As organisations attempt to carry out broad network transformations, moving to a Zero Trust architecture is a critical initial step. Mohit Bijlani, Head of UK/IRE at Cloudflare, tells Intelligent CISO’s Mrigaya Dham about how Cloudflare’s approach differs from other vendors and the most significant risks it helps mitigate.
Zero Trust is a widely discussed approach. How does Cloudflare think about Zero Trust?
Before discussing Zero Trust, we need to understand how traditional IT security paradigms operate, or have operated. Under traditional IT security models, what we recognise as the castle and moat concept, the network perimeter is considered a relatively safe zone, or the ‘castle’. Security controls were mainly applied to actors trying to gain access, from the outside, to resources and applications that resided within that network perimeter. In this case, those who were part of the organisation within that network perimeter were trusted implicitly and given free rein, along with access to almost everything.
In contrast, Zero Trust security architecture implies you should trust no one and nothing implicitly, regardless of where actors are accessing applications or resources from and agnostic of where those resources or applications reside. It is important to understand that there is a common fallacy here. People think that Zero Trust is a single product or piece of technology, but that is not the case. Instead, it is a framework that comprises several different security principles and technologies, with Zero Trust network access, or ZTNA as it is commonly referred to, being the driving principle. The market invariably uses these two interchangeably.
How does Cloudflare’s approach to providing ZT security differ from other vendors in this space?
Firstly, the vendor landscape typically falls into two buckets: either hardware appliance-based point solution vendors, such as makers of VPNs and network firewalls, or cloud-based vendors who are essentially replicating the same functionality in a software-defined, SaaS-consumable mode but are still point solution vendors.
Cloudflare’s approach is different in two ways, one being that we have one of the largest networks in the world to deliver security, with the content and resources being accessed by the users. This network spans 270 cities and 100 countries, putting us within 50 milliseconds of 95% of the world’s Internet-connected population. For context, the blink of an eye is 300-400 milliseconds. The network is quite fast and wide, enabling us to serve millions of customers and mitigate over 124 billion cyberthreats a day.
We have more insight into attack vectors due to our network’s sheer volume and wide reach, and we learn from these attack vectors using our AI and Machine Learning engines to make real-time updates to our services. This puts us in a much better position than our peers to protect our customers against zero-day vulnerabilities. Following that, our vast network reach ensures no latency in terms of security solutions.
Many have used a VPN to log in to services, and we haven’t spoken to a single customer that enjoyed using a VPN. The same applies to our software-defined security peers, as they don’t have the wide network reach that Cloudflare has. When you’re trying to access applications over limited networks, you still have tremendous latency, which can translate into numerous business problems impacting revenue-generating activities. In addition, the cost of services might not scale well and gives rise to shadow IT risks.
Cloudflare differs from the rest of the market in two main areas. The second area, in terms of vendor peers, is more tied to how we’ve architected our services compared to our peers. Both hardware appliance vendors and our SaaS peers are building point solutions with multiple control planes, which is what you will generally find out there in the market.
In comparison, Cloudflare has deliberately taken an approach to building out our Zero Trust solution rather than a single control plane. This helps reduce risk and complexity, reducing the total cost of ownership for our customers. In addition, this helps them get on board our services quickly and realise faster time to value, further reducing the risk of having inconsistent security postures across multiple control planes. That’s a key advantage for our customers, especially because the Zero Trust network access is the first step towards a broader transformation of the security and network edge perimeter, which can include other security controls.
That is precisely what you’ll find out there in the market, whereas we have deliberately taken an approach to building out our Zero Trust solution that helps reduce risk. Reduced complexity reduces the total cost of ownership for our customers, helping them get onboarded to our services quickly. The faster time to value and the reduced risk of having inconsistent security postures across multiple control planes are key advantages for our customers. Zero Trust network access is just the first step towards a broader transformation of the security and network edge perimeter, which can include other security controls, including what the market recognises as Secure Access Service Edge, or SASE. Even if customers are implementing just ZTNA with Cloudflare now, they are much better positioned to undertake a larger SASE transformation, as opposed to doing so with a collection of point solution vendors. This will result in reduced complexity, a lower total cost of ownership, faster time to value and reduced security risk.
Why is it so important?
There are two primary factors making Zero Trust and ZTNA important today. Firstly, there is a massive shift towards moving applications to the cloud. Secondly, the pandemic has led to the transition to remote and hybrid workforces. As a large proportion of the workforce is now geographically dispersed, the castle and moat network model doesn’t fit the resources and applications being accessed. This is further complicated as a lot of the end-users accessing them can be anywhere and not necessarily behind the network perimeter or inside the castle.
In addition, this brings certain challenges in terms of increased service costs and reduced employee productivity. With more traffic back into the network perimeter, increased IT support costs and the risk of increased shadow IT, there has been a significant increase in the volume and sophistication of data breach attacks. The most damage that a bad actor can do to an organisation is a data breach, which negatively affects the brand and reputation. These typically happen when one or more employees’ credentials are compromised to gain access to sensitive information.
Recently, one of our competitors had a data breach in a similar way. With Zero Trust network access, you can potentially limit the damage and protect your reputation at the same time. The critical part here is that any compromised credentials reduce the attack surface, given that you don’t have them by default. This covers any trust for any given user, even if they are within the network perimeter or inside an office trying to access applications, as you can define and grant access with ZTNA on a per-user and per-resource basis.
What are the biggest risks it helps mitigate?
Data breaches are by far the most prominent risk. Numerous independent studies assessed the annual likelihood of a data breach for a large organisation to be in the 26-28% range, with the cost per data breach being three to five million dollars. The price and risk standard for businesses is much higher, and the consequences can be hugely detrimental to companies. Regulators impose fines, but much deeper damage can be done to a brand due to loss of trust, resulting in customer churn and lost revenue.
How have you seen customers in the UKI market initially scope their ZT journey?
Some customers are up to speed with ZTNA and SASE principles and have a clear adoption roadmap. They approach us as they recognise Cloudflare as a leader in these domains with concrete use cases. On the other hand, many customers are just learning about these areas and asking vendors like us to help educate them and advise them on identifying use cases to deliver quick wins and build rollout plans.
One of their key objectives is to lead these transformations while minimising business disruption. These are typically the customers who doubled down on legacy IT security technologies to keep the lights on during the pandemic and got hit with increased services and IT support costs. In some cases, these services didn’t fully mitigate security risks, or they are seeing increased pressure from their finance departments to shift spend from CAPEX to OPEX, with an impending recession in the fray as well.
What sectors do you believe are embracing this the most readily?
There are issues plaguing almost all sectors equally and we are seeing adoption across most industries and verticals. Within our customer base, sectors that are embracing ZT most readily are finance, financial services, banking, insurance and retail. Some business services sectors like media advertising, recruitment and staffing can also be included.
What were some of the initial use cases that they tried to tackle?
Implementing ZTNA is the first step towards a much wider SASE transformation that our customers are targeting. Gartner predicts that by 2025, 60% of all organisations will have SASE roadmaps in place. Within ZTNA, typically we see customers begin with bite-sized use cases. These can include eliminating shadow IT risk by putting Cloudflare Access, our Zero Trust network access solution, in front of the numerous third-party SaaS or other applications that they may have. Some organisations want to overcome hardware supply chain-related lead times tied to security appliances or hardware vendors, such as VPNs. They may also want to shift their spending from CAPEX to OPEX due to business conditions. Some customers are choosing to use Cloudflare Access to standardise secure access for all resources, applications and end-users across their entire organisation. A proportion of these customers are digital natives or born-in-the-cloud customers, whereas some are large enterprises that run vast hybrid environments.
Lastly, many customers want to implement email security solutions such as our Area 1 offering. This ensures protection against phishing attacks, which in turn helps mitigate data breach attempts by bad actors. The statistics around cyberbreaches originating from email phishing attacks are surprising. It’s a high number according to Deloitte, with 91% of all cyberbreaches originating from phishing emails, which essentially target an organisation’s employees or people. They can be the strongest asset but also the weakest link in an organisation’s security posture. There are many different attack vectors, not just downloading malicious attachments but also malicious links. These are some of the use cases we are seeing across the market that can make a big impact on businesses.
Are there any specific success stories that you would like to discuss?
As a cybersecurity vendor, we must keep use cases largely private, but we can share a few examples. The first example relates to one of the world’s most prominent media and advertising firms, based in London, that rolled out Cloudflare Access to drive secure access to all third-party SaaS applications for over 25,000 employees based worldwide. Others include standardising secure access across their hybrid environments. Another case of note is a large global financial services firm that is nonprofit and UK based – we are working with them closely to standardise secure access and make protection a central focus of their systems.
Our solutions have helped tens of thousands of end-users across their hybrid architectures. We also had an example linked to email security and protection against phishing covering a large global building materials organisation, which was implemented across 25,000 end-users to protect against phishing attacks and resulting data breaches. This resulted from demoing the solution to the customer, where we were tasked with proving that our solution could mitigate phishing attacks. Even though there was a system in place, we took up the challenge and set up our Area 1 solution in their environment in a matter of minutes by using the simulate mode, meaning that we did not disrupt normal business. Our AI and Machine Learning engine started analysing email traffic and we were able to flag phishing attempts with immediate effect, within hours. The customer decided to use our solution and roll it out with immediate effect.
How have you seen customers build their internal use case with executives and senior leaders to invest in Zero Trust modernisation?
Unsurprisingly, executives want to see positive, return-on-investment-driven business cases when approving such transformations. When it comes to the factors being considered, in most cases one is the total cost of ownership of the new solutions, meaning how much the new solution is going to cost vs. what they initially have in place. Another factor is incremental savings – whether a solution reduces the attack surface or increases security.
Thirdly, the potential savings they would get from reduced data breaches. Furthermore, increased ROI through faster time to value and any end-user productivity gains are essential factors. It is important to consider the nature of the spending (CAPEX vs. OPEX), especially with a potential impending recession, which customers want to understand. Lastly, consider what the cost of change or any business risk is when implementing a new solution.
What do you think has been the lightbulb moment for executives?
Cloudflare always takes a global perspective when it comes to finding solutions, and we focus on how much a company is going to save when replacing existing systems. From our experience, the lightbulb or eye-opening moments for executives stem primarily from four factors – cost savings (reduction in TCO), savings from reduced security risks, time to value and cost of change.
Are there any specific examples that you can mention?
In Cloudflare’s case, we believe that we deliver tremendous ROI across the four key areas mentioned previously. There is an example with a large media and advertising customer success story. We estimated that we were helping them save up to almost 5 million per year by reducing the likelihood of a data breach through protecting some of the attack surfaces that weren’t previously secured. Metrics that were enhanced included reduced total cost of ownership, time to value and reduced business disruption risk. We have taken the stance of building a single platform that reduces complexity and lowers the total cost of ownership. We are very fast to deliver value because our services are available via a single dashboard. They’re designed to be easy to use, fully programmable via APIs and automatable. Combined, they all drive reduced TCO and faster time to value, further minimising business disruption risk and the cost of change.
Cloudflare itself has been on the journey of adopting Zero Trust across its 3,000-strong organisation. Can you talk about how you made the transition and any challenges that you faced?
Given that it was always part of our vision to lead the transformation of the edge networking and security domains, we had decided to build out our ZTNA and SASE services for the wider market back when our company was founded in 2009. At Cloudflare, we also have the policy of dogfooding our services, i.e. everything we put in front of our customers we use ourselves first to help iron out the kinks and build out enterprise-ready services. By the time the pandemic hit, we were well on the way to replacing our VPN and standardising secure access for all employees with our Access offering. Here, the transition didn’t seem out of the ordinary, as we were used to doing so with our services, with our CISO leading the way in this area.
One of the biggest challenges with an IT security or governance change is getting end-users to adopt the change. Even with the best technology investments, your employees are at risk of a data breach if they don’t adopt the change properly and in a timely fashion. Getting any change adopted must be done via copious amounts of communication with end-users and their management chains before, during and after the change is rolled out. Equally important is putting in place the necessary support resources required to help employees through any potential issues faced during the transition.
Having a blame-free culture is critical because, as humans, mistakes are a natural part of life. A healthy environment should be one where we encourage employees to flag any incidents openly and without any repercussions for them, for example, potentially downloading a suspicious attachment. In this example, you can identify breaches early and limit the potential damage of those breaches almost immediately.
The network hardware supply chain shortages are not going away. How can organisations mitigate this by moving the workload to the cloud?
Demand for hardware chips will continue to outpace the supply and will be the hyperscalers. AWS will continue to drive down chip shortages, increasing delivery times for the network and all hardware appliances. We are seeing this currently, with the delivery lead times ballooning to almost four to eight months with hardware appliance vendors. This trend will only continue and businesses will find it increasingly expensive and time-consuming, ultimately accelerating the need to transition to infrastructure as a service platform.
In this arena, by digitising or clarifying their edge, networking and security stacks businesses can offload these problems to the right vendors, ones that are well equipped to deal with these supply chain challenges. They can also take advantage of the cost and scaling efficiencies that cloud vendors like Cloudflare offer.
Are there any parting thoughts or anything that you would like to add to the discussion?
In summary, I’d like to conclude that moving to a Zero Trust architecture is merely the first step of a broader network transformation undertaking for businesses – which, in my view, is inevitable given the macro shifts we’ve been observing in the market. Digitising the corporate network can be a big undertaking, but now is the time for businesses to invest in at least developing a roadmap. I would advise CIOs, CISOs and heads of IT to try not to reinvent the wheel here and instead rely on industry peers like Cloudflare to share successes and failures from the implementations we’re seeing and leading in the market. This way, we can help both accelerate and de-risk any such transformation journeys together.