Strengthening security posture for
modern-age SaaS providers
Confidential. Copyright © Cloudflare, Inc.
Speakers
Chaim Mazal, VP, Information Security, ActiveCampaign
Arun Singh, Security Product Marketing Lead, Cloudflare
Evolution of the Enterprise Architecture
Legacy Enterprise Architecture
Connection through the web and mobile Apps and API
A well-defined network edge that is part of the infrastructure
Security stack consisting of hardware appliances within the enterprise infrastructure
Apps and data reside within datacenter premises
Today’s Enterprise Architecture
Web/Mobile apps and APIs connect directly to the enterprise apps and data in the Cloud - IaaS, PaaS, SaaS
Dissolution of the legacy network edge
Legacy security solutions are not agile, scalable and intelligent enough to cater to the modern architecture
Cloud Transformation Challenged Legacy Security Solutions
Agility
Transformation: Weekly, daily, even hourly application code updates
Legacy Security Solution: Slow to adapt to the fast velocity of application code changes
Requirements for a Modern Solution: Easy to deploy solution that quickly adapts to code changes
Scalability
Transformation: Apps and Data now reside in a hybrid environment
Legacy Security Solution: Does not scale to protect apps and data on-prem and in the cloud
Requirements for a Modern Solution: Comprehensive, integrated solution to protect apps and data everywhere
Intelligence
Transformation: Rise of sophisticated attacks
Legacy Security Solution: Lacks real-time intelligence and integrations to combat new age attacks
Requirements for a Modern Solution: Real-time intelligence curated by behavioral learning from a diverse and global data set
Cloudflare’s mission is to help
build a better Internet
Cloudflare’s network operates at massive scale
27M+ Internet properties
200+ Cities and 95 countries
45B Cyber threats blocked each day in Q1’20
99% of the Internet-connected population in the developed world is located within 100 milliseconds of our network
Note: Data as of June 28, 2019.
Security Solution for the Modern Enterprise
Customers connect across the world to closest data centre for a high quality of user experience
Integrated security and performance fueled by intelligence curated from protecting 27 Million+ Internet properties: Quality, volume, diversity
Comprehensive security against sophisticated attacks, agnostic of whether apps and data reside on-premise, in the cloud or in a hybrid environment
Cloudflare Security Product Portfolio
Gateway
Secure connections to the public Internet
Internal app access
Illegitimate user access attempt
Layer 4 DDoS attacks: SYN Flood, UDP amplification
Layer 3 DDoS attacks: ICMP Flood, GRE attacks
Layer 7 DDoS attacks: HTTP flood, DNS service attack
Login attacks: Brute force logins, API abuse
Bot Attacks: Credential stuffing, Inventory Hoarding
App vulnerability attacks: OWASP Top 10 and beyond
Gateway, WAF, DDoS Protection, Rate Limiting, Bot Management, Magic Transit, Spectrum, Access
Man in the middle attack: Snooping of Data-in-Transit, DNS spoofing
SSL, TLS, DNSSEC
ActiveCampaign Customer Experience Automation
Treat every customer like your most important — whether you have 10 or 10 million
CX Apps Marketplace
Remove silos | Connect across all channels | Automate the 1:1 experience
Email Marketing
Marketing Automation
CRM
Support
300+ Integration Partners
The Global Leader in Customer Experience Automation
100K customers
170 countries
6000+ active partners
#1 on G2 & TrustRadius
580 employees
CHICAGO | INDIANAPOLIS | DUBLIN | SYDNEY
2.5B weekly automated experiences
$100M ARR
Some of the trends that we are
witnessing…
Surge in internet traffic
London: +22.6% (comparing activities, January & March)
Paris: +22.7% (comparing activities, January & March; comparing activities, April & May)
Network-layer attacks: Trends
The majority of the attacks peaked below 1 million packets per second (pps).
In Q1 2020, 92% of the attacks were under 10 Gbps, compared to 84% in Q4 2019.
Larger attacks still persist, albeit in small volume. The largest attack in Q1’20 occurred in March — peaking ~ 550 Gbps.
SYN & ACK DDoS attacks (TCP) form 66% of all L3/4 attack vectors in Q1.
Application-layer attacks: Trends
On average, Cloudflare mitigated 57 billion application-level attacks each day between March and April 2020, with the majority of Cloudflare WAF rules being triggered in the US.
Top 4 application attack vectors
What’s top-of-mind for
SaaS organizations
Security and performance challenges faced by the new-age SaaS providers
Mitigating the rising volume and sophistication of security breaches
Avoiding costly downtime by making applications more resilient
Attaining more visibility and control over data and deployed services
Best practices for SaaS providers to deliver superior online experiences
1. Ensure secure and reliable customer connections
Shared Services
Web (PHP, Ember, React)
External API (PHP, Python)
Internal API (PHP, Python)
Cron Services (PHP, Java)
Cloudflare
Tenant Data
Aurora MySQL
ProxySQL
Core Config Data
Aurora MySQL
ElastiCache
Memcached, Redis
Logging & Alerting
Third Party Integrations
Link Tracking (PHP)
Web Application & Mobile Users
APM
Security
PowerMTA
Mail Servers
Inbox Providers
Queueing - SQS
Vanity Domains
CNAME Record Added
TLS Certificate Issued
2. Protect data and web applications from abusive bots and vulnerabilities — including the OWASP top 10 and zero-day attacks.
3. Minimize the risk of downtime by globally load balancing traffic and ensuring fast failover
Thank you
Q&A
Appendix
Paris: +22.7% (comparing activities, January & March; comparing activities, April & May)
Berlin: +11.2% (comparing activities, January & March; comparing activities, April & May)


Editor's Notes

  1. The majority of the enterprises that have been in business for over 10 years have some percentage of their infrastructure that looks like the simplified depiction in this slide - the on-premise datacenter. The key aspect of this architecture is that the Apps and Data used to reside within the first-party colo or datacenter that was owned by the enterprise. This implied that all the devices and people that were accessing the enterprises’ apps and data from an outside connection, branch office or headquarters had to connect through a defined edge of the network which was controlled by the enterprise. Network and security teams could segment and segregate this edge to build access control lists and other security measures to bolster the posture. This network edge was then followed by a stack of hardware appliance-based boxes where each box performed a specific function, such as DDoS protection, Network Firewall, Web Application Firewall, Remote Management Server, SSL/TLS inspection and so on. Once the request from the outside world was inspected as per the defined rules and policies, only then would it be routed to the appropriate apps and the relevant data. If the request did not meet the rules and policies then it was blocked or challenged.
  2. With the advent and significant adoption of the Cloud - IaaS, PaaS, SaaS - the architecture changed dramatically. Now, part of the app suite and data that in the legacy architecture used to reside solely within the premises of the datacenter was residing in the cloud. This created a hybrid model. The legacy network edge dissolved and did not exist anymore. Moreover, the clunky hardware appliance-based security boxes found it difficult to adapt to this modern architecture. They are not agile, scalable or intelligent enough to adapt to the changes.
  3. The advent of the cloud brought many advantages to the enterprise in terms of catering to the demands and needs of its customers. It created a new era of customer experience and defined the Age of the Customer. At the same time it challenged the legacy hardware appliance-based security service model. Let’s view these challenges across three use cases. Agility: Adoption of the cloud enabled enterprises to build apps from inception to market at unprecedented speeds. New code releases that were usually annual or a few times in a year were now being released at a monthly, weekly, daily or in some cases even at an hourly cadence! This allowed enterprises to gather A/B testing data on customer experience through digital assets and deliver a superior user experience. On the security side, the legacy model could not keep up with the velocity of this change. It started triggering an increased number of false positives, hence lowering the accuracy or breaking the delivery of the code. This was not acceptable and the enterprises started looking for a solution that is easy to deploy and is nimble to adapt to this unprecedented velocity of code changes. Scalability: As shown in the previous slide, the apps and data were now residing in a hybrid environment. This challenged the legacy security solution as well, which was not poised to protect the apps and data in the cloud. Vendors made attempts to create ‘virtual patches’ and ‘cloud-based’ models as an extension of the hardware boxes but all of those solutions fell short. The requirement for a modern solution was now defined as one that can comprehensively protect apps and data agnostic of whether they live in an on-premise datacenter or in the cloud. Intelligence: The same cloud technology that enables enterprises to deliver a superior customer experience also enabled malicious actors to launch more sophisticated attacks. It’s of paramount importance for security services to have real-time context. When a vulnerability is made public through a CVE it’s a time race between the security teams and the malicious actor(s). Having a global and real-time context of the threat landscape which directly empowers the intelligence of the security service became critically important. Again, the legacy security services were found to fail in this regard, as they have no real-time context. They are reactive boxes sitting in a datacenter trying to block bad traffic against static rules and policies.
  4. Cloudflare’s network has the breadth and scale that organizations need to run their Internet applications. Organizations benefit from our unique architecture, which has all products and services running on every server, in every data center, improving our network for our customers with every new colo. Our network offers scale, the performance that helps organizations deliver superior application experience while keeping their environments secure.
  5. All of these shortcomings created a massive security gap for the needs of the enterprise. This gap started slowing down the pace of evolution and also put the financial, brand and customer aspects of the enterprise in jeopardy. Cloudflare recognized these gaps and needs a decade ago. As a result, we started working on a solution that would holistically meet the needs of the customers for today and the future. The key to solving this issue was to create a global cloud platform that is built on a global network. This global network would allow a diverse and rich threat intelligence context from protecting millions of Internet properties and leveraging the collective intelligence. The modern Security-as-a-Service solution is Cloudflare. No more static, non-intelligent hardware appliance-based security. All the connections from the outside world, whether they are from customers, employees from headquarters or branch offices, send the requests to Cloudflare which serves as the outer edge for the platform. The requests are inspected and blocked or challenged as per the rules and policies defined by the customer and dynamically with the real-time threat intelligence that Cloudflare curates by protecting over 20M+ Internet properties. Legitimate requests are routed to the desired destination agnostic of whether it’s on-premise or in the cloud. Simple, Fast, Reliable and Intelligent solution for the evolved enterprise architecture.
  6. This is our security suite of products. We are passionate about creating security solutions that protect our customers’ apps and data agnostic of where they reside - on-prem or in the cloud. That’s our main focus, so we put that in the center of our design philosophy. Then we look at the threat landscape of our customers - Zero-day vulnerabilities, brute force logins, API abuse, DDoS attacks, bot attacks and so on - and we purposefully build security products to protect against those. As part of our global cloud platform we offer security as a service to thwart attacks that attempt to leverage any of the attack vector mechanisms shown in the slide. Our offering includes WAF, L3, L4 and L7 DDoS protection, Rate Limiting, SSL/TLS, DNSSEC, Cloudflare Access and Bot Management. Comprehensive protection for our customers’ applications and data, against the most sophisticated attack vectors.
  7. What is customer experience automation? It’s a new category of software that allows businesses to connect and automate personalized touchpoints across the entire customer lifecycle. It’s all about making every customer feel like they have a personal relationship with you, no matter how big you grow. Customer experience automation is different from other solutions in that it actually boosts the effectiveness of your existing toolset, working in tandem to make your business more customer-friendly.
  8. Today we have over 100k active customers on the platform, we run business in more countries than McDonalds, with half of our business being international, and we have over 300 integrations w/brands you know like Shopify and SFDC. We are rated #1 by G2 for marketing automation. We are #2 on the Shopify App Store for Marketing Automation, and have earned a 4.8 out of 5 rating with 85+ 5-star reviews. Today, we are the only marketing automation tool that caters effectively to Salesforce Essentials customers (SMB), and our listing is the #4 overall Marketing app of the entire AppExchange, and ranks #1 for Marketing Automation. We’ve been able to grow virally, without having to do a lot of marketing, because we’ve made most of our investments in delivering a customer experience. We use our own product to save time, and automate more personalized interactions through the sales process, deliver a really effective and personal customer onboarding flow, triage NPS to stakeholders and more.
  9. The chart in front of you shows the relative change in Internet usage as seen by Cloudflare since the beginning of the year. You’re seeing the moving average of the trailing seven days for each country, where we are using December 29, 2019 as the reference point. And this kind of increase is unprecedented at two levels: First, the scale is not unlike something that you might witness during the Super Bowl, but the key difference here is that traffic continues to stay high, and grow day after day. And secondly, this trend is seen globally! With India being the outlier in this set, all the major countries have seen more than 1.5 times increase in traffic since the pandemic started. US, Canada, Australia and Brazil are all running at approximately 50% higher usage compared to what they were seeing at the beginning of the year.
  10. “Old School” Techniques Still Provide Significant Value: IR can leverage Rate Limiting, Challenge and Blocking Features during (D)DoS events. Targeted Rate Limits for certain areas of our application: links posted to social media result in scaled resource usage and occasional abuse.
  11. Cloudflare enables us to balance and respond to changes in traffic shape. Placing public web infrastructure behind Cloudflare saves money, stress and the customer experience.
  12. We used the load balancing feature to slowly introduce an API gateway to our service infrastructure. Putting an API gateway (reverse proxy) onto our live API service -- which handles over 200 million requests daily -- had to be done with care and observability. The load balancing feature -- with CF’s analytics -- allowed us to control the traffic that was handled by the new proxy layer. Cloudflare made it easy and safe to test in production.