Cloudflare Security in Europe
Presented by: Lucas Ferreira, Zigor Zumalde, Rory Malone
Originally aired on May 23, 2023 @ 5:30 AM - 6:00 AM EDT
Tune in for a special conversation with the Cloudflare team as part of Cloudflare's Security Awareness Month — featuring Lucas Ferreira, Security Operations Engineering Manager; Zigor Zumalde, Director of Security - Europe; and Rory Malone, Security Compliance Privacy Specialist.
English
Security Awareness Month
Transcript (Beta)
Hello, you are watching Cloudflare TV. October is Security Awareness Month, and so we have a session today called Cloudflare Security in Europe.
Without further ado, let me hand over to the people that will be presenting.
Zigor, why don't you introduce yourself?
Hi, my name is Zigor. I'm the Director of Security for the EMEA region based in London, and I'm leading the security teams over here in Europe.
And I'm here today with Rory and Lucas. Hello, everybody. I'm Lucas. I am a Security Operations Engineering Manager out of Lisbon.
We are part of the European team together with Rory.
Thanks, Lucas. Yeah, and my name is Rory. I'm working in the Governance, Risk and Compliance part of the security team here in Europe.
I'm actually based like Zigor out of our London office and looking forward to chatting with everyone for the next 30 minutes.
Yeah, so we'll be talking about the European security teams.
And the first question we're going to see a little bit of the story of the teams.
So first question for Rory, when did Cloudflare start hiring security roles in Europe and how has the team growth since then?
Yeah, so I've been with the security team in Europe just about three years.
So I joined in November 2019.
I think we had just started building the team a couple of months before I joined.
And it's around the time that Cloudflare IPO. So Cloudflare IPO in September 2019.
It's a US, originally US founded company, and now it's a global business all around the world.
So I, yeah, I'm not the oldest member of the team in Europe, but I'm definitely the most long standing member of the team in Europe.
I recently celebrated my birthday, so I'm very sensitive about age.
But today we have, we've built the team up throughout 2020, 2021, and now in 2022.
I think we have 17 people now working in the security team across Europe.
We represent at least four countries, many, many more nationalities and backgrounds.
And I think the really impressive thing is this year, 2022 alone, we have hired seven people in the European security team.
So that shows the kind of growth that we're undertaking and the kind of exciting time it is to be a member of the security team here in Europe.
So Igor, perhaps I can ask you a question. So as I said, Cloudflare, founded originally in California, now a global business.
Why the need to have a security team in Europe?
Why should we have such strong representation from the security team here?
Yeah, so this goes back to last year.
So in one of the first conversations I've had with Joe Sullivan, and this was before I joined Cloudflare, he explained to me that a strong security team should have a global footprint.
This is a strong indicator of security function maturity, and that allows us to be both resilient, but also efficient.
And efficient because that enables us to start having a follow the sun model.
So we start by building security functions in Europe to support the US.
The way he summarized it is that he told me the security European team should be able to address pretty much any security situation, whether it's an incident, whether it's a certain investigation, whether it's support in engineering, any regulator, prospect, sales, clients, you name it.
So we should be able to support any security requests, situation, incident that waking up anybody in the US.
So that's the end state that we are seeking.
Being able to support any single function over here in Europe. So that's the first part.
But not only that, we also want to be able to support regional needs.
We are closer to some specific engineering teams, some products are specifically developing in Europe, and being close to them, we want to be able to provide them a better security service.
So that's the second part of what we want to achieve.
Being able to be closer to the needs and the problems that we might have in Europe, for engineering, for regulators, prospects, things that are very specific to the region.
So those are the two main objectives that the team has. And that has been my main responsibility to join forces, support the teams and grow them to support the mission.
So if we go a little bit into more details about what the security team do, I have a question for Lucas, which is, which part of the security teams operate in Europe today?
Yeah, so we have a lot of teams already operating from many of the European offices.
Let's start with my own team, security operations engineering.
So we operate basically from the Lisbon office. We also have application security.
So we have application security experts in Europe.
The detection and response team also has a strong presence in doing a lot of their work.
Rory is our representative from the government's risk and compliance team.
So we also have many folks from the GRC team operating from many of our European offices.
We have infrastructure security being represented in Europe as well, as well as strategic programs, which is a very specific role targeted at basically protecting Cloudflare using Cloudflare.
So given that we have all those teams around here and around our European offices, Zigor, what's next?
So what are the next steps?
Yes, we're going to continue with the growth. I mean, as we mentioned earlier, we were 10 members at the beginning of the year.
Now we are 17 and we hope to continue that growth.
Obviously, the current economic climate, it's complicated for all of us.
So we know that that's going to slow down a little bit, but we still want to grow.
We want to also be more efficient. So not only within the region, but globally.
So one of the part is that to better integrate with the US.
I think one of the initiatives is that the way we have structured one of the teams over here, the SOE team, we split that, structure that with squads and with different distributed teams between regions.
So we want to have a close integration with the US.
And we want to also start supporting closer, as I said earlier, the regional teams.
If we have time, we will explore and describe the few initiatives that we have here in Europe.
I can mention things like supporting the WAF adoption within Cloudflare.
So this is something that we're going to work with the strategic program team with Michael Tremonte.
And all those things happen over here in Europe.
And then we have a few other very specific European specific initiatives.
So yeah, we're going to continue growing and develop all the areas and hopefully hiring more people.
And yeah, so what leads us to the next question, which is related to hiring.
So we heard why Cloudflare is the highest security across Europe.
And we also heard which roles are represented over here in Europe.
But the next question is that where can we work where Cloudflare is looking for the highest security teams across Europe?
So yeah, it's a good question for Rory.
Yeah, nice. One of the things that I really love about Cloudflare is that we are building products here in Europe.
We have big engineering teams across the whole company based here in Europe.
And it's so great they're actually building products here.
And so as you said before, it makes sense. We need people working in security to support them and to work with them closely.
So we have our primary headquarters in the EU is in Portugal.
And we have a large number of both teams outside security building products.
And therefore, we have a lot of people as well in Portugal who are working in a security team.
The UK, I think the first office that Cloudflare opened up outside North America is in London.
And still a really big office there.
I think something like 350 people across the whole office.
And so again, there's people working in the security team in the UK and in London.
France, we've opened an office in France. We have a Paris office and a lot of people working across France for the team.
So again, really interested in people who may be based in France.
We have an office in Germany. There's an office in Munich and a lot of people work distributed across different parts of Germany.
Again, we're really interested applicants for some of the roles that come from Germany.
In recent years, we've also opened an office in the Netherlands. So again, anyone working in the Netherlands is able to come work at Cloudflare if they apply for a job.
And I think the nice thing is about all those countries, I've kind of alluded to it.
We have maybe an office in one city, but actually we work on a really distributed basis.
So if you're remote in one of those cities, we're absolutely interested in application.
Sorry, remote in one of those countries, we're absolutely interested in having people apply.
Perhaps you're in Scotland, which is part of the UK.
Perhaps you're in the north of Portugal, which is not Lisbon, where our office is, but we're still really interested.
We have roles that are remote.
I think the other thing to think about is whilst it can be quite difficult to hire people in countries where we don't have a presence, where we don't have an office, and for tax reasons and that kind of stuff, it can be complicated.
We still are growing as a business. And so there will be more offices that we plan to open around Europe.
I know that we're thinking about what we're going to do in Switzerland, what we're going to do in Sweden, maybe some of the Nordic markets.
So if you are in some of those markets as well, don't feel like that's a hard no, you can't apply for a job in the security team at Cloudflare.
I think we're really interested in applicants from some of those countries.
So please don't hesitate. That's where we are today, but also we are growing as a business.
Okay. I'm going to pass over to Lucas for the next question. So say someone's watching Cloudflare TV, they're seeing this segment, they're in one of those countries, or they're able to come work at Cloudflare and they're really interested in security.
What roles does Cloudflare currently have open for the security team here in Europe?
Yeah, that's really nice that we can work in all those countries.
And we have a few positions that are currently open. So that's really a good combination that people can already start applying.
So let's start with security operations engineer for my team, which is security operations engineering.
That's a role for people that will focus on obviously operations that's in the name.
So we have processes like incident response. We have vulnerability management.
We have a bit of compliance that's being done by the team. And we also run the Cloudflare's bug bounty, which is a quite interesting area to be in.
So yeah, that's a very good dynamic, lots of different things going on.
So that's one of the positions we have open right now.
We are actively looking for candidates. I would also mention application security engineer.
So we are interested in engineers with strong focus in securing application, checking code, helping design better and more secure products.
So that's what our application security team will be focusing on.
And yeah, we are looking for candidates with this kind of experience in mixing the security work with the coding and software development work.
We also have the position for a senior security engineer in our detection and response team.
So detection and response is the team that will be doing both defining what we call detections.
We're looking for signs that there is any security problem going on within Cloudflare.
And so that's the first part. And then there is the second part, which is response, which once something is detected, there will be an investigation.
And that's the kind of profile we're looking for.
So those people that can understand and work in that kind of environment.
And the last one that we have currently open is a real software engineer focused on the security incident and event management platform that is being built.
So this is a position for a senior software developer, someone with good experience in the software development work to help us develop and improve even more our SIEM platform, which is under active development.
And it's one of the probably the most interesting projects we have currently within the security team because it has a lot of visibility as well.
Actually, Lucas, can I ask a supplemental question?
Where does someone go to find out more about these roles or if they want to apply for the role at Cloudflare, how can they do that?
Where do they go?
Yeah, the easiest way is go to the Cloudflare website. There will be at the bottom of the page a link called careers or just Cloudflare.com slash careers should go to the same page.
And there are all the career opportunities, not only for the security team, but all teams are going to list their career opportunities in that page.
And it has all the information, all the descriptions. And it's also possible to filter by location, which is pretty nice when people are looking for jobs in specific geographical areas.
They can use those filters to make it easier to find whatever may be interesting.
Nice. I get people asking me questions about this quite a lot.
And they always say things like, oh, I looked on LinkedIn and I didn't find this role.
I'm like, LinkedIn is great for hiring and it's so good for roles.
But just bear in mind that companies don't list all of their roles on LinkedIn or on job aggregation sites.
Go to the company site, go and have a look at what they say in their careers page and find out because the chances are 100% of the roles are listed there and you might only see 50% of them on LinkedIn.
So that's like my top tip for someone who's interested in a role at Caltech.
Yeah, LinkedIn can get a bit confusing if you're looking for a specific location, if a position is listed in multiple locations, it can get a bit confusing, especially for locations or positions that allow remote work.
So not always very clear.
On the Cloudflare careers page, this is always clear there. What's the location?
If it's going to be completely remote or not and all that stuff, everything is going to be defined in the description for each role.
Yeah. Without that, I mean, in any case, if someone is interested in joining us, I mean, they should contact us directly.
I mean, even if the role is not published on the website, feel free to contact us directly on LinkedIn or any other means.
I mean, we're always open to discuss with the passionate and talented people.
If I can give an example, I mean, my own example, I applied for one role and I ended up being hired for something completely different.
So as we discussed with the team and with Joe and they saw that there was a space for me in a role that didn't even exist at that time.
So if we find the right people, I mean, we can make things happen.
So yeah, we should have a conversation and feel free to engage with us.
And also we're currently looking for these roles, but hopefully we're going to have new roles as well.
So this can change very, very quickly and it will.
Yeah, that's important to continue looking at the page, keep monitoring because the new roles are going to go.
Caltech has been growing quite a lot and we expect the growth to continue next year.
So lots of new roles should appear on the page when it's the right time.
So yeah, so I think we could also talk a little bit about a few of the projects we have and especially those that have an European component to them.
So Rory, from the compliance GDPR side, what do we have going on right now?
Yeah, so thanks Lukas. Yeah, so I mean, as Igor was saying, we want to make sure that we have people working in the countries and regions where, in the security team working where we have both employees and customers.
And of course, a really big issue for customers here in Europe is GDPR and privacy laws.
I do part of our security awareness training at Cloudflare and one of the things that I say is security is really important, but actually you can't have privacy unless you have really good security because you just can't keep information private if it's not secure.
So privacy is something that we do as well within the security team at Cloudflare.
I work, as I said, in the governance, risk, and compliance part of the team where we do a wide range of activities from helping manage our risks as a business, making sure that we can respond to some of our customers' questions about security, about privacy, and also to get things like certifications.
So spoiler, there's a special Cloudflare TV section coming up in two weeks.
It's at the same time as this one in two weeks time where myself and Sam, one of my colleagues in the Lisbon office, we're going to be deep diving into security compliance and privacy compliance and talking a little bit about some of our certifications.
So watch out for that coming.
It's two weeks today. But in general, some of the projects that we've done over the last couple of years, Cloudflare has a bunch of security certifications.
So we have a SOC 2 Type 2 certification. We also have an ISO 27001 certification.
But in the last couple of years, we've added some really European focused ones as well.
So there's a new certification called ISO 27701. It's effectively a standard that's been drawn out from the GDPR.
So the GDPR is a European privacy law, but it's been extracted to a global international level.
How would you apply these principles if it was an international standard?
So Cloudflare is certified to this project, this standard firstly last year in 2020.
And we repeated that certification this year in 2022.
So we've been certified to that ISO standard on privacy for two years in a row.
And we also added ISO 27018. It's a cloud security based standard, which we certified for the first time this year.
And actually, we're continuing to look, our customers have so many questions about privacy, particularly in Europe, many questions about GDPR.
And it's one of those things where the law is constantly changing, there's court cases, regulators are giving advice and guidance.
So we're continuing to look at this area. Something we're looking at at the moment is called the EU Cloud Code of Conduct.
It's a code of conduct for how businesses like Cloudflare, cloud businesses, how they handle customers' data, how they process personal data.
And we've joined the group that have developed this code of conduct.
And we're looking forward to declaring that we are compliant with this code in the coming weeks and months.
So it's kind of an active project that I'm busy working on at the moment.
Igor, can I pass over to you maybe to talk about some of the other projects?
Yeah, sure. Yeah, so one of the notable projects that the security team in Europe is working on is a project called Presence.
So this is a very ambitious project led by Richard, our Director of Physical Security, and also Kyle in Portugal is actively working on this.
So in a nutshell, what Presence is, is that we are building a compensated security control in data centers where we don't have the physical security controls that we would like to have.
So the way we're addressing this is that we're planning to build a device that will give us some visual on what's happening on the physical side.
It's a visual detection mechanism in the data centers where we have data centers.
And this is incredibly important in our edge collocations, which are globally distributed and where we don't necessarily have the level of security, physical security that we'd like to have.
And we want to do this in a very efficient and also clever way where we will integrate technologies like facial recognition, and that will give us much better detection, forensics, and change management assurance capabilities.
So one of the interesting parts of this project is that it's developed at the moment, primarily and pretty much exclusively in Europe, but it's a global problem.
And that supports what I was saying earlier, is that we want to support the core functions of the teams.
We want to support specific initiatives that happen in the region.
We want to also lead new security initiatives that are global, new, and challenging.
So that's a very good example of the type of project that we want to build over here in Europe.
Another example that I'm going to let Lucas talk about is the data center on boarding automation.
So again, similar type of attributes about the global problem that we are solving over here in Europe.
So yeah, over to you, Lucas.
Thank you, Zigor. So yeah, as Zigor mentioned, we have a lot of data center and co-locations where we have equipment.
So about 300 of them spread around the world.
And our physical security team needs to make sure that those locations, they have certain standard regarding physical security, access controls, and cameras, and backup power, and things like that.
So they have to interact with a lot of different companies, different vendors to get this information and compile it and understand what is the situation in each of the locations where we have equipment operating.
And this has been a very manual process.
So this is a project we are starting now to automate this as much as possible.
And we're hoping to get a great deal of automation in the whole process so that we don't need people going around and sending emails and calling locations around the world to try to gather information and then going manually through texts and other answers, non-standardized answers, so that they can understand what's going on.
Yeah, so this project will give our physical security team a lot of time bagged so that they don't need to be doing lots of manual steps.
And they will focus on assessing the information they receive.
So that's the most important thing.
Also regarding our locations and our equipment, another project that's going on here in Europe is related to secure boots.
So we have our colleague, Joao Lima, here in Lisbon that is heavily involved in that project together with our other colleagues in the US.
And that's about using the trusted platform modules that modern servers have, which is a security module usually integrated within each server, and use that to guarantee that the software that's running there has been properly assessed and certified.
So that's what we call the secure boot, means only the operating system that's going to be loaded on the machine will be certified, that this is the right operating system for that machine, for that model, and that Cloudflare has an assurance that we know what software exactly is running on our servers.
So there is a much, we start having cryptographic assurance, so it's not about manually going and checking, but that's going to be mathematical proof that we are running the right software on the right server.
So it's a much stronger level of assurance to allow for all the compliance needs and all the security needs that we have for the whole company.
So we are reaching the end of the thing.
Maybe, Rory, you want to? Yeah, so just like some comments.
So I did mention briefly, this is Security Awareness Month. One of the cool things about working at Cloudflare in the security team is that it is a busy month.
There is a whole load of things. So if you're outside the company, make sure you keep your eyes on the Cloudflare blog.
There's a lot of blog posts and content related to security that we're going to be publishing.
And of course, it comes straight up against the birthday week content that was at the end of September on the Cloudflare blog.
Also, there are more Cloudflare TV sessions. I mentioned that there's one in two weeks' time, but actually, next week, I think it's on Wednesday as well, we have the security team talking about women in security operations engineering.
So that's Ellie and Ima from the team. They're going to be doing a Cloudflare TV session.
So look out for that session. Make sure you can find it on Cloudflare TV schedule when it's on.
As I said, in two weeks' time, Sam and myself are going to be talking a deep dive on compliance, some of the certifications we have, and other things related to the governance risk and compliance part of the security team.
And then on the 26th, so again, it's a Wednesday, we have a Cloudflare TV section talking about detection and response.
So some of the most interesting, I think, parts of what goes on in the security team is in the detection and response team.
So we have Anjum and James, who are going to be doing the evolution of the Cloudflare DNR team.
So kind of, I think, how it's evolved over the years.
And there's other content which is available internally at Cloudflare. I'm afraid it's not going to be available to everyone externally, but it's one of the exciting things if you come and join the security team at Cloudflare, you get to be involved with.
So we have Capture the Flags internally. We have a bunch of internal blog posts.
We participate in our company all-hands meetings. So the security team get a spotlight in there so we can talk about security around the whole company, and a bunch of other things, you know, emails talking about security awareness and all sorts of campaigns that go on.
So it's an exciting month to be in security.
I hope everyone enjoyed this Cloudflare TV session. Thank you so much, Lucas.
Thank you so much, Zigor. And with that, I think we're going to head over to the next session.
So thanks very much, everyone, and enjoy the rest of your day.
Thank you. Bye. Thank you. Bye.
