Investing analysis of the software companies that power next generation digital businesses

Cloudflare One Week in Review

Cloudflare held another innovation week from June 20 – 24, this time focused on Zero Trust solutions. They introduced a number of new capabilities and aligned their marketing message around what is expected for a full-featured Zero Trust SASE platform. Included in this were comparisons to offerings from other vendors. While Cloudflare is not considered the leading SASE provider by industry analysts at this point, these latest developments bring them a step closer to feature parity. At minimum, they check all the boxes for a marketable SASE platform and have a growing stable of customers. The question for investors will be whether they can continue to move upmarket, win larger deals and displace leading providers for enterprise spend in this growing category of the security market.

In this post, I will review Cloudflare’s Zero Trust offering, the product announcements made this past week and the opportunities for Cloudflare to increase their share of the market.


Background and Opportunity

Cloudflare operates a globally distributed network of over 270 data centers (also referred to as PoPs) in proximity to population centers that span more than 100 countries. These are connected by a private network with software defined routing. Each data center delivers the same set of services and includes significant compute power with which they can perform full packet inspection. This high level of network traffic and granular data packet processing is a consequence of Cloudflare’s best-in-class DDOS, WAF and bot mitigation services.

Enterprises can easily connect their corporate network, offices and employees to the same Cloudflare network, providing a more reliable and secure experience than traversing over the public Internet. All Cloudflare data centers host all services – application services (DNS, CDN, WAF, DDOS), the developer platform (Workers, data storage, email, video streaming, JAMstack), network services (FWaaS, smart routing, IDS, network interconnect) and their new security services (ZTNA, DLP, CASB, SWG, email, browser isolation). Because every data center mirrors the other, traffic isn’t routed to centralized data center hubs for handling individual functions like inspection or filtering. User traffic is processed at the closest data center onramp and then traverses the Cloudflare network until it arrives at its destination. As I’ll discuss later, this bundling of all services from a consolidated platform provides some advantages.

Cloudflare Investor Day 2022

Cloudflare continues to grow its network reach, regularly adding new data center locations with more compute power, data storage and network interconnects. Cloudflare’s current global distribution ensures that they have a data center located within 50ms of 95% of Internet users. In September 2021, they announced Cloudflare for Offices which will extend Cloudflare’s network into over 1,000 of the world’s busiest office buildings and multi-dwelling units.

Cloudflare focuses significant effort not just on expanding their data center footprint, but on optimizing the flow of traffic between data centers. To do this, they have over 10,000 network interconnects, including regional ISPs and other cloud providers. Custom software in each data center calculates the optimal path for network transit in real time, resulting in lightning-fast network performance. In fact, Cloudflare recently published an update to their network benchmark tests, reporting that they were the fastest provider in 1,290 (43%) of the 3,000 most used networks in the world. Second place went to Google at about 800, with Akamai, Fastly and CloudFront rounding out the top 5 with less than 400 each.

This performance is important as we consider the function of SASE (Secure Access Service Edge). Secure access handles access control, by ensuring that a user can only connect to authorized enterprise resources. Service Edge addresses the usability side, by requiring global reach to deliver all networking and security capabilities with high performance and low latency for all enterprise edges (on-premise data centers, branch offices, cloud resources, mobile users). Some SASE providers have depth in the SA function, but aren’t so performant on the SE side, leaving users secure but frustrated.

Cloudflare Service Offering

From this global network, Cloudflare offers an ever expanding suite of product services. They started with Application Services, which included DNS, load balancing, DDOS and CDN. The CDN label has clearly stuck, as some industry analysts still refer to Cloudflare as a “CDN provider”. Nonetheless, application services represent the bundle of products that built Cloudflare. It also forced them to assemble a global network of data centers with optimized delivery, deep packet inspection and software-defined routing. This network required significant bandwidth and processing capacity in order to fend off the largest and most sophisticated DDOS attacks.

Cloudflare Product Suite, Investor Day 2022

As an outcome of their global network and commitment to run all services on all servers, Cloudflare realized that they could address more of the needs of their customers. They noticed that server resources in their data centers were not fully utilized with Application Services, providing excess CPU, disk space and network bandwidth that could be harnessed in other ways. As DDOS attacks and CDN traffic surges can be episodic, Cloudflare was naturally left with extra resource capacity.

With these excess resources and the ability to address adjacent customer use cases, Cloudflare expanded into other areas. They introduced new Network Services, which help enterprises connect, secure, and accelerate their corporate networks. These eliminate the need to purchase legacy network hardware and set up MPLS circuits by provisioning a private WAN on Cloudflare’s network. On their private network, customers can apply firewall rules and perform intrusion detection.

Cloudflare also realized that developers could use more services on their global network besides a place to cache static content (aka CDN). In 2018, they introduced a serverless development runtime called Workers. This allows developers to deploy scripts written in most popular languages that run in parallel on Cloudflare’s Edge. To enable more than the simplest of coding functions, developers need the ability to store data as well. For this, Cloudflare introduced several data storage technologies, including Workers KV (key value), Durable Objects, R2 (object store) and most recently D1, their distributed SQL database.

This review of Cloudflare’s full platform and service offerings provides important context as we look forward and distinguish Cloudflare from other providers. On one hand, pure play security vendors focused on Zero Trust have advantages in feature depth and customer trust. They represent the go-to solution for large enterprises that want to use an established player. These providers benefit from incumbency and recognition by industry analysts.

On the other hand, Cloudflare brings a broader set of capabilities to the problem of Zero Trust SASE. Their foundation in network delivery drives superior performance and usability for enterprise users connected to their private WAN. This ensures that every enterprise “service edge” is in close proximity to a Cloudflare data center onramp and that their traffic traverses the secure network as quickly as possible.

Having a full-featured development environment running from the same edge locations brings programmability to SASE. Customers have the ability to customize aspects of the Zero Trust experience if they wish, or build their own edge services to enhance their security posture. More importantly, the Cloudflare development team can leverage the same edge-based, serverless framework to build composable primitives that can be assembled into new services at an accelerating rate. This is the engine behind their rapid product development cadence.

It’s these capabilities that Cloudflare is bringing to Zero Trust and SASE. While they are entering the space later than entrenched players, they have the opportunity to achieve feature parity and attract new customers with a broader product offering. Of course, the incumbents aren’t standing still. Let’s look at how Cloudflare’s Zero Trust solutions have evolved over the last two years and then what emerged from Cloudflare One Week.

Zero Trust

As Covid lock-downs forced employees to work from home, enterprises had to radically change their network and security topologies. The prior perimeter-based approach of relying on corporate networks wired to physical offices with a limited VPN capability was no longer tenable. Even as employees return to offices now, corporate CIOs have to accommodate a much larger percentage of employees, contractors and partners working outside the corporate network.

Similarly, the risks to enterprises have multiplied as hackers try to take advantage of these new operating models to gain access to corporate resources. This has forced enterprises to invest significantly in their security infrastructure. At the core of the new security paradigm is the concept of Zero Trust. This enforces a new model in which every user access to a corporate resource is authenticated and authorized on every request. No longer does a user simply log into the VPN and have unfettered access to everything.

Vendors scrambled to update their product offerings to address the new demands of Zero Trust. Equipment providers like Palo Alto Networks and Cisco rolled out new cloud-based network services to address Zero Trust use cases. More modern network-based vendors like Zscaler and Netskope rebranded their solutions to address Zero Trust requirements. Even the virus protection companies like McAfee got into the mix.

Given their global matrix of interconnected data centers and experience routing high volume traffic, Cloudflare had a strong foundation to add Zero Trust services. Cloudflare One is their Zero Trust SASE platform for enterprises looking to connect employees, offices and data centers to a secure network. It was introduced in October 2020 as part of a week long binge of product releases called Zero Trust Week.

Cloudflare One Services, Cloudflare Web Site

Cloudflare One provides a unified set of tools to enable a Zero Trust security posture for customers. It delivers a cloud-based network-as-a-service to protect enterprise devices, data and employees. While this initially represented a packaging of existing SASE products like Access, Gateway and Magic Transit, it also added browser isolation, a next-gen firewall and intrusion detection. Cloudflare One is the umbrella product offering, and these other tools roll into it.

In order to round out the Zero Trust capabilities of the platform, Cloudflare announced partnerships with leading providers in identity management and endpoint protection. Cloudflare allows customers to preserve their existing identity management tools, with integrations between Cloudflare One and providers like Okta, Ping Identity and OneLogin. Similarly, for device security (endpoint protection), Cloudflare has partnered with CrowdStrike, VMware Carbon Black, SentinelOne and Tanium.

Cloudflare added more support for private networks. Private networks allow a customer to hide IP address ranges and only expose resources to designated clients. Using a private network, an enterprise can remove public network access to their internal software applications. Only employees with the appropriate client app and permissions will be routed to the obfuscated application. This capability also supports non-HTTP traffic, which was a constraint previously. Cloudflare’s support for private networks is similar to Zscaler’s ZPA offering.

Cloudflare Private Network Access, Cloudflare Blog

For customers that still want some control over traffic flowing across their network, Cloudflare introduced Magic Firewall. This provides a network-defined firewall for an enterprise to secure users, offices and data centers. Like a typical hardware firewall, users can specify allow/block rules based on IP, port, protocol, packet length, etc. This is integrated with Cloudflare One making these capabilities automatically available.

To protect employee browsing activity, Cloudflare offers Browser Isolation. This product addresses the risk that a script downloaded from an infected web site might compromise a user’s device. To prevent this, Cloudflare runs a copy of the user’s browser in a sandboxed environment in one of Cloudflare’s distributed data centers. The rendered results are then streamed to the user’s local browser instance as a set of draw commands, so the local browser never executes any of the page’s code. If malicious code is encountered, it runs only in the sandboxed browser instance, which is then destroyed in the cloud.

Cloudflare One provides visibility into network activity with its Intrusion Detection System (IDS). The IDS product is a natural extension of the visibility enabled by Cloudflare One. Once an enterprise has connected their employees, devices and data centers to Cloudflare’s network, Cloudflare can actively inspect that traffic for threats. This takes the form of traffic shaping and traffic inspection. Shaping observes normal, expected behaviors and flags anything unusual, like a particular user accessing many resources in rapid sequence. Traffic inspection involves examining each user request for something malicious, revealing a targeted attack. For both types of detection, IDS can alert security personnel or take proactive action, like blocking a user’s source IP address.
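The behavioral side of that detection, flagging a user who touches many distinct resources in rapid sequence, is easy to show over access logs. The following is an added example, not Cloudflare’s IDS code; the log layout, users, IPs and resource paths are constructed, and the 60-second window and five-resource threshold are arbitrary tuning values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access log in a simple "<time> <user> <src_ip> <method> <resource>"
# layout (not Cloudflare's log format). alice browses normally; mallory sweeps
# through seven applications in ten seconds.
SAMPLE_LOG = """\
2022-06-21T09:00:01Z alice   10.1.1.5 GET /app/payroll
2022-06-21T09:00:09Z alice   10.1.1.5 GET /app/payroll/report
2022-06-21T09:04:30Z alice   10.1.1.5 GET /app/hr
2022-06-21T09:10:00Z mallory 10.1.1.9 GET /app/payroll
2022-06-21T09:10:02Z mallory 10.1.1.9 GET /app/hr
2022-06-21T09:10:03Z mallory 10.1.1.9 GET /app/crm
2022-06-21T09:10:05Z mallory 10.1.1.9 GET /app/git
2022-06-21T09:10:06Z mallory 10.1.1.9 GET /app/wiki
2022-06-21T09:10:08Z mallory 10.1.1.9 GET /app/finance
2022-06-21T09:10:09Z mallory 10.1.1.9 GET /app/admin
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, user, src_ip, method, resource)."""
    ts, user, ip, method, resource = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, method, resource


def detect_rapid_access(log_text, window=timedelta(seconds=60), threshold=5):
    """Alert the first time a user touches >= threshold distinct resources inside
    a sliding window; later events for that user are counted but not re-alerted."""
    recent = defaultdict(deque)  # user -> deque of (timestamp, resource), oldest first
    alerts, alerted = [], set()
    for line in log_text.splitlines():
        ts, user, ip, _method, resource = parse_line(line)
        q = recent[user]
        q.append((ts, resource))
        while ts - q[0][0] > window:  # expire events that fell out of the window
            q.popleft()
        distinct = {r for _, r in q}
        if len(distinct) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append({"user": user, "src_ip": ip, "at": ts.isoformat(),
                           "distinct_resources": sorted(distinct)})
    return alerts


if __name__ == "__main__":
    for alert in detect_rapid_access(SAMPLE_LOG):
        print(alert)
```

In a real deployment the alert would feed the response step the post mentions (notify security staff or block the source IP); here it is simply returned.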

Finally, to formally bring secure access to the network edge (SASE), Cloudflare launched their Magic WAN with Magic Firewall integrated into it. Magic WAN provides secure, performant connectivity and routing for all components of a typical corporate network, including data centers, offices, user devices, etc. This can be managed as a single SaaS-based solution. Magic Firewall integrates with Magic WAN, enabling administrators to enforce network firewall policies at the edge, across traffic from any entity within the network.

Typical Corporate MPLS Network, Cloudflare Blog

Beyond the improvement in security and simplicity, customers who connect their network to Cloudflare through Magic WAN can realize significant cost savings by ditching their MPLS connections. Typically, an enterprise would connect offices to regional data centers using MPLS over leased lines. Each data center would have leased line connectivity to at least one other data center. These data centers would host corporate applications and a stack of hardware boxes to keep them secure. Enterprises that migrate some of their corporate applications to the cloud would also typically establish connections from their data centers to the cloud providers directly to boost security and performance.

Corporate Network with Magic WAN

Magic WAN allows all of this overhead to be replaced by Cloudflare’s single global anycast network. This provides significant benefits to the enterprise. Geographic growth (acquisitions, international expansion) isn’t constrained by long lead times for leased MPLS connections. Employees no longer experience latency accessing applications, as traffic can be routed directly rather than being backhauled to a central location for inspection. These capabilities brought Cloudflare into closer alignment with Zscaler’s SASE platform and product offerings (ZIA, ZPA).

Cloudflare’s Zero Trust Positioning

As part of their Investor Day in May, Cloudflare leadership reported that 10% of their 154k customers (over 15k) have been paying for Zero Trust services. Cloudflare’s opportunity is to expand this penetration and bring it closer to the 75% who pay for application services.

Cloudflare Investor Day Presentation, May 12, 2022

As part of the press release kicking off Cloudflare One Week on June 20th, leadership revealed that the number of Cloudflare One customers has increased 100% over the past year. Further, daily average traffic has increased by 6x during the same period. Given that total customers increased by 29% year/year in Q1, we can assume that Zero Trust uptake is growing faster than overall customer growth.

The Cloudflare One Week press release also cited a number of customer examples, including:

  • Financial services company BlockFi
  • Financial application provider Curve
  • Online business catering platform ezCater
  • International airline Japan Airlines
  • Digital wealth manager Moneybox
  • Transportation and logistics leader Werner Enterprises
  • Digital agency Panagora

Cloudflare has called out other customer wins for Zero Trust products during the prepared remarks on past earnings calls. Here are some examples from the last two quarters:

  • A Midwestern U.S. state bought 75,000 seats in a three-year $5.1M deal.
  • A large Indian media platform chose Cloudflare and signed a $150K deal for 5,000 seats.
  • A European Fortune 500 automotive company adopted Cloudflare’s Zero Trust approach to help manage their global fleet of more than 10M vehicles. They signed a contract worth $320K per year.
  • A global Fortune 500 telecommunications company signed a $1M annual contract for over 100,000 Zero Trust seats.
  • A Fortune 500 media company signed a $250K annual contract for more than 10,000 Zero Trust seats.

Based on this, we know that Cloudflare is gaining a foothold in the Zero Trust / SASE market. However, this progress pales in comparison to Zero Trust leader Zscaler. On their Q3 earnings call in May, the Zscaler team reported adding new Global 2000 customers at a record pace. In the prior two quarters, Zscaler brought on close to 80 G2K customers. At this point, they claim that about 40% of the Fortune 500 and 30% of Global 2000 companies use Zscaler services. Approximately half of their Global 2000 customers have purchased ZIA and ZPA, and just the ZPA product has surpassed $200M in annualized revenue. This drove significant growth in new $1M-plus ACV deals across major geographies and customer verticals.

We don’t have comparable metrics on Zero Trust customer penetration within the Global 2000 for Cloudflare. Based on customer highlights in the last two quarterly reports, it appears they have picked up a handful of customers of this size. In a recent interview with a Forrester security analyst, Cloudflare’s CEO acknowledged that their most significant traction for Zero Trust customer penetration has been with the digital natives. These companies are generally already using Cloudflare for application services or the developer platform, and then layer on Zero Trust. Many of the examples included in the Cloudflare One Week press release (BlockFi, Curve, ezCater, etc.) fall into this category.

As part of their Investor Day session, Cloudflare shared that 26% of the Fortune 1,000 are paying customers, including 13 of the top 20 (as of December 2021). They didn’t break that out by product category, but we know that 10% of all customers use Zero Trust products and the majority subscribe to application services (DDOS, CDN, bot mitigation).

The opportunity for Cloudflare is to leverage their existing relationship with large customers to cross-sell Zero Trust services. They can emphasize the advantages of their architecture, extensibility, network performance and ease of onboarding. In their Zero Trust Roadmap, Cloudflare lays out the migration to Zero Trust SASE for an enterprise as a series of steps, implying that new customers can start improving their security posture incrementally.

One other consideration is the opportunity for bundling of Cloudflare products across multiple categories. Assuming Cloudflare can continue to improve their Zero Trust SASE offerings and bring them to parity with leaders in the space, they can offer customers the opportunity to generate efficiencies and cost savings by consuming other Cloudflare products (application services, network services, developer platform) in one budget allocation. The CEO spoke to this opportunity on the Q1 earnings call.

I think going forward, as we’ve talked about in previous earnings calls, what you’ll see us do more and more is bundle together our services into much broader licenses. And so you can see that with even some of the examples that I brought up on the prepared remarks earlier, where companies that buy into our total infrastructure commit to a certain spend with us, and then they are able to just continuously add additional products, and we true that up on an annual basis. I think we are really unique in that we have that broad set of different products, where once you’re using our service, we can start making intelligent recommendations, and we can solve so many problems for customers that those sort of sitewide licenses make sense. And I think that that will continue to be a big piece of our growth going forward.

Cloudflare Q1 2022 Earnings Call, May 2022

This bundling of spend with larger customers was highlighted as the source of Cloudflare’s growing Dollar-based net retention (DBNR). In Q1, that increased to 127%, up from 125% last quarter and 123% a year ago. It underscores Cloudflare’s effort to expand sales with large customers, which now contribute 58% of revenue. In the Q1 earnings call, leadership provided several customer examples where Cloudflare is capturing incremental spend, after the initial customer use case within one department or one product line.

Cloudflare DBNR, Q1 2022 Investor Presentation, Author’s Annotations

This cross-selling of offerings across application services, network services, the developer platform and new Zero Trust SASE represents an opportunity for Cloudflare to win more budget spend from their 154k paying customers. This will keep driving up DBNR and support high revenue growth as Cloudflare scales.

Industry Analyst Feedback – Gartner Magic Quadrant

Industry analyst Gartner published a Magic Quadrant for SSE (Security Service Edge) in February 2022. Using SSE as the relevant category for Zero Trust is new for Gartner. They define SSE as securing access to the web, cloud services and private applications. Capabilities include access control, threat protection, data security, security monitoring and acceptable-use control enforced by network-based and API-based integration. Gartner has created the SSE category to more accurately reflect the latest expectations for a network-based Zero Trust solution that includes secure web gateway (SWG), cloud access security broker (CASB) and Zero Trust network access (ZTNA).

Gartner MQ for SSE, February 2022

With the new consolidation of categories, Zscaler shares the Leaders quadrant with Netskope and McAfee (now branded as Skyhigh Security). Palo Alto Networks also ranks high on the Ability to Execute axis. This represents a pretty large shift in the competitive landscape. In the Magic Quadrant report for SWG in 2020, Zscaler was the only provider in the Leaders quadrant. Netskope and McAfee were named leaders in CASB for the same year. Gartner’s combining of categories highlights the competitive dynamic in the new Security Service Edge category. Enterprise customers have more options to consider.

Cloudflare: This vendor provides proxy-based SWG solutions, including RBI and CASB in-line DLP and application control, as well as ZTNA. We excluded Cloudflare from this Magic Quadrant because it did not offer API integrations as part of its CASB as of 30 August 2021.

Gartner Magic Quadrant for SSE, February 2022

In the 2022 SSE Magic Quadrant, Cloudflare was not included in the matrix, but was listed in the Honorable Mention section of the report. This was due to one component missing as of August 2021 for a full-featured SSE solution: an API-driven CASB, which Cloudflare now supports. Assuming Gartner doesn’t change up the categories again in 2023, it is likely Cloudflare will be included in next year’s Magic Quadrant.

Strategy Summary

I present this background, so that investors have the full context around Cloudflare’s architecture, suite of services and product strategy. I think it helps appreciate why Cloudflare isn’t a CDN company that happened to wander into SASE. I think their foundation of a globally distributed network of data centers where all services run everywhere provides them with a strong onramp into Zero Trust SASE. Plus, the fact that every data center includes an application runtime, a robust development framework and multiple data storage primitives makes the whole network infrastructure programmable.

With that set-up, let’s review what Cloudflare announced during Cloudflare One Week, which delivered a new set of capabilities for Zero Trust and solidified their market position relative to other vendor offerings.


Sponsored by Cestrian Capital Research

Cestrian Capital Research provides extensive investor education content, including a free stocks board focused on helping people become better investors, webinars covering market direction and deep dives on individual stocks in order to teach financial and technical analysis.

The Cestrian Tech Select newsletter delivers professional investment research on the technology sector, presented in an easy-to-use, down-to-earth style. Sign-up for the basic newsletter is free, with an option to subscribe for deeper coverage. Software Stack Investing members can subscribe for the premium version of the newsletter with a 33% discount.

Cestrian Capital Research’s services are a great complement to Software Stack Investing, as they offer investor education and financial analysis that go beyond the scope of this blog. The Tech Select newsletter covers a broad range of technology companies with a deep focus on financial and chart analysis.


Cloudflare One Week

Per their normal practice, Cloudflare kicked off the week with a couple of blog posts on a Sunday (June 19th). The first post set the stage by making the case for a Zero Trust architecture. The Cloudflare team reviewed the concepts and argued why the Cloudflare One platform is best positioned to address the Zero Trust SASE space. One of the goals of Cloudflare One Week was to educate. Based on their discussions with customers, the Cloudflare team found that many security leaders understand that they need to transition to Zero Trust, but aren’t sure how.

To help guide those decisions, the Cloudflare team published a stand-alone site called the Zero Trust Roadmap. This outlines the components of a Zero Trust architecture, suggested solutions for each and even a list of providers by category. It is designed to be vendor-agnostic, listing competitor offerings like Zscaler and Netskope side-by-side with Cloudflare’s product. The vendor listings are even in alphabetical order to be fair (acknowledging that “C” comes before “Z”).

To complement this roadmap, they published a second blog post on Sunday that maps all of the components of a SASE architecture and speaks to how Cloudflare’s platform aligns with these. The goal of course is to demonstrate that Cloudflare has a feature-complete Zero Trust SASE offering at this point.

Cloudflare SASE Product Stack, Blog Post, June 2022

Based on this mapping of Cloudflare products to the core components of a full-featured SASE offering, Cloudflare One Week delivered a number of announcements. These included new product releases to round out Cloudflare’s SASE offering and capabilities that further improve a typical customer’s security posture. As the week wrapped up, the Cloudflare team also published an analysis of how their Zero Trust platform lines up with those of competitors. Following up on comments from the Q1 earnings report, they took aim at Zscaler again.

Cloudflare CEO on Twitter, June 2022

This kind of bravado could be interpreted in many ways and isn’t unique. We have witnessed other instances of this kind of product performance badgering recently. Databricks frequently takes shots at Snowflake (including this week’s opening keynote at Data+AI), MongoDB towards AWS DynamoDB and even SQL in general, SentinelOne and Crowdstrike, Tesla to any other EV manufacturer, etc. Personally, I don’t mind that any of these companies ramp up the competitive chatter, as long as they deliver. If anything, I have to applaud the Cloudflare team for having confidence in their product. Notable for investors is that we are seeing this exuberance as Q2 is wrapping up. I suppose that could either reflect desperation or positive momentum.

In the meantime, let’s take a look at some of the more notable announcements and learnings from Cloudflare One Week. Overall, it delivered several new capabilities to round out Cloudflare’s Zero Trust SASE product suite. With these releases, Cloudflare now checks all the boxes for a full-featured SASE solution. Some of these capabilities were new additions, like data loss prevention, email security, CASB and private network discovery. Others were extensions of existing products. Finally, the team made a few announcements around industry awards and partnerships.

Data Loss Prevention (DLP)

In Cloudflare’s reference service listing for a full-featured Zero Trust SASE solution, DLP is marked as required and “coming soon” for Cloudflare customers. With Cloudflare One Week, the team announced that Data Loss Prevention is being delivered as a native part of the Cloudflare One platform. It is being tested now as a closed beta for a subset of customers.

Data Loss Prevention is a strategy for detecting and preventing data exfiltration or data destruction. Many DLP solutions analyze network traffic and internal endpoint devices to locate leakage or loss of confidential information. Organizations use DLP to protect their sensitive business data and personally identifiable information (PII), which helps them stay compliant with industry and data privacy regulations.

To prevent data exfiltration, DLP tracks data moving within the network, on employee devices and when stored on corporate infrastructure. When data is in danger of leaving the corporate network, DLP can send an alert, change permissions for the data or in some cases block its flow.

Sensitive or confidential data is usually tracked through identification methods like keywords, pattern matching, explicit fingerprinting and file identification. These indicators help characterize the information being transmitted across or out of the network. Role-based access control (RBAC) also helps identify users who are trying to access data that isn’t aligned with their job function (e.g., engineers retrieving financial data).

Cloudflare currently provides several measures for preventing data loss. The platform logs DNS and HTTP requests, and controls user permissions across all applications via RBAC. With this announcement, customers will be able to use Cloudflare’s network to scan all traffic leaving devices and locations for data loss, without compromising performance. Some of the capabilities included in Cloudflare’s DLP solution are:

  • Customers can build rules to check data against common patterns like PII.
  • Add keywords and craft regexes to identify the presence of sensitive data. Profiles for common checks, like credit card numbers, will be provided by Cloudflare.
  • Label and index specific data to be protected.
  • Combine DLP rules with other Zero Trust rules. As an example, customers could create a policy that prevents users outside of a specific group from uploading a file that contains certain key phrases to any location other than the corporate cloud storage provider.

After configuring a DLP profile, customers can then create a Cloudflare Gateway HTTP policy to allow or block the sensitive data from leaving the organization. Gateway will parse and scan HTTP traffic for strings matching the keywords or regexes specified in the DLP profile.
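To make the profile-plus-policy model concrete, here is an added example that is not Cloudflare’s code (its real DLP engine and Gateway rule syntax differ). It implements the policy described in the list above: a profile of regex and keyword detectors, with a Luhn checksum to discard 16-digit strings that only look like card numbers, and an HTTP upload rule that blocks matching data unless the user belongs to an exempt group or the destination is the corporate storage host. The users, groups, hosts and the “Project Aurora” keyword are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


def luhn_valid(number: str) -> bool:
    """Luhn checksum; rejects random 16-digit strings that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2:  # every second digit from the right is doubled
            d = d * 2 - (9 if d > 4 else 0)
        total += d
    return total % 10 == 0


@dataclass
class Detector:
    label: str
    regex: re.Pattern
    validate: Optional[Callable[[str], bool]] = None  # extra check on each regex hit


@dataclass
class DlpProfile:
    detectors: List[Detector]
    keywords: List[str] = field(default_factory=list)

    def scan(self, text: str) -> List[Tuple[str, str]]:
        """Return (label, redacted evidence) for every sensitive item found in text."""
        findings = []
        for det in self.detectors:
            for m in det.regex.finditer(text):
                raw = re.sub(r"[ -]", "", m.group(0))
                if det.validate and not det.validate(raw):
                    continue  # regex hit but checksum failed: treat as a false positive
                # Keep only the last four characters so the finding itself is not a leak.
                findings.append((det.label, "*" * (len(raw) - 4) + raw[-4:]))
        lowered = text.lower()
        for kw in self.keywords:
            if kw.lower() in lowered:
                findings.append(("keyword", kw))
        return findings


# Constructed profile in the spirit of the "credit card numbers" profile the post
# says Cloudflare will ship; the regex and keyword here are this example's own.
FINANCIAL_PROFILE = DlpProfile(
    detectors=[Detector("credit_card", re.compile(r"\b(?:\d[ -]?){15}\d\b"), luhn_valid)],
    keywords=["Project Aurora"],  # hypothetical internal codename
)


@dataclass
class HttpRequest:
    user: str
    groups: frozenset
    method: str
    host: str
    body: str


@dataclass
class DlpPolicy:
    """Gateway-style HTTP rule: who may send matching data, and to where."""
    profile: DlpProfile
    exempt_groups: frozenset            # members may upload matching data anywhere
    corporate_storage_hosts: frozenset  # sanctioned destinations for matching data

    def evaluate(self, req: HttpRequest) -> Tuple[str, List[Tuple[str, str]]]:
        """Return ('allow' | 'block', findings). Only upload bodies are scanned."""
        if req.method not in ("POST", "PUT", "PATCH"):
            return "allow", []
        findings = self.profile.scan(req.body)
        if not findings:
            return "allow", []
        if req.groups & self.exempt_groups:
            return "allow", findings  # permitted group: record the match, let it pass
        if req.host in self.corporate_storage_hosts:
            return "allow", findings  # sanctioned destination
        return "block", findings


POLICY = DlpPolicy(
    profile=FINANCIAL_PROFILE,
    exempt_groups=frozenset({"finance"}),
    corporate_storage_hosts=frozenset({"storage.corp.example.com"}),
)

# Constructed sample traffic; users and hosts are hypothetical.
SAMPLE_REQUESTS = [
    HttpRequest("bob", frozenset({"engineering"}), "POST", "paste.example.net",
                "card on file: 4111 1111 1111 1111"),    # Luhn-valid card -> block
    HttpRequest("alice", frozenset({"finance"}), "POST", "paste.example.net",
                "card on file: 4111 1111 1111 1111"),    # exempt group -> allow
    HttpRequest("bob", frozenset({"engineering"}), "PUT", "storage.corp.example.com",
                "Project Aurora budget, FY22"),          # corporate storage -> allow
    HttpRequest("bob", frozenset({"engineering"}), "POST", "paste.example.net",
                "ticket id 1234 5678 9012 3456"),        # fails Luhn -> allow
    HttpRequest("bob", frozenset({"engineering"}), "GET", "paste.example.net", ""),
]


def run(policy: DlpPolicy = POLICY, requests=SAMPLE_REQUESTS) -> List[str]:
    """Decision for each sample request, in order."""
    return [policy.evaluate(r)[0] for r in requests]
```

Running `run()` on the sample traffic yields one block (bob pasting a valid card number to an external host) and four allows, including the Luhn-invalid number that a bare regex would have flagged.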

DLP runs inline on the same hardware that accelerates traffic to the rest of the Internet, so Cloudflare doesn’t need to route corporate traffic to another location or central hub for inspection; scanning happens on the same servers that deliver all of Cloudflare’s other services. This could have additional benefits, since the same platform is used for other functions, like application development.

Email Security

Security breaches initiated through email phishing attacks are becoming one of the most common threats to enterprises today. Deloitte research has found that 91% of all cyber attacks begin with a phishing email. The FBI received 19,954 Business Email Compromise (BEC) and email account takeover complaints in 2021 with adjusted losses of $2.4 billion. Email security needs to be part of any enterprise’s Zero Trust strategy.

In order to address that gap in its Zero Trust SASE security offering, Cloudflare acquired Area 1 Security in April 2022. With the acquisition, Cloudflare provides organizations with a tool to block phishing, malware, business email compromise and other advanced threats. Area 1 Security’s capabilities are being integrated into Cloudflare’s Zero Trust strategy.

The first step was to rebrand the product as Cloudflare Area 1 and make email security capabilities available for purchase to all Cloudflare enterprise plan customers. This gives Cloudflare customers a cloud-native email security platform that proactively hunts for attacker infrastructure and email campaigns.

The Cloudflare Area 1 team operates a suite of web crawling tools designed to identify phishing pages, capture phishing kits and locate attacker infrastructure. In addition, Area 1’s threat models score campaigns based on signals gathered from earlier threat actor activity. The IOCs (indicators of compromise) associated with these campaign messages are then used to enrich Area 1 threat data for future campaign discovery. Together, these techniques give Cloudflare Area 1 a way to identify an attacker’s indicators before the attack reaches a customer.

As part of this proactive approach, Cloudflare Area 1 also houses a team of threat researchers that track state-sponsored and financially motivated threat actors, newly disclosed CVEs and current phishing trends. Through this research, analysts regularly insert phishing indicators into an extensive indicator management system that may be used for the email product or any other security product that may query it.

Cloudflare Area 1 also collects information about phishing threats during the normal operation of Cloudflare’s mail exchange server for hundreds of organizations across the world. As part of that role, the mail engine performs domain lookups, scores potential phishing indicators via machine learning and fetches URLs. For those emails found to be malicious, the indicators associated with the email are inserted into a tracking system as part of a feedback loop for subsequent message evaluation. Area 1 also enhances built-in security from cloud email providers by providing deep integrations into Microsoft and Google environments and workflows.

As part of Cloudflare One Week, the team announced two new capabilities to enhance email security with Cloudflare Area 1:

  • Area 1 threat indicators are now available broadly across Cloudflare’s Zero Trust platform. In the simplest terms, both Area 1 and Cloudflare products actively identify threats from DNS, web traffic, email and other sources. This threat data from Area 1 is being incorporated going forward into Cloudflare Gateway and its 1.1.1.1 product for free users. Soon, they will flow threat data the other way, from Cloudflare’s Zero Trust threat data pipeline back into Area 1’s email phishing detection algorithms.
Cloudflare Blog Post, June 2022
  • Browser isolation is being applied to email links for Cloudflare Gateway customers. Area 1 constantly scans an organization’s incoming email. If it considers a link to an outside site suspicious, the user is sent to the destination through Cloudflare’s Browser Isolation service, where the page is rendered in a remote browser and nothing from the site executes on the user’s device. Any malicious activity on the destination is contained, while the user can still view the content in the event that it is legitimate. This balances risk mitigation with user productivity, since blocking every outbound link in an email is not practical.

Private Network Discovery Tool

A common challenge for security teams is to track all the resources accessed by enterprise employees as they conduct their daily operations. Networks are constantly evolving with new resources being spun up. When security teams are not told about these resources, they may not even be aware of them. That makes it difficult for them to perform their job to protect these resources and employees on the private network.

To address this challenge, Cloudflare introduced a new tool for Zero Trust customers called Private Network Discovery. The Zero Trust platform passively catalogs the resources being accessed on a private network and the users accessing them, based on traffic already traversing Cloudflare, so customers don’t need to make any configuration changes.

Cloudflare Private Network Discovery Tool, Blog Post, June 2022

Customers can view the applications being accessed, the users accessing them and the number of requests in the Private Network Discovery report, then review each application’s usage. If it is approved for employee use, the security team adds it to Cloudflare Access and creates a Zero Trust security policy for it. The feature is launching as a closed beta for existing customers.
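The report described above is an aggregation problem, so here is an added example (my own code, not the Cloudflare feature) of what passive discovery produces from flow records: it groups flows by destination, port and protocol, collects the users and request counts per resource, and sorts resources that are not yet covered by an Access policy to the top of the list so review starts with the gaps. The log format, the internal addresses, the user names and the set of already-managed applications are all constructed for the example.

```python
import re
from typing import Optional

# Constructed flow records in a hypothetical line format, including one
# malformed line to show that the catalog skips what it cannot parse.
FLOW_LOG = """\
2022-06-22T09:00:11Z user=alice@corp.example dst=10.0.4.12:5432 proto=tcp
2022-06-22T09:02:40Z user=alice@corp.example dst=10.0.7.3:22 proto=tcp
2022-06-22T09:05:03Z user=bob@corp.example dst=10.0.4.12:5432 proto=tcp
2022-06-22T09:07:19Z user=carol@corp.example dst=10.0.9.40:3389 proto=tcp
garbage line that should be skipped
2022-06-22T09:30:55Z user=alice@corp.example dst=10.0.4.12:5432 proto=tcp
2022-06-22T10:12:08Z user=carol@corp.example dst=10.0.9.40:3389 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) dst=(?P<ip>[\d.]+):(?P<port>\d+) proto=(?P<proto>tcp|udp)$"
)

# Resources the security team has already put behind an Access policy
# (hypothetical; in practice this would come from the Access configuration).
MANAGED_IN_ACCESS = {("10.0.4.12", 5432, "tcp")}


def parse_flow(line: str) -> Optional[dict]:
    """One flow record, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def catalog(log_text: str) -> dict:
    """Group flows by (ip, port, proto); track users, counts and time window.
    ISO-8601 timestamps in UTC compare correctly as strings."""
    apps = {}
    for line in log_text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue
        key = (rec["ip"], rec["port"], rec["proto"])
        entry = apps.setdefault(
            key, {"users": set(), "requests": 0, "first_seen": rec["ts"], "last_seen": rec["ts"]}
        )
        entry["users"].add(rec["user"])
        entry["requests"] += 1
        entry["first_seen"] = min(entry["first_seen"], rec["ts"])
        entry["last_seen"] = max(entry["last_seen"], rec["ts"])
    return apps


def discovery_report(apps: dict, managed: set) -> list[dict]:
    """Rows for review: unmanaged resources first, busiest first."""
    rows = []
    for (ip, port, proto), e in apps.items():
        rows.append({
            "destination": f"{ip}:{port}/{proto}",
            "users": sorted(e["users"]),
            "requests": e["requests"],
            "first_seen": e["first_seen"],
            "last_seen": e["last_seen"],
            "managed": (ip, port, proto) in managed,
        })
    rows.sort(key=lambda r: (r["managed"], -r["requests"], r["destination"]))
    return rows


if __name__ == "__main__":
    for row in discovery_report(catalog(FLOW_LOG), MANAGED_IN_ACCESS):
        flag = "managed " if row["managed"] else "UNMANAGED"
        print(flag, row["destination"], row["requests"], ",".join(row["users"]))
```

With the constructed log, the RDP server at 10.0.9.40 and the SSH host at 10.0.7.3 surface as unmanaged resources ahead of the Postgres instance that already has a policy, which is the order a security team would want to triage them in.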

Gateway and CASB Integration

In February, Cloudflare announced the introduction of a new API-driven Cloud Access Security Broker (CASB) via the acquisition of Vectrix. Cloudflare’s CASB service helps IT and security teams detect security issues in and across their SaaS applications. The service examines both data and users in popular SaaS applications to alert teams to issues including unauthorized user access, file exposure, software misconfigurations and shadow IT. An API-driven CASB was also a feature Cloudflare had been missing for inclusion in Gartner’s SSE Magic Quadrant.

Cloudflare Gateway is one of Cloudflare’s other Zero Trust products that protects users as they connect out to the Internet. Instead of backhauling traffic to a centralized location, users are connected to the closest Cloudflare data center. At that point, Gateway applies one or more layers of security filtering and logging before accelerating the user’s traffic to its final destination.

A remaining problem to address involved the interaction between the two systems. Customers needed a way to move beyond a CASB report of issues to investigate, and actually take action to limit user access to these applications. This would transition the security team from awareness to remediation regarding an application, whether to limit functionality available or block access altogether.

To solve this problem, Cloudflare is adding the ability to create Gateway policies from CASB security findings. Using the security findings from CASB allows for fine-grained Gateway policies which prevent future unwanted behavior, while still allowing usage that aligns to company security policy. This means going from viewing a CASB security issue, like the use of an unapproved SaaS application, to preventing or controlling access. This provides a cross-product experience from a single, unified platform.

Cloudflare’s API-driven CASB is in closed beta with new customers being onboarded each week. This new integration with Gateway is available now to beta customers. Cloudflare plans to open up access to CASB later this year.

Other Enhancements

In addition to the new features announced during Cloudflare One Week, the team introduced a number of product enhancements. I will detail these briefly below.

  • Bring your own threat feeds. Cloudflare created new integrations with popular third-party threat intelligence data providers. These allow customers to incorporate this threat data into their Cloudflare One products by uploading their API keys to the Cloudflare Security Center. They can then use the additional threat data to create rules within Cloudflare One products like Gateway and Magic Firewall, as well as infrastructure security products including the Web Application Firewall and API Gateway. Search results from Security Center’s threat investigations portal will also be automatically enriched with licensed data. Initial threat data partners are Mandiant, Recorded Future, and VirusTotal with more planned in the coming months.
  • Extensible access policies. Cloudflare added significantly more control and customization in defining Zero Trust policies through a new External Evaluation rule option, which calls an API during the evaluation of an Access policy. Customers can stand up their own API endpoints to apply custom verification logic. Access authenticates the user first and then calls the endpoint, which returns a pass or fail response that Access uses to allow or deny the request. Because such an endpoint now sits inside the access decision, it needs to verify that calls really come from Access and to fail closed on any error.
  • Introducing Cloudforce One. Cloudflare announced a new threat operations and research team. The primary objective is to track threat actors and disrupt them by publishing tactics, techniques and procedures (TTPs) for Cloudflare One products to harness. Customers will get better protection without having to take any action and can read a subset of research published within the Cloudflare Security Center. The team is being led by Area 1 Security’s co-founder and head of their threat intelligence function. He was a founding member of CrowdStrike’s services organization, and before that a Computer Network Exploitation Analyst at the National Security Agency (NSA). Other team members possess similar expertise in security analysis and operations.
  • Improved intrusion detection. Cloudflare already provides intrusion detection through its Network Services product suite. It is introducing a new stand-alone service that actively monitors a customer’s live traffic for a wide range of known threat signatures. The IDS operates across all of a customer’s network traffic, spanning any IP, port or protocol. It is a software layer that continuously draws threat intelligence from the roughly 20M Internet properties on Cloudflare and from activity observed on Cloudflare’s free network access tools. Magic Firewall customers can get access to these capabilities as a private beta.
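To show what the External Evaluation rule asks a customer to build, here is an added example of a small external evaluation endpoint (my own code, not Cloudflare’s integration or its request format). It takes an identity payload, applies three checks that Access cannot do on its own from the page’s description (an active HR record, a device present in an inventory, and the region’s business hours), and answers pass or fail. Two assumptions are labelled in the code: the HR records, device inventory and hours are constructed stand-ins, and the call is authenticated with an HMAC over the body under a shared secret, which is a deliberate simplification standing in for the signed-token exchange a production integration would use. The point it makes beyond the text is that every error path, including an unverifiable caller, must produce a deny.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional

# Assumption: a secret shared out of band with the caller. An HMAC over the
# body stands in for a signed-token exchange so the endpoint still refuses
# requests it cannot attribute to the policy engine.
SHARED_SECRET = b"replace-with-a-random-32-byte-secret"

# Constructed stand-ins for an HR system and a device inventory.
HR_RECORDS = {
    "alice@corp.example": {"status": "active", "region": "EU"},
    "mallory@corp.example": {"status": "terminated", "region": "US"},
}
MANAGED_DEVICES = {"dev-1a2b"}
BUSINESS_HOURS_UTC = {"EU": (6, 18), "US": (12, 24)}


def sign(body: bytes) -> str:
    return hmac.new(SHARED_SECRET, body, hashlib.sha256).hexdigest()


def signature_ok(body: bytes, signature: str) -> bool:
    return hmac.compare_digest(sign(body), signature)


def evaluate(identity: dict, hour_utc: int) -> dict:
    """Custom verification logic. The user is already authenticated upstream;
    this only decides whether they should pass this rule right now."""
    record = HR_RECORDS.get(identity.get("email", ""))
    if record is None or record["status"] != "active":
        return {"success": False, "reason": "no active HR record"}
    if identity.get("device_id") not in MANAGED_DEVICES:
        return {"success": False, "reason": "device not in inventory"}
    start, end = BUSINESS_HOURS_UTC[record["region"]]
    if not start <= hour_utc < end:
        return {"success": False, "reason": "outside business hours"}
    return {"success": True, "reason": "ok"}


def handle(body: bytes, signature: str, hour_utc: Optional[int] = None) -> tuple:
    """Returns (http status, verdict). Every error path is a deny."""
    if not signature_ok(body, signature):
        return 401, {"success": False, "reason": "bad signature"}
    try:
        identity = json.loads(body)
        if hour_utc is None:
            hour_utc = datetime.now(timezone.utc).hour
        return 200, evaluate(identity, hour_utc)
    except Exception as exc:  # malformed JSON, wrong types: fail closed
        return 400, {"success": False, "reason": "rejected: " + type(exc).__name__}


class Handler(BaseHTTPRequestHandler):
    """Minimal HTTP front for handle(); signature arrives in a header."""

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", "0")))
        status, verdict = handle(body, self.headers.get("X-Signature", ""))
        payload = json.dumps(verdict).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

The endpoint keeps the decision logic in `evaluate()` and the transport in `handle()` so the policy can be unit-tested without a server, and it never returns success for a request it could not parse or attribute.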

Awards and Partner Programs

During Cloudflare One Week, the company was recognized with an industry award and introduced a couple of new partner integrations.

  • Microsoft Award for Security Software Innovation. In early June, Microsoft announced the winners for the 2022 Microsoft Security Excellence Awards, a prestigious classification in the Microsoft partner community. Cloudflare has won the Security Software Innovator award. This award recognizes Cloudflare’s innovative approach to Zero Trust and Security solutions. This award highlights Cloudflare’s close collaboration with Microsoft to develop world-class solutions for their mutual customers.
  • Microsoft Intune Integration. Cloudflare announced a new integration with Microsoft’s Endpoint Manager (Intune). This integration combines Cloudflare’s Zero Trust suite with Intune for Windows, macOS and mobile devices. Joint customers will be able to check if a device management profile with Intune is running on a user’s device and grant access accordingly.
  • Cloudflare One Partner Program. The company launched the Cloudflare One Partner Program, built around Zero Trust, Network-as-a-Service and Cloud Email Security offerings. It helps channel partners deliver on Zero Trust while monetizing in tangible ways – with a comprehensive set of solutions, enablement and incentives. The program is being introduced through a stable of IT service providers, distributors, Value Added Resellers and Managed Service Providers. Customers can find a partner via the Partner Program page. Launch partners include TD Synnex, AVANT, Wipro, RKON, IBM Security and Rackspace.

Investor Take-Aways

Cloudflare One Week packed in a lot of announcements. There were almost 30 individual blog posts detailing new products, enhancements, programs and security updates. Collectively, these bring the Cloudflare One platform to feature list parity with other SASE providers. There is still much progress to be made, as several of the product introductions are in beta mode currently. I expect these to progress through the availability stages quickly and Cloudflare to continue fleshing out their Zero Trust SASE platform offerings.

While Cloudflare is not a leader in Zero Trust solutions currently, that is their intent. During an interview with a Forrester analyst, the CEO was asked how Cloudflare plans to overcome enterprise customers preferences to work with the best-of-breed solution provider in Zero Trust. His response was simply for Cloudflare to become best-of-breed. He referenced past examples in categories like DDOS and WAF, where Cloudflare was not the leader when they entered the market. But, he claims they are the best provider now. The CEO expects the same for SASE.

Given Cloudflare’s rapid innovation cycle, I think this is a reasonable expectation. While on the surface Cloudflare appears to issue a lot of press releases and blog announcements, there is substance underneath. Products released in the last two years have gained the trust of some of the most demanding Internet users. As examples, Shopify is leveraging Workers for Platforms to allow merchants to build custom logic into their stores. Atlassian is using Durable Objects to power a real-time collaboration feature for users.

Additionally, as we consider the full scope of SASE, Cloudflare already excels in the “Service Edge”. This half of SASE requires the provider to bring their network to all the enterprises’ edges (offices, devices, data centers, applications) and efficiently route user traffic between them (not just at the switchboard). This function has been at the core of Cloudflare’s offering since inception. The “Secure Access” portion is where Cloudflare is still progressing, particularly as they navigate the web of enterprise applications. But they will figure it out. From a technology point of view, I think Service Edge is harder to perform well at scale.

I also think an iterative product development cycle can make competitive positioning very dynamic. Most analysts would acknowledge Datadog’s leadership across observability at this point. Yet, two years ago, they were far behind Dynatrace in APM. In the latest Gartner Magic Quadrant from June, Datadog occupies roughly the same position as Dynatrace in the leaders quadrant. A product-oriented culture, strong software development mindset, broad vision and rapid release cadence contributed to the momentum that is carrying Datadog forward to a point where other providers are challenged to keep up.

I think a similar opportunity exists for Cloudflare. They share many of Datadog’s traits in product development centric culture, widening platform of services and blistering release schedule. Cloudflare hasn’t achieved the same financial operating leverage as Datadog, mostly as a consequence of their owned and operated data center architecture and delivery model. I think Cloudflare will find this leverage, particularly as new monetized products utilize the already paid for building blocks in composable platform primitives.

On the other hand, we have seen innovative companies enter new markets dominated by incumbents and not gain significant customer traction beyond some digital natives. Twilio’s entry into the contact center market with their Flex product in 2018 provides a reference point. They offered all the building blocks for CCaaS and even provided a basic working solution. The value proposition for customers was in the programmability and customization possible. Four years later, Twilio has some customers for Flex, but is not the leading provider.

Against this background, I think that Cloudflare’s pace of innovation, broad platform offering and composability of primitives will allow them to sustain their growth and begin to encroach on competitive offerings in Zero Trust SASE. In a tougher macro environment, technology leaders at enterprises will be looking for opportunities to consolidate spend and leverage bundling to reduce the number of vendors. By addressing a broad set of use cases and continually improving their offering, I think that Cloudflare will be well positioned to win new enterprise deals and keep expanding share with existing large customers.

NOTE: This article does not represent investment advice and is solely the author’s opinion for managing his own investment portfolio. Readers are expected to perform their own due diligence before making investment decisions. Please see the Disclaimer for more detail.

Additional Reading

  • For another perspective on Cloudflare’s platform, innovation and product offerings, peer analyst Muji at Hhhypergrowth offers in-depth coverage as part of his premium content.

8 Comments

  1. Michael Orwin

    Thanks for the article. About the recent massive DDOS attack that Cloudflare mitigated, a Cloudflare blog post says the attack “originated mostly from Cloud Service Providers as opposed to Residential Internet Service Providers, indicating the use of hijacked virtual machines and powerful servers to generate the attack”. Would it be a lot harder to make that kind of attack if SASE was adopted widely? (I’m guessing “yes” but I’d like to know from someone who doesn’t have to guess.)

    • poffringa

      Hi Michael – In terms of the attack source, you are correct. Hackers are now using hijacked servers on public cloud providers to generate attack traffic as well as the typical set of consumer devices. Related to your question about the impact of SASE and whether that will reduce the incidence of DDOS attacks, the benefit would be mixed. On one hand, SASE will reduce the number of public endpoints that corporations maintain. These are mostly their own applications for internal use, where all employees, partners and vendors can be directed through a private SASE network and authenticated individually. That way, there wouldn’t be a public web site or application for hackers to find.

      SASE wouldn’t help reduce attacks on any of a corporation’s endpoints that have to maintain a public presence. These would mainly be things like their main web site, where there is no way to authenticate every visitor and direct them across a private network. In order for a consumer to find http://www.mycommercesite.com, it has to be public. So, hackers can find these resources and try to DDOS them. SASE wouldn’t solve this, but of course, good DDOS protection would.

      • Michael Orwin

        Thanks, for even more great info!

  2. Fredrik

    One question regarding the innovation pace, since you often refer to that as a great strength of Datadog and Cloudflare. What’s the backside? Less robust? More pressure on sales teams to be agile? Etc.

    What’s your view on this? Or is it just positive?

    • poffringa

      Hi – good question. The benefits of a fast pace of innovation are competitiveness in existing market categories and the ability to enter new adjacent categories (TAM expansion). The downsides can be dilution of sales focus, marketing expense and high maintenance costs. I think the companies that execute innovation well are able to move into adjacent markets and then start selling through shortly thereafter. These additional revenues help offset the sales and maintenance costs. Datadog does this well.

  3. Mek Amorntirasan

    Hi Peter,

    Lately, Cloudflare’s Glassdoor review score has been getting worse (3.8-3.9). I dug down to read the comments and the most upset employees are from the sales department. Are you worried about this? And what are the ways we non-tech investors / non-customers can gauge how their sales team is improving? Thanks again!

    Oh wait, I checked just now and the score has improved to 4.2. So at least it’s not trending down further.

    Mek

    • poffringa

      I actually find it hard to discern meaningful patterns from Glassdoor reviews. They are generally anecdotal and it isn’t a surprise that salespeople would be the loudest voices. I also know that many enterprise HR departments work hard to build Glassdoor ratings through internal employee incentives and promotions. These result in a higher score, but don’t reflect real employee satisfaction. In the Q1 earnings call, Cloudflare’s CEO mentioned record job applicants and that retention actually ticked up. With that said, if there are grumblings specific to the sales team, I hope that leadership is taking steps to address those.

      • Mek Amorntirasan

        Got it. I agree that HR can inflate ratings quite easily on Glassdoor. Thank you! 🙂