ℹ️ CIO Week: Cloudflare Log Storage; Customer Metadata Boundary; Cloudflare Browser Isolation
Presented by: Tim Obezuk, Tanushree Sharma, Ben Yule
Originally aired on April 2, 2022 @ 2:30 AM - 3:00 AM EDT
In this CIO Week segment, Cloudflare product managers and engineers will take a deep dive into the products and features we launched today.
Read the blog posts:
- Store your Cloudflare logs on R2
- Control input on suspicious sites with Cloudflare Browser Isolation
- Introducing the Customer Metadata Boundary
Visit the CIO Week Hub for every announcement and CFTV episode — check back all week for more!
English
CIO Week
Transcript
Hello everyone. Welcome to CIO Week.
We are in day two and we're excited to talk to you about the products that we've announced today.
Let's start off with some introductions. My name is Tanushree.
I am the product manager for the Longs Team.
Tim, do you want to go next?
Sure.
Everyone. Nice to meet you.
My name is Tim. I'm the product manager for Browser Isolation and I'll be speaking about secure browsing in the workplace.
Awesome.
And my name is Ben Ewell. I'm an engineering manager here at Cloudflare and I help build various parts of the metadata boundary, which we'll talk about in a minute.
Cool.
So we all know Cloudflare is a big company. We offer a broad range of solutions and there's always new things in the works.
And so the announcements today are from products that are around the org, but with a focus on security, both internal security, which we'll dive into as well as where data is stored, and then we'll dive into the data sovereignty aspect.
And then I can discuss Cloudflare Log Storage today.
Awesome.
Well, Tanushree, why don't you go ahead and kick us off and tell us all about blog storage and what we launched today.
Cool.
Yeah. So something we're currently building out is for giving customers the ability to store their Cloudflare logs on our too.
And this fits into CIO Week because CIOs and security teams care a lot about the data that Cloudflare produces, whether it's for the application services that we offer or for our network services or the teams data.
And so with log storage on Cloudflare, it opens up the ability for organizations to consolidate their infrastructure and store logs in and store their data in less places and also save money.
And this has been something customers have been asking for, even with the recent announcement of R2.
What was that like a month or a month and a half ago?
Customers have been asking us when we can start storing their logs on R2.
And I love it when customers are sort of two steps ahead of us in that front.
So a lot of anticipation for the product and we're excited to get started on it and release it shortly.
How does this fit into some of the other logging products that we have here at Cloudflare?
And how is this a little bit different? Yeah, good question.
So we have three logging products today at Cloudflare. I'll start with the most recent one, which we released during Speed Week.
This was instant logs and we released this as a beta during Speed Week.
Still rolling it out to enterprise customers.
So if you're a customer and you haven't gotten access yet, it is coming soon.
And basically the use case for instant logs is, is you're able to see your traffic flowing in real time on the Cloudflare dash.
So anything that hits your website, you'll see that, see that coming in on the dashboard.
And yeah, main use cases are for debugging and triaging purposes. So if something is going wrong and you need to find out exactly what it is, it's a great spot because it simplifies the workflow.
You just head over to the dashboard.
No need to.
If you send your logs to a current destination, you don't need to scan through files or anything.
So that's sort of the main use case for that is, is something's happening.
We want to figure out what it is and fix it and see the results as well.
But when you need all your logs, we have a product called log push.
And Log Push allows our customers to push their logs to a third party object storage destination or a SIEM provider.
Some of the big ones that we support today are Splunk.
Jcs on the storage side as well as sorry, Splunk and Datadog on the same side, and then GCS and S3 on the storage side.
And we've also worked with SIEM Providers to build out really great analytics dashboards so we can surface metrics and data that is really important to our customers.
And so going along with this, R2 will give another option for customers to be able store their logs on Cloudflare itself.
And then lastly, we have a product called Log Pull, and our customers really like log pull because Cloudflare stores data for up to seven days for their HTTP request data.
And so it's super easy to use.
You just retrieve logs via a simple API.
There's no configuration needed.
And we've gotten really good feedback on that.
But customers have wanted to see an extension of the capabilities it's offers, and this is where we're showing logs in order to comes in, because we can give customers more flexibility.
They can store logs for any of the products that we offer.
Log push to today and then soon we'll also be able to add additional capabilities on top of what log pull has.
So additional querying just making it easier to understand and find the data that's important to customers.
Cool.
That's awesome. That sounds really powerful.
But why?
Why is storing logs in our to better than what we offer today and what will that really enable us to do differently?
I think the big thing that's top of mind to a lot of customers is cost.
With Cloudflare, we produce a lot of data, especially if you're a larger customer and the cost can really add up both on the data storage side, on the data analysis side.
And we think we can make it a lot better of an experience for customers to do this on.
Cloudflare will build tools that are specific to our data and deliver insights to customers that they don't see on third party platforms that are sort of they're oblivious of the data within them.
So that's a real benefit of Cloudflare is is cost savings as well as catering towards our customers use cases.
That's really awesome.
When do you think as a customer, when will I be able to go in and actually turn this on for my account?
Yeah.
Big ticket question. This is currently in the works.
The work is underway.
We will we have a sign up link in the under the blog post that I've that I've published today.
And so suggest customers that are interested to sign up via that link and we'll notify them as soon as it's available.
This is likely to come in the next quarter or two.
Awesome.
And then when do we think we will also be building additional tools on top of that you talked about?
Yeah, I think this all builds starts from the storage piece and then from there we'll be building additional capability to be able to query your logs with certain parameters.
So I think stay tuned. I don't have a have a great timeline idea of timeline for that yet, but 20 to 22 is going to be big for the log products at Cloudflare.
Cool.
Awesome. Great.
Thanks. Sure. I remember a few years ago when I first joined Cloudflare, seeing log push and being really impressed by how we could aggregate all the logs from all of our hundreds of points of presence in a couple of minutes.
And then very recently, seeing those instant logs appear instantly when we had all of our teams posting requests.
So it was really fun experience.
Cool.
So I'm going to I'm going to talk to you again about customers metadata boundary.
Can you tell me a bit about what we're building the space and the problems it's solving for our customers?
Yeah, I'd love to.
And I think before we can begin to understand what the metadata boundary is, there's actually a larger suite of services that this is a smaller part of, which is what we call our data localization suite.
And metadata boundary is really a part of that.
And so what the metadata boundary very specifically refers to is metadata that's the keyword.
And what metadata is, it's data about data. So this is not our customers data directly.
These are not the requests that flow through Cloudflare network.
But this is data are referring to data about that.
So every time a request comes through Cloudflare network, there are their basic pieces of information that we are able to store for various purposes to provide more value to the customer about that data.
So an example could be the URL or the path or the number of bytes that transmit to the network.
It's not the actual bytes themselves or the contents of those bytes, but just the fact that there were bytes that actually moved to the network.
And customers use this data today for various uses for analytic purposes.
So if you go to our dashboard and you see the charts and the graphs and everything else, that helps you understand what's actually happening to your web properties.
You know what?
They've got a big spike in traffic because there's a big rush to your your site or there's a number of attacks that could be potentially affecting you.
We want to make sure that our customers actually have that visibility. And this is really what metadata, as you saw today.
Now, the metadata boundary is a specific product that ensures that metadata only resides in transits and rests in certain places of the world.
And so we're really, really focused on Europe specifically right now.
And so there's there's a number of large European customers that have very unique requirements to protect their own data and the data of their customers in ways that are much, much more stringent than than certain customers.
These customers are typically in highly regulated industries such as energy finance, health care, these types of businesses.
And what they are coming to us and asking for is that metadata never leaves the EU at all.
And so what the metadata boundary does is it provides basically these same great analytics and logging products that we're able to provide for all of our customers, but we're now able to provide it for European customers who want to ensure that the data never leaves Europe.
And so we've we've done a lot to set up all the same infrastructure that enables us to serve that traffic within the EU.
So it never has to go outside the EU.
And there really there's there's no data about that customer that will ever, ever leave the EU at all.
So that's really what the metadata boundary is it's all about.
Q And what sort of legislative requirements do they do the customers typically run into?
Which helps. Yeah.
And so there are a number of things that have sort of happened in this space very recently and then within the last decade.
And so most people are familiar with GDPR and maybe the very recent Schrems two ruling.
And, and while we believe that Cloudflare services and products that we offer today are really consistent with a lot of these rulings and legislation, some customers want to go even further than that.
And so really, this product is about providing those sorts of capabilities to customers who want to go even further than some of the existing legislation.
And so we really want to give our customers the flexibility and the exact I really want to fulfill the exact needs that they have.
Right.
And I haven't used the metadata browser yet because I'm an American of the year.
But as a as a customer, do I need to log into a separate dashboard or is there something different I have to do once I'm set up?
No, that's a really great question.
And so today and how we actually launch this, it's all transparent and for you.
So our customers, they work with our enablement teams to get things configured and set up.
And then as long as there already reside within the EU, their analytics and logs and everything else will work just the way that they expect.
And there's really no change if if a European customer actually leaves the EU, comes to the US and then tries to access some of that same data, they'll typically be some problems that won't work the way that they expect.
And we're very soon trying to build support so our customers can sort of explicitly determine what mode they're in, and they could potentially access that from across borders and things like that.
But today it's not we don't we don't have that capability.
And so if you are within the EU and you're accessing our Cloudflare dashboard, all of your requests and everything will be routed to our European data centers and it'll generally work the way you expect.
But sometimes when you have groups that are traveling and things like that, there are some, some gotchas that we're working through.
Well, better to err on the side of caution of keeping the data in a region than have a fallout.
Exactly.
Yeah. It's a really tricky problem. And, you know, historically, well before some of these concerns, you know, our customers had some of these concerns.
You would really opt to try to save data under all circumstances.
And as you can imagine, with some of these new requirements coming through, it's generally better to not store something in today's landscape than incorrectly store something.
And so we've actually had to put a lot of work and the engineering side and the technical side to ensure that when things do fail and if they do fail, we always fail open, which really means that we opt not to choose to store something if we don't know what the allowances of that are.
Okay.
That's great. And besides the metadata boundary, what are the other capabilities of the localization suite?
Yeah.
For different regions. Yeah, that's a great question.
So the main concern that a lot of customers have and this is part of the more broad data localization suite, is that when their customers actually make requests to their websites that.
So one of the I have to explain how the basic premise of our call for work so if you have certain protections such as our web protection or using our basic CDN, that traffic often has to be decrypted so we can provide those protections to it.
And what the data localization suite enables is a feature called Regional Services, which ensures that step never happens outside of the EU if you're an EU based customer.
And so that really ensures that.
And then there's a few other features as well, such as we have keyless cell and Go Key Manager, which also ensure that your private keys that are actually used to decrypt that traffic, those also never are able to leave the EU.
And so any time traffic is decrypted in any form whatsoever, it's always within within the boundaries of the EU.
And so that really sort of what describes the more broad data localization suite and the metadata boundary is the newest component of that, which doesn't just apply to the data, which is sort of step one, but also applies to the metadata, which is a step to.
Right.
Thank you, Ben. Yeah, I.
I always find it super exciting that cloudflare's business is able to provide global services and have our network be available all over the world, but also meet the needs of individual regions as well.
Yeah, and it's it's an interesting problem and certainly the direction that the world is headed in, the way that various nations are actually treating their data and looking at this, it's going to become an increasingly bigger and bigger deal.
And we're going to be continuing to make investments to ensure that we can meet the needs of our customers all over the world and in all the different nations with the different regulations and everything else that they have.
And I'm curious to know, since you have that technical standpoint on this, what what would you say the big challenging problem was, was one of the harder things to address with the metadata boundary.
Probably one of the biggest challenges is just, you know, I've kind of already spoken to it a little bit, but really making sure that when things fail, they always fail in a way that is consistent with the sort of requirements that we put on ourselves to ensure that data never leaves the EU, for example.
And so we really had to rethink a lot of the failure modes and everything else throughout our entire system to ensure that under absolutely no circumstances we would ever leak leaked data to the wrong places, because that's considered the absolute worst, worst failure mode for a type of service like this.
And so just really rethinking how we approach those sorts of problems was one of the biggest challenges for sure.
Cool.
And then I think this we did just launch this official as of today. So the blog is live and you can read more about that.
And I believe we're receiving Inquirer inquiries from new customers.
So starting now.
Yeah.
I'm also super excited about the regional data controls, especially for my my team's product suites, which include internal corporate security.
So people's browsing information being able to keep them in the right regions, I think it's extremely important for companies around the world.
Yeah, absolutely.
And certainly the focus right now is the EU, but we are certainly looking very, very closely at other regions and thinking about how we could support this throughout, throughout the entire planet.
Awesome.
Well, maybe now would be a good time to transition to Tim and talking a little bit more about securely browsing suspicious websites and what you as of watched.
Yeah.
Let's let's dig into that. Tim, do you want to start by just explaining what browser isolation is?
Sure.
Yes, sir. I have the pleasure of working on a very interesting product of Cloudflare, which is essentially Cloudflare's browser hosted on the edge of our network.
It's a secure browser that works just like your normal browser.
It's being hosted remotely on a Data center provides a number of security benefits for users while browsing the internet.
What we ship today is the ability to use our remote browser to safely browse suspicious, potentially phishing websites on the internet.
Carlos Browser Isolation is a product that we've built into the overall Cloudflare one Zero Trust Services Suite.
This includes secure access to sensitive to self-hosted SAS applications instead of apps, secure browsing without secure web gateway and security as well in a bundled suite.
And where Browser Isolation comes in is for protecting what is one of the most commonly attacked and most commonly used applications within the workplace.
We all use browsers every single day for checking our email. Log in to our CRM using JIRA, which I'm sure Ben does absolutely every day.
It's a critical tool that we use every day, and it has access to some of the most sensitive data within an enterprise as well.
So whenever a browser is potentially compromised, that can be a really bad day for an organization because it's sensitive information that shouldn't get leaked from it.
When we go back in time and we think about what browsers were in the early days, browsers started off as very simple document viewers.
We never intended for them to be the platform that we interact with database servers.
They were meant for just sharing scientific academic papers between universities.
Over time, with new technologies, not new anymore, but technologies like JavaScript and the increasing complexity of web browsers.
They'd become extremely sophisticated tools that can.
Fairly easily be compromised with a rogue API call or a malicious page being opened.
Sweat Browser Isolation comes in to submit.
It removes the risk of running untrusted website code from your local device to your browser edge.
We do this using some really fancy network vector rendering technology that I'll talk about a bit later.
But in short, it allows the user to have a seamless experience before it feels just like they're using a liquid browser.
We do this by keeping the latency really lower to be used by spouses in a very close sense of to the user.
So what we've launched today is the ability to use Browser Isolation to safely browse untrusted sites.
Typically, when an organization is looking to secure browsing within an organization.
They might start off with a secure web gateway. And these can be very effective tools because they will flat out block requests that should be blocked.
But they're very blunt instruments.
Without this, there's never an exact exactly perfect threat intelligence database in the world because threats are always evolving and changing.
So where Browser Isolation comes in is you can use it to safely browse websites.
Which uses which the threat intelligence may have some uncertainty about, but without actually outright blocking sites from the users browsing.
Got it.
That's very cool. And I think especially with Browser Isolation, it's such a complex technology, but from the customer standpoint, the fact that nothing is really changing, you don't notice a difference is really amazing.
I'd love to get into sort of what was the state of Browser Isolation before this feature and how does that how has that changed and improved the experience for customers now?
Yeah.
When we initially launched Browser Isolation, we launched without controls to control how to use this interacting with the website.
And that's because the core value of Browser Isolation is being able to safely browse untrusted code on trusted websites on a local device.
The great thing about having a remote browser is even though you can control what the website is doing with your endpoint, you can also control what the endpoint is doing with the website that it's browsing.
Since all the user's inputs such as typing into the keyboard, uploading and downloading a file, all of these inputs get streamed through the remote browser before they go to the device or to the website that uses browsing.
So what we are really great use case for using this capability is if he uses browsing a newly registered domains or type of scoring domains categories which could potentially just be harmless new websites or fan websites, for example, or potentially dangerous sites yet to be weaponized and detected by the intelligence.
So with Browser Isolation, you can allow people to access you safely do their job without needing to open up tickets to the art department if something's being erroneously blocked.
And if eventually, as the stress intelligence catches up, the behaviors to restrict that browsing input are lifted by the threat intelligence.
Got it.
And is this something that's available to customers today? Absolutely.
So it's included for any customers with Cloudflare for Teams and Browser Isolation.
Today, The way it's available is within the HTTP rule builder.
You can define a rule to say for specific content categories and to blog posters and details talking about the recommended categories.
You can apply a rule to disable high risk browsing behavior such as printing or uploading or downloading.
For example, if it's a phishing site where it might be trying to get user credentials or get them to upload some sensitive information.
It's really cool.
Can you talk to us a little bit about the roadmap and what are the next big things to come from your side?
Yeah.
We have another blog post for Browser Isolation today coming up tomorrow, actually.
So we're going to be interested.
Yeah, we want a we want Browser Isolation to be available within the broader set of Cloudflare products.
So we'll be introducing new on ramps for Browser Isolation in line with the overall Cloudflare One vision, allowing you to connect your networks and devices in many different ways to cloudflare's performance and security services.
And.
With that will mean things like deeper integrations with Zero Trust access controls and easier ways to integrate Browser Isolation with your security systems.
Do you want to give a little sneak peek as to what for our viewers as to what you're announcing tomorrow as well?
Yeah, absolutely.
So we initially launched Browser Isolation natively integrated with Cloudflare Cloud Gateway.
This required a connector installed on the device to send traffic into Cloudflare's network would be removing the need to have a client installed in order to use Browser Isolation.
All right.
That's powerful. Cool.
Well, thank you, Ben and Tim, for joining today and discussing the products. We have a lot of good things that Cloudflare is coming out with and a lot of good things to watch out for, even the rest of the CIO Week.
So yeah, make sure you tune in, follow the blog and yeah, we're excited to speak to our products today with you all.
Optimizing is the world's leading experimentation platform.
Our customers come to Optimizely, quite frankly, to grow their business.
They are able to test all of their assumptions and make more decisions based on insights and data.
We serve some of the largest enterprises in the world, and those enterprises have quite high standards for the scalability and performance of the products that Optimizer is bringing into their organization.
We have a JavaScript snippet that goes on customer's website that executes all the experiments that they have configured, all the changes that they have configured for any of the experiments.
Now, JavaScript takes time to download, to pass and also to execute, and so customers have become increasingly performance conscious.
The reason we partnered with Cloudflare is to improve the performance aspects of some of our core experimentation products.
We needed a way to push this type of decision making and computation out to the edge.
And Workers ultimately surfaced as the no-brainer tool of choice there. Once we started using Workers, it was really fast to get up to speed.
It was like, "Oh, I can just go into this playground and write JavaScript, which I totally know how to do," and then it just works.
So that was pretty cool.
Our customers will be able to run ten x, 100 x the number of experiments, and from our perspective, that ultimately means they'll get more value out of it.
And the business impact for our bottom line and our top line will also start to mirror that as well.
Workers has allowed us to accelerate our product velocity around performance innovation, which I'm very excited about, but that's just the beginning.
There's a lot that Cloudflare is doing from a technology perspective that we're really excited to partner on so that we can bring our innovation to market faster.
