🌐 Democratizing Access to Zero Trust with Project Galileo and the Athenian Project

Hello and happy Impact Week. Today, this week at Cloudflare, we're celebrating all the ways in which Cloudflare's Network helps organizations around the planet work together to build a better Internet. Today, Jocelyn and I are going to be talking about projects Athenian and Galileo, to really wonderful programs that Jocelyn is going to be sharing a lot more detail about. My name is Sam. I'm the VP of product for our Cloudflare Support zero trust products, which are everything, everything that organizations need to keep their organization connected and secure. Jocelyn. Hi. Hi, everybody. My name is Jocelyn. I'm actually a program manager on our host policy team, which all of our impact projects are under public policy. So we have a ton of different projects at Cloudflare where we provide free upgraded services to the nonprofits of the world, journalists, human rights organizations. We have a lot of election work, so we work with state and local governments. Under the Atheneum Project we have Cloudflare for campaigns, which is dedicated to political campaigns. We have Project Pangea, which is connecting community networks and many other types of projects. So really excited to talk about some of our offerings today and how organizations can get started. That is a just before we dive into what those programs focus on, that's a huge scope. That's a lot of different things going on. What is an average day look like for the policy team at Cloudflare if that even exists? Yeah. So I think when it comes to the public policy team, we've kind of segmented ourselves out into our impact side. So we have a really great team that focuses on like how can we create new projects, how can we have new products that are able to that organizations can use? And we think a lot about that on the impact side. And also environmental social governance really falls under our team. For me, a lot of my day is working with organizations, trying to get them on board into Project Galileo, thinking about how they can use our Cloudflare products, working with different election entities to talk about what types of benefits they can have from Cloudflare, talking a lot about the issues that they're facing. So trying to figure out if it Cloudflare is a fit for what they need. And also a lot of it is internal advocacy about our projects and trying to figure out if people internally have ideas about different types of projects they want to start, because I think I started Cloudflare about three years ago and one of the things that I've learned about how we start new projects is basically somebody at Cloudflare who has a background in something completely different will come to us and say, Hey, like I used to work at like a community hospital, I saw that we had these problems with cybersecurity. Like we have a product that might be able to help with this, like can we figure out how to launch this? So I think a lot of it is talking with people internally to think about like, can we start new projects? Do we have new products coming down the pipeline that might be have the ability to help like a human rights defender in a specific country? So I think a lot of it is the external engagement with different organizations and also the internal engagement of like how do we use our products for good? And to that, to your point about external internal engagement, I know that one thing I really enjoy getting to do our interviews with candidates who are interested in joining Cloudflare and consistently one of the things I hear the most from them when they talk about why they want to join Cloudflare are projects, Galileo and Athenian. So I have the benefit of getting to hear a lot about those. But for everyone out there watching, what are those programs? Yeah, I always love to hear when people are like, Oh, I wanted to join Cloudflare because of Galileo. And I think whenever I first started, Michelle said I had the best job at Cloudflare because she was like, Oh, you get to give our products away for free to really great organizations. So like I will say, I think I have the best job. But so when it comes to our different projects, the first one that we started was in 2014, and that's Project Galileo. And the idea of Galileo is that we actually work with about we kind of segment organizations into two different groups. So we have our civil society organizations and these are basically our partners. So these are really large civil society organizations that we work with every day, and they're actually the ones that decide which types of organizations we should protect under Galileo, because for us, we're not necessarily the experts in foreign policy or human rights or should know we shouldn't. How should we know who we should, providing these free, really powerful services to and also our civil society partners like they have offices on the ground, they work with individuals specifically, and they're really there to be like, yeah, you should be providing these services to these organizations. So we work with about 50 different partners every single day. Like we have this interaction with them. I send them applications that we get from smaller organizations. So there's a lot of collaboration on how we provide our clubs, our services. To the non-profits of the world. The other organizations that we work with are actually the ones that are protected under Galileo, So they're the ones that are receiving our Cloudflare services. Once, once the partners have helped identify them. Yeah, once the partners can say, Yeah, this organization's great, they should definitely be under Galileo. I work with them to get them on board and help them with any issues that they have and kind of set them up for success under Galileo. To give you an idea, we started the project in 2014. Right now we have more than 2000 organizations in 111 countries under Galileo. Wow. So it's been we have. And if you think about it, like every single domain we have under the project has been approved by one of our partners. So like that collaboration, I think, is really essential for the success of Galileo. And what are the I know Galileo works with all kinds of organizations. What are maybe the more common organizational types? What are the fields that they are focused on that comprise the Galileo cohort? Yeah. So specifically for Galileo, it's really interesting because we'll have a range of organizations and when I say like we work with a lot of nonprofits. We work with a lot of human rights defenders. We actually don't necessarily have a set criteria for Galileo because all of our partners are the ones that are deciding. So for example, during COVID 19, we had a lot of organizations that were applying that were like COVID health tracking apps, and they don't necessarily fit the mold of like, this is a nonprofit or like this is a journalism site. So we were seeing these applications and we were like, okay, yeah, let's send them to our partners and see what they think. And they were like, Yeah, like of course this type of website should be receiving higher services because they are getting thousands of requests a minute, let's make sure that they're protected. So I think like one of the great things about Galileo is that as kind of events go on around the world, like we're able to adapt to some of those changes like really quickly and figure out like, oh yeah, we can provide these services to this COVID tracking health app because our partners are like, Yeah, we should be providing these. Services and do those. Have you seen those services evolve in your years here? Were they originally very focused on things like details, mitigation and now there's other types of challenges that they need to solve. Like what? How has that changed over time? Yeah, So I think for me, I started here at Cloudflare about three and a half years ago. It was very much focused on the DOS attacks. A lot of organizations were looking for a web application firewall like very much the website facing types of products. And I think as Cloudflare has grown with its product set, we've been able to kind of mold that to Galileo as well. And I think that's why it's really exciting for Impact Week that we get to provide our whole zero trust suite to project Galileo and our election entities under the Atheneum project. So I think that as we progress as a company, we think about like, okay, we see that these large corporations and companies are using these Zero Trust products, like those same types of companies. Nonprofits are having the same types of problems probably even more. And they probably they only have like maybe one i.t person to be able to help them figure out what that looks like for their small nonprofit. So I think our expertise and being able to provide these types of services is really powerful that community. Making it accessible to them. Yeah, it's all about accessibility because when you talk to a nonprofit, it's so like the past couple of months we've been talking to a lot of nonprofits to be like, okay, how do we provide not how do we provide Zero Trust products? Like we're making this announcement, We want to make it easy. What's the best way to talk about these types of products? And I think it's like being able to talk with people internally, like on the Zero Trust side of like lessons learned on how you onboard folks and then also thinking like externally with our civil society partners being like, Hey, we have this product, what do you all think about it? Do you think it would be useful for human rights defenders that you work with? So I think that your expertise as well is really valuable whenever we think about Galileo. Oh, I would love to. For both selfish and genuine reasons, spend some more time on zero trust, and I know we will in this conversation. But before we kind of move into what was being announced today, you also mentioned Project Athena. What is that? How does it compare to Galileo? How is it different? What is it then? Yeah, yeah. So the project was started in 2017, and the reason why that was started is because during the 2016 election, there were there was the FBI actually reported that almost every board of elections in the United States was scanned for SQL vulnerabilities. And I think one actually county went down due to it. And for us we saw this. We're like, Hey, we can provide these types of services really easily. And so we. Started it in 2017. And the idea was that we'll provide our highest level of protections or enterprise level services to state and local governments that run elections. So if you think about A in the US specifically, we have a very kind of a different way that we do elections. A lot of it is very segmented. So like in each state, each state does their own types of elections and then each county will also do their own way that they do elections. So no county does it the same, which is a very decentralized system. That sounds really great in practice, but when you look at it through like a cybersecurity lens, there's not necessarily a lot of like best practices. Coordination about. Coordination nowadays. I definitely think there is. And like we've seen this during the midterm elections a few months ago, but a month ago, time goes by fast. But so with the Atheneum Project, the idea is that we'll provide our highest level of services to government websites that have like election information. So like if you're registering to vote or if you're posting election results or like polling place location and a lot of it is like is really based on the idea that like in the election, security, like trust is the most important part of a democratic election. And let's say you're trying to find your polling place and like you're on your phone and you're looking at your county and like the website isn't loading. And like one way to kind of erode that trust is by like people are going to assume like, oh, no, like somebody took that China took down the website because they don't want us to have democratic elections or they don't want you to vote. So the idea is, is like we just want to be able to give the tools to state and local government so they can really focus on making sure the transparency and like focus on making sure that they have so much to do anyway in the election space, like let's make sure their website stay online. So that assumptions don't become rigid. That makes it fun. That's really neat. I know as an American living in Portugal, I rely a lot on those websites to figure out how to vote from as an expat living abroad. So that's really wonderful. What percentage of your time do you spend with Galileo? You and the policy team and the impact team versus Athenian? Is Athenian more kind of around the cadence of elections and Galileo's ongoing, or how do you all kind of divide up the time that you allocate? Yeah, so it can be it's interesting. I think Galileo is definitely like all the time. There's always something going on with Galileo. Some new announcement we're trying to make or new products we're trying to announce with Athenian. I think we do. We onboard a lot of organizations or a lot of state and local governments. So for example, we have about 350 that we protect under the project right now in 31 states, and a lot of that is helping them get onboarded and then also helping with after the fact, like if they are interested in new types of products, like we got many requests for like zero trust products before we made the announcement and we kind of had to take that internally and say, you know, like, how can we do this in a responsible way? So we're helping the county more than instead of trying to they're trying to figure out technology that might not make sense for them. But I think with our Zero Trust offering, it's one of the things I am not a solutions engineer. I studied international relations, that was very much out of my wheelhouse. But I feel like I can go through our documentation and think like, oh, I could. I feel like I could set this up for a nonprofit and at least give them a little bit of guidance, which I think is really important when you think about offering zero trust products to smaller organizations or counties that might have one I.T person working for like three different counties. So I think when it comes to during election times, I think it's definitely all hands on board is like for so many people at Cloudflare who are answering support tickets, right. Who are helping participants on. Board if the minutes of uptime matter. Yeah, exactly. So it's kind of all hands on deck during election time, but we're onboarding state and local governments constantly and we're actually expanding. We've expanded it outside of the US to think about like how we can provide these services to other election entities outside the US because, you know, we're a global company. Election security is a global issue. It's not just the US that is having these problems. And you mentioned you're not a solutions engineer, but I think there's probably no one in Cloudflare who's onboarded more customers to products than you single handedly. But that said, how do you decide when to bring a product into the offering that is for And you mentioned making sure it's reached a point where its applicability or usability is relevant to these organizations. But what's the what's the process? What's the definition? I think there's a couple of different processes, and I think that one of them is we come out with products all the time. It's like it's like every week I'm reading the blog and I'm like, Oh, this one's new. That's coming up. And some Galileo organization will come to me and they'll say, Jocelyn, can we use this new product? And I'm like, Let me read about this new product that came out this month. So it's kind of like really having to keep up with what we're doing. And a lot of it is kind of talking with product managers and asking them if, like as a product comes down the pipeline being like, Would you want this under Galileo? What is your One of the things I really like to ask product managers is like, what is the ideal organization or environment for you to use for like, what would you want somebody to use this product for specifically in the nonprofit space? I know, like there's a lot of people at Cloudflare who have worked in either small businesses or non-profits or even like global health organizations, like they have so much expertise. And I really like hearing their own kind of personal take of like, oh, when I worked at this nonprofit, this product that we're that's coming down the pipeline would have been really useful. So I think like getting that type of feedback from product managers as products are coming down, the pipeline is always really nice to see and action and matching it up and figuring out like. But then the other side of that is like whenever we want to provide these types of products, there is a huge learning curve, especially in the nonprofit environment that we try and figure out like, okay, how do we kind of like for Zero Trust, for example. So we launched a Cloudflare impact portal. So it's basically a website that's dedicated to organizations and their Galileo opinion campaigns. Panga About like, how do you get started with Cloudflare? What are the best practices? And kind of we started this whole Zero Trust section with videos from engineers going over what it looks like to onboard different applications or like talking about like what a secure web gateway is like in a nonprofit environment. So I think having material and like being able to kind of relate with an organization makes it a lot easier to talk about how useful the products are. That makes perfect sense to me. And it's really fascinating because you were mentioning this earlier that we built a lot of these products to solve the security challenges of some of the world's largest organizations. But those are some of the exact same problems, if not even more so, that these groups that you are working with face every day. And we have CIO Week coming up in January and we're working on some materials for CIO Week talking to an types of organizations that have dozens or hundreds of people responsible for maintaining these systems to protect against these attacks. Whereas a lot of the Athenian and Galileo organizations, I assume it's maybe like you mentioning one person and rotating through different kind of nonprofits or counties and things like that. So it's a really fascinating challenge. What about the announcement today? So tell us what that means. Tell us what's new. What just changed this morning? Yeah. So originally what we offered under Galileo and Athenian was really kind of our web security type services. So the DDoS protection web application firewall encryption. But we've kind of moved into this new world of like we there are remote workers and nonprofits are distributed nowadays and there's this huge push for, for Zero Trust and the we got a lot of requests from organizations and we were like, How do we do this? How can we provide these types of services in a responsible way? And I think we've really figured that out with our announcement for Galileo and FTN. So really the announcement is that we are going to provide our full Zero Trust suite to organizations under Galileo, existing organizations and new organizations that onboard Galileo and also the Atheneum Project as well. So our Zero Trust offering is Access Gateway, Remote Browser Isolation, Data loss Prevention, CASB and Area 1 Security. So really the full suite of products. A lot of products, a whole lot of products to a lot of organizations. But I'm curious how on the Zero Trust side, so how would you kind of describe these types of products to a nonprofit that might be a little intimidated when looking at the, the complexity of cybersecurity. Environment, all the things to install and set up. So I think about them in kind of two broad categories, and I think this is applicable to the Fortune 500 and small teams everywhere. There are the tools and the services that you use that connect your employees to the resources in your control, right? That make sure that your employees can use that internal application that they rely on to maybe file stories if it's a journalism organization or to kind of document something that they're investigating or reporting into. So making sure that organizations have a way in which. They're users. Whether those are employees, contractors, partners can securely connect to these sensitive resources and no one else can. So there's a set of products and applications and services that together allow for organizations to both make the tools and resources inside of the organization very available to all of the users and employees and contractors that need them. This is our global network, so it's really fast. It has zero trust access, security controls built in. So by default, it's skeptical of any request or attempt to reach these resources and makes you prove that you're supposed to be able to reach these resources. So that's one big category is how do we make it so that an organization can connect to and secure all the things that their users need to do their jobs. And then there's this other kind of even scarier, more unknown category, which is the Internet. Right? One of the beautiful things about the Internet is that we can all connect to it and we can connect services to it, and we can kind of in a freely exchanged set of ideas kind of way anyone can be on the Internet. But the challenge there is that anyone can be on the Internet. And so there's a lot of threats out there that I know organizations you work with, enterprises everybody faces where using the Internet itself is both necessary, of course, for almost every team in the world and a huge risk, a huge liability, because that same Internet that might have the research that you need to do or the emails that you need to send to partners and other regardless of what your mission is, you still have the same challenges and threats of potential phishing attacks, potential malware coming back in your organization, people trying to steal and exfiltrate data from your organization. It's kind of like when you leave your apartment, you think, Did I leave the oven on? What happens when you leave your SAS applications and think, Wait a second, did I leave that Google sheet public or just shared with my organization? So there's all kinds of risks and liabilities that make using the Internet itself potentially really hazardous. So what we want to do with this second category of products is make it so that every organization on the face of the Earth has a fast performant connection to the Internet without worrying about what that also means to them from an attack perspective. So category one, make sure everything can connect and everyone can connect securely. Category two Make sure people can use the Internet in a way that they need in a fast performant way without inviting and bringing the risks back inside. Yeah, I definitely think as you kind of talk about this, I think of so many scenarios of organizations coming to me saying, just like, how do we do this? And I'm like, Let me find the right people that know, and I've worked with so many of our customers to be able to kind of share those stories to a smaller organization that might be able to have the same type of powerful types of products. And that's really what it is. These are what was made available today. And you kind of mentioned working with product managers. I feel almost a little ashamed because on our side we're just excited to say, yes, have whatever you want. You can use our products as much as they are relevant and applicable to your the organizations that you're serving. Because for us it's such an exciting reason thing to just say, let's take the absolute best security products that we have to offer and put them in y'all's hands to deliver and connect these products to organizations that really need them, that without Cloudflare might not have any way to go procure them or deploy them or administer them. How do we take what's the best out there and bring it to organizations of any size? So this is really fun for us on the product side as well, because we're just huge fans of what you all do. Yeah, that definitely makes sense. Do you think there's any like myths or realities you found around zero trust when it comes to like that? You might think a nonprofit will find insightful? Or have you learned something from a customer that you've recently worked with that you're like, Oh, this is what everybody should know about zero Trust in general. The first thing that I always say it's very cliché is it's a journey. There's really you were mentioning this earlier, the zero trust space alone. It's an entire industry. And so I think it's very easy for organizations of any size to look at everything available to them, especially inside of what we offer. Like you mentioned a lot of products and think, whoa, this is kind of intimidating. I don't know where to start. How long is this going to take? And what we tell large organizations and small teams alike is just starting somewhere is what matters. And so one of the big myths is that you have to deploy all of this, right, to really have zero trust security. Or you might hear this described as secure access service edge. You've got to have everything. You've got to have Browser Isolation and LP running in line in our CASB. But the reality is just DNS filtering, which would take about 15 minutes to deploy to an office WiFi router or put on your personal devices. Even that alone, such a kind of step change over not having something like that. And so what will the myth of you need all of it to really be secure? We really want to dispel that. We want to make all of it available. But what we really want to encourage is organizations just to start somewhere. Because whether it's replacing your VPN with our. Access control model, which is a little more involved in DNS filtering. But night and day difference in the security model in the organization. So really finding ways to make sure that organizations feel both encouraged and kind of invited into this idea that it's more of a journey than it is something you have to do this weekend and shut all your systems down. Yeah, I really like the journey model and I think that's something that I'm going to take away thinking about this the next couple of months, like working with Galileo organizations because, like, they don't have to do everything all in one day. Of course we would love that. But no, it is all about what fits their needs and how they're able to do it in their own time. So I really like the journey type of model. So I'm curious like, is there what's like kind of the components of the Zero Trust architecture? Where does an organization get started on this journey? So I recommend two first steps to every organization. The first I mentioned a little bit earlier, DNS filtering. So there's that second category of how do I apply skepticism to the Internet? How do I use the Internet in a secure way without or at least while attempting to reduce the potential risk that it poses to me as an organization. And so I always recommend starting with DNS filtering, because it is very simple to deploy. We run the world's fastest DNS resolver and it's the same technology that powers our 1.1.1.1 resolvers the world's fastest. Now, with all the threat intelligence that we have, Cloudflare being Cloudflare packed into a really, really powerful DNS filtering tool that takes 15 minutes to deploy on the first category, That internal access control side. We talk about this a lot, but hard keys. So the idea that you're using a second factor that is more than an SMS code that can be SIM swapped or stolen or even a one time code that can be kind of lifted from device to device. There are these physical hard keys. I know you know what these are because we all use them here at Cloudflare every day. These physical hard keys that you can build rules to say in our in cloudflare's network for internal user to connect to this system or that system, not only do they need to log in with their identity, they have to be in one of these countries. They have to be connecting from a healthy device. They also have to use a hard key. So those two steps alone, DNS filtering and requiring hard rules, incredible places to get started. But then for organizations that are ready to kind of go beyond that, in particular in the outbound filtering side, there's a lot of layers and they can really kind of advance up the layers as much as they want. So beyond DNS filtering, we can provide a comprehensive secure web gateway. So that's looking inside of the HTTP traffic for things like malware or more specific threats that are kind of hidden inside an otherwise healthy destination. And then of course our DLP. So data loss prevention product, we're scanning files that are moving across the wire through our network for PII. And whether that's malicious or accidental, I know one thing, whenever I include an attachment or an email that really scares me is making sure, wait a second, is this going the right place? Or if I'm uploading it, am I uploading it to an approved destination? This makes it really easy for organizations to say, You know what, You can only upload files to OneDrive. So you use OneDrive and you can only upload files that don't contain Social Security number. So build rules, really advanced rules like that give organizations control over their data, including inside of Browser Isolation. So our Browser Isolation product runs a headless browser in all of our data centers around the world so that instead of the kind of risk that can leap out from the browser on your laptop sitting in front of you, let us worry about that and destroy it at the edge of our network and just send down to the laptop the vector renderings that show what the web page is. So there's a lot of different ways that organizations, after just getting started somewhere, can kind of dial up the security based on their needs. Yeah. And I think like as you kind of just describe all of this, I think about it and I'm like this organizations will they don't have to focus so much of their time on like their website going down or like sensitive data being stolen. They can focus on their mission instead of like focusing on like the cybersecurity side, which I think is really like the theme of when we think about Galileo and Athenian, we want to give people the tools so they can focus on their job of like helping other people or like helping organizations, helping other organizations and putting out election information or like helping people to go vote. Like, I think that's one of the really great things about these projects and why we're super excited about like our whole Zero Trust offerings under the projects. So we share the same motivation. It's every organization has different missions, but they're all none of them want phishing attacks, right? And that's what's really fun about these products. Exactly. So it's great chatting. Yeah, Great to chat with you too. If anybody wants to find out more, just go to Cloudflare Calls. Slash Galileo or Cloudflare dot com slash opinion, fill out an application, reach out to us. And thanks for hanging out with us today. We're reporting live from the Lisbon office. So pretty special place. Wonderful. Thank you, Jossy. Yeah, Thanks so much everyone How.