As organisations attempt to carry out broad network transformations, moving to a Zero Trust architecture is a critical initial step. Mohit Bijlani, Head of UK/IRE at Cloudflare, tells Intelligent CISO’s Mrigaya Dham about how Cloudflare’s approach differs from other vendors and the most significant risks it helps mitigate.
Zero Trust is a widely discussed approach. How does Cloudflare think about Zero Trust?
Before discussing Zero Trust, we need to understand how traditional IT security paradigms operate or have operated. Traditional IP security models, what we recognise as the castle and moat concept, mean the network perimeter is considered a relatively safe zone or the ‘castle’. Security controls were mainly applied to actors trying to gain access to resources and applications that resided within that network perimeter from the outside. In this case, those who were a part of the organisation within that network perimeter were trusted implicitly and given free rein along with access to almost everything.
In contrast, Zero Trust security architecture implies you should trust no one and nothing implicitly, regardless of where actors are accessing applications or resources from and agnostic of where those resources or applications reside. It is important to understand that this is a common fallacy. People think that Zero Trust is a single product or piece of technology but that is not the case. Instead, it is a framework that comprises several different security principles and technologies, with Zero Trust network access, or ZTNA as it is commonly referred to, being the driving principle. The market invariably uses these two interchangeably.
How does Cloudflare’s approach to providing ZT security differ from other vendors in this space?
Firstly, a vendor landscape is typically two buckets – either vendors such as hardware appliance-based vendors, point solution vendors, such as makers of VPNs and network firewalls, or they could be cloud-based vendors who are essentially replicating the same functionality but in a software-defined and SaaS consumable mode, still point solution vendors.
Cloudflare’s approach is different in two ways, one being that we have one of the largest networks in the world to deliver security, with the content and resources being accessed by the users. This network spans 275 cities in over 100 countries, putting us within 50 milliseconds of 95% of the world’s Internet-connected population. So, for context, the blink of an eye is 300-400 milliseconds, it is quite fast and wide, enabling us to serve millions of customers and mitigate over 124 billion cyberthreats a day.
We have more insight into attack vectors but due to our network’s sheer volume and wide reach, we learn from these attack vectors using our artificial engines and Machine Learning engines to make real-time updates to our services. This puts us in a much better position than our peers to protect our customers versus zero-day vulnerabilities. Following that, our vast network reach ensures no latency in terms of security solutions.
Many have used VPN to log into services and we haven’t spoken to a single customer that enjoyed using VPN and the same applies to our software-defined security peers as they don’t have the wide network reach that Cloudflare has. When you’re trying to access applications with limited networks, you still have tremendous latency, which can translate into numerous business problems impacting revenue-generating activities.
Cloudflare has deliberately taken an approach to build out our Zero Trust solution as a single control plane. This helps reduce risk and complexity, reducing the total cost of ownership for our customers. In addition, this helps them get on board with our services quickly and realise faster time to value, further reducing the risk of having inconsistent security postures across multiple control planes. That’s a key advantage for our customers, especially because Zero Trust network access is the first step towards a broader transformation of the security and network edge perimeter, which can include other security controls.
What are the biggest risks it helps mitigate?
Data breaches are by far the most prominent risk. Numerous independent studies out there assess the annual likelihood of a data breach for a large organisation to be in the 26-28% range, with the cost per data breach being three to five million dollars. We also know according to Deloitte that 91% of all attacks still begin with a phishing email. The price and risk standard for businesses is much higher. Regulators impose fines but much deeper damage can be done to a brand due to loss of trust, resulting in customer churn and lost revenue.
How have you seen customers in the UKI market initially scope their ZT journey?
Some customers are up to speed with ZTNA and SASE principles and have a clear adoption roadmap. They approach us as they recognise Cloudflare as a leader in these domains with concrete use cases they’d like to get started. On the other hand, many customers are just learning about these areas and asking vendors like us to help educate them and advise them on identifying use cases to deliver quick wins and build roll-out plans. One of their key objectives is to lead these transformations while minimising business disruption. These are typically the customers who doubled down on legacy IT security technologies to keep the lights on during the pandemic and got hit with increased services and IT support costs, or these services didn’t fully mitigate security risks, or they are seeing increased pressure from their finance departments to shift spend from CAPEX to OPEX with the threat of a recession looming.
How have you seen customers build their internal use case with executives and senior leaders to invest in Zero Trust modernisation?
Unsurprisingly, executives want to see a positive return on investment-driven business cases while approving such transformations. When it comes to factors being considered in most cases, one is the total cost of ownership of the new solutions, meaning how much the new solution is going to cost vs. what they initially have in place. Another factor is incremental savings – whether a solution reduces the attack surface or increases security. Thirdly, the potential savings they would get from the redacted data breaches. Furthermore, increased ROI under faster time to value and any end-user productivity gains are essential factors. It is important to consider the nature of the spending (CAPEX vs. OPEX), especially with a potential impending recession, which customers want to understand. Lastly, what the cost of change or any business risk is when implementing a new solution.
The network hardware supply chain shortages are not going away. How can organisations mitigate this by moving the workload to the cloud?
We are seeing this currently, with the delivery lead times ballooning to almost four to eight months with hardware appliance vendors. This trend will only continue, and businesses will find it increasingly expensive and time-consuming, ultimately accelerating the need to transition to infrastructure as a service platform.
In this arena, by digitising or clarifying their edge networking and security stacks, businesses can offload these problems to the right vendors, ones that are well equipped to deal with these supply chain challenges. They can also take advantage of the cost and scaling efficiencies that cloud vendors like Cloudflare offer.
Are there any parting thoughts or anything that you would like to add to the discussion?
In summary, I’d like to conclude that moving to a Zero Trust architecture is merely the first step of a broader network transformation undertaking for businesses – which in my view, is inevitable given the macro shifts we’ve been observing in the market. Digitising the corporate network can be a big undertaking but now is the time for businesses to invest in at least developing a road map. I would advise CIOs, CISOs and heads of IT to try not to reinvent the wheel here and instead rely on industry peers like Cloudflare to share successes and failures from implementations we’re seeing. This way, we can help both accelerate and de-risk your transformational journeys together.