SECURITY SPOTLIGHT - The Future of Networks and Network Security

Hello, everyone. Welcome to yet another episode of Security Spotlight. I'm Arun Singh here with the product marketing team at Cloudflare. And today we'll be talking about networks and network security, the future of it. And my partner and friend today, Rustam, Director of Product here at Cloudflare, a person that I work very closely with on a day-to-day basis, learn a lot from. So Rustam, welcome to the show. Welcome to the episode. Thanks. Glad to be here. Cool. So Rustam, before we get into the meat of the conversation today, I'm very curious to know, what got you started? What's your personal journey into networks and network security? How did you get started with this? Yeah, it's a good question. And when we were chatting before the show, I was actually trying to figure out where this all started. So I grew up using Macs in the house, and this was in the mid-90s when that was not cool. I couldn't play any video games. I couldn't really do anything fun on my parents' chosen platform. And so the only thing left to do was basically do weird networking things between the various Macs in the house. And then I managed to befriend the IT team at my elementary school, and they started giving me their broken computers. And one thing led to another, and I had this Frankenstein farm of busted Mac power PCs in the house, literally under my bed at one point. And then I started hacking. I started telnetting into random SMTP servers and sending spoofed email. I sent an email from Bill Gates to my grandfather, which was very amusing at the time. I sort of think stemmed all from there, I guess is the short answer. But yeah, it's a good question. One of the really cool things about working at Cloudflare is what I do at work today is not that different from building crazy AppleTalk networks under my bed as a 12-year-old or whatever. So I come to work every day, and I'm like, this is pretty cool. I get paid to do the things I found endlessly amusing as a kid. So yeah. Everyone in your household must be like, look at all this mess, but the kid is curious. That's what's important, right? That conversation has actually happened between me and my parents. They're like, yeah, we used to get driven totally nuts by all that crap in the house, but it's clearly something worked out. Worked out in the right way. That's awesome. Okay, cool. Thank you for sharing that personal anecdote. Okay, let's get started with our discussion today about networks and network security. And as a product marketer, when I look around into the industry, talking to customers, one thing that always keeps coming up is digital transformation. They're agnostic of what the company size is, small, large, medium. They're always thinking about digital transformation means different people to different things. What do you think are some of the key drivers that are influencing this massive digital transformation that's happening? That's a great question. I think there's two parallel trends that are related, but different, right? One is, if we step back, the Internet, even if you're counting charitably, is 50, 60, the early days of the Internet, 50 years ago, maybe, right? We're very early in the history of networking and the history of the Internet and the history of doing business on the Internet. Doing business on the Internet has become more central to doing anything, right? So that's one sort of aspect of this. The other is that it's a lot easier, or the barrier to entry to get things connected to a network, and even to get things secure on a network is lowering over time, right? But because things are getting so much more important, faster than they're getting easier, people are like, oh, we got to pay attention here. We got to figure out what our act looks like. And so one of the things we've seen with computing is, if we go back 50 years, you're racking a mainframe or whatever, right? Martin Lovey is probably better to talk to you about that than I am. But we went from like mini computers to, in the 90s, and the first tech boom we saw, you were still buying servers, right? You're racking them, you're running your own data center. If you want to run your own application, you would buy a new server to run that application on, right? And that took a long time, pain in the butt, expensive. And sort of early 2000s, we saw virtualization start to become a thing, right? People realized that these things called hypervisors are really convenient, and you can actually run multiple virtual servers on one piece of hardware, and that makes creating new servers much easier, right? That was sort of a second generation of data center computing. And then people realized, wait a second, we run all this stuff in the cloud. And that became much easier. And then I think what we're seeing now with things like workers and other related products are functions as a service, right? And that's really, it seems like the direction that computing is going in. I think we're seeing the same thing happening on the networking side today, right? We're still at the phase, networking is significantly behind that evolution that we saw in computing, right? I think a lot of folks are still racking switches, racking routers, racking hardware firewalls, et cetera. And we're slowly seeing that transformation happen on the networking side too. Sorry, that was a really long answer to your question. Does that answer? No, no, no. It is. Actually, it got me thinking because one aspect that you mentioned that enterprises, companies embracing the Internet, we are still in the early stages. We almost take it for a given, like as if the Internet has been there for around forever. It's not. And you make a very good point there. And the second part is like, which I didn't realize before, but right now when you're talking about it, the barriers of entry of businesses has lowered, right? Because of the Internet. And I think that that is another piece because like now we're seeing health tech and FinTech and all of these kind of disrupting for what used to be traditional businesses. So that's very key. Great. So thanks for sharing the perspective on digital transformation and what's really influencing it. Now let's say that I'm a CIO or a CISO and I have a team of people, right? And what used to happen as you walked us through this evolution and through this journey from 80s, 90s to now, what used to happen is that my team used to be this custodians of infrastructure. My team used to always be reacting to change. Business asks us something, we react to it, right? And now the IT leaders of today are going like, no, my team is not that reacting to change, they're the drivers of change, right? So when they're making this paradigm shift of being drivers of change, what do CIOs and CISOs care about the most or what should they be caring about the most? That's part A of my question. Part B of my question is that as they're making that change, the current solutions, do they fit into that transformation? And if not, why not? Yeah, I mean, I think this is actually the answer to this question is very, very, very tied to the trend we were just talking about, right? Like when deploying new hardware or making a change to your IT architecture deployment, the timelines for those things were measured in years or months or weeks, best case, right? The length of that timeline just sort of dictates how you do your job, right? Like, and you're going to be very reactive and like, or have to plan on these long timescales. And as things have gotten more nimble, and the sort of amount of housekeeping, literal housekeeping required to get more infrastructure online or for you to change the way your infrastructure works has gone down, you know, we're waiting for the server to arrive, or we're waiting for the firewall to arrive, or we're waiting for a change window or whatever it is, that sort of excuse for a lack of velocity sort of has gone away, right? So I think CIOs are expected to be much more responsive to changing business realities, right? And then tying back to the other trend we were talking about, the Internet is just more important, right? So the CIO's job is more important as a result. And so these two things, again, combined, have changed the way folks have to think about operating networks and securing networks. Yeah. I remember that a decade back when I was working at Sun Microsystems, the infrastructure team used to take pride in saying, we keep the lights on. And how that whole paradigm has changed quite a bit. Okay. Thanks for that. Let's shift gears towards a different challenge that enterprises and organizations face today, which is, advent of the cloud has happened, which has a lot of advantages. Everyone knows about it. But one thing that is changing is multi-cloud adoption, right? So going from on-prem data centers to the cloud was one jump, but not just to one cloud, to multiple clouds. And I was reading an article by one of the leading banks in Australia. The GM of the cloud business was saying that our main partnership is with AWS, but we also have a strategic partner with GCP, Azure for business continuity, which is great, right? But at the same time, it's complex, right? What's your view on that? How should C-level execs, but also IT teams be trying to take that challenge head-on? Yeah, no, it's an interesting question. Also, I think I've actually met with that CISO at that Australian bank back when you could do things like that and leave living rooms. I think multi-cloud is an interesting thing to talk about, right? I think there's sort of different approaches people take to multi-cloud, right? One is, I'm on-prem right now. I'm thinking about my transition to the cloud, and I don't want Amazon or Microsoft or Google to have a disproportionate amount of power or influence over my IT spend, right? And so that's the sort of, I'm going to spread my spend across a bunch of vendors, and I'm going to try and keep my workload on them as generic and portable as possible. I think that's actually, it sounds great in theory. In practice, it's a bit of a pain, right? It turns out managing a bunch of deployments and managing things from multiple vendors and trying to treat them the same is difficult. And I think the other thing that comes out of that is that these different clouds have relative strengths and weaknesses, and if you're trying to hit the lowest common denominator across them, you're missing out on some of the good things that moving to the cloud brings, right? So the other approach I've seen is folks moving to multi-cloud and trying to find the sweet spot on each of these vendors and then sort of use the good stuff and leave the bad stuff. In either of these deployments, one of the interesting things about our position at Cloudflare is that we are a natural way and place for customers like that Australian bank to route traffic to and from multiple clouds and make sure that consistent security posture is enforced across those cloud deployments. So that's something we're seeing more and more of and just makes sense to me and is also something we're excited to build further product functionality around. Yeah, break the complexity with a single posture. And I think we are not that far off from even from a compliance perspective, these kind of things becoming the norm, right? Some compliance things coming up and saying that you should not have all of it in one public cloud versus multiple public clouds. Yeah, I mean, that's actually a great point. There's both the like vendor aspect, like you might want X to go to Amazon and Y to go to Microsoft for compliance reasons. But the other thing we've seen more and more of is that from a geography perspective, right? So this data should stay resident in the EU and this data should stay in India and this data should stay in Turkey and down the road. And that's also something that we're focused on supporting. We have a pretty mature feature set out in the market right now to help CIOs and CISOs manage that sort of data residency aspect of things. We just launched something called regional services that's specifically focused on that. But yeah, I think that's another interesting dimension to this multi-cloud digital transformation story is like how do we deal with things like data sovereignty. Yeah, I mean often compliance can become one of those dry topics of discussion, but it is actually one of the very critical parts of a business. So especially C-level suite is keeping a very close eye on that, right? Okay, let's talk a little bit about network as a service, right? So I remember the time when, not too long ago, network security, one arc of it used to be access control, there's ACLs on top of rack switches, it moved to host -based ACLs and now like things move into the cloud. You, since elementary school, I've been thinking about networking products, building things together. What's your view as leading the products in the space on network as a service? That's a good question. I think, yeah, there's a couple different ways to tackle this, but so I used to work at one of the hyperscaler cloud, you know, compute companies. It was at Microsoft and we were just starting to transition from sort of custom, really high-end hardware doing our networking to more of a software-defined white box, run fancy software kind of thing when I was there in the early 2010s. But at the time, so software-defined networking and network function virtualization were really, really trendy topics in the industry. But unless you were Facebook or Google or Microsoft, practically speaking, you weren't going to deploy any of that stuff, right? You needed a full-time engineering team to make sense of even the logging output from one of those switches. I think if I were asked what networking as a service is and why folks should pay attention to it, it's really companies like Cloudflare building functionality that helps anyone on the Internet, any company on the Internet, take advantage of things like NFV and SDN and the benefits they confer without having to pay for, you know, a high-end, not just network engineering team, but like engineering team building networking gear, right? That's literally what you're paying Cloudflare for. So I think, you know, there was a lot of hype behind those words five, ten years ago and I think some of that's died down because folks are like, well, we can't actually realize these benefits. But I think the spirit behind those things was totally sound. It was just that the hype led reality a little bit and I think we're able to deliver those benefits. And this, again, ties back to that journey we were talking about at the beginning of the episode where, you know, we're going from physical hardware to virtualized hardware to functions as a service. This is literally what's happening with networking right now, right? We're going from physical hardware. You're seeing some vendors move to virtualized hardware, right? Like literally taking the box they had and then making it virtual. And then you're seeing providers like Cloudflare move to the sort of next generation and deploy network functions as a service, right? So a lot of our network security tools, whether that's, you know, Magic Transit or WAF or whatever it is, are delivered globally at the same time from all of our infrastructure and are really much closer to workers or that functions as a service story in terms of paradigm, than they are like just sort of old school at this point, virtualization. Yeah, you touched upon one thing that always makes me cringe, which is that the virtual appliance aspect of it. You had this hardware box and somebody came to you and said like, oh, no, we are going cloud first. How do you do that? And we're like, no, don't worry about it. Yeah, it's like just take the box and wait, we still have a box now though. It's just virtual. There's obvious benefits. Again, like don't get me wrong. There are certainly benefits to taking hardware and making it virtual. There are more benefits to taking the box and smashing it into a million pieces and turning it into, you know, something delivered truly as a service as opposed to a box that sits in a data center. I mean, just to get specific, the real benefits there around performance, right? So especially if folks move from sitting in an office to working from living rooms and bedrooms and whatever it is all around the world, the idea of just like having one box, whether that's physical or virtual, performing your security functions is literally just not going to scale, right? If I had to do all my work by connecting through a VPN appliance, even if that was in San Francisco, I would be miserable, right? And I would say I don't particularly enjoy working in my living room, but things like Cloudflare Access and Cloudflare for Teams that really allow folks to connect to the Cloudflare corporate network or customers that are using its corporate network in a really secure and performant way, really changes the game on things like work from home. Yeah, no, and last year, well before all of this global pandemic started, I was thinking that, you know, how the branch office thing has completely transformed, right? Now a salesperson who's on the move trying to access a SaaS application like a CRM is kind of an office of one, right? And to the same exact reason, like that sticking that box or a virtual appliance there, is that the best solution for scalability? I mean, yeah, you could put a VPN appliance in everyone's living room, but that doesn't sound... And then connect it via MPLS to your cloud. Yeah, and then we would be having this conversation with our videos off because the bandwidth wouldn't work out. So yeah, no, totally. I think that way it has completely transformed. So because, you know, you lead the products here at Cloudflare, I cannot resist the urge of asking you this, which is Cloudflare has been innovating and shaping the path of this piece, right? And you touched upon it with some of the products like Magic Transit and Cloudflare Access. Can you give us some, maybe one or two tangible examples, a little bit more detailed as to how Cloudflare is helping lead this transition? Yeah, I mean, so just like the Internet is relative in its relative infancy, the move to the cloud is as well. I think, you know, if you're in San Francisco and you work at the fancy, cool startup and everything's on AWS and Kubernetes and all this, it can be a little shocking to hear that like, no, most companies and most important companies doing important work are just starting to think about things like Kubernetes and AWS. So yeah, I think the transition to the cloud is in its infancy. And one of the things that I'm super excited about is, you know, you see this in developing countries where they actually had really poor wired phone service, right? And they have then managed to deploy really, really mature cell networks. Reliance Geo is actually a great example of this, right? India has gone from a relatively unconnected country in a lot of ways to like access to the cheapest, highest quality bandwidth in the world. I remember that, I loved that. Yeah, exactly. And so like, they were able to go from like, not as a worst, but like, not the best to first, and they skipped a whole generation, right? And so I think we're going to be able to do the same thing for companies that, you know, are on the leading edge of that transition to the cloud, but are starting to think about it now. We're going to help them just like totally leapfrog the folks who sort of started that transition earlier, if that makes sense. Yeah, no, no, it totally does. If I may just narrow the scope a little bit of our conversation to one particular arc of network security, which is DDoS, right? It has sometimes such a profound, significant impact because of the disruption that it can cause. And because we started at the top, talking about digital transformation, C-level execs, IT teams, one thing that they are always thinking about is cost effectiveness, right? Because security in the past has been kind of a cost center. You don't want security to be a cost center. You want to show that you, you know, for every dollar that the CFO is investing, we are saving you $5 in mitigating risks somewhere, right? So what's your view on cost effectiveness for, in general, for these cloud-delivered services for DDoS, and specifically for Cloudflare, how do you view that cost -effectiveness value to customer through the products that your team is building? Yeah, so I feel like I've answered every one of these questions with, well, there's two ways to think about this, but there really are at least two ways to think about it. I think there are two ways to think about this problem. One is from a technical perspective, and the other is from a cost and budgetary one. From a technical perspective, doing DDoS mitigation with an edge network like Cloudflare just makes more sense than trying to do it with an on-prem appliance, right? So imagine a data center, you know, you have a rack of hardware, router switch, bunch of, you know, firewall, WAN optimizer, and a DDoS mitigation appliance. You buy some transit from whoever your local provider is, you know, one gig circuit, or 10 gig circuit, or 100 gig circuit, right? Doesn't matter. So say you have a 10 gig circuit, and you have that scrubbing box trying to clean traffic coming in. It is trivial for a booter or some kid to come in, and it's usually a kid, to come in and say, I'm going to throw 20 gigabits per second of garbage at you. The best set of DDoS mitigation hardware in the world in that data center would not be able to do squat to solve that problem, right? You just have a math problem at that point. 10 gig pipe, 20 gigs of traffic, bad things are going to happen. And I mean, obviously, you can go upstream to your transit provider and start asking for null routing and all this stuff. But like, A, the time to mitigate on that is horrible. B, the sort of like, employee experience, both for your employees and for your IT staff is horrible. And C, like, who wants to do that, right? The collateral damage involved in something like null routing is quite high. Contrast that to deploying something like Cloudflare, Magic Transit, or other DDoS solutions. We've got 37 plus terabits per second of capacity globally. That's a very real number. That's not fantasy. And, you know, even if an attack, you know, an order of magnitude larger than what we've seen before were to hit the Cloudflare network, we would be able to absorb that, right? And so, you know, that math problem just goes away. The second thing here is like, the quality of our mitigations is going to be higher than that most of the boxes out there, right? So we solve both the sort of 10, 20 gigabits of traffic in a 10 gig pipe problem. And we also just do a better job than any scrubbing appliance. And so on top of all that, because we're being consumed and delivered as a service instead of on a hardware purchasing cycle with maintenance contracts and all that, the economics are just going to be better, right? And say you go from 10 gigabits per second capacity in your data center to 100, that's a phone call with Cloudflare, right? And you've gained that agility that we talked about earlier, right? Like that capacity is, you don't even need a phone call actually, the capacity is just there. And contrast that with the old world, where you had to go buy another 10 boxes, right? Who wants to do that? So, yeah, I think that's, thanks for bringing it up. That's like a really good example of real crystallization of the value that someone like Cloudflare can provide for an enterprise IT team. Yeah, because often I think about it from like the true cost, like not just the dollar amount, but as you were mentioning that waiting for a week for a box to arrive and racking stacking. And before that, when I was at Sun, a lot of the customers they used to do sizing exercises and there was a whole effort around it. So it's not just that dollar amount, but the amount that you're spending in time and effort as well, right? I don't want to make it time intensive. Totally. I mean, the opportunity cost of your people's time is almost always going to be higher than whatever you're spending on hardware vendors. And yeah, no, that's a great point. Yeah. And then it goes back to the earlier thing that we were mentioning, like, do you want to be custodians of infrastructure? Or do you want to be driving change with the business and being rock stars at your organization, right? Yeah. Great. One final question. I'm going to try to make it quick because we are almost at time. Whenever I talk to security professionals, it's a lot about observability as well, right? Analytics. I want actionable analytics. I want intelligent analytics. So what's your one minute thought on analytics and observability in this cloud world and also from a Cloudflare perspective? Yeah, that's a good question. I think there's a couple of different ways to come at this. More than two, so a couple of different. Yeah. I mean, so one thing, you know, the cloud is supposed to make things simpler and more agile and all these things. And I think it does. But like in that intermediate step where you're like, OK, I used to have a data center. Now I have a data center and one or two or ten cloud providers just getting visibility into what's going on sometimes does get more complicated. Right. And so just having discipline about setting up proper monitoring and proper logging and all that stuff is hard and important. And I think, you know, again, folks use Cloudflare as this sort of central routing platform. We also see a lot of folks use Cloudflare as like a central logging and visibility platform as well. That's great to hear. So I feel like there's so much more to talk, but we'll bring you again for one more episode, Rastam. Always have time. Thanks for the insights. Great to hear from you. And until then, to our audience, stay tuned for another episode coming up shortly.