Today kicks off Cloudflare’s 2021 Security Week. Like all innovation weeks at Cloudflare, we’ll be announcing a dizzying number of new products, opening products that have been in beta to general availability, and talking to customers and through use cases on how to use our network to fulfill our mission of helping build a better Internet.
In Cloudflare’s early days, I resisted the label of being a “security company.” It seemed overly limiting. Instead, we were setting out to fix the underlying “bugs” of the Internet. The Internet was never built for what it’s become. We started Cloudflare to fix that. Being more secure was table stakes, but we also wanted to make the Internet faster, more reliable, and more efficient.
But a lot of what we do is about security. Approximately half our products are security related. And that makes sense because some of the Internet’s deepest flaws are that it specifically did not engineer in security from the beginning.
Security: The Internet’s Afterthought
John Graham-Cumming, Cloudflare’s CTO, gives a terrific talk about how the Internet we all have come to rely on wasn’t designed to have the security we all need. In Tim Berners-Lee’s original proposal for the web he wrote: “Authorisation and accounting systems for hypertext could conceivably be designed which are very sophisticated, but they are not proposed here.” Instead, the web was designed to prioritize information exchange over secrecy.
Foundational protocols the Internet relies upon also omitted security concerns. BGP, the protocol that stitches networks together, in its specifications document (known as an RFC) specifically called this out, stating: “Security issues are not discussed in this memo.” Terrifyingly, the word “security” never appears in the RFC for DNS.
All that would be fine if the Internet had remained the academic science project it started out as. But, given its importance, today it’s critical that security be “designed in” at every level. And so much of Cloudflare’s product roadmap over the last 10 plus years has been designing and implementing the security the Internet needs given what it has become.
Cloudflare’s Historical Roadmap: Reverse Engineering In Security
Encrypting all web traffic for free, encrypting DNS, working to sign every BGP route, encrypting SNI, eliminating DDoS attacks as a risk, automatically patching network software vulnerabilities, adding access management to the network. When we say our mission is to help build a better Internet, a big portion of that is helping build a fundamentally secure Internet.
And this week, we’re announcing more ways we’re taking things that have been fundamentally broken in terms of Internet security and fixing them.
A Week of Foundational Security Announcements
On Monday, we start with MPLS. It’s the foundational network technology that many organizations use to power their networks. Unfortunately, it’s expensive, slow to implement, hard to administer, and has no real security by default. Remember that NSA document from the Snowden leak describing Google’s network with the smiley face next to “SSL added and removed here.” That smiley face was fundamentally a flaw in the security model of MPLS. On Monday we fix it, while making it faster and less expensive at the same time.
On Tuesday, we shift to the browser. If you think about it, browsers are the stuff of CISO’s nightmares. Random code is automatically downloaded and run locally on every web page you visit. We’ve talked about how Remote Browser Isolation is a solution to this problem. On Tuesday we’ll be opening it to everyone and also adding more features to our Gateway product to help address the same fundamental issue.
On Wednesday, we’re taking a fresh look at an important space that has been underinvested in by security vendors. Ever been unsatisfied with the permissions and controls a SaaS application provides by default? Ever worry about your application’s APIs leaking more data than intended? Security isn’t always about keeping attackers out, it’s also about ensuring data stays in. We’re investing to help our customers solve these universal challenges.
On Thursday, we’re going to help deal with the complexity of the modern Internet and web. The Internet itself is a collection of networks. And a modern web page is a collection of content and applications. Unfortunately, the old adage that you’re only as strong as your weakest link holds true online. On Thursday, we’ll announce a set of tools that watches for signs of trouble in third parties from network level all the way down to the individual code on your web pages.
On Friday, we’re bringing some of the technology to protect against automated bots, which were previously only made available to our largest customers, to a broader audience. At the same time, we’ll be introducing more tools to identify and protect your APIs, which had historically been more difficult to protect against bot attacks.
Partnerships and Practicality
There’s a reason the word “help” is a part of our mission statement: we can’t build a better, more secure Internet alone. We don’t sell network hardware. We don’t own the core data centers where our customers store their data and run their applications. And there are companies that are deep specialists in things like identity management and endpoint security. And so, throughout the week, we’ll be announcing a number of partnerships with the leading companies in adjacent areas so our mutual customers build complete solutions around our secure, fast, and reliable global network.
One of the reasons that I never wanted to be described as a security company was because of how the industry tends to sell products on fear, uncertainty, and doubt. So, this week, we wanted to flip that script. Instead of the usual scary messaging around hackers in hoodies and fingerless gloves, we’ll be looking at a handful of recent, high-profile hacks and talking about how you can use our products as well as others in order to protect yourself.
Throughout the week on CloudflareTV we’ll be talking to security experts we admire as well as hosting interviews with the product managers and engineers behind the products we’ll be announcing. The schedule has been posted and you can tune in live and ask questions.
A Week Is Not Enough
And that’s not even close to everything. We almost declared it Security Fortnight because there are so many new products and capabilities we’ll be announcing. So don’t be surprised if the announcements roll through the weekend and even into next week.
While cybersecurity headlines often seem grim, we’re incredibly optimistic. It is possible to build a more secure network. We can fix the underlying flaws of the Internet. We’ve been doing it for the last 10 plus years. And, this week, we’re incredibly excited to take another big leap forward.