How Cloudflare is staying ahead of the curve

Founded over a decade ago by Lee Holloway, Matthew Prince and Michelle Zatlyn, Cloudflare has gone beyond providing virtual firewalls to become a fully fledged cloud-based network security platform used by 18 of the 20 largest companies in the world.

Today, its services ranges from content delivery networks and the well-known 1.1.1.1 public DNS (domain name system) service used by more than 10 million people to zero-trust offerings, pitting it against traditional security suppliers and emerging rivals like Zscaler.

On a recent trip to Singapore, Prince spoke to Computer Weekly about how the company stays ahead of the curve, speeding up product development through an in-house developer platform that it has since commercialised, and where Cloudflare plays in the broader zero-trust landscape, among other areas.

You started Cloudflare after you wrote a business plan while you were at Harvard Business School. What was in that business plan and what has changed since then?

Prince: Michelle, Lee and I were the three co-founders of the company. At the time, we saw that the world was moving from on-premise hardware and software to the cloud. That was going to result in a significant change in how security was provisioned. You couldn’t buy a piece of hardware or software to deliver security.

We also saw a big, underserved portion of the market, where developers, small businesses and even mid-size companies just couldn’t afford state-of-the-art security solutions. And so, the original idea of Cloudflare was to build a service, with security incorporated into the network itself, that could respond to the shift to cloud and be affordable not just to the largest companies, but also individual developers.

The idea made total sense when we presented it to our advisors, except that if we stuck ourselves into every internet connection, things were going to slow down and become less reliable. And so, we became obsessed with how we could eliminate any latency that we added as we were delivering those security services. We also looked at how we could enhance reliability so we wouldn’t be making anything less reliable.

And as we did, we knew security was going to be one of the core pillars of what we deliver. But when we turned on our first beta, we were surprised that we had done so much work around performance and reliability that we were increasing the performance of anything that was sitting behind us and decreasing the errors and problems that people had.

And so, the very first line of the business plan was Cloudflare as a service that makes connecting to the internet faster, more reliable and more secure. We looked at all the steps that had to happen each time you clicked on a link or log on to a server, and how to make those things faster, more reliable and more secure.

I think what’s changed over time are two things. First, as we continue to serve not just developers and small businesses, but now 18 of the 20 largest companies in the world, what we heard from customers was that they didn’t just want us to protect their infrastructure. They also wanted us to protect their people and they wanted the same developer tools that our own team were using to build modern applications.

During these tough economic times, people are trying to conserve cash, but at the same time if you try to buy a firewall today, you can be on a waiting list for nine months and you may have a problem that needs to be solved tomorrow. I think that is forcing the region to consider cloud services more quickly

And so, we’ve expanded our products to a zero-trust set of solutions that focuses on protecting individuals as they are using online services where we took our network and extended it to provide different functionalities. We’ve also built Workers, a developer platform that allows us to service more things.

The second thing that has changed is we’ve realised that there are two other pillars that really matter, in addition to performance, reliability and security. Our mission is to build a better internet, and so if you could go back in time and redesign the protocols of the internet to be better, what would that look like? Obviously, it’d be faster, more reliable and more secure, but there’s also efficiency, which is what companies are talking to us about today. With increasingly challenging times, how do we find ways to save money as we use the internet?

The other pillar is making the internet more private, because a better internet is a more private internet. That means making sure that advertising agencies aren’t tracking you as you go about the internet, and that you can trust that a network connection is there. It’s also about keeping personal data private and making sure that if you’re a company, you’re storing and processing user data where the user is.

The Asia-Pacific (APAC) region contributes about 14% of Cloudflare’s global revenues. What are your thoughts on the region, and what’s your sense of where it is heading when it comes to picking up more customers?

Prince: For some very structural reasons, the internet here can be very expensive and slow. There are also a lot of different countries here, not all of whom have the best relations with one another. And so exchanging data between those nations becomes very complicated.

I think Singapore plays a very important role in being a trusted neutral party, and it’s one of the reasons our headquarters in Asia is here. But from a cyber attack perspective, there’s no region in the world that suffers more cyber attacks than in Asia. In China, it’s simply a cost of doing business and it’s common for competitors to launch cyber attacks against each other. That’s not something you see in Europe or the US.

In the same way, there’s regional tension between various governments with a ton of hacking of each other’s governmental authorities. While those create challenges for running the internet here, they also create enormous opportunities for Cloudflare. We have continued to invest in the region, because we think there’s an incredible opportunity for us to solve some of those problems. We can make the internet significantly faster, more reliable, more secure, more efficient and more private.

Around privacy, a number of countries in the region, whether it’s India, Australia, Singapore or China, have leaned into data residency and data locality. Having a network like ours very much aligns with being able to provide that. Today, we operate in more than 120 countries, and that’s way more than any other cloud provider. And so, when you have data about a customer in Sri Lanka or in the Philippines, we are going to have infrastructure in those places, and we can keep that data local.

I think the challenges in the region are that it’s just a really complicated region. In the US, you can hire salespeople in Kansas, and they can sell in Maine, California, Alaska or Florida as it’s sort of one big homogeneous region. Here, we’ve had to build up various teams that have very specific local knowledge, and I’m travelling here to build relationships with customers because it’s still a place where meeting face to face and building trust is so important.

The other thing is that APAC, as a whole, has been the slowest to adopt cloud services and there are still people who want a physical box when they buy security solutions. I think we’re starting to see that change, especially in markets like Australia and among startups in countries like India, where almost all the top startups are using Cloudflare services.

During these tough economic times, people are trying to conserve cash, but at the same time, if you try to buy a firewall today, you can be on a waiting list for nine months and you may have a problem that needs to be solved tomorrow. I think that is forcing the region to consider cloud services more quickly.

You mentioned Cloudflare Workers, which is about making it easy for developers to deploy serverless applications on your network and simplifying management without having to manage areas such as scalability. Is there more to that? I mean, it seems like you’re competing against the hyperscalers. What’s the thinking around this service?

Prince: Workers started out as a product that we built for ourselves. Around 2016 or so, we had all these ideas and we wanted to go into zero trust. We wanted to build new functionality, but our development process had slowed to a halt because we were managing our own infrastructure. We had VMs [virtual machines] and containers, and when we rolled out new features, we often had to completely reboot machines. The operational overhead of launching new features caused the velocity of our product development to slow down massively.

One day, I had lunch with our chief technology officer, John Graham-Cumming, and our principal engineer, Kenton Varda, at a Mexican restaurant near our office in San Francisco, and we said we have a real problem. There were so many different things we should be able to build with our network, but we didn’t have a platform that allowed us to build efficiently. We needed to rethink how our own team develops applications. While you can spin up a new VM on the cloud, you still have to manage stuff like installing an operating system, and it could take hours. Containers are more efficient and take it down to minutes, but you still have to manage how you do scaling.

What Workers did – and Kenton’s real genius – was to spin up new instances in milliseconds rather than minutes because developers should be able to just deploy code and pick what region it goes into. We wanted to make it easy for our developers to deploy features without even thinking about it. And so, we moved from containers to what we call isolates, which allow your browser to go to a web page and safely run code that it’s encountering for the first time within milliseconds.

Those isolates give us the security framework and sandbox that allow us to spin up new instances very quickly anywhere in the world. What Workers delivered, first and foremost, was that it allowed us to build zero-trust capabilities. It allowed us to go from having done nothing in that space to catching up with Zscaler, which had been working on zero trust for 14 years, in two years. That’s all because we have a developer platform that allows us to innovate much more quickly.

We realised that our customers had the same problem too. Walmart came to us wanting to build a new shopping cart application to support their flash sales. They were able to deploy it with Workers and scaled it automatically as more of their customers came online.

What’s powerful, though, is that our own team is pushing for things like object stores, databases and message queues, and we’re building those features for our own team because we need them for our own products. But we’re also opening them up to our customers, so anytime we build something that our own teams use on our own platform, it inherently gets exposed to the public.

Our free and pay-as-you-go users are incredibly valuable as ambassadors inside larger organisations. Often, when we release a new product, we give it to those users first, because they kick the tyres and make sure it’s available

Today, all new features at Cloudflare have to be built on Workers, and what’s powerful about that is that not only do we always have new tools and features, they are also the most programmable by customers. Our zero-trust platform, for example, can be highly customised with your own event handlers to do specific things.

As you know, there’s a lot of noise and confusion in the market when it comes to zero trust. What does zero trust mean to Cloudflare?

Prince: It’s a term that gets used so often that it almost lacks meaning, and there’s a risk of people writing it off as just a fad. What’s interesting – and I’ve been working in the security industry now for more than 20 years – about zero trust is that while I agree that it’s gotten a little fuzzy, it’s a different way of approaching security that does more to keep you secure than anything else I’ve ever seen.

When I think about zero trust, there are three key aspects that you need. Cloudflare only does one of those three, and we partner in the other two areas. The first area is that you need an identity provider – and there are a lot of great identity providers out there.

What we’re seeing is that companies will try to standardise around one identity provider, but they’ll often have ancillary ones where they have contractors they don’t put on their own identity management system. We are unlikely to compete directly in the identity space; instead, we partner with others, and whether you have one universal identity provider or multiple providers, we work with them to help you create a true zero-trust solution.

The second thing you need is an endpoint security service, and it’s not just antivirus – it goes beyond that to monitor the health of the device that you’re connecting to. It’s like traveling through an airport with my passport, which is sort of my identity provider. There’s also a fever-screening device to make sure you’re not sick, and that’s like your endpoint security provider. Both of these need to work with the border guards or the person who’s controlling access. That’s the third component: the network itself, which is what we provide.

No matter what you’re doing in the zero-trust space, one thing that’s common – whether you’re using cloud or on-premise solutions – is the network. And so, we act a little like a border agent: we’re taking the passport, looking at the results of the fever screening, and then deciding if we’re letting you through or not.

And because we can be ubiquitous across anything you’re using, whether it’s service like Salesforce, Workday, Amazon Web Services, or a solution you’re hosting in an Equinix datacentre, we can be that border guard in front of all of those things.

Those three bits together form what is zero trust. We compete with other companies like Zscaler and our products line up very well. Palo Alto Networks is also getting into that space, although they run their service on top of Google Cloud, which causes them some performance and reliability issues.

We’ve heard from customers about the confusion around zero trust and they don’t know where to start. So, we created a zero-trust roadmap which is vendor agnostic and has all the components you need to be zero trust compliant. We also gave recommendations based on what we’ve seen from other customers on how to start and what they should plan for in the next five years.

While there are very few companies that have completed the entire roadmap, every step you take along that journey makes you safer online. At Cloudflare, we have completed that entire journey and it has protected us against some really sophisticated attacks.

Cloudflare has many pay-as-you-go customers – are there any efforts to convert them to annual contract value customers on longer-term contracts?

Prince: To be honest, that’s not a priority for us. A typical customer journey for us could start with someone who has a personal blog and writes about something they’re passionate about. They will come to use Cloudflare because they have performance, security, reliability, efficiency and privacy needs for their personal blog, and they often use the free version of our service – or maybe they pay us a small amount on their credit cards.

But that’s their hobby and what they do for fun on the side. It’s not their job, but if they encounter a similar problem at work, they bring in Cloudflare. An example of this would be Salesforce, where one of their senior engineering leaders used us on his personal blog and never paid us anything.

One day, Salesforce had a problem, and the engineering leader knew how to solve that problem because he solved it with Cloudflare. We wouldn’t ever want to do something to make him pay us $20 a month, which is nothing compared with the millions of dollars that Salesforce pays us because we have that good initial relationship.

So, our free and pay-as-you-go users are incredibly valuable as ambassadors inside larger organisations. Often, when we release a new product, we give it to those users first, because they kick the tyres and make sure it’s available. We have a consumer app called 1.1.1.1, a DNS service used by over 10 million people every day. They use it everywhere and they’re constantly giving us feedback. We don’t care if any of them never paid us.

We also have a paid version, but the primary reason for that is so that we can make it clear that there’s a business model that isn’t selling data because we don’t sell customers’ data. The real business model is those 10 million people giving us the feedback so that our zero-trust products, which have the same codebase, are as reliable wherever you go. That enormous user base is key to how we can develop as quickly as we can.