ℹ️ CIO Week: Zaraz
Presented by: Marc Lamik, Yair Dovrat, Yo'av Moshe
Originally aired on October 11, 2023 @ 6:00 PM - 6:30 PM EDT
In this CIO Week segment, Cloudflare product managers and engineers will take a deep dive into the products and features we launched today.
Read the blog posts:
- Why Cloudflare Bought Zaraz
- Cloudflare acquires Zaraz to enable cloud loading of third-party tools
- Zaraz use Workers to make third-party tools secure and fast
Visit the CIO Week Hub for every announcement and CFTV episode — check back all week for more!
Transcript (Beta)
Hello and welcome to today's CIO Week session. And I'm really happy to have two guests with me today.
I'm Marc.
I'm project director at Cloudflare, and I've luckily already been working with the two of them for the last few months.
And it's great that they're here.
The two co-founders of Zaraz instead of the Cloudflare just announced the acquisition today who has been CEO of Zaraz and you are first in CTO.
Welcome to Cloudflare in the broadest sense and welcome to this session.
Just maybe let's start with a small introduction you have.
Tell us a little bit about your background and how did you end up co-founding Zaraz with the.
Sure.
So I was basically always a developer. I started coding well back when I was six years old.
Many, many years ago, I was super enthusiastic about the internet and building products for it, etc.
And yeah, I was at some point in my life around early twenties, I started the software agency building websites and that grew a little and then started another startup and another one got into the whole startup scene.
At some point, I mean, very early on you and I met and then we just started to do something together.
And I think you can tell more about that. Yeah.
Yeah. You're welcome to Cloudflare as well. Yeah.
Tell us a little bit about you and maybe a bit about the story, how the two of you started Zaraz and yeah, how you've what product you saw, what problem you're solving with this product.
Yeah.
So thanks for having us, first of all. So as you have mentioned, we were friends since quite a young age.
But when you have approached me about maybe opening a company together, I was actually working with some of the leading Internet companies in Tel Aviv for implementing the type of third party tool that today we built a product without in a smart way.
And back then, I was just seeing problems again and again, like occurring in different accounts.
It was less about how we load those tools and more about like the accuracy problems, reliability problems.
And so the first product that we started building was about it was a QA software for third party analytics tools.
It was the intent was to basically detect bugs that create anomalies that make you spend money on marketing campaigns in a very not in a wise way.
So this is how we started.
And then we joined Y Combinator in winter 2020.
And I think it was then that we realized during times of sales process when we tried to sell the what we call old product, that people are mainly like asking us about performance security issues.
So they were like seeing a report where we listed all the third party analytics tools on the page and, and asking like, Oh my God, we have so many third party tools.
What's the impact on SEO? Does it affect our page speed?
What do we do if one of them is being hacked?
Like because it's JavaScript basically loading in the user's browser.
So I think this is how we brought the first insight to actually deal with the loading of the third party solution.
Cool.
And going, going back when you've kind of started Zaraz, you learned, okay, there is a market, there is an opportunity.
Tell us a little bit about when you've implemented it, like with the first customer and saw the results and saw how actually the impact was, how, how, how was the process around it and how did it feel when you saw what it actually achieved with like customers, customers website?
Do you want to?
Sure.
I think this was like back in January 20, maybe even December. We launched with the first customer after about half a year, if I'm not mistaken, over like working together and engaging over in many ways they help us to shape the product, like to actually decide how it's going to work.
And so, yeah, it took a long time to implement it all.
But I remember that night when we when we went live, it was pretty amazing.
I mean, it took, I think about like to see the sprint performance improvement that was very fast.
I mean, that we could even do while on stage.
We could see that we're like taking their time to interactive and basically all the metrics became like heft in many, most of the cases.
But what was really exciting to hear from them was, I think about a week after or two weeks after that, these things actually had a major impact on the conversion rates.
And like we've seen, like sales going up and the general, yeah, I think their customers were much happier.
So that was super exciting.
I think we felt like we have we've built something that can make data better for people.
And if I can add, I think so.
We always went after the big enterprise Internet companies, mainly because, as you have just said, we wanted to make the Internet faster for consumers.
And this is where most of the traffic goes.
But also, I think they split into two different groups.
So there's a group that look that is looking for some hot fix to a performance problem.
And then third party solutions are the easiest thing. You can shave from your page loading times because like with one line of code back then we could have just saved the browser from loading sometimes 50, 60 different JavaScript of third party tools.
And then there's the other segment that are like the most tech savvy Internet companies that actually did everything they could to make their own website faster.
But then remains like the level of, Oh, but what do we do with HubSpot, Google Analytics, the Facebook pixel?
Like you cannot like other teams need that and you have no control over those scripts.
And then we also saw that by removing those tools to load from the cloud, we managed to get them to the highest performance score they wanted, so.
Cool. That's great.
I think you've also in the blog post that you just posted, you talked about one of the customers that you brought with you to Cloudflare Instacart about the impact that they saw on their website.
Can you tell us a little bit about what what was like the problem space and what what did Zaraz how did Zaraz help them to make the website faster?
Yeah.
So we started working with the Instacart engineering team on loading. I think it's around 12 of their third party tools, basically all the third party tools they load.
We started on the shopper's dot Instacart dot com domain. By the way, Instacart is one of the leading delivery grocery shopping websites in the US and Canada and we were working with them to understand how we can integrate with as many tools as we could.
And we basically started by launching it on a single page and then on the domain and now on the entire consumer website.
And yeah, we can speak about the result.
I think it's all shared in the blog post, but time to interactive was improved by half like total blocking time.
So the actual.
The main reason for them to engage with us is that they wanted total blocking time to drop and they said like, let's let's try to drop it to like 0.1 seconds, 0.2 seconds, and it actually dropped to 0 milliseconds.
So third parties were the main thing that were locking the browser.
Cool.
So that was, that was an amazing improvement for, for them and also hopefully for many, many more customers to come.
So we are in CIO Week and a lot of CIOs are not only concerned about the speed of the websites, but also about the security aspect.
And how can I make the web presence of my company as secure as possible?
What angle and how can Zaraz help to make websites more secure?
The architecture of Zaraz is by far completely different than the normal type miniature, like how we used to think about third parties and how they used to run on websites.
The thing is that the bodies preservers used to work inside the browser, so the browser used to take all those scripts from around the web.
You really have no idea where they're coming from.
And what were those scripts doing?
Because sometimes a script would call another script from some domain that you just you have no idea about.
We often see the customers that like you just go on your own website, you look at the network tab in the developer tools and you have no idea what these requests are, what script is creating them.
And so, yeah, the browser would just get those things from all around the internet and then execute them inside, like in the browser context.
If one script like this is doing something malicious, it can basically hijack everything that's happening, like it can inject script.
And that was there was a great example for that on Matthew's blog post about how something kind of similar happens for a very short while on.
But yeah, those scripts can I mean, they are dangerous.
If you don't know who wrote them, then you basically have no control over what's happening on your website.
The way Zaraz works is that we take all those tools and we're basically firing the code, like we're executing it on the edge.
So it's a completely isolated environment that doesn't actually reach your customers, and it can do only what it is meant to do.
It's like it's reviewed before it is actually put on the platform.
And so like, yeah, basically the whole attack surface is just not existent anymore.
That's amazing.
That's cool. Yeah.
You want to add something? Yeah, I think it's.
It's not only security, it's also about about privacy.
So sometimes third parties load other third parties or, like, redirect a request to a different endpoint that you weren't aware of.
And they share a lot of information about your, your end users.
And with Zaraz that doesn't happen anymore.
So it also reduces the privacy risk attached to third parties.
And also we worked with one of our biggest customers quite a while about what we call the DLP feature.
So we noticed that many of our customers' accounts are including by accident, like private email addresses, names in the URL.
Sometimes imagine like you have a signup form and then after the user signs up, you have a query parameter with the user's name or company or whatever we can all of the requests that are leaving the browser and going to third party endpoints that to make sure that they do not include any personal identifiable information or pages.
And this is one of our enterprise features for privacy.
Cool.
Thank you very much. Changing gears a little and talking also a bit about Cloudflare and how things came together.
you. I close to Cloudflare way or were close to Cloudflare way before the acquisition happened because you actually built Zaraz on Cloudflare technology.
You have maybe you can tell us a bit about why you went with Workers in the first place and how you use that to build Zaraz and to make it successful.
Sure.
I think when it started, when we just, like, stumbled upon this idea, we figured that we have to run code that will generate the JavaScript file that would be different for every like that can be different and can be generated dynamically every time somebody tries to access it.
So we figured we can't just use a normal CDN and just like host a static file, we need like an actual server side.
And we were honestly at the beginning, we were not familiar with the Workers environment.
We started looking for different places to do something like this.
We initially wanted to have like a Docker image that would run all around the world, but we just looked at the costs of running that.
And that was I mean, it was both like a nightmare to maintain and extremely costly for a startup.
And then one friend from NYC, from our Y Combinator batch said we should check out Workers.
And then I remember initially he warned me a little. He said something like, But, you know, it's it's not exactly like Node.js.
You can't do everything there.
And so the idea was to have a lambda or something like that, like a cloud function somewhere that will do the heavy lifting or the worker will do more difficult things, just like handling the first request because it's so fast.
But as we built it, we figured out that it can actually do everything we needed.
And not only that, with time, the Workers ecosystem just grew tremendously.
And then at some point, very early after we started using it, workers came out and then the Durable Objects came out.
And by that time we just we looked around like we didn't need any more, like no lambdas or no cloud functions.
Everything was just built into this one worker that we had.
And yeah, I mean, it was actually even I remember porting this, it was a JavaScript based lambda to a Cloudflare Workers task that we thought would be a little tedious and many things would not work out of the box.
But I can say that about 99% of the code was just like left exactly as it is.
We needed to do some tiny adjustments.
But overall, I mean, Workers allowed us to run.
I mean, serverless is a pretty serious and complex piece of application.
There's a lot of different plugins and extensions for different tools that we implemented, and there are different operating modes.
The fact that we could basically take all that huge code base and actually thanks to Webpack, just like put it into one script and send it over to Workers.
That was for us in your dream.
It was also just like suddenly we had to maintain only one part, like there was no external activation or some other functions running somewhere.
We use KV for this, these Durable Objects for thinking between different things and yeah, it was actually pretty pleasant to maintain.
Thank you so much.
Just throwing a question from the audience in asking where did the name Zaraz come from and what does it actually mean?
Does it have a meaning?
Yeah.
So funnily enough, it has meanings in many, many different languages, but it came from Hebrew, Zaraz in Hebrew is like a catalyst or an accelerator.
But then when we launched on Hacker News, we actually discovered that I think it's like it has a similar meaning in Polish and another in Ukrainian.
Yeah, something like On the spot or immediately or things like that.
So yeah, it was to express how fast it is.
That was the initial thought.
Cool.
Thank you. Yeah.
Going back to talk a bit about software and Zaraz. So you're trying to Cloudflare team a few weeks ago.
How has it been?
Kind of.
So first, like kind of maybe you can tell us a little bit about the strategic motivation on your side to continue to develop as a Zaraz product based on and being part of Cloudflare.
And then maybe also talk a bit about how you how kind of starting it Cloudflare was and how you kind of got into the Cloudflare for that team's.
We should start.
You can stop.
So first of all, joining Cloudflare was and still is.
We still don't know everybody.
Obviously, it's a it's already a big, big start up, but it is really fun.
I think the level of knowledge and the culture are proving themselves to be what we thought.
I think Cloudflare has quite a strong brand out there and it definitely proves.
I think the so there are many reasons why we why we chose Cloudflare. I think the biggest one is the scale.
Like we started building this company to make the web faster and we were betting on Cloudflare as its network grows.
We thought that the actual impact we can have on the entire web is going to be huge.
And I think there is a strong alignment with what we stood for. So like Cloudflare is all about helping build better Internet, faster, more secure, reliable.
And in that sense, we were super aligned, I think from day one, it was clear.
And of course, obviously some technological advantages that maybe you have you want to speak about.
It's a bit. Yeah.
But even before the technological things, I think one thing that both of us I think were very much like eye to eye with, although we saw the potential in working with Cloudflare One, was that I think very early for us we realized that we're on a mission to remove third party scripts on the Internet, to just not have the going in all these cables around the world.
We were like sitting in our apartment in San Francisco and we calculated the carbon footprint of all those JavaScript, like going everywhere.
And we thought like, we can make the world actually better by getting rid of these scripts.
And like one thing that was challenging for us, I think, as a startup was to convince vendors to move to this.
We could often like do our own things like, like reverse engineering stuff and, and figure out like how the tool works and then do it ourselves.
But if we wanted, like, if we really want to take over the internet, I'd like to get rid of all those scripts.
Then we needed like, I don't know, like a bigger brother to help us with it.
Somebody that, that will yeah.
This will make, make our statement sound like louder and heard.
And it was just that.
I think that by doing this thing through Cloudflare, our ability to reach all the internet and to reach really all the vendors and to convince them that there's a better way to do it now and that it's like forever support.
And this is how things are going to happen from now on.
You have to move to this because this is where the Internet is going.
I think when this statement is coming, backed by Cloudflare, then the potential it has to change the Internet is just much better, much bigger than it was when it was just like a young startup.
So for us, that was exciting to do.
Thank you.
Yo'av, maybe on this you not only kind of yeah, we're not only announcing Zaraz joining Cloudflare, but we actually also announced a fully integrated beta version of the Zaraz product that's available to every Cloudflare customer.
Yo'av, how has it been integrating Zaraz into Cloudflare already heard you use Workers so I guess that made it a little bit easier.
But how was how was the process and how how easy or difficult was it to get the Zaraz integrated into Cloudflare?
Yeah.
Like I say, we were originally using Workers. So in many ways it was like the most complicated parts of the.
Yeah, that's going to sound funny, but the most complicated parts of Zaraz were the easiest part to port and the most simple parts of Zaraz were the hardest parts to inside Cloudflare.
And by that I mean that our core, like the core of Zaraz is this worker that was just basically didn't need any changing at all.
And perhaps the hardest thing with the port was simply the front end, which we needed to write from scratch for it to really fit perfectly and to have like a coherent experience, like when somebody goes and enables it for the website.
But there were not really any challenges that we couldn't anticipate or anything like that.
The Cloudflare infrastructure, how things are working behind the scenes, was very new to us and we needed to learn how everything works.
But there wasn't anything there that made like coding wise or like in terms of the architecture, something that was a very challenging task.
I mean, that's why I think we were able to launch it so fast, honestly.
Yeah.
And that's that's amazing. And everyone can actually try it out.
Yeah.
Tell us a bit more about what we what we launched today and what customers can already use from Zaraz.
Yeah.
So we launched a free beta of Cloudflare Zaraz, which means that every Cloudflare customer can go to their domain and toggle on Zaraz and add their third party first tool like I don't know, Google Analytics.
We launched a library of 18 tools today.
It's a limited library.
We will add more and more tools as we go on.
And it's also limited a tiny bit in terms of features because we need to make them fully integrated.
So the feature, DLP feature is still, for example, unavailable.
The good thing about this MVP is that you can basically starting off today remove all your third party tools to load from the cloud without any code changes.
So if you manage your domain on Cloudflare, it will just automatically magically work.
You don't need to paste any JavaScript to your site. And we are also launching for enterprise customers.
This is a quite the process is a little bit different.
It goes through a DLC and some quality assurance phase and we test with enterprise customers.
So they need to actually engage with us directly. But yeah, this is why what we launched today.
Cool.
So, you've as you said, you've already launched with some enterprise customers.
But what I like what I got. So for all the customers listening, what is a good customer for us?
Like, for whom does it does it bring bring the biggest advantage both on the on the performance, but also on security and privacy side.
So it's actually for any website that loads third party tools.
I haven't yet met any enterprise company that doesn't load more than 15 to sometimes 100 third-party tools on the website.
So in terms of security, even one tool can be the biggest risk.
So it's actually the value proposition I think fits to every company that has a website in terms of page speed improvements, it's usually.
So the more third party tools you load, obviously the more slow down they create.
So and it tends to be that consumer companies, ecommerce companies, publishers, they have a stunning amount of third party tools on every page load.
I guess, Marc, you know, from your previous background in fashion and e-commerce that like it can get like you can get down the rabbit hole when counting.
So yeah. In terms of speed, every consumer company that loads tons of third party tools can can boost their performance significantly.
Cool.
Thank you. Yeah.
Yeah. You've already mentioned it a little bit, about like the strategic value of Zaraz changing how like third parties are integrated into websites. If you're looking like into the next years, what do you... what are like the big goals you want to achieve with the product?
Yeah.
So as you have mentioned, it's only a matter of time. One thing until all third party JavaScript will basically be deleted from the web.
It's it's quite obvious that, you know, browsers are limiting the usage of third party cookies and consumers are more and more concerned about privacy things.
And it's only a matter of time until all third party vendors will basically open an API and help just allow you to load third party tools on the cloud.
And for that, companies would need the infrastructure to do that. Right.
So it's like it changes an industry that wasn't changed since the 90s more or less.
And I think this is where we see ourselves as the new infrastructure download tools I haven't met before.
There was a single company that tried to even load the most basic tools like Google Analytics with the measurement protocol from the backend and hadn't had like the worst headache.
It's really, really difficult because it's still hybrid.
You need to implement cookies on the browser yourself.
It's really, really a complicated process.
So yeah, in terms of what we see moving forward, we had some engagements with third party vendors already together with our customers.
So it's really working and it's definitely the way to move forward, like working with them with our SDK to build new integrations that are not loaded from the browser.
Cool. And where do you think is especially when we look at privacy and security, where do you think the industry is moving in that space?
And how where do you think is the in the end, the balance between using third parties, giving them the data that they need, but still making it as private and secure as possible.
Yeah. So that's a good question.
I think there's a constant debate because I mean, the Internet is free for a certain reason and you actually need many of those analytics and advertising tools to to work.
But you and we want to allow them to work, but we don't want to sacrifice the user's experience or privacy.
Right.
So I think that moving forward, we see companies are more and more concerned about what data they will basically ask for more governance, more control.
It's the end of the you know, I'm putting a JavaScript on my website and whatever, whatever happens, happens.
Like it's going to be much more controlled and regulated not only by GDPR or EPA rules, but also by the companies themselves.
And we definitely built some features to to help different parts of the company manage everything that has to do with third party.
So it's not only like traditional time management software are usually marketing tool, Zaraz users are sometimes legal teams or data teams or policy teams that like, you know, are making sure that nothing is saved or nothing is sent without us allowing it, etc.
So great.
Thank you, Thank you.
The two of you, welcome to Cloudflare.
I think you've got an amazing product running now and thanks everyone for watching.