🔒 Security Week Product Discussion: Commitment to Customer Security
Presented by: Rebecca Rogers, Matt Gallagher, Madeline Gregory, Ling Wu
Originally aired on March 22, 2022 @ 6:00 PM - 6:30 PM EDT
Join Cloudflare's Product Management team to learn more about the products announced today during Security Week.
Read the blog posts:
- Application security: Cloudflare’s view
- Network performance update: Security Week
- Commitment to Customer Security
- Using Cloudflare One to Secure IoT devices
Tune in daily for more Security Week at Cloudflare!
SecurityWeek
English
Security Week
Transcript (Beta)
Hi, everyone. We're here today to talk about our commitment to customer security. I'm with I manage a governance risk and compliance team here at Cloudflare and we sit under the security organization really excited to be here with a few members of the team.
We'll do quick rounds of introductions starting with Rebecca.
Yeah.
Hi, everyone. I'm Rebecca Rogers.
I'm our manager of our Security and Privacy Compliance team here at Cloudflare.
And then my team also works on some regulatory obligations that we adhere to as well.
So we cover security, privacy and the regulatory obligations. And then I'll pass it over to Madeline to do an intro.
Thanks, Rebecca.
Hi, I'm Madeline Gregory. I'm responsible for risk management under GRC.
We're more of the internally facing team for GRC.
We work with a lot of the engineering teams across the business to manage risk.
We have essentially two functions, an internal risk function.
That's our risk assessments for Cloudflare systems, how we rate risk, and how we manage risk across the business.
The second function is our third party risk program.
This is our vendor review process for primarily software cloud and data center vendors.
We also are responsible for enforcing our security contract terms with our vendors.
I am Matt Gallagher.
I am a manager of our security compliance team.
We work with our customers to enable them to understand our security protections, address their questionnaires, assist legal with negotiations in our contracts to make sure that all those protections that Rebecca and Madeline's teams make sure the company has are aligned with the agreements that we provide our customers.
Thanks, Matt.
Our mission within the security, as well as the governance risk and compliance team is really, really to go above and beyond what our customers expect from us, whether it's it's how we manage our third party providers or how we deploy encryption at rest or in transit or in between the data centers.
We really want to show that we take a risk based approach as it as it relates to securing all levels of security as well as all levels within our environments as well.
And we do so while meeting industry and regulatory requirements. The way the GRC team is structured is really kind of like a continuous loop.
So our security engagement team, as Matt says, listens to our customers and understands their needs, how they want to use our products, the type of information they want to send through our products.
And we feed that information over to the validation team, to Rebecca's team, to determine what are what are the gaps for these requirements, what are the gaps for these standards?
And any of these risks that are identified through our customers, through these third party assessments go to Madeline's team for the risk team, and they help provide visibility to management and other organizations on what we need to do to address them, what do we need to do to fix them?
And that cycle basically gets repeated continuously.
So throughout the segment, we really wanted to just go through what differentiates us.
And to start, I got this question yesterday from a customer, and they really wanted to try to understand our approach to third party certifications and reports.
They really weren't sure if we had a separate environment for certain types of data.
And I'm going to go to Rebecca first. What do you think is unique about our approach to third party certifications and reports?
Yeah, I think there's really two things that I've seen here that I think are really unique to Cloudflare that make our approach to our certifications and validations really great.
The first, I would say, is the scope of our validations.
So typically I've seen a lot of security certifications be scoped around the products and it's pretty an onerous process to bring in a product by product for each of these certifications.
But here at Cloudflare, what's really nice is we serve our all of our products through one global network.
So all of the production infrastructure that we certify through our validations is giving our customers our reliability products, our security products, all our whole fleet of products.
So I think it makes it really unique for us to go and say we have a global managed network that is SOC2 certified, ISO certified, etc.
So it makes it really unique and really easy for us to be able to say we're validated for various different certifications.
And then I think the other thing that makes our approach to our third party certifications really unique is we get a really great support from our leadership.
We get approval from them on every certification that we go through.
We'll present what this certification is going to value add to our customers and to our regulators.
And we'll give them all of that information to make sure that they're really behind the decision to go for a new validation.
So I think we are in a unique spot where we really get that executive leadership approval before we go and achieve a new certification.
So I think those are the two things that make.
It pretty unique.
And to amplify what Rebecca said about the uniqueness of this process, it gives us a high level of confidence that we can represent to our customers that we have achieved these certifications or undergone these attestations at essentially our platform level.
So we know that we're operating in a certain way across all our products, and it establishes this baseline of trust with our customers that we can provide a level of security broadly and completely across our products and environment, and that also allows us to be transparent about those details.
We don't have to remember that we've got something hidden in a closet over here versus something hidden in a closet over there.
And that makes it real straightforward to speak to a customer about what we can and can't provide in terms of security on our platform and our products.
Yeah.
I think the way that my team supports this.
We're kind of.
Someone suggested we're similar to a product team for security. We're aggregating all the risk inputs into one risk register.
So when Matt receives feedback from customers or sees trends of things that our customers would like to see from our security posture, we can capture those assets.
When Rebecca sees any findings or opportunities to improve from our external audits, we automatically add those to our risk register.
And then I think from the risk team perspective, like I said earlier, we're more internally facing.
So we're the ones working with security and engineering teams to drive, drive those risks with them and make sure that they are addressed and mitigated.
And then we are responsible for feeding that information back to Matt and Rebecca so that we can improve our audit controls for the next round of audits or update our customer responses.
So we have that very circular flow that we mentioned earlier between our teams.
The other piece that we are responsible for on the third party side is slowing requirements down to our vendors.
So my team makes sure that any of our requirements for customer supporting vendors and our audit requirements are passed to all of our critical vendors.
Yeah, it definitely is very circular when you think about it.
We always get this question too is like, how do we stay up to date with everything?
I mean, there's so much where we're located in so many cities and regions and there's so much that is asked of us.
From a validations perspective, I love each one of you guys can talk about like how each one of us play a part of staying ahead of these new standards and regulations and requirements.
Yeah, I can I can start there.
I think it's also two different avenues here on the validation side.
The first is we work really closely actually with our public policy team.
So if there is a new market and we're getting new customers and new regions, we'll work really closely with the public policy team to really ask them what are the security regulatory obligations that we have in this region?
What are the privacy regulatory obligations that we have?
And we'll make sure that we understand those and work really closely with that legal team to make sure that we're adhering to all of those regulatory requirements.
And then I think the second piece we work really closely with Matt and team is we get all of the intake from our customers.
So what validations are they asking for us to go obtain so that they can gain more customer trust in Cloudflare?
So I'll pass it over to you, Matt, to just kind of talk about how you get that information from the from the customers on what they're looking for.
Thanks, Rebecca.
Customers really are our main source of concern in the platform and use of the platform.
They're driven by their own risk tolerance and sensitivities by their customer markets, but they also have to comply with their local regulations.
And those can be.
Pretty unique depending upon the region of the world that customer operates in.
And they often bring to us questions about do you comply with this framework or what do you know about another framework?
And we'll get very early indication of frameworks that are emerging in given markets.
So it may not be even something that's quite published yet, but we can start doing research and finding out do we have do we have the appropriate controls?
How difficult would it be to certify? We do a little bit of analysis, we pass it to the validation team and then we take a look at the market and what sales believes that we're going to be required to provide to our customers in that region.
And that will help drive the discussion on whether or not we pursue a new certification or audit.
well.
Yeah.
My team really supports the internal side of this planning. We conduct our annual enterprise risk assessment.
So this is reviewed by our third party auditors as well.
But it really helps us stay ahead of business changes that might affect our security posture.
So, for example, we'll meet with all the engineering teams to talk about new products or new product directions and see if.
This.
May change the way that our products, that our customers use our products or the type of data they want to put in those products.
We'll also talk to our infrastructure team to see if they have any changes in how they're growing our network or expanding data center deployments that might affect security as well.
So then we summarize this information and provide it back to Rebecca's team.
And Matt and Rebecca can use that to update any audit, scoping or any controls that we need to provide for our customers.
I think that like what we were a lot of what we were just describing as relates to like new standards and requirements and how that all flows, whether it's from the customer side or regulators or what.
And the drive from a business perspective like that, for the most part, is like providing trust.
And when I think of customer commitment, like trust is actually just one, one term that comes up and the other the other one is transparency.
So through trust, there's through validations and through reports, we have these conversations with our customers to give them a sense of that.
We have everything in place and it's running effectively so they can trust us with that information.
And the other piece I want to focus on is kind of the transparency aspect of things that we haven't really talked about.
And transparency is really I feel like it's in our company's DNA.
We are transparent about all incidents and aren't afraid to show what we've done or what we're planning to do, especially most recently is related to the auto security incident that occurred yesterday.
And we already have a blog that's in our response and how it impacts us.
That was up and running, I think this afternoon and live this afternoon.
We did so previously with SolarWinds, Log4j, etc.
I'd love to turn it over to the team.
Madeline first related to like how do you how do you think we demonstrate transparency on incidents as it relates to risks?
Yeah.
I think we're, um, we have an interesting process from the third party perspective and actually lived in as part of the incident response process, which is not something I've been looped into in other jobs.
So really from the start, we'll work with the detection and response team to reach out to our critical vendors.
Those are the products supporting vendors and processors that matter to our customers.
We maintain a critical vendor list to help us do this quickly, and then we have some automation that really allows us to reach out fast and find out if our critical vendors are affected.
We'll also provide this feedback back to our obviously our detection and response team, managing the incident, but also to Matt and Rebecca.
So they can use this information to update our customers and regulators on our status as well.
And then we get that information that we do get from the rest of the security team, including Rebecca and excuse me, Madeline, and the incident response process we use to create customer consumable information.
We immediately get inquiries from our customers because they have recognized that we do respond very quickly to inquiries.
They get submitted either via their account teams or via our support process, and we provide individual responses to customers.
We provide information facing the sales team so they can provide quick responses, and then also work with the incident response team on messaging that's used for customer support.
So as you can see from any of the incidents that have been public, for example, SolarWinds or the Okta incident yesterday, we have an extremely prompt and informative public and customer facing response and we try to do that to eliminate the fear, uncertainty and doubt that goes along with hearing a major vulnerability in supply chain or other providers.
And it allows us to set the conversation where it needs to be in terms of what our customers need to be concerned about.
- Rebecca?
- Yeah. Yeah, I would just add we use that response that we provide the public and our customers to also send that notification to our regulators.
You know, sometimes we have an obligation to inform them of various incidents or outages, but we go above and beyond that.
We'll give them all of the information that we have to be as transparent as possible with our regulators just so that they have all of that information.
So if we have a blog post out on an incident, we'll send them and point them in that direction so that they can learn as much as we know.
So that's where the validation stream definitely comes in.
And then I think another thing, too, is we really test that process that we just talked about with incidents and notifying our customers through the third party audits that we do.
So we'll bring in third party auditors for various different security and privacy validations, and they'll test that incident response process to really just show the test that we're doing what we say we do in our processes.
So that's another great example where we're really putting the rubber to the road.
I think we are definitely I mean, as you guys can see, I think it's it's just really part of our DNA as it relates to how transparent we are with and the information that we provide as it relates to incidents or any type of issues that we encounter.
I think generally a lot of our customers really want to understand our security posture, I think.
Matt, you and your team always gets a lot of questions related to the type of controls and the layers of security we have as it relates to the underlying infrastructure that supports our products and services.
So how are we transparent with our security posture, with customers, and what do we do to ensure that they have the information that they need?
Well, my team is a I'd like to think of us almost as librarians in terms of information about security for Cloudflare.
We continuously research and develop customer facing information.
Cloudflare has got an enormous rate of improvement and change and development.
And so we're constantly studying new features and the what they provide to our customers and what the security precautions are around those.
We are integrated tightly with the rest of the GRC team to understand where we are in our certifications, what our coverage is, and how that translates into controls that we can talk to our customers about and taking that information.
We also work with legal to make sure that our customer contracts align with all these facts so that we're what we're promising our customers from the sales process through signing their agreement.
And then execution of what we've done in the agreement all aligns with their expectations based on the reality of our security protections at Cloudflare.
We also help ensure that logs and other things produced by security address customer concerns.
Sometimes security people are very technical and a great explanation is great for security people, but it also needs to be able to include non-security people.
And we also make our information readily available for customers. The audit reports and other artifacts that we supply for our customers are downloadable from our dashboard, so customers can self-serve to get those anytime they like.
They can submit their annual surveillance questionnaires through their account representatives, and they all get addressed by our team in a reliable, repeatable and authoritative manner.
Yeah.
That's awesome. I love that we stuck to it and ensured that we're able to allow our customers to self-serve.
I think that saved us a lot of times and then also save a lot of time for our customers because they are able to just get all the information that they need on the dashboard.
Speaking of speaking of certification validations, Rebecca, what's on our roadmap?
I think we have some exciting news that we want to share today. Yeah, I'll start with the breaking news.
So yeah, the first is that we actually just obtained our ISO 2718 certification just earlier this morning actually.
And this is really a privacy validation that we obtained around cloud privacy.
So we're excited to announce this is actually our second ISO certification that we have in our in our privacy validation space.
So yeah, that's the that's the exciting news.
But then maybe I'll take a step back and just kind of talk about the 2022 roadmap in general.
The first is really just all of the standards that we already maintain and we go through these requirements annually with different audits.
So the first is our PCI validation that we go through annually.
We're going through that again in 2022 and just maintaining that PCI validation.
And then we also have two ISO certifications that we maintain ISO 27001, which we've had for several years, and we maintain that validation for our global managed network.
And then the last ISO certification that we actually got last year is ISO 27701,* which is again, another privacy validation that we have.
So we're we were very excited to get that validation and be one of the first cloud companies to get that validation.
And then we also have SOC2, which we've also had that validation for several years and we go through the SOC2 every, every year.
Yeah.
And then we actually have two other exciting announcements in terms of the 2022 roadmap.
The first is our C5 certification that we're adding to our docket of certifications.
And this one is validation that's really closely aligned with our SOC2 validation that we maintain.
But it's actually a framework that was adopted by the BSI, which is a regulatory body in Germany.
So it's really specific to our German market and our German customers are really excited for us to obtain this and then we can provide that and have more customer trust in that region.
And then the last is our FedRAMP moderate authorization, which we're currently in the process to get.
So if you actually go to the marketplace, you will see Cloudflare as listed as in process.
So we're going through that audit right now and we're hoping to obtain our authorization sometime in 2022.
So we have a ton of certifications that we already maintain and we'll continue to do that annually.
And then we have a ton that we're adding just to again hammering in on gaining customer trust, whether it's a new markets or in new industries.
So that's what's coming up this year.
And then I think we have some stuff on the customer compliance side, if you want to talk about that, that's right.
We currently are, we just in fact achieved a microsoft SPA certification.
So we're now on the on Microsoft's marketplace for their partners makes it much easier for folks using Microsoft products such as Azure in an office to integrate Cloudflare with their operations.
And we're on our roadmap is updating our CSA Caiq this year and applying for the CSA Star Level 1 compliance.
So we'll have a couple of more customer facing things that can be applied and we'll continue to work on whatever comes in.
That's awesome.
I think we have like a ton on. We've been really busy with a lot of these initiatives.
I think we have like a few minutes left, so I think I'll probably ask a few commonly asked questions from our customers.
And let me see.
I think what we typically get is ready for my data.
Where is our information?
Where's my where is my information stored?
And we typically have to explain to our customers that Cloudflare is a global platform.
There's 300 and over 300 points of presence around the world, which is our edge.
And we have two core data centers in Portland, Oregon, as well as in Luxembourg.
And all of our all of our customer configurations are stored in the core data centers and all of the services run and our process at our edge.
And we always get we also get this question to we do we have a data localization suite.
Can we ensure that our data only resides in the EU?
Can we ensure that our data resides in the US and.
I guess I can answer this.
Yeah, I mean, we do we do have a data localization suite that we offer to our customers.
So you can if you have requirements to keep your personal data within the EU, we are able to do that.
If you want to keep it in the US, we are definitely able to do that as well.
I'm going to hand this next question off to Matt.
Actually, I think he holds it very dear to his heart.
Why is Cloudflare score low on site security scorecard and security metrics?
Well, that's a that's actually a really interesting question to answer.
Cloudflare is a proxy based service.
So we are running our services behind in Gen X proxies and we're advertising our customers sites to the Internet via anycast.
So that means our customers appear to be running from the Cloudflare domain.
So reputational scanning service that hits the Cloudflare domain will see every open port protocol or service coming from our customers origin sites, being advertised out our IP space.
And IT our customers choose what they do based on their own requirements and sensitivities and tolerance.
We don't manage their websites for them.
And so you will see scores that make it look like we've Cloudflare doesn't do a lot of secure things.
That's not the case.
You're seeing that from our customers and the reputational engines aren't very good at vetting that out.
The way our customers can successfully test our services is to run their own penetration test that can be set up by contacting support.
And if you need additional assistance down the road, my team will get involved in explaining findings or discussing next steps.
Cool.
Thanks, Matt. I don't think we have time for other other commonly asked questions, but if anybody in the audience has questions, feel free to send them our way.
We're going to probably wrap up.
So really wanted to thank everyone for tuning in.
I know it's a really short period of time, but if there are any questions as relates to our products or services security posture certifications that we have, what's on our roadmap, etc., feel free to reach out to the account team.
We're really, really happy to help.
And for the most part, we can jump on a phone call with you and talk to you about your needs.
Thank you so much. Thank you guys also for participating in this clever TV segment with me.
80.