🎂 This Week in Net - Birthday Week Edition
Presented by: Matt Silverlock, João Tomé
Originally aired on June 16 @ 12:30 AM - 1:00 AM EDT
It's Cloudflare's Birthday!
In this week’s program, we’re doing a special edition of This Week in Net covering Cloudflare's Birthday Week 2022 — featuring a broad array of exciting new announcements, products, and more. João Tomé is presenting and is joined by Matt Silverlock, Director, Product Management at Cloudflare.
Visit the Birthday Week Hub for every announcement and CFTV episode — check back all week for more!
English
Birthday Week
Transcript (Beta)
Hello and welcome to This Week in Net. This is a special edition for Cloudflare's Birthday Week 2022.
We're celebrating our 12th anniversary and as usual we have a full and packed week of announcements that hopefully can help take in more than one way the Internet to a more simple, safe, and also private, innovative level.
I'm João Tomé, storyteller at your service, based in Lisbon, Portugal, and with me from the other side of the Atlantic Ocean, I have Matt Silverlock, a director of product from our emerging technology organization.
Hello Matt. Hi everyone, thanks Strat, thanks for hosting.
You're in New York, right? That's right, yeah, I'm in New York and we've got a growing bunch of folks out here in New York, which has been great.
It was a big week in terms of announcements, major ones, great feedback already we had on social media from customers.
In terms of this birthday week, was this birthday week different from others in a sense, like the products that we launched?
We launched a lot of things, but the type of products that we launched has a different feel to it?
Yeah, I think very, very much. So, one of the things we realized coming into birthday week this year was that we just had so much stuff to announce.
And so, what we ended up doing was separating birthday week into two parts.
And so, we had GA week last week and we obviously talked about that.
There's a recap blog for those of you that want to sort of the quick view.
Of all the things that were in beta or that were in beta over the last few months, over the last year, and that were fundamentally about ready to go to GA, what we call being generally available, which means fully supported, they're accessible to everyone.
And that made it really, really easy to sort of clear the path for a lot of what we wanted to announce on birthday week, which is a lot of stuff that improves the baseline of the Internet, stuff that we're obviously really thinking ahead about as well.
And we'll obviously talk through some of those things as we go on.
But yeah, fundamentally, we've often combined those sort of two pieces of products going into beta, products going into GA.
We think this makes it way clearer for customers.
And again, it lets us sort of be a little bit more exciting during birthday week since we can talk about stuff that we've been sort of working on behind the scenes as well.
Exactly. And in terms of the types of announcements, they go to different types of Cloudflare users -customers, right?
You go from developers and the work that, for example, or the tools they have with workers, but also new capabilities in terms of Zero Trust.
And why not start with the first announcement of the week, the first Zero Trust SIM.
So this is a SIM card that takes security on cell phones, on smartphones to a new level in a sense.
Yeah. So on Monday, we announced what we're calling the first Zero Trust SIM or SIM card.
For those of you who've only heard about this in passing, the SIM card is traditionally the physical little card that goes into your phone or mobile device.
More and more and more, that's also becoming an eSIM or effectively what's called an embedded SIM, which is great from a supply chain and security perspective, right?
It's nice to also have to ship these things around. And so the way we think about this is we see mobile device security as this huge, frankly, battleground, right?
Organizations are consistently being threatened.
The sophistication of attacks is only increasing. And more and more and more, we are using personal devices for work, right?
The sort of concept of bring your own device or BYOD.
It's kind of a given, right? These days, we kind of expect it.
I think most of us joining organization expect to be able to use our personal device in some ways for work.
Carrying two phones, managing two devices is challenging for employees.
It's costly for employers as well, but it obviously presents a whole bunch of security challenges, right?
It's how do you make sure that employees aren't getting phished on their personal devices?
And we've seen that increasingly happen over the last, particularly the last six months with the Twilio breach, sort of what's been happening at Uber, the attempts, however, unsuccessful on Cloudflare by the same sort of sophisticated attackers.
And again, very, very focused.
How do we just make sure that doesn't happen? And so we looked at this and said, well, how do we just protect device, everything that leaves a device?
And so the SIM card really became that sort of area of focus. And so I think this is something that's really important to us.
I think for the CISO, CAO, security teams at organizations that we've been speaking to as well, we think this is sort of fundamentally going to change how they do mobile security in a really positive way.
And so again, building that into our Zero Trust platform.
So not just the SIM part, but also making sure that integrates with all of the policies, the analytics, the threat intelligence that we have.
So again, that employees aren't getting, you know, phished or malware or compromised through the mobile devices that they keep using for work.
In a sense, the SIM card is, so attacks are getting more, more sophisticated and that's a way in.
And we see, like you mentioned a few examples, that's a sophisticated way in for attackers.
And this allows us in this sense to have a broader set of protection. And everyone is using now their mobile phones much more for work, definitely.
So this allows people and their employees, the companies, to be more protected in a sense.
Yeah, very much. I think that's really the main goal again. You know, probably to sort of cap that off, you know, we see, you know, organizations, you know, looking at breaches and other data and going and discovering, you know, employees' personal numbers and getting sort of those from unrelated breaches of other services that, you know, employees have signed up for, cross-referencing those, and then again, using that to target your employees on their personal devices.
And so, you know, the battle's already there, like we're already in this challenge, right?
And so again, organizations are already facing these kind of threats.
And so again, we've been thinking really long and hard about how do we keep bringing this protection all the way down the stack, in from the software layer to the network layer, so organizations are not getting compromised.
So this is in beta, so it's starting now.
Let me share my screen again. Before I was showing the blog post you wrote with James Hallward, there's also a Cloudflare TV segment only about that from earlier this week, but let me share your Twitter account actually here, where you show how it looks in your iPhone in this case, for example.
So what the ECM in this case, because the iPhone 14 Pro already has the possibility of ECM, what it looks like, right?
Yep. So yeah, this is something where we're testing internally at the moment.
I think, you know, importantly for all of our products, but especially Zero Trust products, is making sure this works, and it protects our own organization, and also as well is easy to deploy, right?
So we work pretty closely with our own CAO and CCO and security teams, right, is when we build this kind of stuff, it's like, is it actually easy for them to manage?
Is it easy for them to deploy?
So we're doing a lot of that work now, and obviously intend to sort of open this up to the first set of beta customers early next year.
Yeah. So in a sense, it's hardware and software now being together, right?
Let me stop sharing my screen.
Let's continue securing Internet of Things. It's also one of the announcements on earlier this week.
So that's a layer in terms of having all of those devices we have in our homes, IoT devices, being prepared for a private network, the Zero Trust network in this case, right?
Yeah. And so I'll touch on this one quickly because we have so much to cover, but of course, when we say IoT devices, you know, again, a lot of us think about, and I said this, you know, in the session earlier this week as well, we think about IoT devices in a home, but we don't always associate IoT devices as cars.
Like every car these days has mobile connectivity, but you buy for mapping, for telemetry, for self-driving, you know, if not for the actual control of it, but for sending, again, a lot of that telemetry and data back and forth with the device, even just infotainment systems.
Every payment terminal you're interacting with increasingly uses cellular connectivity.
And again, those are IoT devices, let alone all of the industrial sensors.
And so as we were working on the sort of idea of the Zero Trust SIM, we also realized, well, hey, a lot of these same protections that apply to humans in an organization apply very directly to Internet of Things devices, again, payment terminals, connected vehicles, industrial use cases.
And how do we protect those? Because we've been defending from IoT sort of based botnets for the last 12 years, since the beginning of Cloudflare.
They've only gotten bigger. The largest DDoS attacks on record are from IoT devices and IoT botnets.
That's right. That's right. And so, again, it's sort of, if we have this kind of core component, this SIM at this network layer, how do we go and bring that to other applications?
And IoT is increasingly being this part of this.
I think there wasn't a payment terminal that I touched when traveling in the UK early this year that wasn't a cellular device, right?
It was all of these food stalls, all of these merchants, right? They're not setting up Wi-Fi.
They don't want to have to configure it. The payment operator doesn't want to have to sort of deal with supporting that.
It's way easier for them to give a device that just works from the moment it's on.
But then they also have to still make sure it's secure, right?
They have PCI compliance concerns. They have reliability concerns.
They want to make sure that the device or the SIM can't be lifted out of the device and used to compromise other things.
And so, it's really about combining that IoT security part with that Zero Trust SIM as well.
And another of the big announcements this week was all about D1, our quest to simplify databases.
For those who don't know what D1 is, what is it and what did we announce this week?
So, what is the evolution of the project in a sense? Yeah. So, D1, D for database fundamentally, but D1 is our first managed database service, our SQL relational database for those of you that are developers.
When we launched Workers several years ago, one of the biggest and ongoing asks was fundamentally, can Cloudflare offer a database?
We've been thinking about this for a while, how to make sure that it meets the needs and our requirements and customers' expectations of it being distributed and also really easy to use.
And so, as we move down this path of persistency from KV, from durable objects, R2, which went GA last Wednesday, this need for a traditional database, again, a SQL database, which is super familiar to folks, was huge.
And so, we announced the private beta for D1 early this year during platform week.
And then this week in birthday week, we've been continuing to iterate on the experience.
So, Wrangler, which is our command line interface for working with a developer platform with Workers, durable objects, R2, and obviously D1 now, making it really, really easy to create databases, copy them locally, back them up.
A lot of this really core functionality that is, I think, really, really important to making it easy to use the database as well.
If we just gave you a SQL-like API, you'd probably be happy for about 10 minutes, and then you realize how restrictive that is, and that it's pretty unwieldy.
Letting you do backups, snapshots, as you're going through right now, restoring those makes your life so much easier because you can take that prod data, you can test it, you can roll back, you can run that in CICD, all of this really, really helpful stuff that we can take care of, and you can use Wrangler to build around as well.
We also launched the UI for D1 as well, which is great for getting started, great for understanding the capabilities, great for folks that maybe just are building out smaller applications and just want to click through the UI and get things started.
And then a little bit of a sneak peek into how we're thinking about transactions, this sort of core database concept of bundling together operations so that they happen atomically, and how that works when the database is distributed, how we can use JavaScript for that instead of developers having to learn a custom transaction language.
I could talk about this for hours, but there's a lot happening in the D1 world.
If you haven't looked at it before, if you want beta access, you should definitely run through this blog post.
You should register interest.
We've been giving out private beta access left, right, and center. We're pretty liberal with giving that out.
We're happy for folks to test. And so, yeah, please sign up.
There's a lot happening in D1 world. Continue to follow along in the D1 space over the next few months as we keep iterating.
And we're looking for feedback.
So the idea is for people to also help us make the product better. So that's also important in that case.
In terms of capabilities, you said one thing I think is really important is saving time.
When you save time to developers, to those who are working in this stuff, you're saving time to the company.
You're saving money to the company.
And people usually are more satisfied with their work because it's not that complicated.
It's more easy. So it's a cascade effect in a sense when you make those solutions, right?
Yep, very much. We also had this Thursday the hardware keys day.
This is also so hardware plays a role in vulnerabilities and problems.
You discussed that you already talked of some of the vulnerabilities that happened a few weeks ago.
And so the hardware key goal here is to make a solution safe, not that expensive, and easy for people to use.
So this is a partnership with Yubicode also, right?
That's right. Yeah. So I think hardware keys, sometimes often I would say even sort of misinterpreted is probably the best word to use.
And so we've got this plastic keys and you touch them, right?
But fundamentally under the covers, it's the technology and the protocols that they use that actually really provide the protection.
So that's called FIDO2 or web authentication, a couple of open standards.
And the way the hardware key works, very differently from like the two -factor code that you might be used to is that hardware key has a tight cryptographic binding to the site or the resource you're trying to request.
So a great example is, I'm trying to log into say Gmail.
And if I had two-factor codes, I'm going to get a code. I'm going to type it in.
I'm going to use my Authy app or my Google Authenticator app or whatever two -factor app I'm getting or SMS two-factor.
Well, it's great, but how do I know that the site's prompting me for that code is actually that site?
It is really easy to get phished these days.
And what often happens and what has happened in recent breaches is that the attacker will send folks a site.
So this is what they attempted on Cloudflare.
And this is where hardware keys came in. They sent employees a site that was Cloudflare-okta.com.
It had the orange login. It looked like our Okta login page, our single sign-on provider.
And what they would have liked to have done is take the username and the password and then the two-factor code, if we weren't using hardware keys, proxy that to themselves, and then immediately go and use it and log in on your behalf, using a web browser behind the scenes that the attacker controls.
You don't know. That's it. You've given away that the multi -factor authentication is not quite multi -factor.
Where hardware keys work is that key has a tight binding.
It's often called like an origin binding to the website. And it's cryptographic, right?
It's tied to the TLS issuance or the SSL certificate system as well.
It makes it fundamentally impossible or near impossible to do that proxy phishing attack.
And so even if you typed in the username and password on this phishing site, it can't prompt you for the same token on your hardware key.
It just makes a huge difference.
Every breach we've noticed, and I don't want to obviously, this stuff can be hard, but every breach we've identified over the last few months, I think 130 companies just that we've identified alone, we're not using hardware keys.
It is a huge gap, but we also realized that it's hard to deploy this stuff.
It can be expensive. And so to sum this up, a huge goal with our partnership here with Yubico is to make the cost of the hardware keys themselves as low as possible.
And then in conjunction with stuff like Cloudflare Zero Trust Platform and Cloudflare Access as part of that platform, make it really, really easy to put those keys in front of applications, even applications that don't natively support them to force users to re -author their keys after certain time periods, or if they log in from a different location or a different device to really sort of raise the bar as well of when those keys are prompted for.
So it's plug and play also, right?
It's easy to... Very much. So it's not just the cost of getting the keys, which we obviously have worked really hard on here to make as easy and as low barrier as possible, but then the cost of deploying it to an organization.
And that's something that we've had for a while. It's just sort of tying these two things together.
So this is a really exciting one. I think this is, again, part of our goal to sort of make a better Internet.
And part of that is helping organizations and individuals not be compromised, right?
And using the right kind of multi-factor authentication, which again is fundamentally a hardware key.
You probably want to, it's great if you can get them for $10 to $15 each instead of say $45 or $55, which is typically the retail price.
So it makes it huge. It's a big difference for a big organization where you have a lot of employees.
Very much.
Even as an individual, right? If you're living, say outside of the United States, $55 US is a lot more in some countries as well.
And so something that can be $10 or $15 is also just much more accessible to individuals as well.
But again, at organizational scale, if you're buying two keys per employee with 500 employees, that's a thousand keys.
That adds up fast. Plus you probably want backups and things like that as well.
So again, just really making sure that it's easy to have hardware keys in an organization, easy to deploy them.
And that cost is not a barrier.
One of the things I think, so people can request the hardware keys in their dashboard, Cloudflare dashboard, right?
That's right. So that's the call to action to that.
So this is really to our area one, when you have like all those emails arriving and you just by mistake click on a link, someone fooled you, and then you have a problem there, we have a solution for that, right?
Email link isolation is our response in a sense to those unsafe links that everyone sometimes by mistake clicks or is worried on clicking, right?
Very much.
And so this is part of our Zero Trust platform. So area one is our email security product.
And fundamentally the way it works is you don't have to change your existing email provider, though it's a much bigger decision, is you point your mail service at Cloudflare.
We get to sort of scan and proxy that email traffic, right?
And do threat detection on those. And then here, what we can do as well is what we do is we rewrite those URLs, those, particularly the ones that look like phishing URLs or otherwise malicious.
And we put them into what we call like browser isolation.
So we actually run that website in a remote browser, which means that a browser vulnerability or a zero day can't compromise the browser on the local machine, which would often be disastrous, right?
It would typically in most cases, it results in significant sort of breach of the entire device once you break out of that browser sandbox, right?
And although browser zero days can be somewhat rare, they are very, very powerful, and you have to assume that all of your employees are on the latest version of say Chrome.
That's just not always the case, right? And it pops out a window, this window I'm showing, right?
The special website window for people to select what they want to do.
Yep, exactly. And again, we have all of this built into our existing sort of threat intelligence platform as well.
So you don't have to always go, okay, this is a link that's threatening.
Like we do a lot of that detection behind the scenes automatically for you, which just protects your employees by default, right?
No matter what email client they are using, which is important.
So because it's done at the email level, if they're using Apple Mail on their Mac, if they're using Webmail and Gmail, if they are using iOS or Android client of their choosing, right?
We're rewriting the links in the email content itself.
And so it works regardless of the client or the platform they're using, which is important, right?
It has to protect your title. And we did dogfooding here.
So with just four weeks inside the company, we saw a lot of links reviewed in a sense.
Yep. So again, this goes back, as we said, I think you and I said at the top of our session here, we dogfood, we test this stuff internally, because we are also the focus of a lot of these threats and attacks.
And so it's really important that it works for our employees.
We're a growing organization. We've got employees everywhere on different kinds of devices.
And so again, making sure stuff like our email isolation works for ourselves and works well, and that we're taking the critical feedback of our employees is really important to making great products for customers.
For sure. And anyone I was showing before the blog post, there's a link there for anyone who wants to join the beta version, right?
Yep.
That's right. So yeah. So it's there. This takes us to developers. We announced, I think this is a big announcement.
It's a lot of money, a fund, a call fair, with support of a venture capitalist fund, $1 .25 billion fund to back startups, any type of startups build on call fair workers, right?
So this is a big announcement this week.
That's right. So we've worked with a number of sort of the top venture capital VC funds, across the world, and sort of announced, and we've already seen others sort of be interested since we announced this, but a $1.25 billion funding program with these firms.
So if you're building something on a developer platform, with workers, like we mentioned with D1, R2, KV durable objects, all of the queues, which we also announced as well, all of these sort of pieces of a developer platform, right?
You can apply for some of this funding, right? And through this program, it's a great way, if you think about how do I bootstrap my organization, I'm building this up on workers, how do I sort of scale my organization, get funding to hire more employees, to continue to sort of think about scale, right?
That can often be really challenging if you're doing it alone, for anyone watching that has gone through funding rounds and term sheets, and obviously tried to figure out, bootstrap a startup and talk to VCs.
And so our goal was, how do we sort of take some of that friction away for folks that are building on top of Cloudflare, and use some of our connections there as well.
And so really, really excited about this.
I think, you know, we're going to see a lot of, we've already been seeing a lot of cool stuff being built on top of workers.
You know, this will just make it even easier for sort of the next billion dollar business to be built on top of Cloudflare.
And it also shows the amount of money we were able to get in a short amount of time.
And this is the work of many teams, many people in the company, shows that workers has a special touch in terms of the ways already perceived in the industry.
It's not that old, but it's well perceived in the industry, right?
Very much. In fact, you know, we've, you know, if we think back to last year's Zaraz, which was a startup focused on, you know, privacy and particularly sort of tracking and for e-commerce and performance, was built on top of workers.
And we actually ourselves acquired Zaraz back late last year as well.
And so again, you know, there's a ton of really, really interesting companies that are building their entire tech stack on top of Cloudflare and are seeing, you know, rapid growth.
And so again, we wanted to figure out a way to sort of make that happen faster.
Exactly. There's more announcements regarding workers.
I was showing here that some of the blog posts. So there's new, several announcements.
We have Cloudflare.com for people to see all of the announcements, also Cloudflare TV segments, press releases, and also a mention to GA Week.
So a lot of things to see. Radar 2.0 is also launching in beta on Friday.
So a lot of announcements.
In terms of, did we forget something in terms of the big highlights that you think?
Yeah, I think I'm actually, you've gotten right there, which is turnstile.
And so this is our replacement for the traditional capture.
So if you're tired of clicking on traffic lights and palm trees and buses and airplanes, and you know, which box is that, and let alone not just being tired, but for folks where that can be, you know, maybe sort of have site challenges and things like that, where that's actually maybe not trivial.
You or I might be like, I can tell what a plane looks like, but not everybody's in that situation.
And then on top of that, you've got obviously privacy concerns because you're sending your data, your IP address to a third party, right?
Who's using that for other purposes.
And so we've all been frustrated with captures for years. And so, you know, we've been thinking about how do we, how do we get rid of them?
How do we get rid of them without subjecting website owners to the fraud and abuse that captures are, you know, fundamentally designed to mitigate.
And so turnstile is our answer for that.
We have an API for this. Customers can sign up and start using this today.
It's really, really powerful. It uses a lot of our technology behind the scenes around sort of bot detection and threat intelligence, you know, to verify that users are real and not malicious.
And again, you know, we're giving this away for free, right?
It's really important for building a better Internet. Again, I think we're all exhausted by the way that captures work again, the weak sort of privacy guarantees around the way they've worked as well.
And yeah, I think this one's really important.
You know, someone that's built websites before I would have loved to have something as easy to use and as this, right?
Just like given the choice between, you know, dealing with a bunch of fraud and abuse and putting up this high friction capture, you never really felt particularly comfortable what you're supposed to do.
True. And it's a bad user experience as a user, you hate it. So the companies also hate it because users hate it and having more privacy and a better user experience and faster.
And that it means a lot. It's important, right? Yep, totally.
We're wrapping up. So let me just suggest everyone to see again, our page for birthday week.
There's a bunch of announcements we didn't discuss. And I have to suggest to everyone to check our 12th 2022 Annual Founders Letter, a lot of Star Wars references, but a good viewpoint of how the Internet is going, the challenges and the problems, but also the hope, right?
Very much. Yeah. We'll also be doing a bit of a wrap-up blog post as well for those of you that were inundated by all the announcements we've done over the last few days to make it a little bit easier to pass.
But I think, as you said, hit the website, there's a great way to sort of just look through the things that are relevant and interesting.
Tons of things to register interest into, tons of betas for people to get their hands onto immediately as well.
And there's this keychain with the hardware keys there. Useful.
Close by. Very much. And that's wrapped. Thank you, Matt. Thank you, Jacques.