Zero Trust Week: Cloudflare CIO and CSO Panel
Presented by: David Harnett, Joe Sullivan, Juan Rodriguez, Evan Johnson, Annika Garbers, Sam Rhea
Originally aired on October 18, 2021 @ 2:00 AM - 2:30 AM EDT
Join Cloudflare's Chief Security Officer, Joe Sullivan, and CIO, Juan Rodriguez, along with Cloudflare product managers in a panel discussion on Zero Trust security.
Transcript (Beta)
Welcome to Zero Trust Week and I'm delighted to have a panel discussion here to kick off the week.
So Zero Trust Week is an exciting week for us in Cloudflare. It's a week of product launches and announcements in the area of Zero Trust.
It started this morning with the announcement of Cloudflare One, which brings together a set of products that we have inside of Cloudflare across Cloudflare for Teams, which includes Cloudflare Access and Cloudflare Gateway, but it also includes Magic Transit and Cloudflare Network Interconnect, and it's a really amazing single platform that we're delighted to announce today.
So the panel discussion I have here is first of all I'm David Harnett.
I'm Director of Product Management for Cloudflare for Teams.
I'm joined by the panel here: Juan Rodriguez, who's our Chief Information Officer.
Delighted to have you here today, Juan. Looking forward to some funny stories.
Joe Sullivan, Cloudflare's Chief Security Officer.
Great to have you, Joe. Evan Johnson, who certainly has lots of stories. I've heard a few of them before.
He's the head of our Product Security Group. Annika Garbers, Product Management for Magic Transit.
Delighted to have you here today, Annika.
And then Sam Rhea, who really is our Head Product Manager, Director of Product Management for Cloudflare for Teams.
He started with Access but now is managing Gateway and our browser isolation product and really has a great view across all of Teams.
So delighted to have everybody here today. Thank you for joining me. So we'll go to our Brady Bunch view and I'll stop sharing this slide.
So first question that I'll tee up for this panel is we have this panel because we've got product experts here and we've got our internal CIO organization, security organization.
The reason we have that is because we come up with products in Cloudflare by using them ourselves.
We solve problems for our own organization. We always use Cloudflare as the first customer as we call it inside the organization.
So teeing that up there, what does that partnership mean to you?
And I'll go around to everybody. What does it mean in practice?
I'll start with Sam and we'll see what Sam has to say. To me it sounds like something.
It sounds like in our Austin office, I used to wear cowboy boots originally in our Texas office, and when we were building what became Access, whenever I would have a question, I would kind of slightly jog across to the other side of the office to talk to our security team. There's members of our security team across our offices, and there's a few in our Austin office, and they eventually made the comment that they could tell how interested or urgent the question was about what we were building by the sound of my horse hooves moving across the office. And I think that really, I love that story because it speaks to just how much we get an opportunity to lean on the security team and the IT team at Cloudflare, to the point that we would jog over if we're excited about a question, because they are internal experts that are both keeping Cloudflare safe and also telling us what we need to do to keep Cloudflare safe. And it manifests itself in other funny ways.
Just last week, one of the members of our solutions engineering team was talking to a customer about keeping session cookies secure in the browser, and they discovered a new feature that we had added to Cloudflare Access that helps make them safer. And the customer and the solutions engineer were really excited about this, and what was really fun for us is that that feature came about because a member of Evan's team asked us, hey, could you take a look at this, because we use Access internally, of course, and we were thinking about ways to make it even safer. And we built it together across those two teams, and then just a few weeks later a customer discovers it and is excited about it.
So it's both an opportunity to learn from experts and have kind of a super team if you will, a kind of super rock band of people solving these problems and then it translates into real customer impact and that's what's so fun about it for us on the product side.
That's awesome. So let me open the same question to keeping on our theme of starting with the product group.
Annika, in the Magic Transit group and working on Cloudflare Network Interconnect, what does that mean to you to work with organizations like Joe's and Juan's and Evan's?
Yeah, absolutely. So with Magic Transit, we launched about a year ago or a little over a year ago, Cloudflare Network Interconnect around a month ago now, but the underlying technology for both of these products has been around since kind of the beginning of Cloudflare.
When we were sort of looking at the vision for Cloudflare and how we knew that we wanted to architect our network and build it out, it was really important to us to have a really scalable way to protect our network from DDoS attacks without sacrificing performance. And the existing solutions that we had, which were sort of hardware boxes located in data centers or cloud scrubbing providers that would send traffic around to sort of different locations for dedicated scrubbing, neither of those solutions really made sense for us. And so our denial of service team built this system in-house to protect our entire network, and then over time we heard from customers like, hey, we really like the things that you're able to do for us at Layer 7 with Cloudflare's CDN and Layer 7 DDoS products, can you actually provide this to us for our entire networks? And we sort of looked around and realized that we had built this incredible product to protect our own networks, and so that's essentially what Magic Transit is.
It's just exposing this or giving this to our customers so that they can use it on their own.
So we really relied on the technology that we built through that entire, you know, 10 years in the experience that our denial of service team had gathered in building out these systems to protect our own network, and with Magic Transit we're giving that to customers.
Awesome. So now on the internal side, who wants to go first?
Evan or Joe or Juan? I'm happy to go and pick up.
To me, it's been really fun deploying Access and a lot of the Teams products here at Cloudflare.
Getting to see, one, how the sausage is made on the newest, latest and greatest features and products that they're working on, but also it's really cool to be a customer of a product where you have product managers that you're working so closely with who can directly change the product.
So we're on the security side trying to make Cloudflare more secure and by extension our customers more secure.
When I go to Sam, for example, and say we want Access to solve this problem for us and make us more secure, he has first-hand knowledge of what it's like being a Cloudflare employee and why that's so important to our customers, and so he takes our word and our needs really seriously. And because of that, I think that there's not much fluff in the product. Like, it provides a real security benefit, and it's always something that's solving one of our needs that they're working on.
So I've had a blast deploying Cloudflare for Teams at Cloudflare and also helping try to make it better and helping influence Sam and the direction of the product to continue to be something that's solving security problems, real security problems.
I love seeing, with that Evan, I love seeing when we get a list back of P0s, P1s, P2s for upcoming products and then the P0s are Evan's suggestions.
So the team is always like those are the first things we're going to do because it's going to be the best product.
So Joe and Juan, as execs in the company, it must be a big part of your role.
We're in customer advisory board meetings together, you advise on how we should build these products.
From your perspective, tell us a little bit about that partnership across the product teams.
Well, from where I sit, I experience it in two different ways.
As Evan was talking about, when you're running a security team, you try and solve security problems day in, day out and the typical analysis, once you find a problem, is build or buy.
And you look to the market, is there something you can buy?
And if there's not, you try and figure out how to build it yourself.
Typically, you have to build it on your own security team and so it's trying to take away the resources from firefighting or whatever else we're working on and do engineering work ourselves.
And then, of course, you have to maintain whatever you build. Being able to turn and see people like Sam across the office and talk to them about our problems and have real product teams and dedicated software engineering teams excited to build what you want is pretty much unprecedented in the world of security as far as I'm concerned.
And that has this other secondary impact for our team, which is the cultural impact.
We feel when you're in security, you're just playing defense all day long.
And the idea that you get to actually be part of innovation and the excitement that comes from building something and being part of it, it's such a positive energy for the team.
When we identify a security problem, we don't think, oh no, how are we going to solve it?
We think, yes, we can solve it with our product and engineering partners.
Yeah, so just to add a little bit of a different dimension to some of the other points that Joe and Evan and Sam made.
So one of the things that Cloudflare IT has a very close partnership with a security team, right?
I mean, you and I speak like every week and we have, I mean, you take a look at our projects, they basically, we have a lot of projects together.
But one of the things that happens when you're deploying security solutions, especially in technology companies, is normally there is some kind of trade-off that you got to make.
And normally that trade-off tends to be around experience or something like that.
I have a good friend of mine that I've known for many years and he used to work in military intelligence.
And he had like these things like, you know, if it's secure, it's got to be painful.
And if it's not painful, it's probably not secure.
And one of the things that also happens, you know, internally is like, you know, when you got to deploy security solutions, normally, as I said, you know, experience takes like a backseat.
And what has been amazing with Access is, and I tell this to everybody that talks to me, whether it's customers or prospects and things like that, is like the experience, once we put a service behind Teams, you know, the Access components, it's incredible.
I always say that, you know, once you have basically used that experience of, you know, a Zero Trust solution with a service that you used to have to connect with VPN and things that are basically without our own product, you know, there's no going back.
So, you know, when it makes our discussions, you know, with our internal customers, you know, with Joe and Evan and myself around, you know, when we got to secure an application, we're going to put it behind Access or anything like that, very, very easy, because people normally, you know, they are like actually pushing us to do that, right?
Because the experience is so much better.
So, you know, to me to be able to basically work on these things with Sam and you, David and Evan and Joe, I mean, it just puts us well, because, you know, you can almost have your cake and eat it too, right?
You can deploy the state of the art security solutions, and then at the same time, be able to provide also an amazing experience for our employees, you know, regardless of where they are.
So yeah, it's been a great ride so far. That's great. Thanks for everybody's perspectives.
It is such an important thing in the company. You know, I joined in January and with the acquisition of S2 and really just haven't seen this type of partnership before where really everybody is just on the same team and working on coming up with the best product.
So that's great. Let me tee up another question about the announcements this morning and Zero Trust Week.
So this week, we've got product announcements all week across Cloudflare for Teams.
But we also have product announcements for Magic Transit, which is really exciting.
And then we announced our platform today, Cloudflare One.
So let me start with Sam. So Zero Trust architectures and Zero Trust security with Cloudflare One.
Why is it so important?
What did we announce this morning? And what does it mean for you as a product manager for Cloudflare for Teams?
I love something that Annika said earlier where, Annika, you mentioned giving our customers the same type of DDoS security that we had built for our own data centers, for our own services.
And so much of the pieces of Cloudflare One, I think, come together and say, we've built these different components, these different features, because we have our own problems running Cloudflare as a network.
Cloudflare is both a company with issues with goals around security that we wanted to solve.
So we built things like Access, a company that has a network that we want to keep available and secure.
And now we've productized that with Magic Transit.
What it all kind of sums up to is, what happens when your old corporate network can, then the problems that you were attempting to solve with it with physical appliances or MPLS links and other vendors of the sort, what happens when those can just learn from what Cloudflare's network has built out to solve those same types of problems at our scale that we can now offer into a single platform?
And it's really exciting for me because all of the DNA and everything that we've built in Cloudflare One really has taken shape over years of solving different kinds of problems that we've seen with security and connectivity and availability on the Internet.
And it maps well to a pretty significant change that's happened both to us as a company, but to a lot of companies.
The applications that our customers use and the applications that we use here at Cloudflare are increasingly living outside of your old castle-and-moat model, outside of your data center.
And even more radically, you can of course tell, even though we've got fake backgrounds, and Evan's is pretty good with the San Francisco office lava lamp, we're all at home.
The way that people work actually reflects a distributed Internet, probably closer than it ever has in the past.
And so to keep people productive, to keep people secure, to keep data from leaving the house, you need to map this distributed applications on one side and distributed users on the other with a network that's equally distributed, that's capable of handling that scale.
So on the Cloudflare One side, I'm really excited about that.
What it means for the Teams products, and again, I'll quote Annika, and then I'll turn over to her, is earlier today, we were talking about some of the features that we're announcing later this week, and Annika used the phrase, and I'm probably misquoting, what can we do to make this part of Magic Transit better for Teams?
And so it's really exciting for having been on the Teams side for a while now to get to kind of more, to craft something together with our friends on the problems.
So Annika, though, can probably speak much better and much more detail about what it means for our networking product set.
So with that as a tee-up, Annika, what does it mean?
Zero Trust, and Zero Trust broadly, Cloudflare One is really what our customers have been asking for, both the networking side to connect their networks with Cloudflare, but also the end user security side, which is Cloudflare for Teams.
So from your side, from the Magic Transit group and the networking side, tell us what you think about the announcement this morning, why it's significant and playing on some of the things that Sam just talked about.
Yeah, I mean, when Sam and I have been talking and other folks from the product team have been talking to customers recently about this sort of vision, how all these pieces are going to come together, the thing that keeps resonating with me in the story that customers have told us is that because of this fragmentation that Sam mentioned, running an enterprise network is really hard.
We hear from customers that use a ton of different tools, legacy systems, they have boxes that have been sitting in data centers for 10 years that no one really knows what they do anymore.
Sometimes folks buy things because they think that they may need them, but are not really sure.
And so managing all of this is just a nightmare.
And so what we hear from customers is they just really want one place where they can set policies and have visibility across their entire network, which is their devices with Teams, their data centers, their branch offices, and not have to worry about juggling all of these different tools, all these legacy systems, this kind of patchwork of different solutions that when put together are really kind of imperfect and leave lots of gaps in visibility and understanding of what's going on in your network.
And so I'm really excited about Cloudflare One because I think it really is going to deliver that vision and what customers are asking for.
Magic Transit protects your infrastructure, Teams protects your devices, Cloudflare Network Interconnect gives you a secure connection to Cloudflare's network, so all of that traffic is even more secure and reliable than otherwise.
And then also, as Cloudflare's network continues to mature and as we continue to expand it and build it out, every single one of those products will benefit and grow as we scale our network.
So yeah, just a lot of exciting stuff, and I really can't wait to see how we can continue solving problems for customers.
Great. And Joe and Evan, as the Chief Security Officer and Head of Product Security, what does Zero Trust mean to you and for this morning's announcement?
Same question to you from your perspective.
Yeah, I'll jump in.
I think for a long time, Zero Trust has meant confusion for the security community.
It's meant complexity, it's meant change, and all of those things are scary in the world of security.
A decade ago, companies had everything behind this kind of centralized network, and it was easy for those teams to envision a firm perimeter around everything.
And then that suddenly went away with the reality of the cloud and with the reality of remote workforces, people taking their laptops home was the start of it.
And it's just continued and continued to evolve.
And I've started to think of it as an opportunity to get better at security rather than a place to panic, because what we're finally getting to show the world is how you can bring back together devices and network security and authentication of individuals in that environment.
And so I think, yeah, Zero Trust is a scary term, but it's also an exciting time, I think, when you see products like ours coming out.
Yeah, that's the perfect answer. I remember early on when Joe and I were working together and working on identity and access management, we did some calls with other peer companies of ours, and they listed 25 different vendors that they had and how every segment of their different employee population had interacted with different vendors for different things.
And that's just on the SaaS side and not even going into security of all of your different networking protocols and how your corporate office fits in to your identity.
There's so many different vendors that all do just one tiny sliver. It can be really hard to even understand how does this fit together to be secure.
And so what's really exciting for me about Teams and our announcement today, Cloudflare One, is we have a cohesive vision of how all of these things, we can just put this little one layer of security on top of everything.
One cohesive layer to secure all of our different things from the network to our SaaS applications to our internal applications inside of our old corporate VPN that we're shipping away, removing.
So it's definitely the confusion aspect and getting rid of that is what I'm excited about.
Yeah, if I could jump in for one second. It's kind of like, from listening to Evan, it's kind of like with the fragmentation of security tools in a Zero Trust environment, the parts became more complicated and thus less than the whole, and bringing them back together makes the parts more powerful than the whole ever has been.
So it's kind of like a really powerful thing. Yeah, absolutely.
We often use the expression one plus one equals three in Cloudflare, but definitely bringing the whole together, it's much more powerful than the components.
Juan, you always have a great perspective on user experience and asking you the same question about what Zero Trust means to you.
Talk a little bit about when you're managing an organization where you want the end user experience to be something that will be accepted, will be smooth, but also a little bit about the administrator experience.
Like every day when we're rolling our product with you, you're always telling us how to make it more simple, not only for our end users, but also for your organization as our first customer.
So tell us a little bit about Zero Trust and user and administrator experience.
Yeah. One of the things that when I talk to customers or when we talk with just people that I know in the space, it's like not every company has sort of the luxury, if you want to call it that way, to have a Joe, an Evan, a very dedicated and high caliber team of specialized basically security experts.
And in many cases, you have more either like a team of generalists or somebody that basically they just know enough about the domain, but they're not like a complete sort of expert.
So what Joe and Evan were mentioning about like this fragmentation basically of tool sets for everything, it's been a real problem from an IT point of view for many, many years.
And I think that this consolidation basically for the administration of all those assets is incredible.
I mean, I remember I had in my previous company, people that knew how to manage, for instance, the firewall, people that know how to do like basically the VPNs out of the house, people that knew things about identity, but you didn't have sort of like one place, if you want to call it that, where you can manage policies, manage a centralized set of rules around filtering or things like that, and also access to applications or role-based access controls, things like that.
So from an administration point of view, obviously things like this, especially if you have, like I said, a more generalist IT type of shop, makes things very easy from a single pane of glass, if you want to call it, to manage this.
And I am a firm believer that at the end of the day, integration and simplification basically tends to win over speeds and feeds, and certain things are more like things that may be like a little bit more best of breed like solutions, if you want to call it that way.
And then from a user perspective, normally, I mean, you will see like you will have to have in the end points or things like that, where you'll have like a mobile or a laptop, four or five applications that you may have to install in each one of those devices to manage a specific thing, something maybe like for URL filtering, some of it maybe to access the VPN, some of it to be like maybe for something else.
So I think that the more that you can basically deploy at the end point that makes just that experience transparent to the end user, that basically they're getting access to the resources that they want, they don't have to worry about whether like, okay, this is a SaaS application, I got to connect this way.
This is an application that I hosted in like a more like legacy data center, I got to connect this other way.
All that stuff is basically something that they don't, you know, they don't have to worry about.
They don't have to worry about like what application they use, etc, etc.
I think it makes for that experience, you know, much, much better. And then, you know, obviously, when you have a distributed network like or cloudcast, regardless of what people are working on, you know, that basically entry point being very close to the user makes for great performance.
And that's another one of the things that I always say, it doesn't matter how functional it is.
It doesn't matter how pretty it is.
It doesn't matter all that stuff. If things are not fast, they will suck.
So, you know, being able to at the same time, you know, of that simplification also be able to provide like great performance.
I mean, I think it's like an incredible benefit for, you know, in this type of work environment that we have nowadays, which everybody's very distributed.
So, that's kind of like my perspective on it.
That's great. That's great. Thank you. Thank you, Juan, for that.
So, we've got about one and a half minutes left. And I'm going to throw out just one last question for anybody who wants to answer.
We're not going to go around to everybody.
But this is a bit of a fun question. And I will cut whoever answers off at about 15 seconds to go to do a quick wrap up.
But any horror stories about how security failed you in the past or networking failed you in the past, and how our Zero Trust solutions may actually be able to prevent that or fix that today?
Just throw it out to anybody who has a concluding story for us.
I can think of a lot of horror stories.
But I'll jump in with one. You know, when the network perimeter started to devolve, a lot of the applications that were built to be inside the enterprise and not facing the Internet were suddenly exposed.
And I saw so many problems.
Like, I still think about them, because we built these applications inside our companies.
And we never thought that they would suddenly be exposed to the Internet.
And all of a sudden, you know, coding vulnerabilities that you never imagined being an issue or identity vulnerabilities, all of them got exploited.
And it happened across lots of companies all at once, as we got the, as companies were getting the courage to open up their applications to the Internet, they found that that was a bad idea.
Okay, we're gonna, we're gonna wrap up. Joe, we're gonna have to have a separate session on this, because it's so interesting.
And I teed up a question with very, very little time. So we're gonna wrap up.
Thank you for everybody for joining. This has been a great session, kicking off as Zero Trust Week.
Sorry for cutting you off, Joe. See everybody next time.
Bye, everyone.