To make the Internet inherently better and safer, it pays to protect as many companies as possible with a handful of effective measures at no extra cost. That’s the philosophy of Cloudflare, which routes traffic to and from one-fifth of all websites on the Internet and handles about 46 million HTTP requests per second on average. In the margin of a conference on the future of cybersecurity, we spoke with CTO John Graham-Cumming, who has been with the company from the early days.
How did your professional journey become intertwined with that of Cloudflare?
“I at Cloudflare started as a programmer; I wrote quite a lot of code in the early days and eventually became CTO. I ran all sorts of things at Cloudflare – all the technical bits. But my DPhil is in security. Back in 2010, the companies that had the best security were only a handful, like Google, Amazon, or Yahoo. At Cloudflare, the original idea was: ‘That’s silly. Why only them? We should be able to offer the same security levels as-a-service’.”
You could call it the democratization of security…
“Yes. In software, things get distributed downwards, become cheaper, and more available. We had the free service and a 20-dollar-a-month subscription, and it has grown enormously as the use of the Internet has grown enormously. That was one big driver of our business.”
“Back in 2010, the companies that had the best security were only a handful, like Google, Amazon, or Yahoo. At Cloudflare, the original idea was: ‘That’s silly. Why only them?”
“And I think the other big driver is that very early on, we recognized that we’re not going to do this in a small number of locations. You’ll get better performance if you have physical infrastructure everywhere in the world. And you will also be able to divide up the network depending on what the customer wants. Because of the GDPR, you might say, I only want to use data centers in Europe. Or, ‘I’m a German healthcare provider; I only want to use servers in Germany.’ This granularity makes it possible to slice up the network.”
Your company releases new services and features often. How is innovation organized at Cloudflare?
“We have committed projects. There’s a roadmap. We structured the company for innovation, and there are two separate teams doing engineering. The main project engineering group does things that are well-defined in the sense that they know what they want to do in the next three or six months. They have a clear idea of what the market looks like and who might want to buy it. Within that group, there’s innovation within the individual implementations; they are more run like a program.”
“There’s also a separate group called Emerging Technology and Incubation with a separate leader, and they are working on things that are both longer-term and higher risk.”
We have to talk about AI. Do your teams employ it in engineering?
“Internally, we don’t use AI to write code. We were concerned about our code leaving the organization. AIs are good at writing code, but humans have to read it and ensure it’s correct. AI is a great aid, but right now, we don’t use it at all.”
“Our customers are dealing with their employees using AI for writing and analyzing. So they are trying to get a handle on who in the organization is using what and whether it is dangerous. With Zero Trust, they can see who’s using ChatGPT, who’s using Bard, etc. It’s an extreme version of what happens in general in IT. People start using random tools they find on the Internet, and our customers need to know the privacy implications.”
How should CISOs deal with people using AI?
“In some ways, it’s a data loss protection problem. What are people actually uploading? On the one hand, you want to allow the exploration of new tools, and you want to get productivity out of it. But if people upload customer lists, there’s a real risk because data is leaving the organization. That’s why we are focusing on these control tools. You might take the stance that you don’t want anyone from the outside to read your code. So you can’t use code-generating tools.”
“You, however, might not want to stop anyone from using a tool to summarize a document. Partially this is a policy question about what a company wants to allow, and it’s more of a technical question of how you want to implement that policy.”
Another thing that’s on the horizon is quantum computing, which could be a danger from a cryptographic perspective.
“Yes, quantum computing is a bit like the year-2000 problem. But this time we don’t know what the date is. We don’t know when someone will have a viable quantum computer. There is the possibility that we might not know whether a large government somewhere secretly will have got one. The thing is, quantum computers threaten the cryptography we use today, and in particular, if someone were to start storing Internet traffic today, they could decrypt that traffic later. That is a concern.”
“The good news is, we’ve known about this problem for years. There’s a vast amount of research into what is called post-quantum cryptography algorithms, and Cloudflare has been part of that. We have the solution in front of us. We have to roll out these new algorithms; they have been tested and standardized, so it’s just a question of implementing them.”
“It’s all part of this bigger picture of making the Internet better and accessible.”
“We decided that we will include this in everything we do. Because the way to get post-quantum cryptography rolled out is to deploy it as widely as possible. You want many people involved in it. It would get stifled if people had to pay a premium. Hopefully, we’ll see it gets built into the popular open-source and popular web browsers. We handle about twenty percent of the web and we’ll make that post-quantum; hopefully, that will create momentum. It’s all part of this bigger picture of making the Internet better and accessible.”
In security, that’s often one of the things you have to think about. Why would you make something security-wise a very expensive add-on? Because, fundamentally, you need security, and everybody needs it, you are sort of penalizing people by doing that. We did this with DDoS protection. Attacks are so widespread that we decided we are going to include it. We all need the Internet to be more secure. Let’s just fix that part. Our customers need all sorts of extra things, which we charge them for to make their technology really work for them.
There are so many APIs in use nowadays. How do you keep track of them? And how can you keep things secure?
“Often, API traffic is from a website connecting to an API, and then an API is in front of some backend system or a database. It’s often a rich target because there is a lot of structure in there, so a hacker can start to figure out how this thing interacts with the backend and might be able to do harmful things.”
“We use machine learning to detect whether something is an API or not. If so, we can detect the layout of it so that we can build security rules for that specific API. There are ways to treat it differently from normal web traffic. You can allow people to protect the parts of an API that might need a specific type of protection and protect its structure. We can do a lot of that automatically.”
“And then there’s just the normal stuff. DDoS protection, rate limiting, and all the things you need to do in general. There are some specialties around APIs that are worth thinking about. And then the other side is that once an API hits Cloudflare, it is valuable for our customers to be able to decide on part of the API, i.e., to understand the API itself. Much like: ‘This request should be dropped because I don’t like it, or this request should be routed here.’ So we are going beyond just being a neutral tube.”
Things are evolving very fast in the security landscape. Do you have one last piece of advice for CISOs in the mid-and long term?
“The AI that we talked about – it’s evolving right now. People are experimenting. They are uploading things they shouldn’t be uploading. I would worry about that very quickly.”
“In the longer term, I think the challenge is that businesses find themselves in a very cost-conscious environment. Many companies are looking at the cost of how they run all their infrastructure. Within the security world, that’s often done by installing very expensive hardware. I think it’s time organizations think about consolidating down to a small number of providers who can give you the security they need because typical networks have many, many devices. They are very complicated to manage and upgrade, it is complicated to protect things, and the truth is that attacks come from every angle.”
“You need something that’s going to wrap it all around. How can you get to a small number of vendors that give you coverage everywhere across your organization, making sure you can protect everything? You don’t want to make decisions where you are trying to save some money and leave things less well protected. Hackers will look, and they will find out.”
“I think it’s time organizations think about consolidating down to a small number of providers who can give you the security they need because typical networks have many, many devices.”
About Cloudflare
Cloudflare, Inc. (www.cloudflare.com / @cloudflare) is on a mission to help build a better Internet. Cloudflare’s suite of products protects and accelerates any Internet application online without adding hardware, installing software, or changing a line of code. Internet properties powered by Cloudflare have all web traffic routed through its intelligent global network, which gets smarter with every request. As a result, they see significant improvement in performance and a decrease in spam and other attacks. Cloudflare was awarded by Reuters Events for Global Responsible Business in 2020, named to Fast Company’s Most Innovative Companies in 2021, and ranked among Newsweek’s Top 100 Most Loved Workplaces in 2022.
Founded in 2009, Cloudflare has quickly become a leader in the online security industry, serving over 27 million Internet properties, which is about one-fifth of the Internet. Cloudflare’s services are designed to protect websites and online applications from a wide range of threats, including DDoS attacks, SQL injections, cross-site scripting, and more.
Key features of services include:
- Application Protection: DDoS protection at the application level (7), WAF, API Security, Bot Management, Client Side Security, Attack Surface Management.
- Network Protection: DDoS protection at the network levels (3 and 4), Smart Routing, Network Interconnect, IDS/IPS, WAN as a Service(WANasS), Firewall as a Service (FWaaS)e.
- Employee Protection: Zero Trust, CASB, DLP, Email Security, Browser isolation, Secure Access, Internet Gateway.
In addition, Cloudflare offers a range of benefits for businesses and individuals alike:
- Improved website performance: Cloudflare’s services can help improve website performance by caching content and optimizing delivery to users.
- Reduced downtime: by protecting your website or online application from DDoS attacks and other threats, Cloudflare’s services can help reduce downtime and ensure a website is always available.
- Enhanced UX: with faster loading times and improved security, Cloudflare’s services can help enhance user experience and improve customer satisfaction.