those, those 20, 30 milliseconds sort of roundtrip times on 5G.
It's been great and it feels like my desktop connection, which is always kind of great.
One thing that I do, I probably shouldn't do it, but I'm in my car, I'm ordering my coffee, I'm ordering my salad or something while I'm driving.
And this is, I guess, an occupational hazard, but I'm thinking about what the latency is as I'm waiting for this page to load, as I'm waiting for this transaction to go through.
And I'm thinking about what I'm on a good connection.
But if there's still a bunch of delay there, I'm thinking about where is that application hosted?
What is the API that I'm interacting with when I'm on this cellular network?
And how can we make that faster by putting that application closer to my device physically, geographically, how can we put the application closer to my device so I spend less time waiting for the page load, less time waiting for the API call to go through.
And so those are some of the things that I think these new networks are going to be able to do is put the device put the application logic super close to the end user.
Yeah.
That makes a lot of sense. And I think that kind of is probably a good point for us to talk a little bit about some of like what we consider sort of edge compute, sort of compute running on our network.
And so we talk about this a lot on the space of IoT, but it applies to pretty much any developer and use that is.
How do you get that?
How do you get that compute? How do you get those APIs?
How do you get that content as close to the device or the user as possible?
Right.
Not everybody is just in the United States, on the west coast of the US.
You've got folks all over the world and how do we sort of make that Internet experience more equitable?
I grew up in Perth, Western Australia.
Right.
So everything was slow. It's 250 milliseconds, round trip time to the west coast of the US to the sort of the core of the internet.
Certainly back in the early 2000s and when I moved to San Francisco to work for Cloudflare all those years ago.
It was remarkable.
I remember how strongly I realized this, how fast everything felt because every DNS query, every API, every IP request I was making, every website I was visiting was now 10 milliseconds, 20 milliseconds away.
Even if it was in the US's infamous US East one, it was still 50 milliseconds away, not 200 to 320 milliseconds away.
It made a huge difference.
I could play video games that I couldn't play before in a way that I wanted to as well.
It wasn't lagging or was able to play with more folks.
And so I think as we've looked at this and as you mentioned around that 5G pod is bringing that compute as close to the edge of the network as possible.
Getting it right on top of that mobile network.
Since more and more of us are effectively using mobile devices, I think I browse probably more on my phone than I do on my desktop these days.
Yeah.
I've been looking at research recently about how throughput and latency affect your ability to load web pages, how fast they load.
And it's really surprising that we spend so much time thinking about throughput, but after about 20 megabits per second of throughput, you're not loading a web page very much faster.
The marginal gain of more throughput after about 20 megabits per second, it really starts to go down to almost nothing.
Whereas if you can cut the latency of an Internet connection in half, you can basically load a web page about twice as fast as you could before; it's a linear relationship.
And if you keep halving the amount of latency, you can keep increasing the page load time.
And so it's about gaming, it's about web page loads, it's about APIs.
It really is the whole Internet that needs really, really low latency connections that we're now starting to see with these 5G networks.
But like we've been talking about, another part of it is where the infrastructure sits, where the servers sit, where the services and APIs sit.
And so we spend a ton of time on this.
We have 275 and growing data center locations, cities where we have data centers all across the world.
And so those serve all of these applications and APIs.
But the other thing that we can do for mobile networks and fixed networks that care about performance like this is we can embed our nodes inside of their network.
And so if it's important for a mobile network to have the speed, really good speeds in a local market so that the data request doesn't even need to leave the market, it doesn't need to leave their network boundary.
And so we can embed our services inside the network so that they are really, really fast.
Yeah, I mean that's such a huge part of it.
I think what we've been working on achieving with Workers is a serverless platform.
I think that vision of having compute as close to the eyeball, to the user as possible, to the mobile network subscribers as possible.
And then similarly looking at the way we build everything else, right, looking at the way we build things like R2 object storage, having this sort of issuing this global, this sort of this regional model and moving to a global model where we can co-locate data closer to users where they actually access it, things like durable objects.
When I've asked sort of coordination elements in our storage platform, very similar as well.
Again, I think it just brings me back to like it never felt like the internet was equally distributed when I was using it outside of the US.
And I'm sure tons of folks in Asia, in large parts of sort of Eastern Europe and Africa probably feel the same way, if not stronger, because everything is sitting still somewhat centralized, particularly behind some of the large cloud providers in the east coast of the US, west coast of the US, core parts of Western Europe.
And it just doesn't feel and also I think it's hard for app developers and application developers to distribute their stuff even if they do want to.
Building a global distributed application is still pretty hard and so I think it's been great that we've been working to make that a lot easier with stuff like Workers.
And again, I think it plays into that sort of 5G concept of low latency.
Now I wonder if you could talk just for a minute about the developer experience of using Workers, because sometimes when we say there's a new 5G market and when you use the Cloudflare Workers platform, you're not thinking about each market individually.
I wonder if you could just talk for a minute about kind of the experience to deploy an application to a network?
Yeah, that's a great question.
So I think one of the really cool things and I say this like I'm not I'm not part of that team.
And so I've used it for a ton of projects and we've used it for a ton of products we've actually shipped.
We built a lot on Workers is when you're building something out on a cloud provider, say, like Amazon or GCP, the first question you're presented with is like, what's the region of this service?
And it's such an impossible thing to answer.
Sometimes it's like, Well, I've got users in more than one coast or more than one market, and so do I.
I guess I just have to start where most people are and everybody else suffers a little bit.
And then help me sort of understand now I have to replicate this data.
I have to pay those egress costs between regions like it ends up being really hard.
And so from when you sort of start with Workers, it's like a breath of fresh air.
You fundamentally get presented with one region. We actually say a region earth, and I think it's both cute but also real.
We deploy the application globally, fully, we replicate it globally.
We auto-scale it globally across our edge.
And this hit, just as you said, have said, you know, we've got 175 plus cities.
They hit the city closer to them.
The code runs there.
We return that response.
If we need to go back to a slightly more centralized database, we have those options and developers and again with things like D1, our SQL database offering, we're bringing those things to the edge as well.
But yeah, not having to choose a region and pin yourself to your geography.
From day one is, I think, a revelation again.
As a developer myself outside of work, it's fantastic.
Again, how are you supposed to answer that when you are just testing an idea or prototyping idea or you already run a global organization?
It's painful.
And again, adding one more region, adding two more regions. If you've ever done that on a cloud provider, you know how painful that can be.
If anyone's watching this and has a multi region set up on any of the major cloud providers, it is expensive and it is hard and it is a huge reason why so many sites go down.
When US East one on us goes down is because the reality is.
Most sites are happy to take a few hours of downtime every year versus paying the price operationally and in cost for trying to distribute the applications.
And so yeah, I think that's such a fundamental part of Workers and again, it ties back to that low latency part as well.
If we can distribute it easily, you can get the latency down and then users can actually realize the benefits of stuff like 5G.
It can be great if you have 5G, all of this sort of again, these goals of high bandwidth, low latency, close to the user are awesome.
But if you're still accessing services that are hyper centralized, then you've kind of missed it.
And so I think that's a super important connection. I think that's exactly it.
So, Mike, we're almost out of time.
Any last thoughts?
If I'm a mobile operator and I'm thinking of like, hey, this, this sounds really powerful, how do I work with Cloudflare to bring Zero Trust into my network?
Or how do I understand more about Cloudflare's edge compute capabilities?
Many of these operators probably already have Cloudflare Infrastructure sitting within their networks as well.
Like, Where do I go?
Where do I start to learn more?
Yeah, I would definitely encourage people to read through the full blog post.
I think we covered the highlights of it here, but take a read to that and right there at the end is a sign up form that anyone can use to get in touch and just reach out.
And we would love to have a discussion about how our security services might match with the connectivity that a mobile network operator is providing.
I think anyone who works in and around the space, there's a lot of attention right now towards enabling some of these kind of cloud security services.
And so we just feel like there's a really good fit here to bring on more partners between us and mobile networks.
And so we're really excited about it.
Awesome.
Well, Mike, thank you so much for your time. Thanks for watching and stay tuned for the rest of the day.
Great.
Thanks, Matt.
Mindbody is specifically focused on the health and wellness space and was built by people who are passionate about health and wellness.
We serve health and wellness businesses all over the world.
We allow our customers to spend more time focusing on the parts of their business that they love and less time worrying about scheduling, software and payroll and other day to day administrative work.
We want to protect customers from attacks that could hurt their business and their brand.
And at Mindbody, we're passionate about ensuring that our customers' data is secure.
When we first approached Cloudflare, we had a lot of different tools in our security stack and there was a lot of management overhead associated with all that kind of complexity.
I think at one point we had four different WAFs, a separate tool for bot management and TCNs, and we basically managed to consolidate all of that into using just Cloudflare without losing any of the functionality or any of the protections that we had in place.
It was the kind of tool I could hand to junior analysts or senior engineers, and they would all know how to manage it pretty quickly.
With our old environment, we were constantly fighting botnets and attempts to scrape our inventory, credential stuffing attacks.
When we moved to Cloudflare we were able to mitigate a lot of these kinds of attacks much easier and more consistently.
Using Cloudflare bot management, we see a lot fewer false positives with actual valid end users using our application and being flagged as a bot.
We've gone from dealing with several per day to only a few per week.
With the Cloudflare access solution, we are able to provide Zero Trust access to sensitive internal applications to contractors and third party vendors.
It puts our internal applications behind strong authentication protocols and allows us to ensure that only authorized users are able to even see the service.
The health and wellness industry is only going to grow.
I think Mindbody is going to be part of that rising tide that floats all boats.
Cloudflare will help us scale and grow and secure all those services as the industry expands.
Q2 customers love our ability to innovate quickly and deliver what was traditionally very static old school banking applications into more modern technologies and integrations in the marketplace.
Our customers are banks, credit unions and fintech clients.
We really focus on providing end to end solutions for the account holders throughout the course of their financial lives.
Our availability is super important to our customers here at Q2.
Even one minute of downtime can have an economic impact.
So we specifically chose Cloudflare for their Magic Transit Solution because it offered a way for us to displace legacy vendors in the Layer 3 and Layer 4 space, but also extend Layer 7 services to some of our cloud native products and more traditional infrastructure.
I think one of the things that separates Magic Transit from some of the legacy solutions that we had leveraged in the past is the ability to manage policy from a single place.
What I love about Cloudflare for Q2 is it allows us to get ten times the coverage as we previously could with legacy technologies.
I think one of the many benefits of Cloudflare is just how quickly the solution allows us to scale and deliver solutions across multiple platforms.
My favorite thing about Cloudflare is that they keep development solutions in products.
They keep providing solutions. They keep investing in technology.
They keep making the Internet safe.
Security has always been looked at as a friction point, but I feel like with Cloudflare it doesn't need to be. You can deliver innovation quickly, but also have those innovative solutions be secure.
We're about to fashion platform has become the number one fashion platform in Europe in the Generation Y and Z.
It has been tremendously successful because we have built the technology stack from a commerce perspective, then decided to also make it available to leading fashion brands such as Marco Polo, Tom Tailor, the Founded and many other.
And that's how scale was born.
What we see in the market is that the attack vectors are becoming increasingly more scaled, distributed and complex as a whole.
We decided to bring on Cloudflare to ultimately have the best possible security tech stack in place to protect our brands and retailers.
We use the Cloudflare support management, rate limiting and WAF as an extra layer of protection for our customers by tackling the major cyber threats that we see in the market.
DDoS attacks, credential stuffing and scalping bots. What we see with a scalping bot here is that they're targeting high end products and then buying them up within a few seconds.
That leaves the customer dissatisfied.
They will turn away and purchase somewhere else the product and thereby we have lost a customer.
Generally, before it could take maybe up to half an hour for a security engineer to handle the DDoS attacks.
Now we are seeing that Cloudflare could help us to stop that in an automatic way.
Cloudflare helps us to bring the site performance to the best and ultimately therefore create even more revenue with our clients.