Today, we’re excited to announce that your team can use Cloudflare’s network to build Zero Trust controls over the data in your enterprise - wherever it lives and however it moves.
Stopping data loss is difficult for any team and that challenge has become harder as users have left offices and data has left on-premise storage centers. Enterprises can no longer build a simple castle-and-moat around their data. Users now connect from any location on the planet to applications that live in environments outside of that enterprise’s control.
We have talked to hundreds of customers who have resorted to applying stopgap measures to try to maintain that castle-and-moat model in some form, but each of those band-aids slows down their users or drives up costs - or both. Almost all of the short-term options available combine point solutions that ultimately force traffic to backhaul through a central location.
Part of Cloudflare One, Cloudflare’s approach to data loss prevention relies on the same infrastructure and global network that accelerates user traffic to the Internet to also perform inline inspection against all traffic regardless of how it arrives on our network.
We also know that enterprises need more than just scanning
Data exfiltration, or data loss, can be a very time-consuming and expensive ordeal causing financial loss, negative brand association, and penalties under privacy-focused laws. Take, for example, an incident where sensitive smart grid and metering R&D information from an industrial control system of a North American electric utility was exfiltrated through an attack that was suspected to have originated from inside the network. Unauthorized access to data from a utilities company can result in a compromised smart grid or power outages.
In another example, a security researcher found exposed and unknown (undocumented) API endpoints for Tesla’s Backup Gateway that could have been used to export data or make unauthorized changes. This would have had very real physical consequences had the unauthenticated API endpoint been used by an attacker to damage the battery or the connected electric grid.
Both these examples emphasize the importance of considering internal and external threats when thinking about how to protect a network from data exfiltration. An insider threat isn’t necessarily a user willfully causing harm: according to Fortinet’s 2019 Insider Threat Report, 71% of the organizations surveyed were concerned about a careless user causing an accidental
API traffic is growing fast. Last year alone it grew 300% faster at our edge than web traffic. Because APIs power mobile and web applications, transmitting instructions as diverse as “order a pizza from my favourite restaurant using this credit card” or “place a cryptocurrency trade and these are my personal details”, they are ripe for data theft and abuse. Data exposure is listed as one of the top threats for API traffic by OWASP; this includes data leaks and exfiltration from origin responses (API Security TOP 10 threats 2019). The increase in API traffic and more frequent data attacks call for new security solutions.
Cloudflare’s security toolkit has always been designed to protect web and API traffic. However, after talking to hundreds of customers we realised that there is a need for easily deployed and configured security tools for API traffic in a single interface. To meet this demand, in October 2020 we launched API Shield™, a new product aimed at bringing together all security solutions designed for API traffic. We started by providing mTLS authentication to all Cloudflare users free of charge, gRPC support and Schema Validation in Beta. During the launch we laid
Every Internet-connected organization relies on web browsers to operate: accepting transactions, engaging with customers, or working with sensitive data. The very act of clicking a link triggers your web browser to download and execute a large bundle of unknown code on your local device.
IT organizations have always been on the back foot while defending themselves from security threats. It is not a question of ‘if’, but ‘when’ the next zero-day vulnerability will compromise a web browser. How can IT organizations protect their users and data from unknown threats without over-blocking every potential risk? The solution is to shift the burden of executing untrusted code from the user’s device to a remote isolated browser.
Today we are excited to announce that Cloudflare Browser Isolation is now available as an add-on within the Cloudflare for Teams suite of zero trust security and secure web browsing services. Teams of any size, from startups to large enterprises, can benefit from reliable and safe browsing without changing their preferred web browser or setting up complex network topologies.
Running sensitive workloads in secure environments is nothing new, and Remote Browser Isolation (RBI)
Imagine your most critical systems suddenly stop operating, bringing your entire business to a screeching halt. And then someone demands a ransom to get your systems working again. Or someone launches a DDoS against you and demands ransom to make it stop. That’s the world of ransomware and ransom DDoS.
So what exactly is ransomware? It is malicious software that encrypts files on computers making them useless until they are decrypted. In some cases, ransomware could even corrupt and destroy data. A ransom note is then placed on compromised systems with instructions to pay a ransom in exchange for a decryption utility that can be used to restore encrypted files. Payment is often in the form of Bitcoin or other cryptocurrency.
Recently, Cloudflare onboarded and protected a Fortune 500 customer from a targeted Ransom DDoS (RDDoS) attack -- a different type of extortion attack.
Prior to joining Cloudflare, I responded to and investigated a large number of data breaches and ransomware attacks for clients across various industries, including healthcare, financial, and education, to name a few. I’ve been in the trenches analyzing these types of attacks and working closely with clients to help them recover from the aftermath.
In this
Today we’re announcing support for malware detection and prevention directly from the Cloudflare edge, giving Gateway users an additional line of defense against security threats.
Cloudflare Gateway protects employees and data from threats on the Internet, and it does so without sacrificing performance for security. Instead of backhauling traffic to a central location, Gateway customers connect to one of Cloudflare’s data centers in 200 cities around the world where our network can apply content and security policies to protect their Internet-bound traffic.
Last year, Gateway expanded from a secure DNS filtering solution to a full Secure Web Gateway capable of protecting every user’s HTTP traffic as well. This enables admins to detect and block not only threats at the DNS layer, but malicious URLs and undesired file types as well. Moreover, admins now have the ability to create high-impact, company-wide policies that protect all users with one click, or they can create more granular rules based on user identity.
Earlier this month, we launched application policies in Cloudflare Gateway to make it easier for administrators to block specific web applications. With this feature, administrators can block those applications commonly used to distribute malware, such as public cloud file storage.
These
Last October, we announced Cloudflare One, our comprehensive, cloud-based network-as-a-service solution that is secure, fast, reliable, and defines the future of the corporate network. Cloudflare One consists of two components: network services like Magic WAN and Magic Transit that protect data centers and branch offices and connect them to the Internet, and Cloudflare for Teams, which secures corporate applications, devices, and employees working on the Internet. Today, we are excited to announce new integrations with VMware Carbon Black, CrowdStrike, and SentinelOne to pair with our existing Tanium integration. Cloudflare for Teams customers can now use these integrations to restrict access to their applications based on security signals from their devices.
When the COVID-19 pandemic unfolded, many of us started to work remotely. Employees left the office, but the network and applications they worked with didn’t. VPNs quickly began folding under heavy load from backhauling traffic and reconfiguring firewalls became an overnight IT nightmare.
This has accelerated many organizations' timelines for adopting a Zero Trust network architecture. Zero Trust means mistrusting every connection request to a corporate resource, and instead intercepting it and granting access only if the criteria defined by an administrator are
Today, we’re excited to announce our newest Network On-ramp Partnerships for Cloudflare One. Cloudflare One is designed to help customers achieve a secure and optimized global network. We know the promise of replacing MPLS links with a global, secure, performant and observable network is going to transform the corporate network. To realize this vision, we’re launching partnerships so customers can connect to Cloudflare’s global network from their existing trusted WAN & SD-WAN appliances and privately interconnect via the data centers they are co-located in.
Today, we are launching our WAN and SD-WAN partnerships with VMware, Aruba and Infovista. We are also adding Digital Realty, CoreSite, EdgeConneX, 365 Data Centers, BBIX, Teraco and Netrality Data Centers to our existing Network Interconnect partners Equinix ECX, Megaport, PacketFabric, PCCW ConsoleConnect and Zayo. Cloudflare’s Network On-ramp partnerships now span 15 leading connectivity providers in 70 unique locations, making it easy for our customers to get their traffic onto Cloudflare in a secure and performant way, wherever they are.
With Magic WAN, customers can securely connect data centers, offices, devices and cloud properties to Cloudflare’s network and configure routing policies
Back in October 2020, we introduced Cloudflare One, our vision for the future of corporate networking and security. Since then, we’ve been laser-focused on delivering more pieces of this platform, and today we’re excited to announce two of its most foundational aspects: Magic WAN and Magic Firewall. Magic WAN provides secure, performant connectivity and routing for your entire corporate network, reducing cost and operational complexity. Magic Firewall integrates smoothly with Magic WAN, enabling you to enforce network firewall policies at the edge, across traffic from any entity within your network.
Enterprise networks have historically adopted one of a few models, which were designed to enable secure information flow between offices and data centers, with access to the Internet locked down and managed at office perimeters. As applications moved to the cloud and employees moved out of offices, these designs stopped working, and band-aid solutions like VPN boxes don’t solve the core problems with enterprise network architecture.
On the connectivity side, full mesh MPLS (multiprotocol label switching) networks are expensive and time-consuming to deploy, challenging to maintain, exponentially hard to scale, and often have major gaps in visibility. Other architectures require backhauling
Today kicks off Cloudflare's 2021 Security Week. Like all innovation weeks at Cloudflare, we'll be announcing a dizzying number of new products, opening products that have been in beta to general availability, and talking to customers and through use cases on how to use our network to fulfill our mission of helping build a better Internet.
In Cloudflare's early days, I resisted the label of being a "security company." It seemed overly limiting. Instead, we were setting out to fix the underlying "bugs" of the Internet. The Internet was never built for what it's become. We started Cloudflare to fix that. Being more secure was table stakes, but we also wanted to make the Internet faster, more reliable, and more efficient.
But a lot of what we do is about security. Approximately half our products are security related. And that makes sense because one of the Internet's deepest flaws is that it specifically did not engineer in security from the beginning.
John Graham-Cumming, Cloudflare's CTO, gives a terrific talk about how the Internet we all have come to rely on wasn’t designed to have the security we all need. In Tim Berners-Lee's original proposal for
Over the past year and a half, Cloudflare has been hard at work moving our back-end services running in our non-edge locations from bare metal solutions and Mesos Marathon to a more unified approach using Kubernetes (K8s). We chose Kubernetes because it allowed us to split up our monolithic application into many different microservices with granular control of communication.
For example, a ReplicaSet in Kubernetes can provide high availability by ensuring that the correct number of pods are always available. A Pod in Kubernetes is similar to a container in Docker. Both are responsible for running the actual application. These pods can then be exposed through a Kubernetes Service to abstract away the number of replicas by providing a single endpoint that load balances to the pods behind it. The services can then be exposed to the Internet via an Ingress. Lastly, a network policy can protect against unwanted communication by ensuring the correct policies are applied to the application. These policies can include L3 or L4 rules.
The diagram below shows a simple example of this setup.
Though Kubernetes does an excellent job at providing the tools for communication and traffic management, it does not help the developer decide the
Due to the COVID-19 pandemic, most Cloudflare offices closed in March 2020, and employees began working from home. Having online meetings presented its own challenges, but preserving the benefits of casual encounters in physical offices was something we struggled with. Those informal interactions, like teams talking next to the coffee machine, help form the social glue that holds companies together.
In an attempt to recreate that experience, David Wragg, an engineer at Cloudflare, introduced “Random Engineer Chats” (We’re calling them “Random Employee Chats” here since this can be applied to any team). The idea is that participants are randomly paired, and the pairs then schedule a 30-minute video call. There’s no fixed agenda for these conversations, but the participants might learn what is going on in other teams, gain new perspectives on their own work by discussing it, or meet new people.
The first iteration of Random Employee Chats used a shared spreadsheet to coordinate the process. People would sign up by adding themselves to the spreadsheet, and once a week, David would randomly form pairs from the list and send out emails with the results. Then, each pair would schedule a call at their convenience. This process was the
Cloudflare’s mission is to help build a better Internet. We’ve been at it since 2009 and we’re making progress — with approximately 25 million Internet properties being secured and accelerated by our platform.
When we look at other companies that not only have the scale to impact the Internet, but who are also on a similar mission, it’s hard to ignore Automattic, maintainers of the ubiquitous open-source WordPress software and owner of one of the web’s largest WordPress hosting platforms, WordPress.com, where up to 409 million people read 20 billion pages every month.
When we started brainstorming ways to combine our impact, one shared value stood out: privacy. We both share a vision for a more private Internet. Today we’re excited to announce a number of initiatives, starting with the integration of Cloudflare’s privacy-first web analytics into WordPress.com. This integration gives WordPress.com publishers choice in how they collect usage data and derive insights about their visitors.
This is not the first time
Caching is a big part of how Cloudflare CDN makes the Internet faster and more reliable. When a visitor to a customer’s website requests an asset, we retrieve it from the customer’s origin server. After that first request, in many cases we cache that asset. Whenever anyone requests it again, we can serve it from one of our data centers close to them, dramatically speeding up load times.
Did you notice the small caveat? We cache after the first request in many cases, not all. One notable exception since 2010 up until now: requests with query strings. When a request came with a query string (think https://example.com/image.jpg?width=500; the ?width=500 is the query string), we needed to see it a whole three times before we would cache it on our default cache level. Weird!
This is a short tale of that strange exception, why we thought we needed it, and how, more than ten years later, we showed ourselves that we didn’t.
To see the exception in action, here’s a command we ran a couple weeks ago. It requests an image hosted on example.com five times and prints each response’s CF-Cache-Status header.
Today, I’m excited to talk about our autonomous DDoS (Distributed Denial of Service) protection system. This system has been deployed globally to all of our 200+ data centers and actively protects all our customers against DDoS attacks across layers 3 to 7 (in the OSI model) without requiring any human intervention. As part of our unmetered DDoS protection commitment, we won’t charge a customer more just because they got hit by a DDoS.
To protect our customers quickly and with precision against DDoS attacks, we built an autonomous edge detection and mitigation system that can make decisions on its own without seeking a centralized consensus. It is completely software-defined and runs on our edge on commodity servers. It’s powered by our denial of service daemon (dosd) which originally went live in mid-2019 for protection against L3/4 DDoS attacks. Since then, we’ve been investing in enhancing and improving its capabilities to stay ahead of attackers and to disrupt the economics of attacks. The latest set of improvements have expanded our edge mitigation component to protect against L7 attacks in addition to L3/4.
This system runs on every single server in all our edge
Cloudflare for Teams was first announced in January 2020, along with our acquisition of S2 Systems. It was an exciting day for everyone at Cloudflare, but especially my team, who was in charge of building Teams.
Here is the story of how we took Cloudflare for Teams from initial concepts, to an MVP, to now a comprehensive security platform that secures networks, users, devices, and applications.
When I joined Cloudflare in April 2019, I was excited to have an impact on helping to build a better Internet. I was fascinated by the intricacy of how the Internet works, and wanted to untangle that complexity to provide our users with the best in class experience, with a simple and concise design approach. Little did I know that I would have the opportunity to launch a product that would impact thousands during a time when people need the Internet the most.
We started conceptualizing what would eventually become Cloudflare for Teams in July 2019, with a big vision and a small team. Coming off the excitement of 1.1.1.1, the team began thinking about how to bring this functionality to small, medium, and enterprise businesses. Our
Last year during Birthday Week, we announced Automatic Platform Optimization for WordPress (APO): smart HTML caching for WordPress sites using Cloudflare. Initial testing across various WordPress sites demonstrated significant improvements in performance metrics like Time to First Byte (TTFB), First Contentful Paint (FCP), and Speed Index. We wanted to measure how APO impacted web performance for our customers since the launch.
In this blog post, we answer the following questions:
We will show real-world improvements for several performance metrics.
We have added and improved lots of features since the initial launch.
We will cover the most common use cases and explain how Automatic Platform Optimization can be fine-tuned.
We use WebPageTest as our go-to tool for synthetic testing at Cloudflare. It measures web performance metrics in real browsers, is highly programmable, and can scale to test millions of sites per day. Among the benefits of synthetic testing are easily produced results and their relatively high reproducibility.
Automatic Platform Optimization
Last December we opened up our brand new privacy-first Web Analytics platform to everyone. Today, we’re excited to announce the release of three of the most requested features: adding multiple websites to an account, supporting Single-page Applications (SPA) as well as showing Core Web Vitals in Web Analytics.
Since we launched two months ago, we’ve received a lot of feedback from our users. We are really happy that we are able to provide our privacy-first analytics to so many of you.
Popular analytics vendors have business models driven by ad revenue. Using them implies a bargain: they track visitor behavior and create buyer profiles to retarget your visitors with ads; in exchange, you get free analytics.
Our mission is to help build a better Internet, and part of that is to deliver essential web analytics to everyone with a website without compromising user privacy. We’ve never been interested in tracking users or selling advertising. We don’t want to know what you do on the Internet — it’s not our business.
When we launched Web Analytics, each account was only able to measure one website. We are happy to announce
Cloudflare’s Bot Management platform follows a “defense in depth” model. Although each layer of Bot Management has its own strengths and weaknesses, the combination of many different detection systems — including Machine Learning, rule-based heuristics, JavaScript challenges, and more — makes for a robust platform in which different detection systems compensate for each other’s weaknesses.
One of these systems is Anomaly Detection, a platform motivated by a simple idea: because bots are made to accomplish specific goals, such as credential stuffing or content scraping, they interact with websites in distinct and difficult-to-disguise ways. Over time, the actions of a bot are likely to differ from those of a real user. Anomaly detection aims to model the characteristics of legitimate user traffic as a healthy baseline. Then, when automated bot traffic is set against this baseline, the bots appear as outlying anomalies that can be targeted for mitigation.
An anomaly detection approach is:
So, how well does this work?
Today, Anomaly Detection processes more than
Over three years ago, we embraced the ARM ecosystem after evaluating the Qualcomm Centriq. The Centriq and its Falkor cores delivered a significant reduction in power consumption while maintaining performance comparable to the processor that was powering our server fleet at the time. By the time we completed porting our software stack to be compatible with ARM, Qualcomm decided to exit the server business. Since then, we have been waiting for another server-grade ARM processor in the hope of improving our power efficiency across our global network, which now spans more than 200 cities in over 100 countries.
ARM has introduced the Neoverse N1 platform, the blueprint for creating power-efficient processors licensed to institutions that can customize the original design to meet their specific requirements. Ampere licensed the Neoverse N1 platform to create the Ampere Altra, a processor that allows companies that own and manage their own fleet of servers, like ourselves, to take advantage of the expanding ARM ecosystem. We have been working with Ampere to determine whether Altra is the right processor to power our first generation of ARM edge servers.
The AWS Graviton2 is the only other Neoverse N1-based processor publicly accessible, but only made