Superpowers for SaaS providers!
Presented by: Dan Gould, Dina Kozlov
Originally aired on May 15, 2022 @ 2:30 AM - 3:00 AM EDT
In this conversation we’ll tackle how Cloudflare for SaaS meets the diverse needs of today’s—and tomorrow’s SaaS providers. We’ll chat about the current expectations for running a SaaS business and how Cloudflare for SaaS delivers the superpowers these businesses need to propel growth.
English
Product
Transcript (Beta)
Hi, everyone. Welcome to the segment Superpowers for SaaS Providers. My name is Dina Kozlov and I'm the product manager for the SSL TLS team at Cloudflare.
And one of the really exciting products that falls into my suite is SSL for SaaS or Cloudflare for SaaS, as it has been recently renamed.
And today I'm joined by Dan Gould.
Dan, do you want to introduce yourself? Yeah, you bet what's going on, everyone.
My name is Dan. I'm on the product marketing team and Dina and I work together on a lot of application security topics, including one of the more exciting things like Cloudflare for SaaS, which obviously brings us here today.
So super excited, Dina.
We're going to cover a lot of cool stuff, including some of the challenges that SaaS providers need to take into account in 2021.
And this is both for today's SaaS leaders and even tomorrow's sort of emerging SaaS giants and how we can really lend a hand.
And as we say, not so tongue in cheek by giving them superpowers with Cloudflare for SaaS.
And maybe in the spirit of starting things at the beginning, if you had to sort of sum up some of the challenges or the keys to running a SaaS business or maybe some of the IT concerns, what would you say those are?
So when you're setting up a SaaS business, the thing you need to keep in mind is it's not just your website and your application, but it's also your customers.
So if you think of a SaaS business, you're providing a lot of different websites a service.
And so you might have your SaaS.com, which has your service, but you also might have thousands or millions of websites and customers that are relying on you to provide that service.
And what that means is you need to have the best security.
You need to have redundancy. You need to make sure you have all the time.
You need to make sure that both your and your customer's application stays fast.
And where it gets a little tricky is things are easy when you have your domain and you can control its subdomains.
It gets a little trickier when this website doesn't belong to you, but it belongs to your customer, but they expect the service to be working on that and to be providing all of these benefits to them.
And so, okay. So we think about speed. Now, when SaaS providers, obviously we've seen a lot of attacks recently in the newspaper.
That is something they should probably also consider too, right?
Both for them and for the customers. Yes. So when it comes to security, for example, TLS certificates and just the whole PKI, the public key infrastructure system is very important to keeping websites secure online.
What it does is one, encrypts the information that gets sent from one server to another.
But the other thing that it does is it proves that a server you're talking to is who in fact you think you're talking to.
So if I'm sending all of my banking information to my bank.com website, I want to make sure that that's actually my bank that I'm sending it to.
And that's what TLS certificates allow us to do.
And so, oh, go ahead. No, no. I was going to say, so, so far we've heard fast performance, right?
Like that, that's in like today's Internet, that's no surprise. Like things need to move quick.
Security is another piece. And something that I think I've heard you mention in the past is scalability.
How do we think about that for SaaS providers?
Yeah. So that's very important. Either you're already a tech giant and you need to be able to support all of your existing customers.
And your customer base continues to grow.
Or you might be a startup that's just starting out and you're about to launch your application.
And you might have thousands of signups on the first day.
You might have one customer that onboards with tons of traffic.
You need to be able to support both customers. And not just that, but if you think about it, if you just have your origin and all of your customers are routed to that origin, if you have a really big spike that your origin can't support, then that doesn't just ruin the experience for that one customer, but it can bring down the rest of your customers.
And that really takes trust away from your customers.
And it shows that your service is not as reliable as they thought it was. Well, it undermines the growth you're looking to achieve, right?
Exactly. You can't get any of these things wrong.
And we know there's the joke, secure, fast, and scalable.
In this case, you have to pick three. There's no negotiating, right? Exactly.
So maybe, I'd like to talk a little bit more again about the custom domains, because that seems a really interesting place to start in terms of being able to support your customers on your platform.
Tell us a bit more. Tell me a bit more about how we think about custom domains.
Yeah. Let me tell you a bit about it.
And let me show you this graphic that I think might be easier to follow. But essentially, let's use an example.
I have theburritobot.com. It's a service that helps anyone with a burrito shop set up their website.
And so I might have customers that might just want to have dina.theburritobot.com, and that's completely fine for them.
But I might have someone whose website is called burritoshop.com or burrito.example.com.
And so I want to be able to extend my business, not just to subdomains of my SaaS application, but also to websites that I do not own and do not control, such as burritoshop.com.
And so the way it works is essentially burritoshop.com needs to make its way somehow to your origin server so that your application can be served.
And the best and easiest way to do that is through a DNS record.
And so actually, a CNAME record is the best thing that you can use because what a CNAME record does is it essentially says, if I put a CNAME record that's burritoshop.com, CNAME to theburritobot.com where my application is hosted, what that's saying is whatever IP address theburritobot.com resolves to, that's where you should be sending traffic for theburritoshop.com.
And so that way, requests can always end up at your origin.
And through a CNAME record, you can actually control if your IP is changing in the background.
It doesn't matter.
Requests will still get to the right place. And so this is the way where, say, a SaaS provider, and they're thinking about all of these concerns, can extend any protections, performance they have in place to their end customers, right?
Because they're sort of looking after their domains. Exactly. And we kept that in mind when we were building out SSL for SaaS.
We kind of knew that this was the SaaS setup because that's the easiest way to get requests from a website that you don't own to your server.
And so that's actually all it takes to get SSL for SaaS setup.
You need to keep, you need to give your customers a target that they CNAME to.
But the rest is just, you apply all of your configurations on Cloudflare and they're extended to them, but there's no really additional setup steps there.
It's something that you've already been doing for your customers.
So that, okay. This is super cool, right?
And so we can see how SaaS providers can extend what they're doing to their customers.
Now, there are a couple of, or a few things you mentioned that maybe we can talk about.
Security performance and scalability. Maybe starting with security, like what, and maybe we start with the TLS you were talking about a moment ago.
Like, what are some of the key security challenges we feel like people should bear in mind?
Yeah. So right now it is, you have to have a TLS certificate provision for your website.
It's the standard. Browsers, I think something that really helped with the adoption of this is that browsers will now flag your website as insecure if you do not have one.
That's a really bad experience for the end user.
No one's really going to want to go to that website, let alone submit any information.
And so that became the standard. And so SaaS providers needed to figure out a way, okay, now I haven't, I have a TLS certificate on my website, but my end customers need to have the same exact thing.
And so how do I extend that benefit to them? And so you can go about building out your own certificate management system.
You can partner with a certificate authority.
You'd need to build a database to maintain all of these certificates. But not just that, you're going to have to, when renewals come or when these certs are expiring, you're going to have to figure out a way to renew them.
You'll need to figure out how to revoke certificates.
There's a lot of maintenance that goes into this.
And so this isn't just a challenge for a business that's starting out.
But when we actually were building, the reason why we started building out a SaaS was HubSpot actually came to us.
They're a big giant. And they have a team that's dedicated to this.
But they said- A full team. Yeah. And they essentially said, we no longer want to keep managing the system.
Can you guys help us out? You guys are managing millions of TLS certificates anyway.
Can you guys do this for us?
And that's how SSL for SaaS came about. It allows you to not just issue a TLS certificate through Cloudflare just for your website, but also for the rest of your customers.
And we already have been doing the management for years. And so this is nothing new to us.
All it does for us is it allows us to keep even more websites on the Internet protected than just the ones that are onboarding directly to us.
This sounds like it's one of the first superpowers we're offering. Instead of having to hire a bunch of IT people, and we love IT people, but there may be some other ways to use those resources to merely manage TLS, Cloudflare for SaaS can basically do it for you.
Exactly. So think about it as you're setting up, especially if you're a brand new business, you have your checklist of things to do.
By using SSL for SaaS, you just knocked off probably months of engineering work that you can now move on and do the next thing.
Awesome. Awesome. Now, speaking of the next thing with security, how do you think about application attacks?
I know it's something I think a lot about and we've spoken about.
And bots. We go to our radar site.
And for those viewers who are not familiar, radar.Cloudflare.com, it's our portal on global Internet trends.
And we know at any given point in time, 40 to 50% of Internet traffic is automated.
And so that being the case, we would encourage most of our customers to make sure they've got a strong application security posture with the WAF, and they also keep bots at bay.
But let me ask, if somebody, a SaaS provider, does offer this, can this be included in Cloudflare for SaaS?
Yes. So that's actually one of the superpowers.
Whatever you set up on your SaaS zone. So let's you buy a WAF or you buy bot management, what you're actually doing is you're not just extending that to your own website, but you're instantly offering your thousands of customers the same exact protection.
And so something that's already built in is DDoS mitigation, which is huge.
Because if you don't have that, if one of your customers gets DDoS, again, that can knock over your origin server, which impacts the rest of your customer base.
And similarly, you have bot management, where even going back to the burrito example, I might have some bot that's trying to automate burrito orders on one website.
And so I'm ending up sending a lot of bad bot traffic to my origin.
And so now I'm, one, wasting money on serving these requests.
But two, if that overwhelms my origin server, again, that can take down the other websites that are relying on my service.
You just can't let that happen, full stop.
It's just not an option. So this also sounds like, as I hear you talking about this, a big differentiator for a SaaS provider.
If they're able to basically extend a world -class application security suite, starting with the TLS and there's application, web application, firewall, and bots, and DDoS, it sounds like a huge differentiator when by merely doing the C name, vanity name support, they can protect them also, which is pretty cool.
It is, exactly.
And we've also had customers who, for example, make their own plans where one plan is you get the bot, you get the bot management, you get the WAF, and you can just differentiate those by setting up essentially two SaaS zones on Cloudflare, one that has a basic offering, but one that has a more advanced offering.
Awesome, awesome stuff. So security is one of the key areas where we'll give our SaaS customers superpowers.
Something else we mentioned that's also not negotiable is performance, speed, right?
And I know we talk a lot about it, but it probably makes sense just to find what we're talking about when we say performance.
And how do you think about it? I think about it as the time it takes your website to load, the time it takes for all of the content to appear.
If I'm making dynamic changes on the site, I want those to be done automatically.
I don't want to wait for each one of those calls to come through, and I don't even know was my order received or not.
It needs to be instant. Totally. And we've seen a lot of stats which support the need for performance.
And I think if your page load times start getting north of even two seconds, which doesn't seem very long, that's when page abandonments, cart abandonments, which that's busy, that's money coming in the door, really start to spike.
So basically you have a second or two for your page load.
Otherwise, business is going to suffer. And so this performance is critical.
A fast web property basically is equal to happy visitors who spend money with you, right?
Yeah. And if you think about it, if I'm a SaaS provider and I essentially am an e -commerce platform, if my customers see that their website is taking a while to load on my service, they're going to take their business and go to another e -commerce provider.
And I'm just going to lose their business.
And that's not acceptable. That is not acceptable. So as we think about this, sort of another hopeful challenge for a SaaS provider is like, you know, Dina, oh my gosh, suddenly we're big in Japan, right?
Like we've got all this global, like, you know, there's all this global interest.
And what happens when we've got a bunch of new potential customers or visitors a world away?
Like that's another sort of aspect of performance that can't be forgotten about.
Exactly.
So if you think about it, if you're just a SaaS provider and you have this giant spike in Japan and you don't have a CDN or you don't have Cloudflare in front of you, the load times are probably going to take a while if your origin is set up in North America.
It's going to have to go back to the Pacific Ocean and back, right?
Exactly. And that's going to take up probably more than your two seconds for the website to load.
And so we're putting a CDN or Cloudflare, for example, in front of your origin and your customers really helps is we are focused on building out our infrastructure.
We have more than 200 data centers in more than 100 different countries.
And so we're essentially being able to use our network to one, for example, use caching so that I don't have to go back to the origin and make that round trip every single time to load the content quickly.
Another thing that we can do is we can use products such as Argo Smart Routing.
Argo Smart Routing is a product that's essentially think of it as ways for the Internet.
So sometimes networks might be congested and sometimes even the route with the fewest number of hops might not be the fastest one.
And so what we do is we essentially do real-time measurements and we do send your packets along the fastest path to the origin.
And so what that means is even if your origin is in North America, but you have a ton of users that are in Japan, we're going to do all of the speed optimizations on your behalf to make sure that their experience is just as good as the one for the customers that are in North America.
Okay, so this is awesome. So let me make sure I'm hearing this right and how we help SaaS providers with their performance.
So for starters, we use our huge global cloud network, right?
All over the world, you know, more than 200 cities, et cetera.
So basically no matter where you have web visitors, and I think we've used this stat before, we will make sure that they're within 100 milliseconds where we are within 100 milliseconds of that, right?
Which is a lot faster than the two seconds we need to load the page.
So that is awesome, right?
And so that is for, Dina, if I have this right, that's for sort of cache content we have on our network.
Now, usually there might be some more dynamic content like gaming stuff that can't be cached.
And is that where Argo fits in for that content?
Yeah, and actually for both. It just essentially finds the fastest path for your packets.
So whether it's something that you can't cache or where it really does benefit is when it is dynamic, it goes back and forth.
And I think the stat that we have is it reduces the latency by 40%, which is pretty significant, especially if your customer base is global.
That's where it really makes the difference.
That's a real improvement. So it sounds like, and this, look, if anybody's remotely familiar with Cloudflare, they've known we've done this really well for the better part of the decade, this performance piece.
And really it's fundamental.
And of course we make it easy for SaaS providers to consume that. So that is another sort of key superpower, ensuring performance for SaaS providers.
And again, this is both for them and for their customers, right?
Yes. Yeah. No, go ahead.
Sorry. Oh, I was just going to say, whatever your infrastructure is, that's your customer's infrastructure.
So you're representing them. And so they're relying on you to have that fast speed and you need to be able to deliver it and be able to, anytime you're setting anything up, you have to keep them in mind.
Totally. Totally.
Okay. So we've got security, right? We can help them with a huge chunk of their security issues.
Second, we have performance, right? And then third, we have the scalability we're talking about a bit more.
And again, we hope there's a huge spike in demand, right?
But we also need to make sure we can scale and meet it.
Yeah. So let's talk about the scalability aspect. There's a few different kinds of places where you can cut into this.
We talked about certificates earlier.
If you're managing your own system, you have to be managing all of these certificates.
So let's say you have a day where 30,000 customers on board, you're going to need to go issue 30 ,000 certificates and store those in your database.
A big benefit of Cloudflare is that we have customers who have millions of certificates in one zone on us and we're able to handle that scale, no problem.
And so that's one thing that when you use SSL for SaaS or Cloudflare for SaaS, we take the burden away from you having to even worry about the SSL certificate scalability piece.
Another place where this comes into play is your origin.
So like I said, you might have a spike where one giant customer on boards or tons of customers on board and your origin starts seeing these giant traffic spikes.
And this is real traffic. These are real users, but your origin might not be set up to handle it.
And while you can kind of start chasing it and start expanding your infrastructure, you need to have something that's ready in place and something that's ready to scale with you whenever you do.
And that's where one of our superpowers, Workers, comes in.
Workers is our serverless platform. What this means is you don't have to set up an origin server.
Cloudflare is your origin server.
So when we were talking about our 200 data centers in 100 cities, those data centers and that network essentially becomes your origin.
And so you have a super resilient, redundant infrastructure there.
And not just that, but it's actually funny when you go to Workers and you set it up.
And when you're setting up an origin on a cloud provider, it usually asks you what location, North America.
And for us, it's just the earth because every single one of those data centers is going to be running your application.
And that's really powerful. And that's where no matter what your spikes are, we are ready to handle those into our network that already has all of these protections built into it.
And something you've said in the past, or maybe you put in a blog that I love, and I think bears repeating is, you write the code, we take care of the rest.
It's dead. It's simple. And what's more is like, again, with our network, it scales to whatever you need it to scale to.
And so the alternative to using Workers to really support your infrastructure and scalability, I'm guessing is, again, those same poor IT people who are trying to manage the TLS infrastructure, now trying to buy new servers, plug them in, stand them up in multiple locations.
It might be in a cloud provider, maybe it's their own data center, all over the globe.
Is that right? Exactly. And so, yeah, and so kind of how you said, when we're talking about our checklist of getting your SaaS business set up, before you even start building out your application, you have to think about keeping your customers' traffic encrypted.
So provisioning the TLS certificates, you have to make sure they have the right protection in place.
You have to make sure they're fast.
You have to make sure that you have this resilient, redundant network of servers that are ready to serve your traffic.
And so that's where once you onboard to Cloudflare for SaaS, and you use Workers for your origin, you use our WAF and bot management solution for the protection, you use our SSL for SaaS pipeline for the certificate provisioning, we essentially are taking all of these challenges away from you.
And so your engineer that's working on getting your SaaS business started, they no longer have to worry about any of these challenges.
They just onboard to our platform. It takes less than five minutes to get a zone set up on Cloudflare and to get custom domains created and these certificates provisioned.
And from that point on, all you need to do is write the code for your application.
And that's what you should be focusing on. That's pretty amazing, right?
Focus on your core business, our superpowers take care of a lot of the many of the other headaches.
Now, say somebody does, they do, you know, get Cloudflare for SaaS in place.
And that's awesome. How do they then turn around as a SaaS provider and show their customers they're a great SaaS provider?
Yeah.
So taking a step back, how do we show our customers that we're a good network provider and infrastructure provider?
We show them analytics. So our customers say you're just adding your domain to Cloudflare.
The way we show you that we're providing the right security and that we're keeping things fast is we show you analytics.
We show you our bot analytics, which shows you how many attacks we've warded off or how many bad bots we've kept off of your origin.
We can show you cash analytics, things like that.
And so in the same way that we provide that visibility to our customers, we want SaaS providers to be able to provide that same visibility to their customers.
And so we have custom hosting analytics, which we're really excited to announce very soon, but it's available today.
And essentially custom hosting analytics, you can break down into two views.
There's one view, which is for the SaaS provider.
And actually, if I share my screen, it might be easier.
Picture is worth a thousand words, right? To see this. Yeah. So I have the Burrito Bot Zone where I have my SaaS application for burrito shops.
But here I can see the overall traffic.
And so this is really helpful to me because, for example, I can see that one customer is spiking a lot more than others.
And so if I want to, for example, bill them more, I can do that if, for example, I'm serving more requests from my origin for them.
So there's a burrito bot.com. They're using up more requests.
Or for example, I can look up data transfer and see if someone using it up more than others.
But not just that, but also this kind of measures the success of my application.
I have 65,000 requests going to my burrito service overall.
That's pretty amazing. And I can track that over time and see how that changes.
But not just that, but the overall view of all of my customers, I can also see where requests are coming from.
So I can see, for example, that in France, more burrito shops might be coming about.
I love it. Exactly. I can figure out how to make business decisions because as a SaaS business, it's your eyeballs, your viewers are kind of your success.
They're your visitors. And so I might have a customer base in Europe that I now need to service.
And so it helps you answer all of these questions.
But not just that, but another thing that you can do is you can dive in to one of these.
And you can do this in the analytics dashboard. But where it's actually the most powerful is you can use our analytics API, and you can build your own dashboards in your SaaS business so that, for example, I can show chorizo .theburritobot.com, I can show them how many page views they're getting and how many global visitors they're having, things like that.
And so that's where the technology becomes really, really powerful.
Interesting. So this is basically a tool that basically, for starters, better manage your own SaaS business.
And so as you mentioned, we can see if somebody is sort of in the realm of overages compared to how much they have contracted.
And you can then sort of revisit that with them.
And then you can turn around and also just give them the activity, the reports, the logging that they would love to see about their own business on your platform.
Exactly. And so you're enabling your end customers to make business decisions.
But not just that, you can show them all the same analytics. You can show them the analytics to show them, hey, chorizo.theburritobot.com, you don't have to worry about bot traffic because we're keeping them away from your platform.
You can show them the same cash analytics to show them how fast your application is.
And this is really important when you have different SaaS businesses that are in the same realm come about.
And when you're competing with others, this really makes your offering, it really puts it in a much better place because you give your customers visibility into why you're the best provider for them.
Awesome, awesome. So we've covered a lot here. Maybe it makes sense to sort of sum up the superpowers that Cloudflare for SaaS offers.
So from what I've heard, and I'd love to hear from you too.
So security, right? And that's TLS, that's web application firewalls, that's bots, if that is indeed something that you choose to pursue.
For you and for all your customers, the performance that as we've decided is non-negotiable, you must be fast no matter where your web visitors are in the world.
Infinite scalability, if you will, thanks to workers, right? You write the code, run it on our network and your support everybody.
And then now analytics, right?
Exactly. And all of this coupled to go back to the custom and vanity domains, not just for your website, but for your customers' websites that they have control over and the ones that you don't own, and that's where it becomes really, really powerful.
Yeah. So this is amazing. These really are superpowers for SaaS providers. How, if somebody wants to get started, to dive in, where should we send them?
Yeah. If you're an enterprise customer, you should talk to your account team and we'll help you get started.
If you are not on the enterprise plan and you want to see if this is the right solution for you, we have a beta that's ongoing.
So if you go to the Cloudflare for SaaS marketing page or to the blog post, you can find the beta from there, but actually really exciting news.
In a very short period of time, we will have our SSL for SaaS pay-as-you-go available.
And so that way any customer would be able to sign up and go and create as many custom hostings as they need for their own customers without talking to our enterprise team and be able to also use it to test it out and see if that's the right solution for them.
Yeah. And once again, we're going to great lengths to make encryption, make TLS, make PKI, headache -free and even free for more of the world as part of our mission to help build a better Internet.
So actually, maybe it makes sense to leave it there, Dina. This has been a lot of fun.
Cloudflare for SaaS is indeed the superpowers for SaaS providers.
So I appreciate you having me on. No, thank you. This has been a blast. Okay.
Thanks everybody. Talk soon. Bye -bye. Thank you all. Bye. Bye.
Bye.