Cloudflare on Cloudflare: Life as a customer zero with zero trust
Presented by: Chase Catelli, Corey Mahan
Originally aired on October 9 @ 12:00 PM - 12:30 PM EDT
Join Chase Catelli, Sr. Cybersecurity Strategist, and Corey Mahan, VP, Product Management, as they explore the immense strategic value of being "customer zero" for Cloudflare's Zero Trust products.
Discover how the entire company acts as a live testing ground, creating an invaluable fast feedback loop to accelerate product improvements. Chase and Corey reveal how their designs allow organizations to balance security posture and performance, emphasizing that a robust Identity and Access Management foundation is non-negotiable for success. They conclude by discussing how Zero Trust principles will evolve to manage the emerging world of AI agents.
Transcript
Hi, everybody. My name is Chase. I'm a strategist here on our Cloudflare security team. And today I'm joined by Corey Mahan, who's our vice president of product overseeing our zero trust product areas.
Hey, Corey. Hello. And today we're going to talk a little bit about Corey's role here, overseeing Zero Trust, as well as his perspective on our own implementation here at Cloudflare.
So, Corey, to get us started, why don't you give us just a little bit of background about yourself and then we can get into some questions.
Awesome. Yeah. Excited to join Chase.
A little bit about me. So, Corey, I've been at Cloudflare now for almost four years. In past lives, I was a security practitioner.
So, I like to tell everyone I'm building the tools that I always wish I had, leading security teams big and small and all over the globe, and kind of lean into kind of all the zero trust principles.
And then we'll probably talk a little bit about that, but building and delivering things and shipping things has always been really exciting to me.
A fun fact, my first job ever was at a data center. So I used to rack stack cable, clean sub floors.
And so now on this very SaaS zero trust world, pressing a button and it working, I have a deep admiration and appreciation for.
So I've never lost those roots. And so when we build products, again, remember what it was like to like rack and stack a cable to expand some things.
So very, very excited to chat today and lean more into kind of all things. Zero Trust.
Cool. Can you walk us through the scope of products that you oversee?
So today at Cloudflare, I help lead what we would call our Zero Trust products.
And if you were to use the analyst term, you might hear SSE or SASE, Secure Access Service Edge is kind of one framing of that, which is the bigger one, which encompasses SSE.
But in reality, these are products and solutions that help protect users, data, devices, and networks.
And so you can think about that in terms of like a secure web gateway, right?
Protecting users from accessing, maybe, malicious threats on the internet, or only allowing certain things, or redirecting them to where they should be. You can think about this in terms of, like, zero trust network access concepts and principles, right, like access products and services, whether it be to a web app, self-hosted app, or infrastructure. You can think about this in data loss prevention, right, so you're making sure all the data that's moving across those networks, all the way to services like our connector and our Magic WAN service, so that you can connect your, you know, your facilities or your sites together faster and then on-ramp them too.
So if I were to give you the actual list, it sounds like Gateway and Access and CASB and DLP and DEX and a bunch of other things. But at the heart, it's really how we apply the zero trust principles, the way that we connect, secure, and accelerate users, employees, data, and devices.
So that's like a wide breadth of products, like obviously all under the zero trust umbrella. But, you know, having all those products under you, like what does a day in the life look like? Are you primarily focusing on one product? Are you talking to customers or the internal, like what's your day-to-day look like?
I get this question a lot. And I think I've answered it differently every time because the day -to -day changes in a good way.
Yeah. I think about it very much in platform and problems.
And so it normally will find its way to a specific product.
But how do we solve customer problems?
And I'm talking with customers, which I do do almost every day, some in great ways, others in ways we can help make them better or ways we have to get better.
But in all of those, it's understanding the problem and then relating it back to the platform to then find that product.
Each day it might be a really deep dive on data loss prevention and all the ways that we need to do better, and kind of figure out things that are kind of solving the next iteration of challenges. Or it might be in a way of, hey, kind of what's new and what's, you know, kind of coming up next. And so it might be exploratory, or looking at ways that are, you know, not necessarily something that we have today.
In not just talking to customers, also talking with engineering and internal stakeholders. And so I spend a lot of time with our engineering teams. I spend a lot of time reading specs and understanding what's coming. And I tend to spend a lot of time kind of researching what else is out there.
And so not just news reports of the bad things that have happened, but kind of, hey, where does all of this information and kind of all these approaches that we're applying to the technology that we know, kind of that SSE and SaaS-y space that continues to grow, where else is it growing to that we're not thinking about?
And so very customer-centric and focused in that, hey, whether we're building something new together or solving a problem that we have, that normally leads into the platform, which then leads down into kind of the finer grain product, which then leads down into...
features. And so I would say a day in the life of this week, so, is, I won't say the day that we're chatting, but has already been a mix, a wide range, of all of those things.
And then given that mix, like how do you prioritize what gets done first? Like obviously you talked about talking with customers and then talking with internal engineering. Like when all those things are going off and conflicting, like how do you like drill in and be like, this is the most important thing to do right now?
I think there's a lot of thought around this.
I think some might think it's very much science. I think some might think it's very much art, right?
Science being like, what is the highest leverage thing or what will have the largest growth or revenue impact?
The science is, hey, no one's exactly asking for this, but if we did this, it would unlock all these and solve all these problems for customers.
I hold the firm belief that it's somewhere in the middle.
And so there's a lot of science that you can use hard data and specific kind of conversations.
And then there's kind of the art of, you know, everything around the problem, but not highlighting and finding that problem that we're going to go solve well.
And so I kind of think about it in the middle. And so how do you then make decisions based off that?
Again, it's kind of a mixed framework. And so there's a lot of product best practices out there.
I won't kind of list them all off. What you try to do is kind of think about impact and security value mixed in with feasibility.
And so, right, we might have a great idea in Cloudflare where we like to ship very quickly and be iterative.
And so what that means usually is, you know, we understand the problem very well.
What is the first part of that problem we can solve completely?
And let's go tackle that. Now, sometimes that might be a little bit longer than we'd like or might produce scope more than we'd like, but it's always getting something into customers' hands as fast as humanly possible and then looking at the impact of that, right?
Does it solve a net new risk, an emerging risk?
Does it make something good, great?
All of that kind of goes into the hopper and then kind of looking at what's most reasonable.
But at the end of the day, what kind of drives and trumps all of that is customer feedback.
And so it's, hey, there's a really big problem for us.
That comes from...
First and foremost, I know we're talking about customer zero.
That is a huge benefit of having a customer sitting across the hallway, literally.
And so that's been a very beneficial way to even talk to them internally whenever you need.
They're, you know, sometimes it's difficult to get on a customer call at midnight.
Your customer zero, too, is always there with you.
And so it's really, really great to have that kind of collaboration.
Great.
Well, that's a really good pivot into talking about customer zero. You know, we did another one of these sessions with Derek where we talked about our own implementation.
And he gave us kind of the details of, like, what we've done, like the order in which we deployed everything and the thought behind that.
But now that we're using it internally, that kind of makes you a customer of your own product.
So how has your day-to-day use of the product impacted the decisions that you're making day-to-day around these products?
It helps practice kind of, I would call, do the product basics brilliantly, right?
And so one of those is usually not over-rotating to immediate or over-time sensitive feedback.
So you might hear one thing and that doesn't mean drop everything and do it.
Sometimes it does, but rarely does it mean that way.
You look for, you know, themes.
And so using it when it's yourself, knowing you have the, you've been given the capacity and capability to say you drop everything and change that because I experienced it, can sometimes be tempting of like, hey, we should stop everything, go do that.
And so being able to, one, kind of take a step back from that. But it has been, enlightening is the right term.
I think everyone is so lucky to use their own products every day, much less have their team, much less have their whole company.
And so even the things, you know, that are, in a good way, that you don't think that you would test for or be able to run into, you get to do that because you're also using it every single day in almost all ways.
And one of the biggest benefits is that I don't have to try to go use my own product.
It's embedded in every single thing I do, every single part of every single day.
And that is like, you cannot ask for more as a product person.
Was there any, like, particular feedback that you received from the internal organization dogfooding that you weren't expecting, that was like out of left field?
And anyone thinking about running a customer zero type program, where the internal teams are obviously using and consuming the services and products you build, is that you don't expect how good the feedback will be, and perhaps how candid and direct it will be.
And so I think with customers at times, you might have to build that relationship to really hear them out.
Really tell me, call the baby ugly, if you will.
Tell me where that pain is.
That is what I'm after.
And this short-circuits a lot of that, because the team knows that everyone is trying to make sure this product is exceptional.
And so you immediately form that. You might have an issue where a customer might raise a concern.
You need to schedule a time. You need to get on a call.
You need to get engineering. You might need to go debug. This is very different because you're a chat message away from being on a meeting with someone unwinding what they just ran into.
It's very timely.
It's very fresh. It's very recent. You can recapture it. You can repeat it. And so from like a response perspective, it's next to none.
It's amazing. And then from a going forward perspective, you can see where the real sharp edges lie, because you have that data in front of you with users that you can ask at any point in time.
And so there is a huge, I did not expect that to be so impactful as I think it has been and I think will continue to be.
Yeah, I think something I've noticed being on the customer zero side of this is how eager people were to adopt like being the customer zero.
Like we see people put in bugs with, like, full reproduction steps, like logs, screen share. And I was like, that's like kind of like what we expect ourselves to do as a customer zero, like, team that's like dedicated to it, but not the broader company. Like typically we're seeing a little bit more vague bugs coming in, which are great. But I think that's been a really cool thing, is that it's not just a team of like seven people that we have here at Cloudflare. It's like the whole company is adopting this mindset, which really, like, multiplies the impact that you guys get on the product side coming back.
100%. And I think another thing to underpin there is that sometimes with security products it can be challenging to generate or to replicate real human behavior, right, at scale, and not tens or hundreds of thousands of people.
And because we're able to run alphas on a user base that is willing and able and ready to troubleshoot with you, that is a unique advantage of the whole customer zero effort is it's not something that you have to really push for.
Sometimes you have to say, okay, hang on, slow down. Let's wait on this alpha.
Let's roll this beta instead. And so you have a very fast feedback loop, which is at scale and able to have with real, you know, real human behavior, real human traffic, real human processes, things that exist in the business world.
That's not to say we don't have, obviously, advanced testing and kind of all the things end to end, but it's very, very helpful when it's actual production usage from the onset.
Totally.
One of the big pieces of feedback that I think, like, you know, any security team implementing tooling is going to have to think about a lot is the trade-off between performance and security, obviously. Cloudflare has done a really good job about balancing those two things.
But how do you navigate that space when there's a potential impact that's like internal that you can see right away?
I think it's helped push us in this kind of the age-old security adage, right, that security, performance, ease of use: pick one, they conflict.
I think at times they still in 2025, they still do at times kind of cause friction.
One thing that I've been really excited by, having customer zero programming has helped me think with customers on, is giving customers the option to make that choice.
And so building features that allow customers to make that, maybe there's, you know, everyone's friction tolerance and security posture varies.
And so what might be great for one customer, maybe you're a large financial institution versus you're a, you know, a digital media company that has very few assets, perhaps, that are highly sensitive.
The way that you deploy this infrastructure and technology will look very different.
And so we're not prescriptive, but what we do is we want to continue, it's really motivated me and inspired the team, to build controls that are kind of up to the customer to adhere to their kind of, hey, the performance or speed or friction perspective and/or the security posture.
And so that they can kind of choose, hey, we want to really lean in here.
We want to make sure things are airtight. And in other areas, we really need performance to be kind of paramount, even in some cases over security, which do exist.
They might be more exception-based, but they do exist.
And so that has been really, really insightful, rather than us prescribing to customers, hey, no, that shall.
It's become very, very helpful to have the optionality.
And then we've kind of built with that mindset of, hey, here may be our best practice and our security recommendation, but we're mindful you might want to and here are the other options that you can choose.
Right, so making it more of, like, a toggle approach, where we have that option to move in and sacrifice a little bit of X, be that performance or security, based off of the need of the business.
And what we're even seeing too is customers make choices like that depending on the user group.
And so users that might have access to less sensitive material, or on company-provided laptops that are hardened and locked down and they have access to one thing, they might take a different decision than, you know, say someone that has access to everything, or someone in finance that has access to very sensitive data, right?
Those decisions can even be made at the individual group and even at the individual user level.
And so rather than having to have a generic all or nothing, it's becoming very bespoke to kind of how the customer wants to apply.
I'm leaning into the zero trust principles. And so the default-deny world, et cetera, et cetera.
But then giving them capability, flexibility to make those choices. Great.
Yeah. I mean, we think about that all the time. I think previously it was this big concern over contractors or people outside your org who might need access to things.
I think nowadays we're seeing it with hiring people in more high-risk countries and things like that.
So having that granularity at more of the user or group level is great. Cool.
Well, let's move on into some of the things that you hear back from customers. So obviously when people are purchasing software, especially security software, it's a pretty foundational part of their tech stack.
When you're conveying the return on investment to a customer, like what's your go-to thing to say when someone's like, how am I going to prove to my executive team that this is going to make an impact on the company?
Great question. And this is something I, in prior lives, thought a lot about, right, as, especially as you ask and look to continue to get more investment.
And so one of the things I see customers do a lot and have played back to me is around kind of the value and how you're measuring value.
So one of those is, you know, some might joke that, you know, security software is kind of like insurance, like you have it, but, you know, it's just in case.
And so it's kind of that maybe a reactive negative light.
What I like to do is kind of, what are those positive trends and what are the positives?
So some of them are a number of existing, say, like support and/or troubleshooting tickets that you see decrease when you're moving to a solution like Cloudflare's, or kind of another very modern kind of zero trust network access, versus, say, a legacy or traditional VPN.
Right. And so you spend the effort, you spend the time to switch. That took, what came out of cost? Well, what's my return? The idea being, and what I hear over and over, is, hey, not only are we spending way less time provisioning things, we're set up and it just works and this is amazing. But then, two, is like the insights that you get from it. Like, oh, by the way, we were able to see from logs that no one is using app X, so we just turned it off. We saved X million dollars per year. That insight into the behaviors, whereas in traditional you could dig through logs, but people have access to everything, and so you have to maybe go to the app in particular, where security can make actual insightful recommendations back to the business of, hey, based off of this kind of network data or security data, we know this service is not used, or we know this service is widely used on these days.
We should ramp this up so that, you know, our business insights team has more compute during this time because we see them act, right?
Those insights that occur on the surface, I think are really, really important as well as kind of the overhead piece going down.
On the other side of that, I think threats blocked is kind of a tricky one, right?
We had 5 million firewall blocks today.
Well, okay. That might have been a big deal.
That might have been not a big deal.
You might be used to having 15 million.
So I think those are important to see so you can trend, so you can kind of see attacks come as they go.
But the ROI on those, I tend to see customers kind of shy away from.
Where I see a lot of value is by the measuring of how many people don't realize they're using this technology.
And so when you hear like, oh, we're using Cloudflare, okay, and they don't know what that is, that is actually a win.
And why is that a win?
It's because they don't know because they're not raising tickets about it.
It's actually a faster experience for them overall.
A really good example that I encourage customers to do is measure, you know, pick your top three most popular apps, be it self-hosted, SaaS, or otherwise, and with your zero trust network access provider, measure the throughput, latency, time from first packet to last, and see what you get.
We've had customers, numerous, that will come, and my favorite piece of feedback I've ever gotten was this, which is someone had implemented Cloudflare's ZTNA solution, and the business thought they upgraded the app to make it faster.
And so they had sent a note of praise to IT saying, thank you for updating the version. The old one was so slow.
And the business owner was like, we didn't touch the app. What is going on?
It was actually just legitimately a faster connection. And so all the jitter and all the lag was gone.
And so they were very hard to measure in that case. But that's what I encourage folks to do is to look that way.
So the ROI comes in kind of those business outcomes as well as security outcomes.
One from the business side, hey, what are you saving time on? So you can go spend on more important things.
And then from the security side is, what are you looking at catching and what are your policies that look like?
And so I think one way I always try to talk to customers and hear a lot from them is during red team exercises or purple team exercises.
Hey, when you went through that, how fast did this product solution set catch, block, detect, or prevent what would have been something very, very bad for you, right?
And so you think about, again, in the zero trust network access concepts of, hey, we weren't even able to necessarily even have to detect it, because the intruder could not get any further because they were using an unmanaged device.
Like they were DOA.
We had to, right?
And so by just structuring your red team exercise, you can start measuring the value of, oh, wow, the barrier to entry is now here, right?
And so there's a value in that of, okay, well, how much did we spend on this prior to make the barrier here?
In that case of making it harder and harder again.
So anyway, a bit rambly, but like there's a hundred ways that I've heard customers kind of explain it.
And a little bit depends too on what they're after.
If they're after, okay, kind of a replacement scenario versus an approved scenario, and kind of how they show that value, it has to be both from a business outcome perspective and from a security perspective. Doing one or the other tends to not land very well in ROI conversations.
Yeah, no, totally.
When we spoke with Derek, he also mentioned there was like quite a big return on the operational side of it in addition to just the security benefit as well.
So I think that it's a common theme that we've been hearing throughout these conversations. Well, cool.
Moving into kind of like the future of zero trust, like, do you have any like thoughts or opinions or intuition of like how zero trust is going to evolve over the next like three to five years?
Yeah, it's a good question. I'm seeing inklings of it now.
And so my answer is kind of based off of that, which is the way that we will apply kind of the zero trust concepts and principles to like AI agentic future.
And what I mean by that is Chase and Corey might have multiple agents performing actions and outcomes on our behalf, but they should be permissioned like Chase and/or Corey, right?
They should look and or act and they shouldn't do things that are not what we aren't able or should be able to be doing, except they don't sleep and we do, right?
And so I think that that kind of same construct that we've done to what we would call users in the human context applies not just to the agents, but the way the agents interact with agents, interact with agents, interact with agents.
And so the concepts, I think, still remain quite true.
I think they're pretty tried and true, like very first-principle thinking type.
But I think the way they apply to this very kind of emerging world where you might have assistants doing things that look eerily similar to you and even perform maybe from your laptop in some cases or your phone.
I mean, well, to an admin or to a security practitioner might be indistinguishable, right?
It just looks like Corey going to the web and going and posting on LinkedIn, or going into his or her HR app and doing things, right?
But that's not me. That's my agent doing tasks on my behalf. And so I think that world, kind of what the concepts, I think the concepts stay mostly true.
I think they evolve to cater to that environment at scale.
So it's not a two or three agents. It might be hundreds or thousands of agents when agents orchestrate agents.
And so how do you apply those principles at once to an infinitely scaling set of agents doing things on your behalf?
I think that's a very fascinating problem.
Humans don't scale that quickly. And so you can think about applying it of, okay, you know, how many apps does an individual user have at any one time?
Might be dozens, might be hundreds, might be thousands.
The answer is now infinite with agents. And so how do you think about that differently if everything is default deny in the access that they're given or in the privilege access that they're stepping into, et cetera, et cetera.
And so the things that you would look for in a human behavior or human authentication event and identity in general will look very, very different, obviously, with an agent.
So anyway, that's an area where this all goes.
And I think that kind of becomes a very big topic of where the zero trust principles really do apply.
Yeah, I think it's interesting hearing you describe the future of where we have all of these agents and agents of agents.
You know, this traditional, quote unquote, model that we typically talk about with Castle and Moat seems to be even more scary.
If you're like, we trust everything that's inside the castle.
When you have all of these things, you know, cascading down from each other.
So do you think zero trust will become more of a standard and not like a bespoke strategy and kind of like take over as that default?
Yeah, it's a great question.
I do. I actually think zero, the term zero trust will just become, yeah, to your point, security.
I think it becomes just a de facto in how and where this all goes.
I think, you know, security and standards and government bodies like the NISTs of the world.
I think a lot of, like, the kind of looking at the future and stuff coming out is very much like it may be said once and then just inferred to as that's just the norm of what you should be doing.
I think time will help with that.
And I think as more and more security products are built, more and more security vendors and technologies kind of lean into those concepts.
Yeah, it becomes just the norm. The same way if you said firewall today, no one really like that is common language, right?
Everyone, most, a lot of people, you have to explain what a firewall is, because now it's used in everyday life for all things. It's the same thing where zero trust, like, what does that mean? It will become, oh yeah, and it just becomes security. Like it just becomes synonymous.
Okay, okay. So we've kind of talked about, you know, present day, what we're doing with zero trust, talked a little bit about the future. So let's take a step back and look at the past. If there was one thing that you could change about how we've been building zero trust, not necessarily just at Cloudflare but in general, like, and you had to start over from scratch today, like what would you do different?
I think, lean, we lean very heavily into the identity aspects. But I think I would probably dig further into that, and in how identity really is at the root of, if you don't have identity, it's very hard, you're not going to be able to apply any of the principles, almost. And so I think I would have led more with that early days, and perhaps built some additional features that I think we partner with some fantastic providers on today. But having that identity piece, I think, is really, really important for all of kind of the downstream and/or upstream security practice today.
So if I was like building a zero trust solution from scratch today, I think I would start there and probably lean heavier into the identity components.
That being said, it's also, there are a lot of very good solutions on the market today.
So I don't, I think that would be a slippery slope to try to go do that.
Too far down there, yeah.
Yeah, it's interesting you say that.
When we asked Derek kind of a similar question around like lessons learned of doing our...
zero trust implementation, like one of the biggest call-outs was, like, it's really important to have a very strong foundational identity and access management program in place before moving into zero trust. Because, you know, you're relying on these identity-based checks for pretty much everything at this point. So if you don't have those foundations in place, you're going to have a hard time, you know, deploying zero trust, getting caught up in that space.
So, 100%. That, to build off that, that actually might be the thing I would do different, is I would build more tools to help customers wrangle that, even if it wasn't related to Cloudflare services and products, because that's just a good thing for the internet and for customers.
It can be very challenging when you have any number of identity providers, or you acquire and they have their own, or you merge and they have three, or this one's legacy, and it becomes, ugh, where is our identity store?
What does that mean?
Because to your point, the value that you can unlock with Cloudflare is massive.
But having identity principles and having all that centralized and managed in a good, tidy state is paramount.
Yeah, absolutely. Well, we are at time today, Corey, but thanks so much. It's been great chatting with you.
And I look forward to working with you in the future. Awesome. Thank you for having me, Chase.
Yeah, have a good one. Bye.