How Cloudflare builds customer trust with Security & Privacy Certifications
Presented by: Rory Malone, Samuel Vieira, Victoria Salang
Originally aired on February 17, 2023 @ 2:00 PM - 2:30 PM EST
What is a security validation? How does the ‘Payment Card Industry Data Security Standard’ help my business sell online? What do I need to know about the changes coming to the International Organization for Standardization’s 27001 standard?
Find out these and more about Cloudflare’s certifications and validations with members of Cloudflare’s Security & Privacy Compliance Team.
English
Security Awareness Month
Transcript (Beta)
Hello. Welcome to Cloudflare TV. It is the month of October, and that means it's Security Awareness Month.
We have another session with our security team. We're going to talk about how Cloudflare builds customer trust today with our security and privacy validations.
Let's start by saying hi. Sam, why don't you say hi? Hi all. It's really nice to be here.
It's my first time on Cloudflare TV, so I'm really nervous.
I apologize for that. And just a brief introduction. So I joined Cloudflare about one year ago in August 2021, and I'm part of the security validations team like Rory and Victoria.
That's cool. Victoria, why don't you say hi too? So hi. I just recently joined Cloudflare, so I'm part of the security validations team, mainly responsible for the PCI DSS certification.
That's very cool. Welcome to Cloudflare, Victoria, and welcome both of you to Cloudflare TV.
So my name is Rory. I'm also in the GRC team, the Governance Risk and Compliance team, and I have responsibility for our global privacy compliance program, so I'm focusing most of my time on privacy.
And I have been with Cloudflare since late 2019, so a couple more years.
Okay, great. So we are going to talk about our security and privacy certifications today, but first of all, let's kind of set the scene of how the security team, Victoria, you mentioned validations.
I mentioned GRC. Sam, how does it all fit together?
Who is who and what do they fit in with? Yeah, so basically our team, our closest team is security validations.
We all are under the GRC department, so Governance Risk and Compliance, and the Governance Risk and Compliance fits under the security team.
So we are quite a large team. Within GRC, we have three slash four dedicated teams.
One is security engagement that can actually be split into security engagement and customer compliance.
They are responsible for training and awareness and external facing policy on the engagement part.
So this month is basically the big result of part of the security engagement work.
And as part of that team, we have the customer compliance part. It's a very important team.
It's focused on answering customer questions, prospective customers, reviewing security-relevant clauses in contract agreements.
And it's a very important team in any tech company.
And being a security organization like Rosemary's, it's much more important for us.
Another team we have there is security risk.
Basically, they handle all the security management-related topics, and that includes enterprise risk assessment, that includes targeted risk assessments, and all the risk management processes that we have in the organization.
And by last, we have the security validation team where us three belong, and that we basically are responsible to deal with internal and external audits, compliance and regulatory requirements.
We basically act in three main aspects currently, core certifications and compliance.
And here we are talking about ISO standards. We are talking about SOC2 report, PCI DSS, like Victoria mentioned.
Also on the government part, we have a dedicated team for that.
And that's mainly focused currently in FedRAMP-related activities.
We can probably go in more detail. And then the privacy and regulatory compliance, where Rory is our star there.
Yeah, I think that covers basically our GRC department within the big security group.
So basically, everyone is in the security team.
And then within the security team, there's a department called Governance, Risk and Compliance.
And as you said, within Governance, Risk and Compliance, we have all those pillars, those different responsibilities, especially that really important one, customer compliance.
If anyone ever reaches out to the compliance team at Cloudflare, the security compliance team, they'll probably speak to someone from the customer compliance team.
So that's a really important team for us.
And yeah, security validation, that's us. So there's, I think, six of us in the team.
Three of us are here, which is great.
The other three are based in the US. And yeah, together we make up security validations.
Okay, cool. That is a little bit about who we are, what we do. Let's go into a little bit about what certifications and what validations Cloudflare has.
So the first one up, I think Sam is for you. What is SOC2 Type 2? And does Cloudflare have it?
I guess we do. SOC2 is a service organization's report on controls that exists in two types, Type 1 and Type 2.
Makes sense. Type 1 is usually like a perspective over the design and implementation of controls in a specific point in time.
Type 2, it provides an overview over a period of time.
It can be three months. It can be one year. But basically, it's an audit perspective on the controls an organization has implemented during that period of time.
Those controls are related with security, availability, processing integrity, confidentiality, or privacy.
The organizations can choose which of these five trust pillars they can include in their report.
This report is something requested many times to the organizations because it's really important in several different aspects.
It can be important as oversight of an organization because it provides an external perspective of the controls you have implemented.
It's very useful also in vendor management activities, due diligence processes.
Our customers, our prospects ask us this report a lot because it gives them insights over the way we implement controls, over our security practices, et cetera.
And yeah, I think that covers basically what the SOC2 report is.
Nice. And is it a global standard? Is it an Asia-Pacific standard, US standard?
Where does it originate from? It's originated in the US, but it's globally recognized.
Right. Nice. Nice. OK, the second one on my list.
I think, Sam, it's you again. C5. What about C5? Who or what is C5?
C5 is our newest, most recent achievement at Cloudflare, I guess, on the compliance perspective.
It's a report. It's a standard designed by the German regulator BSI.
It's the German Federal Office for Information Security. And basically, it's focused on information security for cloud services.
It's very aligned with other industry standards like ISO.
And also, as add-on, it includes or it implements or it's designed to help organizations to implement general requirements also on the EU Cybersecurity Act.
So it's something very helpful for a cloud service organization and is most focused on the German market.
But I reckon that this is also recognized by the industry, not only in Germany, but also in other European countries, for example.
Right.
Yeah, no, that's great. So it's both SOC 2, type 2, which has kind of originated from the US and become a global standard.
And C5, as you said, I think maybe the newest one, which is originated in Germany, but really understood and used across many countries in Europe and indeed globally.
All right, the next step for me. So it's the ISO.
So I guess first, what is ISO? ISO is International Organization for Standardization.
And in case you missed it, it is ISO, the abbreviation. But the name is IOS.
It's just one of those things. The acronym is different to the actual name.
But yeah, ISO. That's what it stands for, International Organization for Standardization.
And it's effectively a global set of standards bodies that come together.
Representatives from different countries come together, many, many countries, nearly all countries around the world, actually.
And they contribute to standards.
And it's a way of just having global trade and being able to deal between country to country, whilst also understanding, for instance, the size of a unit or a security standard in this case.
So the standards that Cloudflare has in the ISO range, so there's ISO 27001.
It's probably the most well-known ISO security standard out there.
Back in, I think it was 2001, when the ISO organization did a survey.
They found something like 36,000 organizations had this standard, ISO 27001.
And that was across over 130 countries. So really, really broad spread. It is absolutely an international standard.
2001, that's ISO 27001, is based around information security.
So it's a set of security practices. There is a related standard called ISO 27002.
That sets out all what are called controls, basically kind of rules, internal rules, to help you manage a business with regards to its security standards.
And so ISO 27001 tells you how to go about making sure those security standards apply in your organization.
And you can be audited against it.
So when someone says they have an ISO 27001 certification, what they mean is they've been audited by someone, an external third party, who come in.
They go through and check all those controls listed in that separate standard, 27002, are being met.
And then they can give you a certificate that says, hey, this organization has gone through this process.
They validated that they have all these controls in place.
And so we can give them this certificate. And as I said, it's probably one of the most widely used information security standards out there.
There are some additions to that.
So Cloudflare has had the core certification, ISO 27001, since I think 2019.
But also we've added on some standards. So earlier on this year, Cloudflare added on an addition to those controls, which is basically focused on cloud privacy.
So the management of personal information for a cloud provider.
Cloudflare obviously is a cloud provider, and we do manage a lot of personal information.
So this is a great addition. We added this earlier on this year.
So with ISO 27001, we've extended it to include ISO 27,018. It's the name of that second standard.
We also have a third ISO standard. In this case, it's one that was developed following the EU's publishing of the GDPR, the General Data Protection Regulation, which is the EU's kind of like big standard that's kind of become a bit of a global standard in privacy.
And what the people that contribute to the ISO organization did is they looked at things like GDPR and they extracted it just from the European laws and said, well, how can we make this into more of a global standard that could apply no matter where you are in the world, but using a lot of the principles, using a lot of the guides and the information that GDPR put together.
So as you'd expect, ISO 27701, that's 27,701, nice short name, is really well connected to GDPR.
If you look at the index actually of the standard itself, which you can buy from the ISO website, there's a mapping between GDPR and this standard.
So it really goes lockstep in. So basically by getting this standard, it's a really good way to demonstrate that you are on top of your GDPR compliance, that you understand how to process personal data in a safe and secure way, and one that really contributes towards your overall privacy program.
So those are the three ISOs that Cloudflare has, ISO 27001, ISO 27018, and ISO 27701.
Next one up is PCI data security standard. Victoria, can you tell us all about that?
PCI, Payment Card Industry Data Security Standard, is the standard for protection or the technical and operational requirements for protection of payment card or payment account data.
So the subject matter of it is payment account or information, which is comprising of cardholder information and sensitive authentication data.
So that is the subject of the PCI DSS. So in Cloudflare, we do validate in two ways.
As a merchant, since we accept payment card, payments for the subscriptions, and then as service providers.
So we have certain products that helps our customers and clients to meet their PCI DSS requirements.
That's quite cool. So Cloudflare both obviously has the PCI standard because like many businesses these days, we take payments online.
But also we have products that we can help other customers take payments online and meet the standard.
That's doubly cool. I think you've trumped us there, Victoria, immediately with being able to both use the standard with customers as well as use it ourselves.
So that's awesome. Finally, Sam, I know you briefly mentioned FedRAMP there, but perhaps you can just quickly summarize Cloudflare and what we're doing with FedRAMP as well.
Sure, basically we are in the process of getting FedRAMP authorization.
Basically, FedRAMP, that stands for Federal Risk and Authorization Management Program, it is a U.S.
government initiative that intends to provide a consistent approach to cloud products and services.
It basically is a risk-based method for helping the federal agencies to adopt and use cloud services.
FedRAMP can exist in two different impact levels, low, moderate, and high impact.
We are aiming for moderate impact in the moment, and it's basically the moderate impact is the standard for security of controlled and unclassified information across federal and government agencies.
So it's for government data that is not publicly available.
And the high impact will aim for sensitive data. And yeah, basically that's what we are currently doing in the FedRAMP space currently.
Nice.
So I'm checking against our description of our show. We have talked about what is a security validation tick done.
We've talked about what is PCI DSS, how does it help my business sell online?
Obviously, if you're taking credit cards online, it's hugely important that you have standards and protect that information.
So we've covered that. Before we go on to the next one, which is changes coming, it's worth saying, how do customers get access to these certifications?
Because often they want to download something or show a report. So what I'm gonna do is I'm gonna share my screen and I can show exactly how you get access to these online.
So let me see. Cloudflare, right. Hopefully my screen is showing now.
So Cloudflare has something called the Trust Hub. So if you don't wanna copy the URL there, you can literally Google Cloudflare and Trust Hub and it will take you to this section of our public website.
There's a page called Compliance Resources there.
And this is this page about certifications and compliance resources.
And you can see all the standards that we've mentioned so far. So ISO 27001, ISO 27701, ISO 27018, SOC 2 Type 2, PCI DSS 321, C5.
And this is where we add additional things.
And as we add more standards and more certifications, we'll be adding them to this page.
So you can find out more about the individual ones.
This is the public page. There's also a way to download the actual reports and to, if you're a customer, and we do ask you to be under a non-disclosure agreement before you access the further documents.
And that is a page we have on our Cloudflare Developers Docs site.
So it's called Access Compliance Documentation.
I find this page exactly the same way. I Google Cloudflare Access Compliance Documentation.
I think it's something that customers do a lot as well. And here we go.
This is how you do it. You log into the Cloudflare dashboard. You can go to Support and then Compliance Documents.
As I mentioned, if you haven't yet accepted the non-disclosure agreement, we require you to accept that.
And then you can download the documents.
And just a reminder, this is for a super administrator.
So it's the person that, the root owner of the account, the person that set up the account or is the top of the administrative tree.
Sam, do you reckon you can, let me stop sharing.
Do you reckon you can show us that page in the dashboard?
I think I can do it very quickly. Let me show my screen. Yeah, this must be one of the most used pages across both, I guess, our developer docs and also in the actual Cloudflare dashboard itself.
Can you see my screen? Yeah, we can. Okay. So basically I just logged in my individual account.
You have the support option here on the top right side.
You click Support, Compliance Documents. And basically it will appear the list of all documentation that we prepared and that you can use to help you internally.
It can also help you with your external audits if you need to provide assurance to your auditor that you are using vendors that are meeting your security requirements.
And yeah, you can just download and you have access to that information.
Nice. Yeah, a lot of customers ask for that page or at least ask for the documents on that page.
So there we go. You can go self -service, download the documents yourself in a really helpful way from the Cloudflare dashboard.
And just a reminder, if you need any more information about how to get there, just Google Cloudflare Access Compliance Documentation.
It will bring up that help page I just showed on the Cloudflare doc site.
Okay, cool. So going on to our next section, changes to certifications.
Okay, obviously we're working internally on new certifications the whole time and on extending our existing certifications, but all those standards change.
Do you mind sharing the next slide, Sam?
So I think we're going to talk about changes coming to the standard called the one I mentioned called ISO 27001.
So I hear there is a just almost ready to publish new version of this ISO 27001 standard.
I think the previous ones you can see from the screen came out in 2013.
So it's a couple of years old now. And the ISO organization likes to refresh these every 10 years or so to make sure they're up to date and they kind of reflect the latest best practices.
So we are literally waiting for the final one.
I think it's due maybe next week or in the next kind of week.
So yeah, if you're considering the standard, wait a week until the new version, the 2022 version comes out for them before purchasing it.
And so it's had a slight name change.
So instead of being information technology techniques, code of practice, it's information security, cybersecurity, and privacy protection.
Really interesting to see privacy being added in there as well. And there's a new structure this time around, isn't there?
So the controls have been kind of grouped into these four areas.
So controls that are related to organizational.
So about your own organization, the standards, et cetera, you have in place.
People controls. So making sure that people, for instance, maybe passed a background check before they're hired.
Physical controls. So obviously making sure things are safe physically rather than in the virtual world that you use.
Protection if you're moving media around the place, you have security if you're using physical data centers, et cetera.
And then finally, some technological controls.
And I think it's right in saying most of them are in the organizational.
So there's, I think, 37 controls in organizational. And there's 34 in the technological.
I think there's eight in people and 14 in physical. So the number has actually come down.
So previously there was 114 controls in the previous version of the standard.
That's come down to 93 controls. So it's actually they've merged some and changed them around a bit.
One of the other changes that we're seeing this time around is the addition of hashtags, what the ISO organization are calling attributes.
So it kind of helps you understand a bit of metadata, really, about controls.
So for instance, there's a control type, which is the hashtag preventative.
So you understand that's a preventative control. There's information security properties that they could be about confidentiality, integrity, or availability.
There's obviously cybersecurity concepts that things like identify, understanding what may be happening on a network or on a system.
And then some operational capabilities. Governance is a hashtag as well.
And finally, security domains. So governance and ecosystem and also resilience.
I think also they have in their protection, defense, and there's other ones that fit in.
So like for instance, detect, protect, identify, respond, recover.
They're all the ones under the cybersecurity concepts. Cool.
Sam, shall we go on to the next slide? And let's maybe deep dive into some of the new controls.
Yeah, just before going there, just let me add that this new version of the 27.0.0.2 controls is already published.
Like Corey mentioned, this supports the ISO 27.0.0.1 standard that is about to be published.
And how this impacts any organization.
So when the new standard comes to life or is published, the organizations usually have a time frame to implement a new version of the standard.
Usually it's about three years. So we are expecting the new 27.0.0 .1 to be published as soon as it is.
We have three years to adapt the internal processes we have to this new version of the controls published on the ISO 27.0.0 .2.
And yeah, that's basically that. Interesting things. So the new version, it includes some new controls and many of them were merged or rebranded, reworded.
And this is actually a good example of a control that already existed in the previous version.
And the wording is very similar to the already existing one. We can compare.
So I included here the wording on the previous version. We can see that the control description is very similar.
The implementation guidance it exists is again similar adopted to our new reality.
And also the purpose that is now something new on the new structure.
It's very aligned with what was called the control objectives that already existed in the previous version.
And we can see that on this control that we use here as example.
Moving forward, as well as updating the actual controls themselves, the structure has been changed and additional ways to understand them have been added in, which I guess helps with understanding and clarity.
Yeah, yeah, definitely. And just a quick overview over the controls because we kind of exceeded the time that we had planned for this.
And the new controls are actually new, but many of them were already somehow mentioned on the previous version of the standard.
They got more importance now. An example is threat intelligence that it was already mentioned in some specific topics.
Now it's explicit.
And here we can, for example, our security, our dashboards, the offer that Alfamir has can already give our customers a great help to achieve and meet this control on the threat intelligence.
Information security for cloud service, the title is obvious.
The increased relevance of cloud services for any organization required to have an explicit control for that.
Business continuity, for me, this is about the clarification.
It's a good clarification on business continuity controls.
The previous version mentioned a lot of information security aspects on business continuity.
And now it's completely explicit on ICT readiness for business continuity.
And other top, the ones, the topics that I think worth mentioning and highlight are the ones related with privacy and information deletion, data masking, data leakage prevention are the ones that are really new.
Some of the aspects were touched among several old controls on information classification, media handling and asset management.
But now we have very explicit controls covering those topics.
They are very related also with another ISO standards.
Some of them that we already have, like 27 ,018.
But there are a set of complimentary standards also touching on these topics. Worth mentioning also the web filtering, monitoring activities.
That is something that our software products can help you achieve with, especially on web filtering.
We have URL filtering.
We have DNS filtering. And there is, on the data leakage prevention also, it would work to take a look on our Zero Trust solutions and software for teams offers.
I think that's a quick overview. Again, Cloudflare has a number of products that can help you meet the new standards that are coming with our Zero Trust range.
That's awesome. Victoria, okay. I hear there's new changes coming to PCI as well.
Could you give us a quick summary of PCI version four? We've got about three minutes to go.
Okay, three minutes. So PCI DSS version four. So in this standard or in this iteration of the standard, the council aim to add additional requirements to meet evolving security needs of the payment industry, promote security as a continuous process, add flexibility for the organizations to meet the security objectives and to enhance validation methods and procedures.
So the examples of these are, for example, expanding the requirement for multi-factor authentication to all accesses in the CDE environment as opposed to before, there was only the requirement for remote.
So there are also additional requirements for e-commerce sites and for phishing to address ongoing threats for this as well.
So there is also the new flexible way for organizations to have their validation with the customized approach.
This has been introduced in this standard that organizations, risk mature organizations can define their controls and they can be validated against these controls.
Now there are certain criteria that needs to be met before an entity would be allowed to validate on that one.
It will be a different and separate discussion.
So there are also some added allowed flexibility as to the frequency of defined performance of activities.
So based on targeted risk analysis, so these activities like types and frequency of inspections of point of interaction devices, as well as the analysis for the systems that are not commonly at risk of malware.
So they can define when they will need to do that one.
So quickly in about 30 seconds, what is the timeline for people moving over to the new standard?
Does everyone have to do it overnight? Of course not.
So there is the 3.2.1, which is the current existing one is still valid until March, 2024.
So entities can either choose to be validated with the 3.2.1 or 4 .0 until March, 2024.
After that one, PCI DSS 4 is the only standard which entities can be validated against.
So, but there are also... There is still plenty of time. There is still plenty of time.
People aren't going to need to do it overnight. I'm afraid we are out of time.
I think we should have a sequel because we have so much to talk about.
Thank you so much everyone for watching. That has been the security validations team talking about security compliance and standards.
We'll see you next time.
Bye.