Originally aired on June 22, 2022 @ 4:00 AM - 4:30 AM EDT
In this Cloudflare TV Cloudflare One Week segment, Cloudflare Director of Product Sam Rhea will host a fireside chat with Matt Weinberg, Founder and President of Happy Cog.
Visit the Cloudflare One Week Hub for every announcement and CFTV episode — check back all week for more!
Hi everyone, let me just make sure we're live here. We're having a chat just about movies and life, but thank you for joining us today. Welcome to Cloudflare One Week. Welcome to Cloudflare TV. My name is Sam. I'm our Director of Product for all of our Zero Trust products here at Cloudflare. And I'm joined by Matt. Matt, why don't you, I'll let you introduce yourself here to our audience. Sure. I'm Matt Weinberg. I'm the co-founder and president of technology at Happy Cog. We're a full service interactive agency. We know a whole bunch about Cloudflare and we help a lot of clients get onboarded with a bunch of Cloudflare products. Alright, and I had the privilege of getting to see Matt speak at our Cloudflare Connect event in New York a couple of weeks ago. So I'm a little more privy to kind of what this looks like for your end customers, but for everyone else out there, what does that look like? Do people come and approach you about different problems they have and then you solution and recommend and deploy Cloudflare? Or how does that typically go? Yeah, I think there's two paths. The clients that have heard of Cloud... pretty much everyone has heard of Cloudflare. There are clients of ours that are like CTOs or CIOs, and they're very familiar with Cloudflare and they come to us, they know what Cloudflare is, and they very specifically say, I want X, Y and Z, help us implement it. And then we have a whole another set of clients. Maybe it's more on the marketing side, or maybe it's still information technology or security or whatever, and they just have problems that they want us to help solve. And they say, we have this security problem or we have this, we've heard about this and this kind of industry trend or benefit, and we at that point, we talk about Cloudflare. And then I would say there's other clients that don't even bring this stuff up, that they're just hiring us to do a website or a mobile app or some integration or some database. Then as part of those conversations, we kind of say, you should really be thinking about X, Y and Z to protect this stuff. So I'm kind of reporting here from our Lisbon office. Are your customers global? Are they there in the United States with you? A little bit of everything. Yeah. Our customers are generally focused in the United States. A lot of them are global, but the global ones will typically have headquarters in the United States, even if it's one of just many global headquarters. Yeah. And when they, when you recommend Cloudflare to them, what's the.. what's generally the first step, how do they tend to begin that journey? Is it with the reverse proxy products more often or something specific in the mix? I would say 99% of the time it's with the reverse proxy products, which in general are CDN and the firewall. I'd say 99% of our clients, again, we're building a website or a custom publishing system, an e-commerce system, a mobile app and API. And the first thing we're saying to them is, We need, we want a CDN for better performance, we want a firewall, we want some bot protection, these kinds of things. Let's just get Cloudflare in the mix. Super easy, very little technical setup because we're building all of that out anyway and we obviously have experience with it. And again, I've had the benefit of getting to see some of the really cool work that you all do for your own end customers when you tell them We're deploying to Cloudflare and we're going to set up Cloudflare. How do you define what success looks like with Cloudflare to them? What's the kind of outcome that you point them to about why you've introduced Cloudflare to the equation? So it's kind of a funny one. So let's just speak about, again, that first onboarding, that reverse proxy, the CDN, the firewall, the bot protection. In kind of a funny way, it's success if they almost never hear the name Cloudflare again, like in some ways... if the site stays up, if they never get speed complaints, if it's fast, if we don't have to worry about bots, if we don't have to worry about SQL injections, those kinds of things, that's kind of a success. And so not to say we don't talk about Cloudflare, but like almost, you want it to be invisible and just doing its thing and not even... the client doesn't have to worry about it. And I will say, you know, there's certainly metrics. We look at page vi... the core page vitals or the core Web vitals that Google has, you know, page speed and are we doing caching and CDN type things. Are we getting attacked all the time? Can we see how many threats are blocked? That whole analytics dashboard is really nice in the Cloudflare dashboard to show that. Yeah, yeah. Because you don't realize, you know, you're getting scanned constantly. So all that stuff is really nice. And yeah, I'd say that's, that's a big success, that the site stays up and fast and isn't attacked. You're totally, you're totally right. It is a, it is a really strange one, especially being on this side of the house where the definition of success for so much of what we do is you never heard about it, right? Like it's that something didn't go wrong, which I guess is probably a good segue into one of the themes of Cloudflare One Week or for, just generally those who are watching this who are unfamiliar with Cloudflare One. We have spent the last ten plus years building out Cloudflare's network to solve a handful of problems, and a lot of those problems started with things that could be solved by our reverse proxy, our WAF, our CDN, people's internet properties and their websites, making them safe and secure. And the real wonderful thing about that network that was built out was that we didn't set out to build a CDN or a WAF or DDoS mitigation. We set out to build a network, on top of which all of these really special products get to develop and grow and solve very different use cases. And over the last four years, we've really focused on a new set of use cases that deal with also performance and security, but inside of an organization. So how do we tell, how do we help a team replace their VPN with a Zero Trust security model? How do we help an organization secure their outbound connection to the Internet or just connect different resources east-west style from one data center to a branch office, or from my laptop to a public cloud where we have services deployed. And it's been a really fun journey for us. But together on the networking side and the security side, we call it Cloudflare One and it represents our Zero Trust security solution as well as our networking offering that really gives customers the ability to use their network or use our network as if it were their own. It's a new set of customers. It's a new set of kind of use cases. But all the same technology, all the things that made kind of the first phase of Cloudflare products really special. And I understand that you all have been helping some customers of your own deploy, now, the Zero Trust side. Is that right? That's right. Yeah, many of them. What does that look like? What are they starting from? Is it a VPN? Is it something else? What's the journey there? Well, you know, it's funny because just like you all had that journey from like building out your network and your reverse proxy and all of that, and then kind of slowly expanded. That's kind of what we see. I can't recall any clients really, that we've just implemented the whole suite at once, but I can recall a lot of clients where we've kind of built it up and then looked back and then Wow, we've implemented a lot of the Suite and it's Workers and it's One and then it's all the rest. Where they're coming from really, really differs. So some of them have, some of them were traditionally office-based companies and they had this kind of internal office, but over the last two years, they've kind of turned more remote and they didn't really have a lot in place to handle that. Some of them are using VPNs, what we might call like legacy- type, older VPNs, which all of their employees dislike. Some of them are using RTP and other kind of, like virtual terminal type of technologies. And so and again, kind of going back to access granting, many of them are using tools like an Okta or OneLogin or Google Workspace, Workplace, whatever Google calls it this week, G-suite for that stuff as well. And many of them use of course Active Directory, ADFS, those kinds of things too. And when they are, so, like you mentioned, they're on their, on that journey. They're pretty often starting with the reverse proxy set of products. At what point in their journey, and I'm thinking about the organizations who, we hear this a lot from our customers, are people beginning to move to a Zero Trust model. They don't really know where to start. At what point in their journey are they kind of coming to you and your organization saying, or are you going to them and saying, Hey, internet properties, fast, safe, this is fantastic. Got this problem inside of my house now. When is that moment? So let me give you a very typical type of scenario - for that. -Perfect. So, client hires us, they're a big company, where rebuilding their whole web presence is a very complex operation with many pages on the site and potentially it's e-comm or it's publishing or whatever it might be. And they have a current live site and we're building something new. So, we're building on staging so far, something brand new. And we've get Cloudflare Reverse Proxy in the mix almost right away on staging because we know that's going to be part of production. And so again, CDN, Firewall, all of that. Very typically at that point, or at some point during the build, we'll have a good use case for Cloudflare Workers. So we'll say to the client, Ok, we're already using Cloudflare here, it's perfect, it's on the staging site, Workers would be great. We need it for like just one or two kind of little things. So we'll implement Workers, one or two little things, right? But then as staging kind of progresses on its journey, we want to start granting access to staging for more and more people within the company. Yeah. This is a pretty basic use case, right? Like, it's not... a lot of times these aren't even super confidential PII. It's not like that. It's just a staging site, but... - Marketing website, yeah. - Exactly. But at this point, we want to go from just kind of our internal team within the client that's accessing it to maybe more and more people and maybe they start wanting to give more access, like they have a PR team that's going to have to do a big pitch on this. They have a brand-name team that's going to have to do a big pitch. There's CEO, CTO that's going to want to look at these things. So it ends up being kind of a good use case for us to say, You know what, let's just throw Access on top of this. Because if we throw Access on top of the staging site, and first of all, we can make sure it's non-public, Google can't - get to it, the public can't get to it, whatever. - Right. - But we can kind of slowly add more and more access. At first, just our internal team there that we're working with. Oh then, of course, my team internally, and we're authenticating via -Google and maybe they're authenticating via Okta, but it all works. -Yeah. But then, they have an external PR team or something. Well, that's fine because Access lets you authenticate with one-time codes, just with email addresses. And so this is a really good way... What ends up happening is, we're using Access for this and this, site goes live, we don't need Access for that anymore, but we still have Access on the staging site. And suddenly, a lot of people within the organization have seen Access and said, Wow, well, you know, I saw that you're using it here. We have X, Y and Z other internal systems. Can we throw Access on top of that? And that's how it kind of organically expands. And I've seen that exact thing a number of times. That is a really fascinating but also just it makes perfect sense that that would be the trajectory that, you're building, something new for your customers, you being Happy Cog, and you want to give them the opportunity to kind of expand the audience of who's experimenting with it and providing feedback to it. And then suddenly people realize, wait a second, this might be a better mousetrap for everything else. When it gets to that point of, Wait a second, this might be better for other use cases. Do you find that it's a different part of the organization that you're now working with or speaking with? Has it gone from maybe a marketing team or engineering team into a security team? That's exactly what happens, because the security team often needs to do a kind of final review of the website, like a final security check before launch. I see. So they see it and we say, Okay, here you can get on to the site using Access. And so they do their review and a lot of times they'll email us and say, you know, we saw Access. It's really interesting. We have this whole separate thing that's happening here. It's whole internal system. Can we use that same Cloudflare account? They'll use terms like "same Cloudflare instance" and "same Cloudflare license" or whatever to kind of move it over. We'll say Yeah, absolutely. And then they'll kind of bring us on and it's a totally different team and set of services. It's a really interesting process. We see the same thing with... and that's maybe, I've been working on this at Cloudflare for over four years now and that's been one of the more fun parts about the journey we've been on as an organization, talking to and learning from our customers, where when I started, when we started this group of products, a lot of our customers were like what you were describing, the marketing and engineering folks who were kind of at the end of maybe some other pilot or work or saying, Hey, you know, you should chat with the security folks because there's some problems over in their side of the house I think you could be helpful with. And we said, Okay, great. And we needed to learn a lot about this new set of problems and these new types of teams that could benefit from what we had built out. But it's been a really fun journey. When you go talk to those new teams, kind of a similar question of the outcomes. What are the outcomes that you highlight for them look like? So slightly separate buyer, slightly separate use case with the security side. Yeah, they're often looking for better audit trails, better logging, reports, like those kinds of things. So what gets interesting here is that when we show Access to the marketing team, they're mostly concerned about HTTP, you know, just looking at the staging site or whatever. But then the security team will typically say something to us like, Well, how are we accessing the servers? Do we need to open up a port? And we'll say, No, actually we don't even need to open up a port. We've got access over Cloudflare Access. And that kind of, that is really the light bulb moment for them because they understand at that point it can be really any port in any service. And so what's a success for the security team? You know, closing port 22, basically, or not having public IPs, reducing the area's... Surface area. Yeah. The surface area of scans for external security tests, having audits, who logged in, who failed, who tried, like all that kind of stuff becomes really interesting. That's what the success metric is for security. You're totally right. I was told something early on and then again somewhat recently by a particular customer who said, who is a customer I just adore. And said, on very friendly terms, Stop talking about your network. So what? That's our superpower! And this customer said, Yeah, I get that that's your superpower. But when we're thinking about these, in particular, the Zero Trust suite, we're thinking about the outcomes that we can, we can go home on time, right? Like we're not getting paged on Saturdays. We have visibility that we didn't used to have without investing in a bunch of kind of manual effort or multi-quarter project. And I said, Ok, that lines up. And we've tried to start to speak to what the products do in a more outcome basis as opposed to just pure speed, which is a little different for us than maybe some of the reverse proxy-style use cases where pure speed is the primary outcome, which has been kind of fun. Right. I see that, what you just described with like VPN replacement-type stuff as well. We have clients where they need VPN for all kinds of reasons. We've talked about this and there's Zero Trust there. Right now, their VPN is set up as just basically in a server closet in New Jersey or North Virginia or whatever it is. And they have all of these global people and all those global people are VPNing into a single kind of geo location in Northern Virginia or wherever the server is. It's a ton of latency and all of that. And yeah, I mean, you have that network, but really like the end, the end result for people is fewer drops, fewer annoyances, like easier to get to things, just, you know, all those kind of things. Exactly. Fewer issues. Sure. On the other end of that, do you ever run into hurdles or hesitation, or are there hard conversations you have to have with customers about reasonable and healthy skepticism they have in moving to this model? Yeah, I think there's a lot of that. First of all, when you're dealing with a bigger company, just in general, vendor procurement is always going to be a big set of questions, right? Especially for a security vendor. Totally. 100%, like even put aside like the specifics of what you all are doing, just like in general, new SAS service, new vendor, what's that process like? Is it in the budget? Who needs to sign off? Is there going to need to be a six-month review about this? I mean, that's that's one thing just in general. But then when it comes to you, you know, you're... Cloudflare is selling security services and networking services and all of this. And so, of course, clients are going to have questions about how secure are you? What's your uptime? Are you putting stuff... is this, does this become a failure point for them? And what are their other options? And then, there's questions just around their control and their administration and giving us access to a limited set of things and role-based and all of that as well. I would say that the nature of the questions has changed. If you go back a couple of years, you all were a smaller, less well-known company. So I used to have to spend more time kind of explaining what Cloudflare is, you know. Now you all are like, you're more well-known. This sounds silly, but like you're a public company, you're like a real... You feel more real, kind of in a way. No, I get that. Yeah. Yeah. And so I spend less time, I think, explaining what Cloudflare is and more time explaining why it's better than some of the legacy vendors. You know, they would typically have a contract already with some kind of security vendor or some kind of on-prem type solution or something. So there's more of that. Is it worth it and why is it worth it and how does it make us move faster, etc.? Yeah. It's a very... One of the things that kind of, what I've seen with customers on the hesitation piece is, Hey, what does this mean when... Are we introducing kind of a single point of failure in the flow? Or, is this something whereby Our legacy model's really painful, but it works. Are there, kind of, is this going to be something that's risky for us? Right? Like we... the last thing we wanted is to get paged more. And to kind of address some of those concerns, we typically start with a pretty tightly-scoped pilot, like helping customers identify what are the two or three more popular internal web applications, for example, that you use and moving a cohort of users but not everybody over to those applications. When you see customers start their journey, is that something you recommend as well or do people tend to go Ah, we're just cutting over today? No, 100%. I agree to start slow and start with little things that honestly would have low impact if they had trouble, like we talked about the staging site before, and I think letting it build from there, even honestly, contractually. Like I don't know, maybe you won't love me saying this, but like just sign up for that self-service plan. Like get on the $200 a month, whatever, sign up and then you can grow from there. It just makes it, first of all, that kind of number can typically be just put on someone's credit card, like our marketing contact. Just they've put it on their corporate card and that's it. And then we kind of expand from there. So it just makes it a lot easier, I think it convinces people more and it helps the client, the end user understand what implementations actually would be like. We are obviously big fans of the self-serve plan. And one of my favorite, I think they are currently the sixth largest user of our Zero Trust products just by seat count. They started in exactly the way that you describe with, a member of their DevOps team put their credit card down, just saying, you know what, I'm sick of the VPN, I'm doing something about it today and now it's thousands and thousands and thousands of users. So I love that self-serve reference because it's part of our DNA, it's who we are and who we've always been. As far as how customers begin their journey with us. What advice do you have for customers who are kind of thinking about starting to move in this direction and given all the deployments that you've seen? Well, certainly one thing would be what we just discussed. Start small. Is there some low impact, low blast radius thing where it can be a little bit of a sandbox internally just to kind of try things out, understand what configuration is like, all of that? And I think that's really nice. If you're starting with the reverse proxy stuff, and then we'll talk about Zero Trust, but with the reverse proxy stuff, you don't have to turn everything on, even feature-wise. Like start with SSL termination, move to Authenticated Origin Pulls, add Polish. Add... all of those things can be kind of added on piece by piece as you kind of get more used to it. For Zero Trust... I mean, one thing we see is if internally it's going to be a big job for the internal IT team to do the Okta setup or whatever else, start with the one-time pin codes, start with the easy authentication step, start with just a couple easy rules and then add on security after that. I'm sorry, I shouldn't say add on security, but add on more and more security tools. Yeah, exactly. Just to keep it easy for yourself. And then what happens is, one day you look back and you're like 95% to where you want to be, but it felt really easy along the way. Yeah, I love that. So the recommendation is break it up into small, manageable chunks that every day you get a little more secure, but no days is it a giant incident, which is totally disruptive to how you're working. Exactly right. And as more and more people get exposed to it, they'll kind of understand the value and they'll get more used to it and they'll kind of see their own use cases where they can use those products as well. Now, I promise you, you can be completely candid with your answer here. Are there areas where you want to see us add new features, new functionality, new areas of improvement, rough edges that we need to sand down? Seen a lot of these deployments. What are areas where we need to be, kind of, because I can give some roadmap previews here, but what are areas where you need to see some changes or want to see some changes? And then I'll ask you a second question about what are just natural speed bumps and road bumps that people hit when they're deploying this? But first, what can Cloudflare be doing better? I know a few folks who can work in that direction. - Okay, so just being completely candid... - That's what I want. - Even me, and I deal with Cloudflare every day almost, I think the naming of some of the products like the buckets and the... Magic Transit and we've got Magic Land and we've got Magic Firewall and we've got... we used to have Argo and Argo Tunnel and then we had Cloudflare for Teams, then we had Cloudflare One, and then we have Access. And so it's just a lot and it's a little bit confusing even for me, what products are, where they fall, what's the cost? And then you have the, the $3 user month, the 7... that's like just I think that gets a little confusing, honestly. The naming and the packaging. Yep. Completely agree. Yeah. And I think part of it is you all launch products really quickly. Like your velocity is very high and so you're constantly doing that and so it's just, it can be hard to track, frankly, all of it. So that's one thing. And then the other thing that I, you all have made much better recently. If we'd talked a couple of months ago, I definitely would have mentioned the tunnel configuration with the YAML files and all of that. But that's all gone now. And you can kind of configure it all through the Zero Trust dashboard, which is a huge - improvement. - Shout out to the tunnel team and the PM there, who is probably watching this. That was a... that was their sole focus so far this year was Tunnel's the best way to connect to Cloudflare if you can figure out how to connect it, right? And making that easy has been, I think, a relief to a lot of people on our own internal teams who, of course, use Tunnel and Access inside of Cloudflare. So I'm thrilled to hear that that is the experience that you're having as well. Now on the customer side, what are the kind of hiccups that they run into, places where people watching this who are considering starting in this direction should be keeping an eye out for, if you've seen any? Yeah, so I mean, one thing again is just internal procurement processes. No IT team wants what's called "shadow IT" where they feel like the marketing teams like signing up for all kinds of stuff and it can raise red flags. And I would say, you know, be honest and upfront about what this is and why it's not a security risk, but it's a security benefit and kind of loop them in. I think that's one thing. I think that, in general, some teams don't understand some of the trade offs of caching. So if we're talking about the reverse proxy system and caching, and that means you have to have a whole cache clearing system and expirations and all of that, I think - that's very important to understand. - Some education on that. Yeah. Definitely. And I think it's important to understand.... Well, let me let me rephrase a bit. So we talked before about the Cloudflare Analytics Dashboard that shows you threats blocked and all of that. The truth of the matter is that every site is getting probably like thousands of IP scans and SQL injection attempts and all of that per day. It just happens. Thousands or more. And what happens is clients don't know that. They don't know because the vast majority of them don't do anything. So you implement Cloudflare, this dashboard, and it's like thousands and thousands of attempts and they kind of... We're getting attacked all the time.. Exactly. I think that's a good education point, which is saying, look, this is happening. You're now seeing it. It's not happening more. It's actually happening less now because Cloudflare is protecting it. So that's kind of another thing. Yeah. Okay. Those are really helpful. Fantastic. Well Matt, is there anything else that we should be sharing with viewers, sharing with the audience, any kind of closing thoughts about folks who are getting ready to start a Zero Trust journey? No. I mean, I think that... I think it's great. I think it's a huge user benefit, especially if you're on kind of a legacy VPN. I think that, I just think in general, once you've kind of joined the Cloudflare platform, it was very interesting to see what else. I talked about Workers before. Like once you are on Cloudflare, once you're using it, once it's in front of your site, just like understanding all the other stuff you can do with Workers or whatever else, gets really beneficial and really important too. How to grow with that experience. Fantastic. Wonderful. Well, thank you so much for your time today. It's nice just to kind of get to chat and hang out, I think. One thing that we were speaking before we went live here, about being at the Cloudflare Connect event and getting to talk to people in person and now having kind of follow-up conversations like these on Cloudflare TV. This is really fun and life is starting to feel a little bit more normal. So I really appreciate your time and what you shared with us, and this is just been great. Yeah. Thanks so much for having me. It's really a pleasure and thanks so much for everything you all are doing. Wonderful. Alright, for everyone watching, there is a lot more Cloudflare TV segments, a lot more announcements about Cloudflare One Week. Stay tuned. Stay tuned to the Cloudflare blog, where we're sharing all the updates that are coming out every day. I think there's 29 total this week, so it's going to be busy. The Cloudflare TV has a special section where you can see the Cloudflare One Week specific talks. I'm think I'm going to say Cloudflare about 20 times in this send-off here, but thank you for tuning in and stay tuned for what's coming. It's going to be a really exciting week. Matt, good to see you. Thank you again. Thanks so much. We have seen malicious foreign actors attempt to subvert democracy. What we saw was a sophisticated attack on our electoral system. The Athenian project is our little contribution as a company to say, How can we help ensure that the political process has integrity, that people can trust it, and that people can rely on it? It's like a small family or community here, and I think elections around the nation is the same way. We're not a big agency. We don't have thousands of employees. We have tens of employees that we have less than 100 here in North Carolina. So what's on my mind when I get up and go to work every morning is, What's next? What did we not think of and what are the bad actors thinking of? The Athenian Project, we use that to protect our voter information center site and allow it to be securely accessed by the citizens of Rhode Island. It's extremely important to protect that and to be able to keep it available. There are many bad actors out there that are trying to bring that down and others trying to penetrate our perimeter defenses from the Internet to access our voter registration and/or tabulation data. So it's very important to have a elections website that is safe, secure and foremost, accurate. The Athenian project for anyone who is trying to run an election, anywhere in the United States, is provided by us for free. We think of it as a community service. I stay optimistic by reminding myself there's a light at the end of the tunnel. It's not a train. Having this protection gives us some peace of mind that we know if for some reason we were to come under attack, we wouldn't have to scramble or worry about trying to keep our site up, that Cloudflare has our back.
