What it Takes to Provide Internet to Every Person on Earth
Best of: Internet Summit 2016
Anja Manuel and David Schaeffer describe the landscape of Internet users. What are the new projects that are bringing Internet to rural areas? What makes that a hard challenge for both the implementer and the user? David provides a definition of "The Internet" and Anja begins a conversation about the dynamics of those who govern it.
- David SchaefferFounder & CEO, Cogent
- Anja Manuel (@AnjaManuel1) Co-Founder & Principal, RiceHadleyGates LLC
- Moderator: Alex Dyner, Head of Special Projects, Cloudflare
How switching off your firewall can actually make you safer (2020) Cloudflare Product Mananger Sam Rhea sits down with Adam Shepherd, Editor, IT Pro, to discuss how Cloudflare for Teams can protect devices, networks, and internal applications without compromising performance.
Music Music Music Music Music So we're going to change gears just a little bit.
Our next session is going to explore what it takes to provide Internet to more people around the world.
And I'm very pleased to introduce two guests who can provide both a technical perspective on that and also a public policy perspective.
Dave Schafer is the founder and CEO of Cogent Communications, a tier one Internet service provider ranked as one of the top five networks in the world.
Cogent provides Internet access and data transport services to companies, carriers, and others who rely on Internet access.
The company built its own IP data network independent of the traditional voice-based networks of the large telecom companies, which allowed Cogent to reduce the high cost of bandwidth down to a level never before offered in the marketplace.
They founded Cogent in 1999 and over the last 17 years has built it into one of the world's largest ISPs.
Anya Manuel is co -founder and principal in Rice Hadley Gates, along with Secretary of State Condoleezza Rice, National Security Advisor Steve Hadley, and Secretary of Defense Robert Gates.
The company is a strategic consulting firm that helps US companies navigate international markets.
She's also the author of This Brave New World, India, China, and the United States, which explores how each country's history and politics influences their conduct today.
From 2005 to 2007, she was responsible for South Asia policy at the US State Department.
Anya is also a lecturer at Stanford and sits on Governor Jerry Brown's Advisory Council on International Trade and Investment.
Welcome to you both.
Thank you. So Anya, I'll start with you. Frame the issue for us.
What does it mean when we talk about providing Internet to more people around the world?
Thank you, first of all, for having me here. This is a great event. I had the privilege of working with Jen in government and was very happy to hear her presentation, too.
Let me just frame the issue from a policy perspective. So overall, getting access to the Internet for the world's people has been a stunning success.
3.6 billion people out of the 7 and 1 half or so that we are, 3.6 billion people are on the Internet.
And it's growing by hundreds of millions a year. The problem these days, and I'm sure Dave will talk about it more, it's less accessibility because there are 1.3 billion Android phones on earth.
It's more the expensive cost of data, which Cogent and other companies are trying to bring down.
So all of that is a hugely positive trend. But there's a counter trend that you need to look at, which is that of those 3.6 billion people, over a third live in countries where the Internet is heavily censored.
So China, Russia, the Middle East, places where the Internet that we see here, global, interoperable, open to everyone, freedom of expression, it just doesn't exist in that way there.
And let me give you just some examples.
China and Russia had a conference this summer where the discussion was all about how the Internet shouldn't really be international.
It should have country boundaries, just like real physical countries have boundaries, which of course is completely anathema to what was created here in the 80s and 90s.
And the Internet would look nothing like what we would want it to look like today.
Around the world, and I don't want to pick just on Russia and China, but in lots of other countries, you have data localization laws.
Many of you probably work with this specifically, where they're saying any data about our citizens needs to be stored here in country.
And that means, by the way, we can monitor absolutely everything they're doing.
China alone employs 2 million people just to censor its Internet behind the Great Firewall.
I've never seen any of these, but you imagine people in a warehouse sort of deleting people's tweets.
And it has a real impact on global commerce as well. In China, eight of the world's 25 most popular websites are blocked, including Facebook, and Google, and Twitter, and many of the ones here.
The US administration has said that's a restraint of trade, because of course we don't block Chinese Internet sites here.
So overall, this is a positive story, but there are countervailing trends that we can all help manage from here.
And if not managed well, I think in 20 years you'll see an Internet that's quite different from the one that we all grew up with, and that you all spend your times working with.
Yeah, it's interesting, because we talk about the Internet, and we use that one word.
And it means very different things in different parts of the world.
I think both from a kind of government -driven policy standpoint, but also technically.
Right, Dave? Do you want to talk a little bit about that?
You hear a lot about projects that Facebook and Google are pursuing about bringing more people online.
That's actually a different type of product that we're used to.
There's a great challenge to bring the remaining population of the world into the 21st century and bring them online.
The Internet has succeeded for several reasons.
First of all, it was a network that could sit on top of any other network, so it was not built initially as a purpose-built network.
Secondly, it's a network that had no particular application in mind when it was conceived and as it is developed.
It's that level of flexibility that has created the value of the Internet and why people value it so greatly.
But as we look at the world, of those 3.6 billion people connected, that means there's 3.7 billion people that are not connected.
And it's going to be very hard to get the remaining population connected.
If we disaggregate those numbers, about 900 million people have broadband connections the way we know it, a fixed wireline connection that really allows us to use the Internet the way we are accustomed to using it.
The remaining roughly 2.7, 2.8 billion people that connect to the Internet connect actually through mobile devices, which are much more expensive to operate on a per-bit basis.
Many of the countries have very low teledensity. They have poor regulations, even for their telecom infrastructure.
And in many of those countries, the telecom infrastructure is a cash cow for the government.
Usually the government owns them. The US is a bit unique in that our telecommunications industry was private.
Although it was heavily regulated, it was private.
Whereas in many countries, it's the PTT, the Postal Telephone and Telegraph Network, that is the underlying infrastructure for the Internet.
And the Internet is very threatening to those companies in that it delaminates the application from the network.
It means that much of that voice revenue that they're so dependent on is going to go away.
So oftentimes, you have internal conflicts within the government.
Some parts of the government want the Internet. Others don't.
So as we look at new projects that are looking to bring Internet to these remote areas, they're looking to do so, one, by improving tele -density.
Two, creating new business models that are not dependent on a subscription-based model and maybe ad -based or application-based.
Now that brings a whole other set of concerns, which is, does that service provider really allow their competitors to use the Internet as well?
So there's a balancing act in any of these business models.
And we have a lot of work to do. The easy work is behind us.
It's gonna be very hard to get the remainder of the world on the Internet.
And from a user's perspective, what are the implications behind the different types of networks?
Putting aside the policy and some of the censorship issues that Anya referenced before, how does the impact to the user vary because of these things?
So everyone in this room and all of us use the Internet on a regular basis, but very few people could actually define exactly what the Internet is.
And it's a very definable thing. It's a network that has somewhere around 1,400 petabytes a day of information passing across it.
The average bit travels 2,700 miles.
It goes through 2.4 networks from origin to destination and it'll traverse eight and a half routers between origin and destination.
And the Internet works because 50,000 networks interconnect with one another and do not block traffic between those networks.
So for a wireless user, those bits are very valuable because you can use them anywhere at any time and they're extremely flexible, but they're very expensive.
You know, wireless delivery of information is orders of magnitude more expensive than fixed line.
So countries that had existing fixed line infrastructure, whether it be cable or telephone, that allowed for Internet service providers like ourselves to leverage that infrastructure, have much better user experience, have much richer content.
You know, a small screen helps in that you have less information on that small screen, but you know, the main application today that people are driving bandwidth growth on is video.
And you know, the video experience on a four inch screen is very different than a 60 inch screen.
And you do need to have fixed line connectivity to give a good user experience on that large screen.
So there needs to eventually be a business model where service providers can deploy capital, get an adequate return and build that infrastructure and at the same time, not be married to any application.
The Internet has flourished because it's application agnostic.
So one topic that's quite timely today and over the next couple of weeks is the regulation of ICANN, for example, which regulates the root domain system.
You know, what are your, I guess for both of you, what are your views on that?
And what are the two sides of the argument behind, you know, between regulation and sort of the self -regulatory point that you made before?
Great question, thank you. Let me ask with, let me start with why should we care?
We're all sitting comfortably in this room here in Silicon Valley.
Most of us work in tech and I think we have this assumption that if our little companies grow big, of course we're going to be doing business in other countries.
Of course there's gonna be one global interoperable Internet.
Of course our friends in China and Russia and the Middle East and Latin America are gonna be able to talk to us on WeChat or WhatsApp or whatever it is.
That's not 100% a given. That was actually done because people who were early, I think you're hearing from Tim Berners-Lee, you know, folks who started this whole process were very thoughtful about how the Internet would be governed or not governed.
And the answer is, it is only very loosely governed. So ICANN is a non-profit organization based here in California and it basically manages the domain name system.
Which means if there's .com, .org, .paris, .netherlands, they create those new domain names.
They also, I think, have loose management responsibility over the root servers, actually the backbone of the Internet.
I know Dave and Cogent manages one of those, but there are 13 and they're all around the world.
So why do we care about this? In the 1990s, when the Internet was first getting big, the US government said, let's have a zero dollar contract with ICANN to just have minimal oversight and make sure this works.
Across three presidential administrations, there's never been a problem.
The Commerce Department basically rubber stamps when they say, okay, fine, now we're gonna have .paris as a domain name.
And that contract is about to expire now, like on September 30th.
And this really should be a political non-issue. But in the crazy political environment we're in, a few folks, including Senator Cruz, now that he's no longer running for president, have decided that this is a big political issue.
And actually, if we give away the Internet, if the US government no longer has control, he argues, then folks like China and Russia will take control.
That is exactly backwards.
Because when I go, I spend a lot of time in China and India and Russia and these places, what I hear from folks there is, well, you Americans are controlling the Internet, so we need to have our own national Internets.
And if you don't let go, as the US government of this, we're gonna start moving in that direction.
So this is something that you all can actually do. This is the week. I don't usually tell people to call your congressman, but call, I'm telling you right now, call Senator Thune, who's the head of Judiciary Committee, who's kind of on the fence about this.
Call Senator McConnell. This is the week that the decision is going to get made, and it's not at all clear that it's going to go the right way.
So there's my little spiel on that. I think that one more thing, and then I'd love to hear your views on ICANN too.
Another thing we can all do to continue this Internet that has worked really well for all of us is to keep supporting US companies' willingness to expand abroad.
I think there's often an instinct to just give up and say, well, LinkedIn, they're kind of in China.
Facebook's never gonna get in.
And there's a lot of criticism on the US side of companies that try to expand internationally.
I think that's wrong. I think even if you have to go and live by the national restrictions in a country that you're trying to do business, the idea of interacting more with the Chinese, with the Indians, with the Russians, with the others is always a good thing.
And so we should support our company's willingness to do business in all of those places.
Well, I couldn't agree more that the openness of the Internet is a success. Bob Metcalfe coined, I guess, an axiom, the inventor of ethernet, that said the value of the network is worth the square of the number of unique users to the network.
And I think that really understates the value of the Internet because it's not only the square of the number of users, but also what percentage of their time they spend on the Internet and what is the value that they get out of the Internet.
And I think by that algorithm, you would see the Internet is increasingly important to society.
You know, the Congressional Budget Office did a study probably about five years ago now and concluded that basically 1% of real GDP growth per year globally was attributable to productivity improvements caused by the Internet.
And it's this very decentralized idea where anybody can have a good idea, anybody can publish that idea to a global audience, and it's now available to everyone in the world.
And the reality is most of those ideas fail, but a few become wildly successful and change the way we live.
And no one picks the winners and losers.
The end users are empowered to do that. And it's this decentralization that has been the cornerstone of the Internet.
So going back in history and looking at the control of the Internet, actually in 1991, the Department of Commerce was tasked with privatizing the ARPA and DARPA nets and called a conference in DC that was actually hosted on Wisconsin Avenue at the National Academy of Sciences.
66 companies came to that event and actually only eight raised their hand to take over this thing called the Internet, to privatize it.
And the requirement almost seems ludicrous today that in order to be one of those initial backbones you had to agree to connect a T1 between nine physical sites geographically dispersed in North America.
And if you did that, you are a global quote-unquote tier one Internet provider.
And at the application layer, the Internet was free to do whatever it wanted.
At the control plane layer, there was this idea of root servers.
And there are 13 root servers. 11 of those are run by not-for -profit entities, research entities for the most part.
And two of them are run by for-profit entities.
Ourselves and VeriSign run two of the root servers. And when you type a web address in, what you're doing is expecting that set of characters to be translated into a hexadecimal numeric code that is basically the IP address of that website.
Now IPv4 is somewhat limited. It's two to the 64th addresses.
There's about 4.2 billion addresses. We're facing an exhaustion there, so we've been migrating to IPv6, which increases the address space to a virtually unlimited number of two to 128.
But it's this root server system that's very distributed, very self-healing, and really self-regulating.
In fact, the underlying software that runs these root servers is free shareware.
Guy wrote it, Paul Vixie's still around, still does updates on it for free.
There's a root server working group that meets once a year.
There's no government sponsorship. People go to a different location in the world and talk about technical issues, how to secure the root servers, how to make them work more efficiently.
And the reality is the actual resolution of an address to your domain name is being done by your service provider in a very distributed DNS environment.
So this whole I can, who controls what discussion is truly much ado about nothing.
It's a political issue by people who have no comprehension of the mechanics of how the Internet actually works.
It wasn't, I think this...
And it proves that these days everything has become a political football.
Wasn't meant to be a plug, but I guess it turned out to be that.
More broadly, what's the role for government then? Oh, I think the government has a very strong role to play in preserving the Internet.
I'm a serial entrepreneur and I actually dislike regulation viscerally.
And it was funny when I had to go meet with the FCC chairman a couple of years ago and ask for regulatory support, he laughed and he says, do you wanna wash your mouth out with soap now after you've asked for this?
And it really revolves around this issue of net neutrality.
And in the, I guess, benign form, it's certain providers refusing to allow their customers to get access to all content equally on an unfettered basis.
Maybe on a more extreme case, it's a country putting up a firewall like the Golden Wall in China and having 2 million people scrub through traffic going in and out and filtering things.
But the Internet works because it is a level playing field and the government needs to make sure that it's a traffic cop in that relationship.
And the reason is local distribution of any utility, whether it be roads or water or gas or electricity, telephone services, cable services or the Internet are all natural monopolies.
And monopolists will abuse their power if they are not regulated.
So there's a social contract that's made that says, you get some monopoly rights, but in exchange you have to agree to a set of consumer protections.
We in the West adopted those rules. We were very fortunate that we had an FCC chairman who stood up to some political opponents and passed some pretty tough net neutrality rules.
They don't favor anybody, but they don't prohibit anybody from selling their application or content to anyone in the world.
We saw the European Union struggle a little bit, get to some regulations that were more or less in line with what we have in the US, but not quite as strong.
And then when you get outside of those two geographic theaters, you're seeing people around the world really struggle with this.
They want content to reside in their own country, servers have to sit in their own countries.
This has nothing to do with web performance.
This has to do with political control. And I do think that's a very dangerous place if we allow that to continue.
You're not getting much disagreement here.
I agree completely with what Dave said. And I think the Internet is so unique.
It's the only time that there has been in the world true government by the people for the people.
So the fact that this works with distributed root servers, the fact that there isn't the United Nations as one central authority controlling it, that there aren't national governments who are controlling it, is a huge victory.
And it's something that we shouldn't take lightly.
And I think the US government has been really thoughtful about this, to step in when there is a need to, like on net neutrality and others, but then to keep out and let the community, like all of you guys, basically govern themselves.
So I think we have about five minutes left.
So we have time for a few questions from the audience, if any of you guys wanna ask Dave or Anya a question.
What do we say to the Congress?
That's a good question. It's a good point. I guess I would say, look, I can send you more detailed talking points, but the bottom line is, China and India are not gonna take over the Internet if you allow this contract with the Commerce Department to expire.
This is a non-issue, and you should just let it expire. Yeah. So you were mentioning about censorship in countries like China and Russia before, and there used to be, from a technological perspective, a lot of technologists who were interested in anti-censorship, there was this idea that maybe technology was gonna solve this problem, and that hope was alive for a while, but it sort of has become more clear over the past decade or so that even if we can make it so that people in countries like that can access some information, that actually doesn't have a huge impact, like the censorship model that China and Russia are using now is, well, at least if we censor most of the things and we have government -sponsored bloggers and things like that, it'll look, to most of the people, the way that we want it to look, and that seems to be good enough.
So it seems that technology actually isn't going to be able to solve that problem.
Is there an alternative political approach that we can take to address things like censorship that, as you were mentioning, have to do with, if we want full Internet penetration everywhere around the world for everyone, really have to solve that problem?
It's a really good question.
I think a lot of us used to have a very purist view of this. Everyone would be on the Internet, and suddenly there'd be free speech for all.
That hasn't quite worked out, because as we get ever more sophisticated algorithms to serve up ads, turns out the censorship side also gets more and more sophisticated and can root out things that they don't want people to say.
I think there's no silver bullet, but it's a keep on trying and gently pushing.
So there's no reason for U.S.
Internet companies to give up trying to go to China. I'm picking on China a lot today.
There's a lot of other countries, too, to China and Saudi Arabia, and in some cases, Brazil.
Brazil was shutting down bits of the Internet just during the Olympics.
We should keep going. We should gently, gently, because if you push too hard, you're gonna get kicked out.
This is what happened with Google. They had a very, I thought, a very ethical, very thoughtful stance, but it resulted in they got kicked out of China, or they left China.
But I think by gradually getting people to communicate more, gradually prodding both on the government side and on the technology side, ultimately, I'm an optimist.
I think we're gonna move that trend back in the right direction.
Hi, my name's Joe Jason.
I'm with a firm called DNA Partners. We're a seed investment firm here in Silicon Valley and China.
In regard to the FCC's new law that passed that the Internet is now a utility, and the commissioner is calling it a commodity, and I'm fine with that.
I'm neutral on this question. So do you think there may be new taxation associated with service providers' connectivity and service providers' digital media?
So I think the chairman had to go ahead and classify the provision of Internet services as a Title II service.
That's a section of the FCC code that allows them to then implement rules.
Now, they took a very light approach, and really, in a 400 -page document, spent about 200 pages explaining how all the other previous commissions had failed in front of courts, and they wanted to address issues that various courts, all the way up to the Supreme Court, particularly an opinion written by Anton Scalia, prohibiting the FCC from having any opinion on the Internet.
So they put all of that in place.
They classified it as a Title II service, and they basically put four guiding principles.
There's not one single regulation in place today for the Internet.
Those principles are pretty uncontroversial, I think. There's no blocking, no throttling, no paid prioritization, and all bits have to get through in that a service provider has an obligation to make all addresses on the Internet available to their end users.
Those are pretty simple statements. What they did is they kept a big stick in their back pocket and said, if you don't do that, we can be much more prescriptive in our regulations and step in all the way to the point of rate regulating or removing your ability to actually sell services if you abuse it.
And there's a clear pattern of abuse from Comcast and AT&T and Verizon.
So it's not like the service providers were innocent. You have to remember the Internet is a cable or phone company's worst nightmare.
Brian Roberts probably goes to sleep every night and is praised that when he wakes up in the morning, this thing called the Internet is gone, because then there's no Netflix to compete with him.
Now, in terms of taxation, Congress has been very clear. There's an Internet Tax Freedom Act.
It does have an expiration, but it has been extended now, I think, 16 consecutive times.
And it specifically says the Internet is exempt from any taxation.
That does, though, present a problem. We have a second agenda in America, which is broadband connectivity to those that don't have the resources to have it on their own.
And for 100 years, we had a cross -subsidy situation in telecommunications, where businesses paid more than residential.
People in cities subsidized rural services. And finally, consumers subsidized education and government.
Those were done through the Universal Service Fund.
It's actually a tax you see on your phone bill every month. It's actually pretty confiscatory.
It's 17.4%. That's a big tax. Going forward, those funds have been diverted from traditional telephone services to broadband services.
And there are several programs.
There's an E-rate program, a BTAP program, that are designed to build broadband out to schools and to rural communities.
However, it's being subsidized by a shrinking revenue base, which are the legacy services.
So there is a fundamental problem that the new services need to be developed.
They need to be subsidized in rural areas where they're not cost-effective, unless we wanna be a society that says only city dwellers get good Internet service, and people in the suburbs and in farms don't.
And I don't think that's our social plan. So with that, there has to be a subsidization mechanism.
And ultimately, it is gonna have to come out of the like users in the markets.
Now today, that's actually prohibited by Congress.
And it's just another example of this political ineffectiveness we have where the two sides can't somehow come to a common sense answer.
So I too I'm gonna try to keep us on time. We are out of time, but I wanna thank Dave and Anya for being here and for a great discussion.
Thank you. Hey, thanks a lot.
Optimizely is the world's leading experimentation platform.
Our customers come to Optimizely, quite frankly, to grow their business.
They are able to test all of their assumptions and make more decisions based on insights and data.
We serve some of the largest enterprises in the world.
And those enterprises have quite high standards for the scalability and performance of the products that Optimizely is bringing into their organization.
The reason we partnered with Cloudflare is to improve the performance aspects of some of our core experimentation products.
We needed a way to push this type of decision making and computation out to the edge.
And workers ultimately surfaced as the no -brainer tool of choice there.
Once we started using workers, it was really fast to get up to speed.
And then it just works. So that was pretty cool.
Our customers will be able to run 10x, 100x the number of experiments. And from our perspective, that ultimately means they'll get more value out of it.
And the business impact for our bottom line and our top line will also start to mirror that as well.
Workers has allowed us to accelerate our product velocity around performance innovation, which I'm very excited about.
But that's just the beginning.
There's a lot that Cloudflare is doing from a technology perspective that we're really excited to partner on so that we can bring our innovation to market faster.
Hi, my name's Adam Shepard, and welcome to this webinar presented by ITPro in association with Cloudflare on cybersecurity in the cloud.
I'm joined by Sam Ray, product manager for Cloudflare for Teams.
Sam, welcome. Thank you. Thanks for having us.
So I think it's fair to say that over the last 10 years or so, the enterprise workplace has changed dramatically.
The rise of things like mobile Internet, SaaS apps, widespread connectivity, remote working have all dramatically changed the enterprise landscape.
But while these things have all been transformational in terms of our day -to-day productivity, we don't always think about the impact that it's having on the data that underlies all of this.
What kind of impact have these changes in usage patterns had from a cybersecurity and data protection standpoint?
Yeah. Well, the scariest thing for me, at least, about the way that these changes have impacted cybersecurity is that we're still trying to apply the cybersecurity model of 10 years ago to this new paradigm.
So all of the things that you described where users are working away from the office, they're now working on SaaS applications, data is living both internally and externally.
But the way that we approach security and safety around that data, around those users and those devices, is still in the past.
And that's something that poses a real risk to how businesses operate today because that old legacy model is just not scaling with how users actually do their work.
Okay. So would you say that there are areas where security is almost getting left behind?
Yeah. And the funny thing about the last 10 years is that the Internet got much better for consumer users and business users of SaaS applications.
And Cloudflare got to be part of that.
Over the last 10 years, Cloudflare has built out one of the world's largest networks to deliver the Internet closer to the end user in now 200 cities around the world.
And we did that for the websites and web properties. There's now 20 million that serve the public.
And what I mean by that is that these are large sites that you and I could access just as consumer users, individual users.
And that experience has gotten so much better in the last 10 years. And Cloudflare built a network to continue to make that faster and safer for those end users.
But the way that security is still applied in an enterprise, in a business, is, like you said, really lagging behind, stuck in that old model.
And that's part of why we've released Cloudflare for Teams to think about how can we apply the network and all the benefits that's delivered to the infrastructure that it protects.
And then the speed benefits it's delivered to those end users, those individual users, and bring that into the enterprise.
So that for an employee, your experience using your work apps, whether they live internal or external, feels fast and is inherently safer.
And as safe as your experience using things just on the regular public Internet.
So as you mentioned, the way that employees access corporate systems has changed dramatically.
A lot of traditional remote access systems have been based on a data center, VPN appliances.
How have these more traditional ways of remote access coped with the boom in SaaS applications and remote working and that kind of thing?
Yeah, they haven't. They've tried to force the Internet back through these legacy ways.
Ten years ago and before that, most corporate networks were built in a castle and moat type model.
You hosted things in your own data center.
You installed a VPN appliance in your corporate headquarters. Your corporate headquarters had its own network that was peered with the internally managed resources that you were using.
And you surrounded all of that, both because it was inherently a private network, as well as with security hardware that you had to deploy to keep threats out.
But once you were inside that castle, you were mostly safe.
But as, like you mentioned, as the way that people do their work has changed, that old model now presents a couple of different problems.
The first is that if someone is able to get inside those castle walls, they're probably able to do a lot more damage than just the fact that they are inside the network.
Most networks, if you're able to reach that private network, you often almost always have overly broad access to internal systems.
And to prevent that requires some really complex configuration for the administrator, the business protecting those systems, to invest time and resources in configuring.
And there can still be mistakes.
And then the other problem is that now users are leaving that castle.
They are going out to use SaaS applications. They're using things that are not internally hosted.
And they're also working away from it. They're working in remote teams or distributed models, or they have branch offices.
And the problem for those remote and distributed teams is that they now have to, to do anything, connect all the way back to that castle remote model, where that old legacy hardware is attempting to apply the same security posture to the whole Internet that it used to only have to apply to the internally managed network that it was protecting.
And so that, for your end users, just is a miserable experience. I don't think anyone, Cloudflare included, when we were using a VPN several years ago, enjoys the experience of using a VPN to do your work.
The idea that I could be traveling away from, for us, the headquarters in San Francisco, and wanted to open a wiki document on our internal wiki, I had to connect all the way back to San Francisco to do so, deal with the latency that introduced.
And if I was on a mobile phone or trying to access it from anything other than a workstation, I had to deal with the cumbersome VPN clients that you need to rely on to connect to that private network.
So that experience is pretty terrible. And then for your security team, it's also terrifying, because once you're on that private network, you frequently lose a lot of visibility into what users are doing, and into the potential threats that could infiltrate that network, and compromise the types of resources that you're protecting.
And then it all gets even worse if you're using the Internet to do your job, which all of us are now.
Where these remote users, users outside of headquarters, they're backhauling all the way back through headquarters just to get to G Suite, or Office 365, or Salesforce.
Which again, just produces a pretty miserable experience overall for those users.
I think as part of that trend, one of the things we keep hearing over and over, over the last couple of years, is that the traditional security perimeter, as we've always thought of it, is pretty much dead.
Why do you think that view has become so common?
Yeah. As the security perimeter was built to protect things where you had a really high degree of control over them, internally managed resources and tools, often in data centers that you controlled.
But that's just not the case anymore in most businesses.
Most businesses are now using applications where, in a SaaS app model, the data actually resides elsewhere.
And so the users are accessing that data on a platform that is externally managed by the SaaS provider or the vendor.
Likewise, the actual data that powers a business, some of the systems and the infrastructure that powers what that business might do, is shifting away from internally managed data centers to a public cloud model.
And so you now kind of have to look at drawing your perimeter around everything that's going on in this model, which pretty quickly, you're going to make a mistake.
You're now attempting to protect mobile devices that are all over the world, dozens if not hundreds of SaaS applications that are being used, some of which you don't even know are being used, a public cloud provider and possibly multi -public cloud providers, which each have their own different approaches to securing the data that lives in them.
And now your perimeter is just this Swiss cheese of how do we apply something consistent to all this data that is just moving in every direction?
And what's really exciting about Cloudflare is that we do a few things really well, and one of those is moving data around the Internet.
And we do that because we've built out this network that originally started by protecting the infrastructure on the Internet, the origin servers that serve the websites and the properties that lived on Cloudflare.
And now that we're able to take everything that we've learned with that infrastructure and apply that to any request that a user is making, whether it's going internal or external, we're able to deliver a comprehensive level of security in a way that doesn't require a true perimeter.
Every request you're making, whether it's to a SaaS app or to your internal wiki, is being evaluated and being protected and being secured wherever you are and close to where you are because of that distribution of that network.
So, based on that kind of idea that the security perimeter is now so porous as to be effectively impossible to defend with traditional thinking, is the solution then for enterprises to apply endpoint protection clients to BYOD devices and corporate devices as a method of stopping any potential security issues at the endpoint?
Yeah, there's layers of it. One thing that's really important to us on the security products at Cloudflare is that we solve problems that we have ourselves.
And we were speaking with the security team at Cloudflare, talking to them a while ago about the upcoming launch of Cloudflare for Teams, and really attempting to kind of treat them like our own customer and kind of interviewing them about what was important.
And the way that our group and their leadership put it is having layers of security and that defense in depth is so important.
So, part of that does include endpoint security on the device.
But then when data leaves that device, it's now in flight and potentially at risk.
And that's where a lot more of the Cloudflare services can begin to help secure that data as it's in transit, as it's leaving an employee's laptop and traveling on its way to a SaaS application.
Or as you have an external request that's coming into something that you host yourselves and you control internally, making sure those requests are authenticated, secure, encrypted, and private and fast is really important and a really critical part of building that defense in depth strategy.
So, speaking of speed, one of the common complaints that we've heard anecdotally over the years from security teams and security professionals is that users, when they feel like a security solution is impeding their ability to get work done or making their applications or devices slower, that they'll simply circumvent it, turn it off, disable it.
How can security teams combat this kind of behavior? Yeah, there's probably two models where they could think about this.
And one is not fun, and the other is something exciting that we've built here at Cloudflare.
But the first is you could just enforce it.
At least you could try. You could deploy some pretty rigorous rules around device usage, kind of force everything to comply in a way, though, that, like you said, if the experience is slow, cumbersome for the end user, they're just going to be miserable.
The second is you could actually make it faster.
Not just good enough, but faster. And one thing that's unique about Cloudflare is the Teams security platform builds on services and technology that we've been developing and releasing to individual users.
Cloudflare Warp, it's a mobile application that uses the Cloudflare network to connect your mobile device to any destination on the Internet, not just destinations that are behind Cloudflare, but through Cloudflare's network.
And that's really valuable because given the distribution of our network, as well as the data we have about performance and connections on the Internet, we can make that experience much, much faster.
And Cloudflare for Teams also builds on other technologies that are incredibly performant that we've built out.
One of its features in particular is a DNS-based filtering.
So this is something where at an office network level or a mobile device, you could block things like phishing or malware from users inadvertently requesting those.
But it builds on top of our 184.108.40.206 resolver, which is the fastest DNS resolver in the world.
And so in all these situations, we really see security and performance, security and speed as being both complementary but also necessary.
Because like you said, if it's so slow that people just find ways around it, it's not actually secure.
And so we want these to go hand in hand with all the products that we build.
So speaking of which, you've mentioned a couple of products, Warp, 1.1.1, Cloudflare Teams.
For viewers who are perhaps most familiar with Cloudflare's DDoS mitigation service, what does the infrastructure that underpins that DDoS mitigation service allow Cloudflare to offer in terms of protection capabilities?
Yeah. So to build up the scale at which Cloudflare has to protect infrastructure from the size of DDoS attacks that we've seen, it takes a massive network.
And not just a massive network, but also a very well-distributed network.
And by building out that network now in over 200 cities and over 90 countries around the world, we are both closer to the end user but also at a scale that we feel we can secure the 20 million web properties that are on Cloudflare and some of the largest websites in the world.
And once you're able to use those same data centers, that same network, that same scale and distribution to solve this particular problem, you're able to benefit from all of the reasons that Cloudflare for infrastructure is fast.
And it's fast because it's within 100 milliseconds of 94 % of the world's Internet-connected population.
So when you're just an individual user reaching a site behind Cloudflare, the content, if it's cached, it's close to you.
If it's not, the network is able to intelligently find the origin and return the content to really speedy experience.
And with Cloudflare for Teams, all of the things that we've learned in the last 10 years doing that for infrastructure, we can now apply to individual employees and team members who are using corporate resources, whether they are things that are protected behind Cloudflare or SaaS apps that live off Cloudflare, but that request from the user is going through Cloudflare first.
When it comes to rolling out new technologies within an IT department, one of the most common obstacles that IT teams run up against is the worries from senior management that it will incur additional costs and complexity versus the solutions that they're already using, which in many cases are viewed by management to still work fine.
How can IT teams convince purchases and board level members that Cloudflare solutions won't incur these same kind of cost and complexity concerns?
Yeah, we often find a lot of our customers are initially interested in the Cloudflare solution simply because they are so tired of both internal and, to your point, executive level complaints about the VPN that they use in their business.
For an IT team to recommend to leadership that, hey, we want to replace our VPN with something faster and better, I don't think any leadership group has ever disagreed that the VPN wasn't worth replacing with something faster and better.
It's a fairly universal experience where it's a painful process for members of the organization anywhere and at any level.
And so there's an ease of use aspect to making the experience better for your entire organization, not just a smaller group within it.
And then there's also something powerful around the productivity that you gain when you're not dealing with the experience of a VPN, a traditional VPN.
That takes a few different forms.
One is if you join a new company where a traditional VPN is in place, there's probably a multi-hour session just onboarding you to how to use it, how to navigate it, getting it installed, explaining what credentials you need to use.
It's a fairly lousy way to start your first day at your new job is dealing with this, hello, welcome to the VPN.
And that is only harder if you're trying to work with contractors and vendors and partners who need to access your internal systems.
And you now either have to decide, do we onboard them to our VPN?
Do we expose them in some other way? If we onboard them to VPN, how do we convince, for example, our accountants or our lawyers or our marketing agency that they want to install this VPN client on their devices?
So there's this loss of productivity when you're dealing with that.
And then there's also just the loss of speed when users are traveling away from, say, the corporate headquarters and dealing with that.
But then finally, these are at their core and most importantly, security products.
And in a traditional VPN model, when you're on that private network, it's almost always you're going to be able to reach something you should not be able to.
And if you're just an employee who stumbles upon it, hopefully you raise a ticket and report that.
But if you're on the private network and you're someone malicious and you're able to reach data or applications, you're able to cause a security incident at that company.
That, of course, is going to cost significantly, both in terms of lost time, potentially lost customers.
And so with a product like Cloudflare for Teams, particularly its VPN replacement, you can now have comprehensive security that's faster for those end users that makes that experience of your first day or managing the VPN so much better.
But for your security team also gives them much more granular control over the resources that they are protecting, as well as much more visibility into auditing potential events that could have occurred.
So it's both faster and easier to use, but also for your security group, something that's much more comprehensive.
So for Cloudflare, which has built most of its business on protecting, as you say, kind of the public facing Internet, why is Cloudflare now deciding to get into internal enterprise applications?
So when Cloudflare first launched, if you had a website on the Internet to keep it safe, you had to buy pretty expensive hardware and then maintain it.
And you had to buy hardware that could scale with the peak of your demand or also, in some cases, scale with the DDoS attacks that could be lobbed against the infrastructure that you were maintaining.
And but most of this infrastructure was serving, like you said, a wider audience.
And Cloudflare began by moving that hardware into our cloud delivery model, into our network, so that you could just focus on running your infrastructure and running your web property, and we could focus on the security of it.
But by moving it into our network and with how distributed that network is, we could also make it that much faster, both by bringing it closer to the end user, but also more intelligent routing around how that traffic was being served.
And so the result was this very large, very well distributed, very sophisticated network that, in this case, was obsessed with protecting and improving the performance of your infrastructure.
But we within Cloudflare are really excited about thinking through what types of problems can we solve with that network and how unique that it is.
How can we take the experience that, in this case, the people managing these web properties and their own customers and audience, where everything was faster and safer, how can we take that experience and apply it to solve other challenges?
And one of the challenges that both we internally at Cloudflare and we started to observe from our customers was, this is fantastic, but what about the way that my employees work?
What about the SaaS applications that we use that we're having to send traffic bound for box.com all the way back through headquarters?
What about the internally managed resources where users are having to hop on a VPN to deal with that?
And for us, a lot of these problems can be solved by just applying that distribution, that scale of our network, and doing the same thing that we did for infrastructure by bringing the physical hardware and the types of cumbersome management of that security and performance hardware into our network.
And making it that much better, we can do the same thing for the types of hardware and other types of applications that protect users and employees and how they navigate the internal business apps that power that organization.
And so we're really excited to begin to point that network at this new type of challenge, but we're really fortunate that it exists, that we're able to move so quickly and deliver something that's this fast and this safe for those users because it builds on everything we learned protecting infrastructure.
I think that's all we've got time for, I'm afraid. Sam, thank you very much for joining us, and thank you for tuning in.
Be sure to check out the rest of this series to get more insights on the state of cloud security today, and we will see you next time.