Whether you are just exploring moving workloads to the cloud or are fully cloud-enabled, one thing is certain: security is no longer what it was in a purely on-premises environment.
As cybersecurity risks continue to grow with more advanced attackers and more digital surface area, how you think about staying secure without compromising user experience must adapt.
During this talk, you will:
- Hear how global consistency, agile controls, and predictable costs are goals and principles that matter in this new environment
- Be able to evaluate your current plans against a "customer security model"
2. Transformation Imperative
It’s increasingly clear that we’re entering a highly disruptive extinction event. Many enterprises that fail to transform themselves will disappear.
Why digital transformation is now on the CEO’s shoulders
McKinsey, December 2017
4. What are the compelling outside forces driving change in your business?
What is your industry?
What impacts you most in terms of customer behavior:
Global
Demanding
Mobile
Something else
5. Cloud Adoption: Opportunities and Risks
Many enterprises are stuck supporting both their inefficient traditional data-center environments and inadequately planned cloud implementations that may not be as easy to manage or as affordable as they imagined.
Cloud adoption to accelerate IT modernization
McKinsey, April 2018
6. Modernizing Architecture and Infrastructure
On Prem, Hybrid, Cloud Native, Multi Cloud, Private Cloud
Modern Microservices, Monolithic Legacy Stacks
7. Where are you currently on the modernization spectrum?
Where are you currently and where do you want to go?
Infrastructure
Architecture
What hurdles are you experiencing or are anticipating?
8. Attackers are getting stronger
While hackers are honing their skills, business is going digital—and that makes companies more vulnerable to cyberattacks. Assets ranging from new product designs to distribution networks and customer data are now at risk.
A new posture for cybersecurity in a networked world
McKinsey, March 2018
9. Customers
Global Demanding Mobile
Attackers are getting stronger
DDoS Data Compromise Malicious Bots
On Prem, Hybrid, Cloud Native, Multi Cloud, Private Cloud
Modern Microservices, Monolithic Legacy Stacks
10. Which of these cyber security issues most concern you?
How concerned are you with these?
DDoS
Data Theft
Malicious Bots
Which risks are you trying to address now?
Access Risks
Transit Risks
Application Risks
11. Cloud Changes Security
For a company that has only begun to use the public cloud, it can be tempting to build a public-cloud cybersecurity model using the controls it already has for on-premises systems. But this can lead to problems, because on-premises controls seldom work for public-cloud platforms without being reconfigured.
Making a secure transition to the public cloud
McKinsey, January 2018
12. Modernizing application, infrastructure, architecture
On Prem, Hybrid, Cloud Native, Multi Cloud, Private Cloud
Attackers are getting stronger
DDoS Data Compromise Malicious Bots
Customers are more
Global demanding mobile
Modern Microservices, Monolithic Legacy Stacks
WAF Appliance, Single Sign On, DDoS Appliance
Cloud WAF, Load Balancer, Scrubbing Center
14. Modernizing application, infrastructure, architecture
Extract and Consolidate
DNS DDoS Bot Management VPN SSL Load Balancer Firewall
Attackers are getting stronger
DDoS Data Compromise Malicious Bots
Customers are more
Global demanding mobile
15. Global Consistency, Agile Control, Predictable Costs
Extracting Complexity
165+ Data Centers Worldwide
Integrated Platform of Services
Fast Deployment and Change Control
Easy to Use without Expensive Training
Programmatic Automation through APIs
Data Intelligence from Broad Traffic Samples
Unified Architecture vs Manual Professional Services
Pay for “Good” Traffic
Post-Sales, Customer Success, and Global Support Teams
Modernizing application, infrastructure, architecture
17. Level 1 Level 2 Level 3 Level 4
Out-of-the-box capabilities or very lightweight configurations
More defined use cases, typically application or user specific
More granular configurations
Customer extends services further along end-to-end spectrum
Customer deploys dynamic or sophisticated configurations
Customized policies to address edge cases
More advanced analysis of traffic and attacks informs custom policies
Security
Security Maturity Model
Area of Discipline
● Assess your current posture along key security disciplines
● Define and clarify your Cloudflare-agnostic roadmap to improve in areas you care about
● Learn how other companies strengthen their own capabilities
20. Level 1 Level 2 Level 3 Level 4
Out-of-the-box capabilities or very lightweight configurations
More defined use cases, typically application or user specific
More granular configurations
Customer extends services further along end-to-end spectrum
Customer deploys dynamic or sophisticated configurations
Customized policies to address edge cases
More advanced analysis of traffic and attacks informs custom policies
Security
Customer Maturity Model
Area of Discipline
Performance
● Assess your current posture along key security and performance disciplines
● Define and clarify your Cloudflare-agnostic roadmap to improve in areas you care about
● Learn how other companies strengthen their own capabilities
21. Level 1 Level 2 Level 3 Level 4
Block volumetric attacks inline
Block malicious countries manually
Implement custom Layer 7 rate-based defense
Block specific IP addresses manually
Deploy tiered Layer 7 rate-based defense
Protect all TCP ports from DDoS
Review DDoS analytics
Make web server IP address private
Programmatically block traffic based on analysis in SIEM
Block with machine learning and behavior analysis
Deploy latest SSL/TLS to encrypt traffic from client to the origin
Reduce risks of route hijacks with public key infrastructure
Secure DNS with DNSSEC
Redirect insecure requests to HTTPS
Deploy custom certificates
Deploy HSTS
Deploy Keyless SSL
Authenticate requests to the origin server
Reduce phishing attacks for internal users
Tunnel securely and directly from origin to reverse proxy
Deploy and integrate a Hardware Security Module (HSM)
Deploy HMAC to secure end-points
Improve discovery of shadow IT
Client authentication with mutual TLS
Mitigate DDoS Attacks: Attack traffic degrades application availability or performance and can spike infrastructure costs
Reduce Transit Risks: Attackers hijack Internet routes or domains, or snoop traffic to compromise sensitive data or re-route visitors to malicious destinations.
Security Maturity Model
Area of Discipline
22. Level 1 Level 2 Level 3 Level 4
Reduce Application Risks: Attackers exploit application vulnerabilities that can compromise sensitive data
Security Maturity Model
Reduce Access Vulnerabilities: Insider threat and privileged access attacks allow unauthorized users to access applications and systems
Area of Discipline
All or nothing access management
Manual deployment and enforcement
Enforce basic access policies
Use SSO and 2FA
Integrate access with Identity Provider
Centralized access control across internal applications
Hide origin IP address
Deploy hard key based 2FA
Secure access to SSH and RDP without a VPN
Search and access audit logs
Enforce granular access policies
Apply application-level user permissions
Apply adaptive authentication
Secure applications against the OWASP Top 10 threats
Protect open-source applications from zero-day threats with shared intelligence
Defend against application specific attacks with custom request-based rules
Apply threat-intelligence based reputation filters
Hide origin by closing all ports to the IP address
Analyze logs for anomalies
Apply Runtime Application Self Protection
Detect and block basic data exfiltration
23. Level 1 Level 2 Level 3 Level 4
Block malicious bots with known bad UA strings, IP addresses, poor IP reputations, or high requests per second.
Inject JavaScript to fingerprint devices and mitigate bots.
Maintain a whitelist of “good” bots.
Apply machine learning to intelligently manage bots.
Apply behavior analysis to detect anomalous bot traffic.
Secure mobile APIs with a secure connection from device.
Detect and block attacks by hijacked mobile apps.
Secure applications against the OWASP Top 10 threats
Protect open-source applications from zero-day threats with shared intelligence
Defend against application specific attacks with custom rules
Block or challenge visitors by user agent, IP address, country codes
Apply reputation-based filters
Hide origin by closing all ports to the IP address
Detect and block basic data exfiltration
Apply IP firewall rules to all TCP applications
Reduce Data Leaks: Attackers attempt to contaminate, exfiltrate, or compromise sensitive data
Security Maturity Model
Manage Bots: Malicious bots mimic humans in order to harm the business along a number of threat vectors
Area of Discipline
24. Modernizing application, infrastructure, architecture
Monolithic Legacy Stacks
Modern Micro-services
On Prem, Hybrid, Cloud Native, Multi Cloud, Private Cloud
Extract and Consolidate
DNS DDoS Bot Management VPN SSL Load Balancer Firewall
Attackers are getting stronger
DDoS Data Compromise Malicious Bots
Customers are more
Global demanding mobile
25. Modernizing application, infrastructure, architecture
Attackers are getting stronger
DDoS Data Compromise Malicious Bots
Customers are more
Global demanding mobile
26. Customers are more
Global Demanding Mobile
Companies Respond to Their Market
Modernizing application, infrastructure, architecture
On Prem, Hybrid, Cloud Native, Multi Cloud, Private Cloud
Modern Microservices, Monolithic Legacy Stacks