Security Spotlight - 3 Trends Shaping the Future of Workforce Security

Okay, and we're live. Welcome, everyone, to Security Spotlight. My name is Lane Billings.

I'm the product marketing manager for Cloudflare for Teams, and I'm here with Sam Rhea, director of product for Teams.

Today's episode is called Three Trends in Workforce Security, and today Sam and I are going to be talking about some of the trends that we've observed both in the last 20 years that have led to the creation of our Cloudflare for Teams platform and also what we think might be coming next.

So thank you, everyone, for joining us today, and we'll get started by introducing our friend Sam.

So Sam's the director of product here at Cloudflare. Sam, you're based in Lisbon now, been at Cloudflare for a couple years.

Can you tell us a little bit more about kind of your journey to the Teams group and what you like to do in Lisbon these days?

Yeah, and hi, Lane, and thank you for having me here.

I want to say I like your background a lot. I remember concerts. I hope we all get to remember them again soon.

I'm here in our Lisbon office, which I'm just a little bit biased, but is my favorite and our best office of many around the Cloudflare family.

But about a year ago, actually a year and seven days ago, we, about a dozen of us, moved out here from different offices around the world, from offices in the U.S., London, or Singapore office, to begin to build what is the newest Cloudflare office.

And the Lisbon team consists of engineering, product, and security, and our support team, and many others.

It's been really fun to be here over the last year, but before that, I was in our Austin office.

And I also have the special fortune in our Austin office to watch that grow from something that was smaller when I started to something that's very large.

I think it's our second largest office now.

But in both of those locations, I've had the opportunity to get to work on a team within Cloudflare that we call Emerging Technology and Incubation, where we constantly ask ourselves, what new problems can we solve given Cloudflare's network?

And that's a pretty wonderful starting point, if you think about how we get to frame some of the solutions that we're building.

And some of those products have included workers, our stream platform.

I had an opportunity to work on a registrar product back in the day.

But over the last few years, most of my focus has been on the pieces of our ETI group and the products in our ETI group that have now become our Cloudflare for Teams offering.

Sam, what's your favorite part of your day job right now?

When I talk with a customer and they log in to Cloudflare Access for the first time, like whether they're in a POC or they're just logging into my test account, and for the first time, it clicks that, oh my goodness, there is a better way to do security out here.

And it's kind of in classic Cloudflare fashion.

It's both more secure, but also easier to use. That's a tremendous amount of fun.

And you had to watch that happen a lot recently during the kind of remote work offer period, where we offered Teams for free for a couple months.

Huge influx of customers signing up for onboarding session and signing up for the product.

How many of those did you end up doing? Oh, dozens. But I think several members of the Cloudflare team had me beat.

First off, I have to give a shout out to the Calendly team and the Calendly product.

That's an incredible product.

And that was the only way we could do what we did, because quickly after, as you know, the offices began to close and people began to work from home, we wanted to take the products we have and make that easier and more secure for organizations and get them out there for free to help people in real time.

I remember us helping a hospital system onboard. And you could actually be talking to the person, listening to the problem they had and the kind of lack of solutions that were available to them in such a short time.

And I think I'm so grateful to the volunteers from the Cloudflare team who pitched in to help people out, because it was more than just the product managers or sales.

We had members of the database team volunteering to help onboard customers to this model, so they no longer needed a VPN, no longer needed to be in the office.

Members of the design team, the support team, everybody was all together, not just the product group, focused on helping these customers cut over.

So I did a few dozen, but I'm pretty confident many people have me beat on that.

Yeah, yeah. And it's always fascinating when events in the world kind of force a conversation that was previously being had kind of among a certain group of people into the mainstream.

And that's what I think about when I think about what happened at Cloudflare around the time when we were first enabling remote work and doing the remote work offer.

When we first launched Teams, one of the main challenges that we were hearing from customers was that with remote workers, they were having issues connecting.

There was more latency in their connections. It was kind of challenging to think about how to scale that, but it wasn't necessarily an urgent issue for everyone.

And then all of a sudden when it is, it kind of changes the discussion, the conversation that you're having with people.

And I guess I wonder, Sam, do you feel like people were prepared for it?

And were they able to kind of get what they needed to make the changes to continue working the way they wanted?

I'm not sure any of us were prepared for it.

That's probably true in any number of facets.

I think what a lot of the people we spoke to, there was kind of a hierarchy of needs in what they were trying to address.

There was kind of an initial phase where the concurrent licenses or the appliance bandwidth or the appliances they had provisioned just quite simply could not handle the scale.

And that was a problem where minutes mattered, which meant any opportunity to see, even just remove a bucket of a few thousand users off the VPN, because the only thing that kept them on the VPN was a series of apps that you could cut over pretty quickly.

Minutes mattered in that first phase.

And then we saw a second phase where people began, I think, all of us began to realize we're probably going to be doing this for a while.

And that's a, we went from the first phase where minutes mattered to the second phase where days mattered because we were planning for the future of work in a lot of teams.

And you hear people talk about years of adoption contracted into months.

And that was certainly true. And in the second phase, I think a lot of the problems that people were trying to solve were not just, oh my goodness, people cannot connect.

We need to cut over to a different model. But in the second phase, these problems were things like, how do we continue to do this at scale for years?

How do we put a system in place where our security and compliance measures can be hopefully equivalent, but ideally better than what was in place before the pandemic.

And then I think we've begun to enter this third phase where everyone recognizes this is going to go on for a while.

And not just that, even when hopefully it's very soon, even when life can go more back to normal, I think the nature of where people do their work is always going to change.

And so in this third phase, we've seen more and more people looking at new solutions or completely new approaches to keeping their team safe, to keeping their team connected.

That actually, again, if that second phase was about, we want it to be as good as it was in the office, this third phase is about we want this to be an overall better experience for both security, IT, and our end users.

Yeah. And do you feel like the conversations were different with companies that were small?

I mean, at Coppler, we've got a lot of startups using our network.

We've got large companies too.

Do you feel like it was a different conversation between a 10 person company and a thousand person company?

Funny enough, it really wasn't. I think the core problem of I need people to securely connect to a sensitive resource is shared at 10 or at 10,000.

And the nice thing that we were able to help make easier is that with a model like Cloudflare Access, the biggest difference between 10 and 10,000 is the scale of helping people cut over.

And with a model like Cloudflare Access, we're able to give people a single URL that has all of their applications that they used to need on the VPN.

And so there's one email that goes out in some cases to 10 people, but in other cases to thousands and says, hey, this is the new home of where the applications live.

And that is probably the biggest difference between the two groups, but we're still trying to make that even easier.

Yeah. Yeah. I think it's going to be really interesting to see, Sam, over the next 10, 20 years as we come up with easier ways to do things like make applications available remotely or filter traffic coming from a device in a corporate setting, it really makes me wonder how skills and the security space are going to evolve.

Because when I think about the amount of people in the world that can set up a network appliance or that can accurately configure a more sophisticated identity and access management platform, those skills are hard to find.

You don't meet a lot of people who go to school for that, who have those certifications, and it's really in short supply.

And one of the things I really wonder about and like to think about is how different tools for access and for what we're building with Secure Web Gateway could kind of change what security teams spend their time on.

Yeah. I certainly hope Cloudflare Access and all of Cloudflare for Teams makes it such that I think a lot of people in the world are certainly capable and bright enough to come and help unravel some of the thorny problems in a security space.

But what the opportunity is to give them back is that time that they could spend on things that are unique to their organization.

And the way that we can do that, the way that I think is really important to do that, is to make it easy to use.

If you can, whether it's an IT team or security team, if you can give their team members back hours, days, and weeks of their time, because everyone has, and they're all a little different, but everyone has a kind of fundamental challenge of secure remote access, especially now, or keeping the devices that are in homes and apartments like these safe from threats on the Internet.

People have variations of those, but they have that same fundamental challenge.

Where you want to be able to invest security and IT time into is that those problems are solved.

And where we're investing those security and IT time into are problems that are unique to our business, unique to our industry, unique compliance requirements that we have to meet, or unique scale problems that we have.

And so by making it easier, we can let people kind of focus on doing what is their actual job and have fewer worries about things that are problems we all share at some fundamental level.

Yeah, and Sam, I know you're really tight-knit with our security team at Cloudflare, and we talk to them a lot about what they're working on and what they need.

You had a really interesting launch today that addressed something that I think they had been asking for, and they've been on a journey with how they handle user access and how they think about it that they've talked a lot about, and we share it a lot.

Can you tell me a little bit more about kind of what they're dealing with right now from a security perspective and how we work together to build out Cloudflare for teams with them?

Yeah, we're extremely close to them.

It's one of my favorite parts about working at Cloudflare that we think of them as our first customer, and mostly because they're probably the most honest and direct with feedback about what they want and what they need.

We were in a meeting earlier today where we're reviewing some new designs for a new feature that's coming to Cloudflare for teams, and we had brought in a member of the security engineering group because we wanted their input.

If you were using this, which hopefully you will when it launches, what would you find confusing about it?

What would you be excited about it? They had some feedback, and then about halfway through, they stopped and said, but you know what?

This one thing that's currently in the app really drives me crazy, and we spent 10 minutes collecting the feedback.

It was a little off topic, but not necessarily out of the wheelhouse of what we were there to do, and the fact that we have that relationship with our friends in security and in the IT teams here at Cloudflare, such that in the middle of an otherwise unrelated meeting, they feel comfortable enough that they can say, hey, this could be better.

It's annoying to me, and I just love that because that makes it so much better where we have this completely open line of communication between our group and theirs, and this feature that we announced today started that way.

If you follow the news about the Twitter hack, that began because a team member at Twitter had their account phished.

Twitter, like a lot of SaaS companies, has an internal administrative panel that their own team uses to triage customer issues and things, and so far as they've disclosed, it appears that there was a spear phishing campaign that was able to get that user's credentials in some fashion, and it wasn't like a mission impossible theft where they broke into their home and stole their laptop.

By some kind of social engineering, they were able to convince that user to share their password and ultimately share a multi-factor code if that was included as well, and we looked at that as a company because we also have internal tools that are pretty powerful.

We try to add a lot of best practices like application level permissions, logging, and multiple layers of security in depth to secure those tools, but we looked at it.

We thought this risk of a team member being phished and then the access to tools that they have, that's pretty significant.

That's a pretty dangerous scenario to let happen.

How do we, to the best of our abilities, put every safeguard in place to stop people from getting phished, and we looked at one of the applications in particular and just kind of focused on it as a testbed for this problem, and one thing about Cloudflare that hopefully is becoming much more common around the world is that we distribute hard keys to all of our employees, and if you're unfamiliar with, to the audience, if you're unfamiliar with the hard key, they look different.

The one here, my laptop's almost, you could barely notice it if you just glance, but what it means is that to authenticate as a second factor with this hard key, I have to have it in my possession, and these social engineering attacks, someone could not call me or on a chat room pretend to be a team member of mine and say, hey, can you read back the code from your hard key, because so long as it's in my physical possession, the certificate exchange that occurs with the hard key could not occur with someone down the street or on the other side of the world, and that's pretty powerful.

It's a really powerful measure against phishing. I think it's Google who, when they first rolled out hard keys, since they did that and they have a very large workforce, they have not had any cases of employees being phished.

It's a great solution. We roll this out to our employees, but there's this huge catch where if you are logging into an application that requires a second factor, your identity provider, R2, will prompt you for that second factor, which in some cases will default to the hard key, which is great.

That's what we want. We want people to have to use the hard key because that's what stops phishing attacks, but there's a little option there where you're given the alternative of saying, oh, you know, I don't have my hard key on me.

I'm going to use an app-based code, which is more secure than a text message code, but not as secure as a hard key, and what that really means is so long as that option is available, you're only as secure as the weakest option in that flow, which means, yes, we all have hard keys, but if someone's really determined, they're just going to try to go around that, and the security and IT team looked at that and said, how do we force hard key authentication?

Every time someone wants to guarantee that no one is able to reach that application without the hard key in their possessions, the anti-phishing measure, and we looked at that, and the room, it was virtual, but you kind of feel like all the heads turned towards the Cloudflare access team and say, hey, can you all help us?

And again, we're so fortunate that, A, they're willing to kind of come to us with those types of challenges, but also they become part of the team.

I think they helped us, not think, I know they helped us in a number of different phases of building this solution out, testing it, giving us feedback on it, and within kind of the course of working on this together, we were able to add a new feature that we've announced today into Cloudflare access where on an application-by-application basis, you can go into Cloudflare access and say, hey, any users connecting to this have to use a hard key.

Our CSO commented on LinkedIn that this is my favorite Cloudflare access feature, which for us is the biggest praise because we love our security team and we want them to feel like the product is solving their needs in the hopes that that's going to be representative of customer needs.

Yeah. Sam, I love the way that we're thinking about this because there's been so much progress in the identity space in the last 10 or 15 years to provide a lot of different methods to any end user so they're more available now in consumer -facing apps, they're more available in the average workforce app, the identity providers have really ramped up support for a broad variety of methods and so users get some choices for how they log in and that's good and yet there's still room for businesses to really have more flexibility about how they implement these tools, right?

And so it's one thing to have a lot of methods and in some cases you want to give a user a lot of different choices for it to be a really convenient experience and to have that flexibility, but in other cases your business requirement is that you've got an application with a ton of sensitive data that represents a risk and you need a tighter control on it and so there's so much room for continuing to look for areas between what an identity provider can do, what we can do with our Zero Trust network access solution, what a traditional kind of firewall can do, what we can add to that with a secure web gateway solution and I love that we really are tuned into what our security team needs because they're invested and they're using the products every day and so I think it's a really cool story and I think we're going to continue to get really interesting feedback from them that impacts our roadmap.

Just thinking to the next couple years, I really like to think about where we're going next because because Cloudflare for Teams and the way that we've evolved it today, we really think about the challenges that people have around setting up and managing VPNs and connecting users through VPNs.

We think about the challenges about firewalls and about having to route user connections all around the world just to scrub and filter the traffic.

We've been thinking about the last 20 years and the big thorny problems that that's presented and building a platform to help with some of those challenges that exist today.

What do you think the next couple years look like in terms of the way companies need to think about securing their workforce?

I think the challenge is still a physical location challenge just in a weirdly different way.

The way I think about it a lot is in a world where everyone was in the office and even in a world where they left their computers in the office, the front door to that office was the most important part of your security perimeter.

Literally, the locks on that door were the literal keys to your organization.

Of course, that began to change as people worked in some people in the office, people out of the office, branch offices over the last 10 or 15 years.

Now, we've shifted completely to the other side of the equation.

No one's in the office, everyone's at home, but the most important part about security is still physical.

It's not necessarily that the front door to my apartment, well, I hope it's very secure.

That's not the thing that is gating security in an organization.

What it really boils down to is you now have thousands of users who are at home with a laptop that maybe they need to share with family members for school or a laptop that maybe they have an iPad nearby that they would prefer to use because it's easier to carry around.

They are at home on untrusted Wi-Fi networks and susceptible to the types of attacks that people would, again, say sadly, want to launch against a vulnerable remote workplace where maybe if you were in the office, it would be a lot more comfortable to raise your hand and say, hey, has anyone seen this?

This looks uncomfortable.

Something feels odd about this page or this download, but today, maybe you are much less willing to do that because you're home and by yourself.

I think so much of security is going to shift now to the idea of how do we keep the devices in our fleet safe, which starts with the endpoint, but also how do we keep the way they connect to certain sensitive resources secure, which is a slightly different problem, but what keeps them, keeps something in common between the two is that they all begin and end with a connection.

Yes, it's still a physical problem, but it's now a physical problem that begins and ends with a digital connection.

The types of attacks that can reach this laptop begin and end with a connection and the types of attacks that can reach a sensitive resource begin and end with a connection.

I spend a lot of time thinking about the team, a really wonderful group spends a lot of time thinking about is that there's identity and sources of signal are on the physical side where the hard key like we were talking about earlier, the password to get into my laptop, the password to get into SSO and any number of other signals that you can gather about the device that's connecting.

Then there's the types of resources on the other side and how they differ and how their security models might differ.

Some might have really advanced security models within the application, some might not, but if you're able to secure the connection between the two, both as a bouncer in front of the applications on the other side and as a bodyguard for these devices that are all around the world now, I think that's going to be more and more important.

Yeah. What work does that eliminate?

How does that make on a security team's life easier? I imagine no one on IT or security teams around the world found a way to make their lives that much easier in the last nine months because of everything that we're responding to, but one thing that we do hear a lot is I want to find a one-click option to have security everywhere.

I want to just have a blanket layer of security on resources, on users and devices.

Then on top of that, as people evolve and their approaches to security advance in a world where we're all at home, a lot of it becomes about control over those different features.

I think it changes the work of we're securing the office network and it makes it much more complicated because now you're not securing one office network, you're securing thousands of laptops that are connecting from thousands of networks around the world.

The way that you make it easier is you avoid it becoming much harder.

To avoid it becoming much harder, you have to find a basic set of foundations that I think deliver a comprehensive enough security level that then for whatever is unique to your organization, you can begin to customize and tinker with as needed.

I think it'll be interesting to see as better and easier to use tools for all those different functions start to become more and more widely adopted, how the work that teams do shifts to policy and not administration.

Administration will always be part of an IT or security person's role, but if we can spend more time thinking about how does the internal dashboard need to be protected?

What type of data is there? What assets are most important to us?

What are the different scenarios in which a user could access them?

What's the right policy for the right type of user for the right moment in their day?

I think that's where we're going to make a ton of progress.

I also like to think about the idea of not having to put so much burden on users to be as educated or security aware and conscious and moving those things to be built into tools themselves.

Sam, you and I work on Cloudflare for Teams.

A lot of the capabilities we've been talking about today, including the new hard key feature, including the VPN replacement that we've been talking about with remote work, how can people start using that and what kind of company is it for?

We want to make it easy enough for every company to discover and use, but sophisticated enough for large organizations to feel like this is the security system that I want everywhere.

The best way to get started is to go to teams.Cloudflare.com and you can begin to learn more, but I would recommend too, if you say, okay, I know the link, what would tangibly happen next?

I would recommend two things. The first is our Cloudflare gateway product, which delivers security like a bodyguard from security from threats on the Internet as you move about the Internet.

You can set that up at your home.

You can start today by keeping your home network more secure for free with our Cloudflare gateway product, which is a, with a feature within the gateway product that does DNS filtering against malware and threats on the Internet.

And on the access side, I would recommend pick the largest web application that the most users in your workforce use and show them an experience and you can put it behind access in about 20 minutes.

There are demo videos you can watch and you can show them that experience of, hey, this is hopefully what the future looks like in the sense of something easier and safer.

And I would recommend finding the access side, finding one application where you can help your team understand why a safer model is also easier to use.

Pave one mile of your road and then go get started elsewhere. Fantastic.

Sam, thank you so much for your time today. I've really enjoyed speaking with you.

Good to be here. Thank you, Lane. Have a good rest of your day. All right.

Take care. Bye.