1️⃣ Welcome to Cloudflare One Week!
Presented by: Kenny Johnson
Originally aired on January 19 @ 4:00 PM - 4:30 PM EST
Join our product and engineering teams as they discuss what products have shipped today during Cloudflare One Week!
Read the blog posts:
Visit the Cloudflare One Week Hub for every announcement and CFTV episode — check back all week for more!
English
Transcript (Beta)
Hello. Good morning, good afternoon, good evening, depending on where you're watching in the world.
My name is Kenny Johnson and I'm a product manager here at Cloudflare as part of our Zero Trust, and more broadly, our Cloudflare One team.
I'm really, really excited to welcome everybody to Cloudflare One week.
We do Innovation Weeks at Cloudflare roughly every every eight weeks and really the intent behind these are very laser-focused weeks on announcements, updates, new features, new items within the business that we're very focused on within a specific portion of the business.
Cloudflare One is Cloudflare's Secure Access Service Edge offering.
Basically, it's our Zero Trust and network security product designed to help security teams secure their users, Internet traffic and devices.
So really the core thing that we're going to be doing this week are major announcements that are going to make it a lot easier to deploy Cloudflare One within your business,opportunities for folks to get help deploying within their business, both in terms of resources and working with partners, as well as clear guides on how to replace kind of core pieces of legacy technology.
So there are a few places to watch for new content. The first and foremost one is the blog.
We're going to be putting out tons of content on the blog every morning, morning U.S.
time, afternoon if you're in Europe, APAC early, I think, evening.
So keep an eye out for the blog for major announcements. The the other place that we're going to have tons of content is Cloudflare TV.
And we're also going to be working with press and doing press releases.
So, lots of places to to be involved and to keep an eye on for new content being rolled out.
Awesome.
So as part of the week, I want to dive in and talk a little bit more about what Cloudflare One is and what it does for businesses.
So I'm actually going to go ahead and share my screen quickly.
You should be able to see my screen. I've got the Cloudflare One blog pulled up.
So blog.cloudflare.com is definitely your best place to get started and watch for related content around what's being launched within the blog or what's being launched within the week.
So I'm actually going to pull up a specific page where we talk about kind of demystifying, specifically, Zero Trust, SASE, SSE.
There's a lot of kind of marketing buzzwords that get thrown around this space.
So what I want to do quickly is set the scene for which products are involved within Cloudflare and how they map to Zero Trust Secure Access Service Edge and Secure Service Edge.
So the piece that I want to pull up is this diagram, I think really helps illustrate the layers and which are relevant within the Cloudflare Security Suite and more broadly the Cloudflare Product Suite that apply to Cloudflare One.
So the, really the first layer to start with is thinking about the service edge.
Basically, how are we actually delivering the kind of overlying security technology?
So if you want to think about a service edge, it's effectively a network or a distribution layer that you're providing connectivity to users.
So the beauty of Cloudflare is that we already had to build a massive network to supply our CDN and other application security services.
So all of the work that we put into building a global CDN Anycast Network, we're able to take advantage of those same, of that same scale, that same programmability, that same level of orchestration through things like our API and Terraform.
We're able to make use of all of that within our broader SASE suite as well.
So the next step is then how do you actually connect your users to that specific network?
And this really, really we provide a lot of different flexible options for connecting users, devices and services and data centers to Cloudflare's network to then actually be able to apply security controls.
So stepping through what each of these are, the reverse proxy, this is traditional Cloudflare.
Basically, you're able to host a website and Cloudflare actually sits and acts as the proxy in front of that website.
The handy thing that you can do here is you can put Zero Trust controls in front of that website so that we check to see, check a user's identity, check information about the user's device, information about their network before ever allowing them to that website.
This is really handy if you're hosting things like sensitive internal applications.
The beauty of the reverse proxy is that you don't have to install any individual software on a user's device.
It works just strictly with a browser.
The next option is an application connector. So anything that you're self-hosting either in a data center or a public cloud, we have a really easy-to-use application connector, that can be used for multiple applications at once, that creates a secure outbound-only tunnel from either your data center or the public cloud to Cloudflare's Edge network.
This is basically the other side of the reverse proxy for application access that allows you to go from a user's machine to Cloudflare's edge, down into your application server, all with Zero Trust controls enforced on that connection.
Additional options include, we actually have a device client that can run on the device and it is able to forward proxy users' traffic from their machine out to Cloudflare's network as a first hop out to the Internet.
What this allows you to do is do things like secure web gateway controls, so being able to enforce what the user can and cannot access on the Internet to protect them from outbound or malicious internet threats, as well as to control routing into private networks.
So that's more like ZTNA, or Zero Trust Network Access is a commonly used acronym for that.
And then I like to group these three options together.
These are really kind of broader network onramp options. So these are things like if you have a data center or an office where you want to unilaterally route that office's traffic or that data center's traffic to Cloudflare, we offer a lot of solutions around this.
So this can be things like GRE and IPSec tunnels, setting up an actual SD-WAN deployment, as well as if you're large enough to where you actually have your own set of IP addresses or you'd like to lease IP addresses, IP space from Cloudflare, we can enable that and actually Cloudflare is the one who broadcasts that IP range.
And then finally, if you are co-located with major cloud providers or in major data centers, it's very likely that we're hosted there as well and we can actually set up direct connects as well.
So we make it really, really easy and really flexible in how you want to actually and how you actually want to create connections from your resources and from your networks to Cloudflare to then be able to enforce the high-level secure access functions.
So this includes Zero Trust Network Access, so Zero Trust access to your applications, whether or not they're self-hosted and publicly addressable or self-hosted and privately addressable, so they're only in private DNS space or RFC 1918 IP space.
That's things that start with like a 10-dot IP address or a 198 IP address or the DNS sometimes will look something like test dot internal or application dot internal, something like that.
We make it really easy to access those. And then finally, SAS applications.
We're also able to act as an identity proxy in front of those SAS applications to be able to enforce things like device and network posture before a user accesses your SAS tool.
We're also able to enforce CASB-style controls or cloud access security style controls within those SAS applications because you can require that the secure web gateway is also running for that SAS application.
So in order to allow a user access to your SAS application via the identity proxy in our Zero Trust Network Access Suite, you can say that the secure web gateway must also be running, which guarantees that all of that user's internet traffic is going to Cloudflare first, where you can enforce your secure web gateway policies, you can say things like, "Given a user's in a certain Okta group, they can only see certain pages in Salesforce." So that brings me to the Secure Web Gateway tool.
What the Secure Web Gateway tool does is, given that a user's is traffic is being onramped to Cloudflare, so either via a network tunnel from the office or from the client on their device, you're able to enforce Layer 7, HTTP policies as well as Layer 4 networking policies at an individual user level, as well as unilaterally across your user base.
So you can say things like, I want to block all known DNS records that are associated with botnets.
Or you could be really granular and say that Kenny cannot access ESPN on his machine.
You can do things that are broad across the employee base or really filtered down to individual user access.
The other really kind of handy thing about both the ZTNA solution and the Secure Web Gateway Solution is that they generate rich activity logs of exactly what users are doing on a particular resource at any given time.
The other piece that is a really key consideration within the Secure Web Gateway is we have a lot of controls around user privacy as well.
So there's definitely sensitivity around managing and logging what a user is doing on their machine at any given time.
So we make available things like anonymizing user information, we have PII rules that can really filter down who can actually see those specific logs as well as we can fully anonymize them as well.
So there's a lot of flexibility with security and privacy concerns when it comes to monitoring user traffic.
The next one, RBI – Remote Browser Isolation is a tool that basically allows you to either, with the device client on the machine or even using a link-based approach, put a user into an isolated browser instance where basically they are fully protected from anything on that page.
They can click links and things like that and it won't allow them to download anything onto their machine.
It won't allow them to pull malware down on their machine.
So this can be really useful for things like suspicious links that you don't necessarily want to fully block, as well as a lot of threat research teams use them and things like that.
You can also use the remote browser to do things like disable keyboard input, disable copy paste.
There's a lot of data loss prevention use cases as well.
The Cloud Access Security Broker. This is a tool that allows you to do API-driven cloud access security posture assessment so you can plug in our CASB into your major SAS tools.
And what it will do is it will scan through the SAS tool and look for things like publicly shared files, misconfigured security settings, security settings that are likely too permissive.
It'll generate alerts that then you're able to proactively go in and deal with.
Data loss prevention. We actually just had a post go live on the blog for data loss prevention.
This allows you to do things in line and actually look for sensitive data via the secure web gateway.
So I can start to configure rules that say things like Given a file, has a social security number in it, I want to block that file from being downloaded for a subset of users.
So there's a lot of control in terms of being able to define preset dictionaries as well as custom-defined dictionaries of specific terms and sensitive data to look for to either allow or block.
We also offer a firewall as a service.
So the ability to put a firewall in front of both Layer 4 and Layer 7 within your business to be able to kind of put broad swath controls and protect against known attacks and things like that.
And then the final vector is email security. So email is one of the few spots that somebody can have a malicious external user can have unfettered access to your employee base.
As part of our Area One Security Solution, you're able to enable things like phishing protection and other protections within inbound emails being sent to the business.
So being able to close a major attack vector, that's been a really common way that people have attempted to infiltrate businesses in the past.
So we're very excited to include that as part of our overall solution within Cloudflare One.
And as you can see, when I pull up the blog, there's loads of information and data surrounding the email security solution today.
That's actually kind of the featured piece within today's announcements.
Each day will have kind of its own theme you'll see throughout the week.
So that's a quick overview of Cloudflare One. The other piece that I want to highlight is we've also put out a vendor agnostic just recommended roadmap to implementing Zero Trust.
Another common thing that we hear is that it's often difficult to understand how to get started in a Zero Trust implementation or it feels like you have to be all or nothing in implementing Zero Trust.
It's actually something that can be stage gated and broken out into bite-sized chunks.
So we launched zerotrustroadmap.org as a collaborative vendor agnostic guide for being able to roll out Zero Trust.
And we recommend and we provide recommended steps and assessed levels of effort and recommended vendors for each one.
So in here you'll see things like being able to establish a corporate identity.
That's a key piece for Zero Trust, being able to assert who a user is, and then being able to check that in a given stage of either allowing access to an application or verifying policies for outbound traffic to the Internet.
So each of these sections will give recommendations of who should be involved from your team, vendors to consider, what's involved and common steps that we see customers follow.
This is meant to be a representative guide.
Every business is a little bit different. We're always happy to have conversations around what this might look like specifically for your business, but this is just meant to be a kind of initial get started guide to start thinking about what each stage might look like.
The other piece of content that I want to highlight to watch out for throughout the week is we are putting out replacement guides each day, where we basically highlight known steps or key steps of replacing legacy technology within your business.
So today is replacing an email gateway.
Later in the week we'll have replacing a VPN, replacing MPLS lines, replacing virtual desktop interfaces and RDP.
So there's going to be loads of interesting content around how to concretely approach replacing specific pieces of legacy hardware within the business.
So those are the major updates across the blog as well as the roadmap that we've published.
The one other thing that I'll call out is Cloudflare TV is going to be jam packed this week with content around Cloudflare One Week, so definitely keep an eye on the Cloudflare TV schedule.
It's just cloudflaretv.com/schedule. You'll see loads of Cloudflare One specific content throughout the week as well as it'll get repeated over the next couple of weeks as well.
So we are very excited to get this kicked off.
I think the last piece that I will put out is if you want to get started and try out Cloudflare One, it's actually free for the first 50 users.
So I would definitely recommend if you already have a Cloudflare account, you can click on the Zero Trust tab and get started today.
It's free to use Access and Gateway and other core solutions of the platform, as well as if you'd like to talk to somebody to learn a little bit more, you can come to the Cloudflare One page and actually set up a consultation with one of our SASE specialists and we'd be happy to talk through what your specific requirements are and figure out if it's something that we can help with.
So again, thanks for joining. Very excited to get the week kicked off.
Keep an eye on the blog. Keep an eye on social. Keep an eye on Cloudflare TV.
Loads, there's loads of interesting content coming throughout the week and we're very excited to get it kicked off.
Again, thank you so much and have a wonderful afternoon, evening or morning depending on where you're joining from.
Thanks so much.
Everybody should have access to a credit history that they can use to improve their their situation.
Hi, guys.
I am Tiffany Fong. I'm head of Growth Marketing here at Kiva.
Hi, I'm Anthony Voutas, and I am a senior engineer on the Kiva Protocol team.
Great.
Tiffany, what is Kiva and how does it work and how does it help people who are unbanked?
Micro-lending was developed to give unbanked people across the world access to capital to help better their lives.
They have very limited or no access to traditional financial banking services, and this is particularly the case in developing countries.
Kiva.org is a crowdfunding platform that allows people like you and me to lend as little as $25 to these entrepreneurs and small businesses around the world.
So anyone can lend money to people who are unbanked. How many people is that?
So there are 1.7 billion people considered unbanked by the financial system.
Anthony, what is Kiva protocol and how does it work? Kiva protocol is a mechanism for providing credit history to people who are unbanked or underbanked in the developing world.
What Kiva protocol does is it enables a consistent identifier within a financial system so that the credit bureau can develop and produce complete credit reports for the citizens of that country.
That sounds pretty cutting edge.
You're creating, you're allowing individuals who never before had the ability to access credit to develop a credit history.
Yes, a lot of our security models in the West are reliant on this idea that everybody has their own personal device.
That doesn't work in developing countries. In these environments, even if you're at a bank, you might not have a reliable Internet connection.
The devices in the bank are typically shared by multiple people.
They're probably even used for personal use. And also on top of that, the devices themselves are probably on the cheaper side.
So all of this put together means that we're working with the bare minimum of resources in terms of technology, in terms of a reliable Internet.
What is Kiva's solution to these challenges?
We want to intervene at every possible network hop that we can to make sure that the performance and reliability of our application is as in control as it possibly can be.
Now, it's not going to be in total control because we have that last hop on the network.
But with Cloudflare, we're able to really optimize the network hops that are between our services and the local ISPs in the countries that we're serving.
What do you hope to achieve with Kiva?
Ultimately, I think our collective goal is to allow anyone in the world to have access to the capital they need to improve their lives and to achieve their dreams.
If people are in poverty and we give them a way to improve their communities, the lives of the people around them, to become more mobile and contribute to making their world a better place, I think that's definitely a good thing.
My name is Justin Hennessy.
I'm the VP of Engineering at Neto. Okay, so I understand Neto is an e-commerce platform based in Australia.
Tell us a little bit more about it.
Neto is a omnichannel sales platform for retailers and wholesalers.
So essentially what it allows us to do is enable the retailers and wholesalers to sell their products in multitudes of sales channels.
Tell us about the importance of automation in your business.
I came onboard as the lead automation engineer, so I think automation is key to anything in this day and age.
Like if you're not looking at ways to automate the low-value work and then put your people in the high-value areas or high-leverage areas, I think you're just going to get left behind.
So as a technology company, obviously, it's critical for us to make sure that automation is at the core of what we do.
When did Neto begin working with Cloudflare?
So in the beginning, when Neto was looking to migrate from an old cloud provider, we also wanted to improve our, what we call our go-live flow or our onboarding flow for merchants.
And a big part of that was obviously provisioning a website, a custom domain name, and a custom SSL certificate.
Requesting and getting granted that certificate in the whole process took two domain experts full time.
It was a very lengthy and technical process which took, could sometimes took up to 2 to 3 weeks.
So you can imagine, you know, a customer who's itching to get online, that kind of barrier presents a pretty big problem.
So what Cloudflare enabled us to do was to literally automate that onboarding or go-live process to almost a one-click process, and it also allowed us to diversify the people that could actually do that process.
So now anybody in the business can make that, you know, set a customer live with a very simple process and it's very rapid.
So that's where we started.
What are some of the security challenges you face in your business and how are you managing them?
Any online service has to take security very seriously and it needs to know that security is job zero, so we always bake in thinking and process and tooling around security.
So what Cloudflare does for us is literally gives us a really good protective layer on the very edge of our platform.
So things like DDoS mitigation, web application firewall protection, all of that obviously is then translated into a really solid base of security for all of our merchants as well.
The security is obviously front-of-mind for Neto as a business, and online e-commerce presents a lot of security challenges.
So denial of service attacks, cross-site scripting. We have automated attacks that are trying to find exploits in our forms and our platform generally.
So prior to having Cloudflare, obviously we had measures in place, but what we've gained from Cloudflare is a consolidation of that strategy.
So we are able to look through a single lens and we can look at all of the aspects of our security for the platforms.
And I think it's probably safe to say that now more than ever, a good online strategy is crucial to success.
The real privilege of working at Mozilla is that we're a mission-driven organization.
And what that means is that before we do things, we ask what's good for the users as opposed to what's going to make the most money.
Mozilla's values are similar to Cloudflare's.
They care about enabling the web for everybody in a way that is secure, in a way that is private, and in a way that is trustworthy.
We've been collaborating on improving the protocols that help secure connections between browsers and websites.
Mozilla and Cloudflare have collaborated on a wide range of technologies.
The first place we really collaborated was the new TLS 1.3 protocol, and then we followed it up with QUIC and DNS over HTTPS and most recently the new Firefox private network.
DNS is core to the way that everything on the internet works.
It's a very old protocol and it's also in plain text, meaning that it's not encrypted.
And this is something that a lot of people don't realize.
You can be using SSL and connecting securely to websites, but your DNS traffic may still be unencrypted.
When Mozilla was looking for a partner for providing encrypted DNS, Cloudflare was a natural fit.
The idea was that Cloudflare would run the server piece of it and Mozilla would run the client piece of it, and the consequence would be that we'd protect DNS traffic for anybody who used Firefox.
Cloudflare was a great partner with this because they were really willing early on to implement the protocol, stand up a trusted recursive resolver and create this experience for users.
They were strong supporters of it. One of the great things about working with Cloudflare is their engineers are crazy fast.
So the time between we decide to do something and we write down the barest protocol sketch and they have it running in their infrastructure is a matter of days to weeks, not a matter of months to years.
There's a difference between standing up a service that one person can use or ten people can use, and a service that everybody on the Internet can use.
When we talk about bringing new protocols to the Web, we're talking about bringing it not to millions, not to tens of millions.
We're talking about hundreds of millions to billions of people. Cloudflare has been an amazing partner in the privacy front.
They've been willing to be extremely transparent about the data that they are collecting and why they're using it, and they've also been willing to throw those logs away.
Really, users are getting two classes of benefits out of our partnership with Cloudflare.
The first is direct benefits. That is, we're offering services to the user that make them more secure and we're offering them via Cloudflare.
So that's like an immediate benefit the users are getting.
The indirect benefit the users are getting is that we're developing the next generation of security and privacy technology, and Cloudflare is helping us do it, and that will ultimately benefit every user, both Firefox users and every user of the Internet.
We're really excited to work with an organization like Mozilla that is aligned with the user's interests and in taking the Internet and moving it in a direction that is more private, more secure, and is aligned with what we think the Internet should be.