The document discusses strengthening security for modern SaaS providers. It describes how enterprise architectures have evolved from legacy on-premise models to today's cloud-based apps and data. Legacy security solutions are not agile or scalable enough for modern architectures. The document outlines Cloudflare's security solutions, including a gateway web application firewall (WAF) and distributed denial of service (DDoS) protection to secure connections and protect against attacks. It also discusses trends seen during the COVID-19 pandemic such as internet traffic surges and rising security breaches faced by SaaS providers.
4. Legacy Enterprise Architecture
Connection through the web and mobile Apps and API
A well-defined network edge that is part of the infrastructure
Security stack consisting of hardware appliances within the enterprise infrastructure
Apps and data reside within datacenter premises
5. Today’s Enterprise Architecture
Web/Mobile apps and APIs connect directly to the enterprise apps and data in the Cloud - IaaS, PaaS, SaaS
Dissolution of the legacy network edge
Legacy security solutions are not agile, scalable and intelligent enough to cater to the modern architecture
6. Cloud Transformation Challenged Legacy Security Solutions
Agility
Transformation: Weekly, daily, even hourly application code updates
Legacy Security Solution: Slow to adapt to the fast velocity of application code changes
Requirements for a Modern Solution: Easy to deploy solution that quickly adapts to code changes
Scalability
Transformation: Apps and Data now reside in a hybrid environment
Legacy Security Solution: Does not scale to protect apps and data on-prem and in the cloud
Requirements for a Modern Solution: Comprehensive, integrated solution to protect apps and data everywhere
Intelligence
Transformation: Rise of sophisticated attacks
Legacy Security Solution: Lacks real-time intelligence and integrations to combat new age attacks
Requirements for a Modern Solution: Real-time intelligence curated by behavioral learning from a diverse and global data set
9. Security Solution for the Modern Enterprise
Customers connect across the world to closest data centre for a high quality of user experience
Integrated security and performance fueled by intelligence curated from protecting 27 Million+ Internet properties: Quality, volume, diversity
Comprehensive security against sophisticated attacks, agnostic of whether apps and data reside on-premise, in the cloud or in a hybrid environment
10. Cloudflare Security Product Portfolio
Gateway: Secure connections to the public Internet
Internal app access: Illegitimate user access attempt
Layer 4 DDoS attacks: SYN Flood, UDP amplification
Layer 3 DDoS attacks: ICMP Flood, GRE attacks
Layer 7 DDoS attacks: HTTP flood, DNS service attack
Login attacks: Brute force logins, API abuse
Bot Attacks: Credential stuffing, Inventory Hoarding
App vulnerability attacks: OWASP Top 10 and beyond
Gateway WAF
DDoS Protection
Rate Limiting
Bot Management
Magic Transit
Spectrum
Access
Man in the middle attack: Snooping of Data-in-Transit, DNS spoofing
SSL, TLS, DNSSEC
12. ActiveCampaign Customer Experience Automation
Treat every customer like your most important — whether you have 10 or 10 million
CX Apps Marketplace
Remove silos | Connect across all channels | Automate the 1:1 experience
Email Marketing
Marketing Automation
CRM
Support
300+ Integration Partners
13. The Global Leader in Customer Experience Automation
100K customers
170 countries
6000+ active partners
#1 on G2 & TrustRadius
580 employees
CHICAGO | INDIANAPOLIS | DUBLIN | SYDNEY
2.5B weekly automated experiences
$100M ARR
27. Shared Services
Web (PHP, Ember, React)
External API (PHP, Python)
Internal API (PHP, Python)
Cron Services (PHP, Java)
Cloudflare
Tenant Data
Aurora MySQL
ProxySQL
Core Config Data
Aurora MySQL
ElastiCache
Memcached, Redis
Logging & Alerting
Third Party Integrations
Link Tracking (PHP)
Web Application & Mobile Users
APM
Security
PowerMTA
Mail Servers
Inbox Providers
Queueing - SQS
The majority of enterprises that have been in business for over 10 years have some percentage of their infrastructure that looks like the simplified depiction in this slide - the on-premise datacenter. The key aspect of this architecture is that the Apps and Data used to reside within the first-party colo or datacenter that was owned by the enterprise. This implied that all the devices and people that were accessing the enterprise’s apps and data from an outside connection, branch office or headquarters had to connect through a defined edge of the network which was controlled by the enterprise. Network and security teams could segment and segregate this edge to build access control lists and other security measures to bolster the posture. This network edge was then followed by a stack of hardware appliance-based boxes where each box performed a specific function, such as DDoS protection, Network Firewall, Web Application Firewall, Remote Management Server, SSL/TLS inspection and so on. Only once a request from the outside world had been inspected as per the defined rules and policies would it be routed to the appropriate apps and the relevant data. If the request did not meet the rules and policies then it was blocked or challenged.
With the advent and significant adoption of the Cloud - IaaS, PaaS, SaaS - the architecture changed dramatically. Now, part of the app suite and data that in the legacy architecture used to reside solely within the premises of the datacenter resided in the cloud. This created a hybrid model. The legacy network edge dissolved and did not exist anymore. Moreover, the clunky hardware appliance-based security boxes found it difficult to adapt to this modern architecture. They are not agile, scalable or intelligent enough to adapt to the changes.
The advent of the cloud brought many advantages to the enterprise in terms of catering to the demands and needs of its customers. It created a new era of customer experience and defined the Age of the Customer. At the same time it challenged the legacy hardware appliance-based security service model. Let’s view these challenges across three use cases.
Agility: Adoption of the cloud enabled enterprises to build apps from inception to market at unprecedented speeds. New code releases that were usually annual or a few times in a year were now being released at a monthly, weekly, daily or in some cases even at an hourly cadence! This allowed enterprises to gather A/B testing data on customer experience through digital assets and deliver a superior user experience. On the security side, the legacy model could not keep up with the velocity of this change. It started triggering an increased number of false positives, hence lowering the accuracy or breaking the delivery of the code. This was not acceptable and the enterprises started looking for a solution that is easy to deploy and is nimble enough to adapt to this unprecedented velocity of code changes.
Scalability: As shown in the previous slide, the apps and data were now residing in a hybrid environment. This challenged the legacy security solution as well, which was not poised to protect the apps and data in the cloud. Vendors made attempts to create ‘virtual patches’ and ‘cloud-based’ models as an extension of the hardware boxes but all of those solutions fell short. The requirements for a modern solution were now defined as a solution that can comprehensively protect apps and data agnostic of whether they live in an on-premise datacenter or in the cloud.
Intelligence: The same cloud technology that enables enterprises to deliver a superior customer experience also enabled malicious actors to launch more sophisticated attacks. It’s of paramount importance for security services to have real-time context. When a vulnerability is made public through a CVE it’s a time race between the security teams and the malicious actor(s). Having a global and real-time context of the threat landscape which directly empowers the intelligence of the security service became critically important. Again, the legacy security services were found to fail in this regard, as they have no real-time context. They are reactive boxes sitting in a datacenter trying to block bad traffic against static rules and policies.
Cloudflare’s network has the breadth and scale that organizations need to run their Internet applications. Organizations benefit from our unique architecture, which has all products and services running on every server, in every data center, improving our network for our customers with every new colo. Our network offers the scale and performance that help organizations deliver superior application experience while keeping their environments secure.
All of these shortcomings created a massive security gap for the needs of the enterprise. This gap started slowing down the pace of evolution and also put the financial, brand and customer aspects of the enterprise in jeopardy. Cloudflare recognized these gaps and needs a decade ago. As a result, we started working on a solution that would holistically meet the needs of the customers for today and the future. The key to solving this issue was to create a global cloud platform that is built on a global network. This global network would allow a diverse and rich threat intelligence context from protecting millions of Internet properties and leveraging the collective intelligence.
The modern Security-as-a-Service solution is Cloudflare. No more static, non-intelligent hardware appliance-based security. All the connections from the outside world, whether they are from customers, employees from headquarters or branch offices, send the requests to Cloudflare which serves as the outer edge for the platform. The requests are inspected and blocked or challenged as per the rules and policies defined by the customer and dynamically with the real-time threat intelligence that Cloudflare curates by protecting over 20M+ Internet properties. Legitimate requests are routed to the desired destination agnostic of whether it’s on-premise or in the cloud.
Simple, Fast, Reliable and Intelligent solution for the evolved enterprise architecture.
This is our security suite of products. We are passionate about creating security solutions that protect our customers’ apps and data agnostic of where they reside - on-prem or in the cloud. That’s our main focus, so we put that in the center of our design philosophy. Then we look at the threat landscape of our customers - Zero-day vulnerabilities, brute force logins, API abuse, DDoS attacks, bot attacks and so on - and we purposefully build security products to protect against those. As part of our global cloud platform we offer security as a service to thwart attacks that attempt to leverage any of the attack vector mechanisms shown in the slide. Our offering includes WAF, L3, L4 and L7 DDoS protection, Rate Limiting, SSL/TLS, DNSSEC, Cloudflare Access and Bot Management.
Comprehensive protection for our customers’ applications and data, against the most sophisticated attack vectors.
What is customer experience automation? It’s a new category of software that allows businesses to connect and automate personalized touchpoints across the entire customer lifecycle. It’s all about making every customer feel like they have a personal relationship with you, no matter how big you grow. Customer experience automation is different from other solutions in that it actually boosts the effectiveness of your existing toolset, working in tandem to make your business more customer-friendly.
Today we have over 100k active customers on the platform, we run business in more countries than McDonald’s, with half of our business being international, and we have over 300 integrations with brands you know like Shopify and SFDC. We are rated #1 by G2 for marketing automation. We are #2 on the Shopify App Store for Marketing Automation, and have earned a 4.8 out of 5 rating with 85+ 5-star reviews. Today, we are the only marketing automation tool that caters effectively to Salesforce Essentials customers (SMB), and our listing is the #4 overall Marketing app of the entire AppExchange, and ranks #1 for Marketing Automation. We’ve been able to grow virally, without having to do a lot of marketing, because we’ve made most of our investments in delivering a customer experience. We use our own product to save time, and automate more personalized interactions through the sales process, deliver a really effective and personal customer onboarding flow, triage NPS to stakeholders and more.
The chart in front of you shows the relative change in Internet usage as seen by Cloudflare since the beginning of the year. You’re seeing the moving average of the trailing seven days for each country, where we are using December 29, 2019 as the reference point.
And this kind of increase is unprecedented at two levels:
First, the scale is not unlike something that you might witness during the Super Bowl, but the key difference here is that traffic continues to stay high, and grow day after day.
And secondly, this trend is seen globally! With India being the outlier in this set, all the major countries have seen more than 1.5 times increase in traffic since the pandemic started. US, Canada, Australia and Brazil are all running at approximately 50% higher usage compared to what they were seeing at the beginning of the year.
“Old School” Techniques Still Provide Significant Value:
IR can leverage Rate Limiting, Challenge and Blocking features during (D)DoS events
Targeted Rate Limits for certain areas of our application: links posted to social media result in scaled resource usage and occasional abuse
Cloudflare enables us to balance and respond to changes in traffic shape.
Placing public web infrastructure behind Cloudflare saves money, stress and the customer experience.
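The targeted rate limits with challenge and block actions mentioned above can be modelled locally as follows. This is an added example, not code from the presenters or from Cloudflare, and it does not use Cloudflare's API; the `/lt/` and `/api/` prefixes, the limits and the escalation factor are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# Constructed rule set: (path prefix, requests allowed per window, window seconds).
# "/lt/" stands in for a link-tracking endpoint; paths and limits are assumptions.
RULES = [
    ("/lt/", 5, 10),
    ("/api/", 20, 10),
]
BLOCK_FACTOR = 2  # beyond 2x the limit, stop challenging and block


class TargetedRateLimiter:
    """Sliding-window limiter keyed on (client, matched rule)."""

    def __init__(self, rules=RULES):
        # Longest prefix first so the most specific rule wins.
        self.rules = sorted(rules, key=lambda r: len(r[0]), reverse=True)
        self.hits = defaultdict(deque)

    def decide(self, client_ip, path, now):
        rule = next((r for r in self.rules if path.startswith(r[0])), None)
        if rule is None:
            return "allow"  # untargeted areas of the application are not limited
        prefix, limit, window = rule
        q = self.hits[(client_ip, prefix)]
        while q and q[0] <= now - window:  # drop hits that have left the window
            q.popleft()
        q.append(now)  # challenged and blocked requests still count as hits
        if len(q) > limit * BLOCK_FACTOR:
            return "block"
        if len(q) > limit:
            return "challenge"
        return "allow"


def replay(events):
    """Run (timestamp, ip, path) events through a fresh limiter."""
    limiter = TargetedRateLimiter()
    return [limiter.decide(ip, path, ts) for ts, ip, path in events]


# Constructed traffic: one client hammers a tracked link, another browses normally.
SAMPLE = [(i * 0.5, "198.51.100.7", "/lt/abc123") for i in range(12)]
SAMPLE += [(3.0, "203.0.113.9", "/lt/abc123"), (3.1, "203.0.113.9", "/pricing")]

if __name__ == "__main__":
    for event, action in zip(SAMPLE, replay(SAMPLE)):
        print(event, action)
```

Because the limiter is keyed per client and per rule, the second client's requests to the same tracked link are unaffected by the first client's burst.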
We used the load balancing feature to slowly introduce an API gateway to our service infrastructure. Putting an API gateway (reverse proxy) onto our live API service -- which handles over 200 million requests daily -- had to be done with care and observability. The load balancing feature -- with CF’s analytics -- allowed us to control the traffic that was handled by the new proxy layer. Cloudflare made it easy and safe to test in production.
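The gradual introduction of a proxy layer described above can be sketched as a weighted split with a metrics gate. This is an added example, not the presenters' or Cloudflare's code; the ramp percentages, error threshold, sample minimum and pool names are assumptions.

```python
import hashlib

# Constructed ramp: share of traffic (percent) sent to the new gateway per stage.
RAMP = [1, 5, 25, 50, 100]
MAX_ERROR_RATE = 0.01  # assumed gate: roll back above 1% errors on the new pool
MIN_SAMPLES = 1000     # assumed minimum requests observed before judging a stage


def route(request_key, gateway_percent):
    """Pick a pool deterministically so the same key always lands the same way."""
    digest = hashlib.sha256(request_key.encode()).digest()
    bucket = int.from_bytes(digest[:4], "big") % 100
    return "gateway" if bucket < gateway_percent else "direct"


def percent(stage):
    """Traffic share for a stage; stage -1 means rolled back to 0%."""
    return 0 if stage < 0 else RAMP[stage]


def next_stage(stage, requests, errors):
    """Advance, hold, or roll back from the new pool's observed metrics."""
    if requests < MIN_SAMPLES:
        return stage  # not enough data to judge: hold
    if errors / requests > MAX_ERROR_RATE:
        return -1     # regression: send all traffic back to the direct pool
    return min(stage + 1, len(RAMP) - 1)


def run(observations):
    """Feed (requests, errors) per interval; return the traffic share over time."""
    stage = 0
    history = [percent(stage)]
    for requests, errors in observations:
        stage = next_stage(stage, requests, errors)
        history.append(percent(stage))
        if stage < 0:
            break  # stay rolled back until someone investigates
    return history


if __name__ == "__main__":
    # Constructed metrics: healthy, too few samples, healthy, then an error spike.
    print(run([(5000, 10), (200, 0), (8000, 20), (9000, 200)]))
```

Hashing the request key instead of drawing a random number keeps a given client or tenant on one path during a stage, which makes errors on the new layer easier to attribute.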