🔒 Securing Cloudflare with Cloudflare

Hey everyone, thanks for joining us here on Cloudflare TV and I hope you've been reading all the blog posts that we've been putting out for Security Week.

We have a few more coming in the week, but I wanted to take some time to highlight one of the posts that we published today, which is Securing Cloudflare with Cloudflare.

So my name is Ankur Aggarwal.

I'm based out of San Francisco. I'm a product manager here on our Zero Trust Group and I'm joined by Derek Pitts and Emily Hancock.

I'm going to turn it over to them really quick to introduce yourself.

Derek, do you want to start?

Sure. Thanks, Eric. My name is Derek Pitts. I'm a Director of Security for Cloudflare in Austin, Texas and I lead our Customer Zero Security Group, which is the team that leads Securing Cloudflare with Cloudflare.

Why don't you tell us what you do, Emily?

Hi, so I'm Emily Hancock. I'm the Chief Privacy Officer at Cloudflare.

I'm also based in San Francisco. And as you can imagine, I do all the things related to data privacy at Cloudflare.

Yeah. And as a product manager here at Cloudflare, I feel like I'm working with the two of you pretty closely all the time.

And we can get into more about why actually our relationships are so close here.

So Derek, you mentioned this really briefly here with Customer Zero, but can you tell us a little bit more about Securing Cloudflare and the Customer Zero effort?

Sure. So Customer Zero is what Cloudflare has recently started calling all of our initiatives towards using our own products internally.

So what we've we used to refer to as Securing Cloudflare with Cloudflare, we kind of got tired of saying it because it was so long.

So we morphed it into Customer Zero.

So we want to make sure that internally we are the first or the number zero customer for everything so that that way any sharp edges, bugs, new features are getting tested internally by my team, by the set of employees that we have for everything.

So we have people who volunteer to test the leading edge things. We have our standard group of every employee.

And so we do that a lot with teams like the team that you work on, work all the way across all the Zero Trust settings.

And we work a lot with Emily's team as well, because sometimes some of the features that are new or things like that have impacts on privacy.

And so we want to make sure that we're always keeping those things in mind.

Yeah, and we've definitely done this even for a feature recently where we released client applications and basically having the internal teams kind of vet and test them before we went out to customers with them.

It was kind of great feedback or just a great confirmation of really what we built.

So kind of to that vein, how do we kind of deploy these features across our software users?

Is it just kind of, Hey, we just turn everything on.

But we know there's a little bit more thought put into this and how we apply this.

And so what we start out with is kind of our security baselines, which we're moving or we're working towards getting the ideal state of Zero Trust, which basically translates into we don't care where you are.

Your network position does not grant you any authorization into any services or tools within Cloudflare.

So what that kind of translates into is we're using all of our Cloudflare one suite of tools.

So we have things like Cloudflare access. We're using the Cloudflare Zero Trust agent.

We use the secure web gateway, which is near and dear to hackers heart.

We use our data loss prevention tools. We use our CASB tools or the cloud access security broker tool for everyone who has to look that up every time like me.

I wrote it all the way out just so I wouldn't forget this time. And then we do on top of that, we do some selective things.

So we use our remote browser isolation and we use our tools that are part of the secure web gateway to increase the security of our employees browsing and Internet activity.

So kind of diving into those a little bit, with some of the granular HTTP controls.

So we have on all of our employees' laptops, we've deployed the Cloudflare Zero Trust agent or what was formerly known as the warp agent.

That way we use that as an on ramp to get to their Internet traffic, routed to Cloudflare's network to gain all of the speed and security, additional controls that that gives us.

And so we have that set up to do inspection of HTTP traffic.

And so that gives us some insight into what is happening, if anything bad has happened, or if someone's computer gets malware or things like that.

We can use those logs as part of a security incident to determine what, how, when, where, and why something happened.

Later on, we'll dive a little bit into how we balance that with privacy.

But right now I'm just going to kind of give a high level of how all of these things work.

We use the gateway to also proactively block malware and phishing sites, as well as we do some automated defense things.

So we block newly seen domains, things that may be suspicious.

We want to essentially block those proactively because they're most of the time used as part of command and control or phishing or malware campaigns against employees.

And then we next move on to selectively isolating Internet browsing.

So we do what we kind of collectively refer to as personal use isolation, which is things like news sites, blog sites, social media, personal email, things where a lot of avenues towards having malware or phishing get introduced.

We isolate those, and that means that we're running those in our remote browser isolation, which is running on top of Cloudflare's infrastructure and not directly on some end user's laptop.

So that helps protect the end user's laptops from any problems in browsers, any bypasses, any zero days, that kind of thing.

And I think something that's actually really neat about that one in particular is the fact that we've deployed this and deployed this so widely in terms of the categories it applies to, and many users don't even notice that anything has changed.

They still access everything, and it takes them a pretty long time to eventually notice that, oh, when I right click on this page, it looks different.

Up until that point, they have no idea that they're in an isolated session the whole time.

Yeah, we've made a lot of progress towards that, and us using it internally has helped improve the product a lot.

We've had a lot of sessions with the team that owns that.

And on top of that, we actually have a feature turned on in our email security product that allows us to basically be a little bit more lenient on our policies for stripping out links.

We turn on browser isolation for links in email that we deem may be suspicious.

This helps us reduce a lot of false positives and a lot of problems for employees.

So if we didn't have the feature, we would block them, which would mean useful things or things that customers are sharing or things that employees are sending each other might get stripped out, and that would be a ticket to our IT team or security team to get that restored.

With the ability to rewrite those as browser isolation links, we can allow those through because we're not worried about them compromising local laptops.

So that's a feature that's really interesting as part of our cloud email security suite.

We also do interesting things with geography -based logging.

We have some places that we deem are riskier for our employees to visit, and so we reduce their access based on them being in those geographies.

We also do a lot of stuff around data loss prevention.

So we want to make sure that things like secrets and some types of other data aren't being shared in places where they're not supposed to be shared.

We use that in concert with our CASB product as well for our Google Drive thing.

So it helps us find secrets and different sets of PII and different things like that that we don't want present in these places, and so it helps us identify those and remediate.

And something I know that we recently released for DLP especially and really announced even today was OCR and source code detection.

So that's Optical Character Recognization and Source Code Detections.

So I know that was something we got to test internally first before we announced it and rolled it out, which is basically we're now doing detections on images as well as the payload data or the text data.

And then additionally for source code detections, it's making sure that certain, say, programming languages or source code types are not uploaded to certain destinations.

So a lot of times, at least for administrators who are really concerned about uploading source code to only approved destinations versus any sort of, say, public repository or public generative AI endpoints.

So I know those are two announcements that are highly related here.

Yeah, and those are really interesting to us. We want to make sure that we're using our approved file sharing applications and their people aren't using personal or going up to different AI sites or different things like that.

So that helps us a lot with identifying those issues and remedying them as well.

And I think the last feature that I'll talk about is email security.

So we do have our email security product deployed.

We have all the business email compromise and all the features that are available to us turned on.

And that has helped us greatly reduce the amount of spam and phishing attacks that we get internally.

That tool is quite interesting because when we were trialing it initially, a lot of people were thinking that we weren't getting email or something was broken because it reduced the amount of spam and phishing that we got so much that people were not reporting it anymore.

And so a lot of people thought it was broken. But those of us who were trialing the product were really excited about it because it was actually detecting all of those.

And we were able to see basically in real time how much value we were getting out of it.

Yeah, I actually remember seeing a few chat messages internally of before and after of getting notifications of like, hey, this spam message is going around, please don't click on it.

And afterwards, we never saw those messages again.

And it was kind of great one to not have to think about tracking these things too.

It was just like, oh, it's another thing that's taken care of.

Yeah, it really spoils you, by the way, for your email and your private life because you forget how much spam and junk there was because in your work email, it's just so clean.

Yeah, that's so true. And Derek, thanks for walking through kind of how we've deployed Cloudflare Zero Trust at Cloudflare and kind of really embraced the Cloudflare Zero effort.

And kind of switching topics just a little bit or really related here is just we want to take some time to also talk about privacy.

So with Cloudflare deploying Cloudflare Zero Trust, we also get a lot of information on our users and our customers do as well.

And to this effect, we've released a number of controls in place to help maintain that user privacy because ultimately, user privacy is very important.

And you also don't want, say, the wrong people in your organization or really everyone in your organization to know, say, the browsing habits or the use of basically everyone that's going through your systems.

This is something that comes up pretty often with users or even our customers, employees, them wanting to be like, hey, I know security is important.

I know this is something we want to do.

But ultimately, a lot of people end up using their device, their corporate devices for personal use as well.

So they're always kind of concerned about what we can see.

So on the Zero Trust side, we've released things like the ability to control what's logged on Cloudflare.

So this is what's stored on Cloudflare.

Within Gateway, we've released controls of being able to say, hey, log everything, log only block events, or just turn off logging in general because I'm going to send my logging out using log push.

And within that, you can always control which fields are logged or sent to you.

And then additionally, we've also added another role within Zero Trust.

So with Zero Trust accounts, you have a super admin who's able to see everything and all the logs.

And then we have a number of different roles for each different type of user.

None of them have access to PII information unless they're granted the PII role.

This allows organizations and enterprises to ensure that only the administrators that need that PII information actually have it.

This is also great to kind of just communicate out to your users, your employees that, hey, we really do value your privacy.

And the reason we are deploying these tools is for security, not for some other reason.

And to add a little bit more to this, I'm actually going to turn it over to Emily to kind of talk through just privacy at Cloudflare and really how we think about it in deploying Zero Trust and really even broader.

Yeah, thanks. I mean, employee privacy is really tricky. So generally in most jurisdictions, maybe not 100% across the world, but in most jurisdictions around the world, an employee doesn't have a lot of privacy in their use of their work computer or their work system.

And so there's some, I think during the pandemic when everybody was really locked down, we probably saw some stories about a lot of spyware that companies were trying to roll out for the employees because they wanted to manage productivity and people were really upset.

And I think rightfully so, because nobody wants to feel like they're being spied on even at work, even if they know that they're not really supposed to have privacy in their work computer.

But it's also important for your employees to feel like they have some autonomy that nobody's constantly looking over their shoulder.

So you want your employees to feel empowered to do the rest work.

So when we think about privacy for employees, we're trying to balance these two things.

One is we want to make sure that the security protocols are in place to keep the corporate network as secure as possible, because we have that obligation to our customers, to the end users, that we don't want their information leaking out.

We don't want information, as Derek was talking about, we don't want anybody to accidentally email a file to the wrong person.

We don't want bad guys getting in and trying to infiltrate. So we have all of these protections in place to make sure that the data that we're entrusted by our customers and end users, we want to make sure that stays safe.

And to do that, we have to do a lot of things that for employees might feel like we're being more privacy invasive.

And that's why I think it was really, really important when we started thinking about Cloudflare Zero Trust, and we started thinking about all the products that we wanted to roll out for that.

It was really important to me and to the product teams to work closely together to figure out, okay, if I'm thinking about how to ensure employee privacy, or at least how to give employees more control, or how to give companies more control over the level of privacy for their employees, how can we build that in?

And so that's sort of what you were talking about, Ankur, that was a bunch of these different controls and logging to make sure that we're giving companies the ability.

We want to give companies the tools, and then they can decide how to deploy them.

And so that was, I think, one of the things that was really important.

And then from a Cloudflare perspective as Customer Zero, I think maybe more than some other companies, Cloudflare feels very strongly about privacy for everyone, and that includes our employees.

And so we took a number of steps to try to be as transparent as possible with our employees about what we were doing, what these tools are, what it means for what can and can't be seen about the use of their corporate networks.

And I think that transparency is incredibly important, and we urge our customers to do the same.

If you're rolling out the Zero Trust suite of products, you want to make sure employees understand what it means, and what does it mean for their laptops, what does it mean for their mobile devices, and then what are the privacy choices that the employees can make.

And so one of those things is, if I used to use my work computer to look at some kind of medical website and look up, I have a cough today, so I want to see what kind of dangerous medical condition I might have because I'm coughing.

If you're communicating really transparently with employees, an employee might think, you know what, maybe I'm not going to do that search on my work computer, I'm going to use my personal device instead.

Or the employee can think, you know, I don't care if anybody knows I have a cough and I'm looking up my symptoms, that I went to WebMD or name whatever medical website, advice website.

So, you know, because people also have really different levels of privacy when it comes to their colleagues and when it comes to their employer.

And so you want to give the employees that opportunity to make the decisions for themselves.

And I think making sure that you're really transparent about exactly what we're doing.

And so Derek and I spent a lot of time, because I'm not the most tech savvy person at the company, shockingly.

So we spent a lot of time trying to think, okay, let's take the least tech savvy person who's using the corporate devices.

They don't really understand how these software products and services work, but they know that this is how they use their device.

And so by putting yourself in the shoes of that person and helping to explain to that person, I mean, the old saying used to be like, explain it like you're explaining to your grandma.

Well, I mean, you know, grandmas all over the place are on the Internet now and are pretty tech savvy these days.

So maybe that's not the best analogy anymore, but kind of like that, figure out how you would explain it to somebody who's really not tech savvy and then help them understand exactly what steps they can take and give, you know, screenshots and other explanations to help them understand exactly what steps they can take to figure out how to make their privacy choices.

I think those were the things that we worked really, really hard on.

And, you know, it's the old saying though, that you can lead the horse to water and you can't make it drink.

I mean, we definitely have had the experience of, we've put a lot of, you know, information out there.

We've put a lot of effort into communicating these things and we still have employees say, wait, what, what?

And it's funny because we have an acceptable use policy that employees look at when they join the company.

And then we have annual legal training where they are reminded about, you know, what's acceptable on using Cloudflare systems.

We have employee privacy policies. Again, people get them when they start and then they are annually asked to review them and acknowledge that they've reviewed them.

And we have a lot of internal wiki pages that give a lot of advice and information.

And so a lot of information is there. And we really try to be proactive about putting it in front of people as much as we can so that people aren't taken by surprise.

Because that's the other thing about employee privacy is you don't want your employees to be surprised and to feel like they've been duped somehow that they didn't know all of this stuff was happening.

So we feel like it's really, really important to make sure employees understand what's happening, when is it happening?

And then doing a lot of training with folks on Zero Trust teams, folks on our internal IT team, internal security teams.

So they understand, you know, hey, we're in charge of data. We have access to data that could be really, really sensitive.

And we need to make sure that we're handling it with a sensitivity that it deserves.

And that's the other thing that's critically important for us is to make sure that everybody understands what their role is in protecting the privacy of that data.

Yeah, I feel like a lot of this is like, it's many fold, like you can't essentially do one thing and ignore the other, like getting it out in front of really everyone that's going to use the product or be subject to the policies, informing them early and often.

And then also baking these design principles, really, privacy principles into the products really helps us kind of build a cohesive product.

And really, it lets the user feel like they're a part of the journey here to secure the traffic instead of like, hey, mandated, you must go do this.

I think that's one of the important things that we've done as a company is when we do annual privacy and security training, we really emphasize to everyone in the company that everyone has a role to play in keeping data private and secure.

So I know Derek, my own security team knows this all too well, but we have a lot of employees who are constantly reporting tickets.

I got this email and it looks a little scary, or I got this thing and I shouldn't, don't think I should have gotten it.

And I think giving employees also the sense of ownership around being customer zero for our products also helps employees feel very empowered to help our customers.

And so they're part of the solution, not only for Cloudflare, but also for our customers.

And I think that actually goes a long way too, is bringing everybody in to say, hey, we all have a role to play in helping do this work.

And here's how you think maybe you're in the HR team.

And so you're not dealing with customers directly, but the fact that you handle this kind of sensitive data and you're helping us learn how we use zero trust tools as customer zero, that's really, really important for our customers.

And I think we really worked hard to try and have everybody in the company understand the role that they play there.

Cool. And I know we've gone through a lot here in terms of both how we deploy Zero Trust to protect Cloudflare, and then also test everything out before it gets out to users.

And now I'll try to see how we think about it more respectively here at Cloudflare.

Any last words before we let the audience hear?

No, I think one of the things that I would say is I would just echo Emily's communicate, communicate, communicate.

I always make a joke when I meet a new person at Cloudflare.

I tell them, well, I may not have met you yet, but I'm sure you've gotten an email from me.

Because every time we test a new feature or roll out a new product, I send an email.

I talked to Emily beforehand because she doesn't like surprises.

But we test the features out. We tell people, we send it, we write up what we're doing, how we're doing it, what kind of customer zero help we're looking for.

Like, hey, this thing is new. It's about to go out to customers, maybe for a security week launch, maybe for something like that.

Everyone test it out, make sure it works.

We want to make sure it's solid. We want to make sure we find anything that's wrong with it, or any bugs, or any like, man, it's not really supposed to do that type things before it goes out to everyone.

So it's always the joke that I make that like, you may not have met me yet, but I've been in your inbox talking to you.

And as a product manager on Zero Test, I greatly appreciate those emails and the effort put into getting these features in front of our company first.

Yeah. And I think like for our customers, I mean, the important things to note are, of course, you always want to make sure you know what the legal obligations are in whatever jurisdiction you're in with respect to your employees and their data.

So that's kind of the, as a lawyer, I have to sort of put that out there, right?

We can't give legal advice here. So customers need to understand that.

But as Derek said, really being clear, making sure you have clear policies in place, making sure you've rolled out those policies and like an employee privacy policy.

I can't think of a jurisdiction where those kinds of policies aren't required.

And it's good corporate governance to have policies around employees use of corporate systems.

So you have to have those policies in place. And the policies need to be flexible enough to give the company the ability to use technologies like ours.

And then at the same time, balance that with the company stance on employee rights.

And in some countries, there are employee works councils or unions where those groups may need to be brought in kind of early before these technologies rolled out or as these technologies are rolled out to make sure that you have their support and understanding.

Again, eliminating surprise for employees is really like the key thing to avoiding a lot of problems.

And the more you can do to explain to employees actually what's happening and help them have privacy choices and taking advantage of some of the privacy controls we've built into our products, the better it goes, I think, when you're trying to roll something like this out.

Awesome. Thanks for walking through that, Emily. It's a really important topic that we love to stress here at Cloudflare.

And Derek, thank you for walking through all the Zero Trust controls on our side.

So that's kind of a great wrap up of how we secure Cloudflare with Cloudflare.

And I hope everyone stays tuned for the rest of the feature announcements and blog posts we have planned for security week.

And see y 'all and thanks for joining our Cloudflare TV segment.

Thanks.