Adopting Zero Trust best practices means adopting a “never trust, always verify” mentality that checks the authenticity and safety of every request to every resource: Jen Taylor, SVP & Chief Product Officer, Cloudflare
Jen Taylor, SVP & Chief Product Officer of Cloudflare, spoke exclusively to Express Computer about how businesses can make use of their current security and networking infrastructure while they make the switch to Zero Trust.
Taylor also discussed the benefits of Cloudflare products for businesses. When customers use Cloudflare to implement Zero Trust security, they are assisted in three main areas: securing application access, defending against threats, and securing SaaS environments, such as the Microsoft ecosystem.
Taylor concludes by outlining some priorities CIOs and CISOs should keep in mind for 2023. Taylor believes that CIOs and CISOs work in a difficult and unstable economic environment. There is increasing pressure to reduce spending on IT and security while still securing a vast attack surface, remaining on top of the shifting threat landscape, and preparing their organisations for long-term growth. Consolidating vendors has been a C-level objective in order to increase the effectiveness of their IT stack, along with maximizing cybersecurity talent, and lastly, embracing hybrid work to boost future growth, mentions Taylor.
1. How can your customers leverage existing security and networking infrastructure as part of a transition to Zero Trust?
At its core, Zero Trust is not about products or features; it’s a mindset and a holistic security strategy. Specifically, adopting Zero Trust best practices means adopting a “never trust, always verify” mentality that checks the authenticity and safety of every request to every resource. Achieving this fundamental shift in mindset – from changing how IT and security teams work, to what controls they use and where – can take time.
That’s why it is so critical that Zero Trust vendors make it easy for their services to fit into an organisation’s existing ecosystem of security and networking infrastructure. Cloudflare recognises that customers often use many different identities, endpoints, and cloud providers, so our Zero Trust platform can concurrently integrate with them all in the same customer account. Organisations only need to set up each integration once, and using our platform as a single control plane to enforce policies, they can reuse that integration across many use cases.
For example, most organisations use their existing corporate SSO to verify the identity of full-time employees. But they can even verify access based on social identities (like LinkedIn or GitHub) to avoid the cost and effort of provisioning new corporate identities for contractors and third parties. We strive to make our platform as flexible as possible, so organisations can build their Zero Trust strategy on the infrastructure they already use.
2. What are the business goals the enterprise wants to achieve with Zero Trust and how can you help them embark on this journey?
The primary trend motivating organisations to adopt Zero Trust is the need to secure hybrid work. Whether users are working from home, the office, or their favorite local cafe, IT and security teams are on point to deliver consistent protection and experiences across any location and device.
In enabling this ‘work-from-anywhere’ model, enterprises are reimagining their IT and security to pursue three strategic business goals:
Improving team productivity: When implemented thoughtfully, Zero Trust security services can help simplify policy management and speed up troubleshooting for administrators and deliver better experiences for end users by, for example, delivering consistently faster and safer connections.
Reducing cyber risk: With users and devices distributed outside the traditional corporate perimeter, organizations are turning to Zero Trust to reduce their expanding attack surface and defend against threats like ransomware and phishing.
Improving technology efficiency: Consolidating controls onto a single Zero Trust platform helps organisations be more efficient by deprecating legacy appliances and disparate point services. Streamlining IT and security architecture in this way enhances visibility, simplifies management, and helps organisations deliver the digital experiences they need to stay competitive.
3. Any plan for managing identity & applying it to the security controls across the enterprise network?
Identity is foundational to Zero Trust. Aspirationally, organisations should strive to verify identity for every request to every resource across all users. Cloudflare helps aggregate identity signals from multiple sources by integrating with leading corporate IdPs (such as Okta or Microsoft Azure AD), as well as social identities (like LinkedIn or GitHub) and open source standards (like SAML or OIDC). Moreover, we support multiple instances of the same IdP: for example, a FedRAMP and non-FedRAMP use of Okta.
Identity is essential, but it is one of many contextual signals organisations can use to build Zero Trust policies. For example, security teams can build policies based on device posture (e.g. whether or not a device is deemed safe), hard key authentication, and other conditional criteria like the geography or time of a request. Embracing Zero Trust means layering on these contextual criteria, so your enterprise achieves the level of granularity you want in your security.
4. How can Cloudflare help prioritise what’s important – some can retain internal victory with Zero Trust and gain the confidence of staff and top management.
Enterprises should modernise security with Zero Trust at their own pace with steps and milestones that make sense to an individual organisation. With that said, we have seen organisations face analysis paralysis and not initiate any projects because they don’t know where to start.
As an initial starting point, we often see organisations start by offloading VPN traffic and transitioning to cloud-delivered Zero Trust Network Access (ZTNA) controls for select apps (often self-hosted web applications) or select users. A subset of internal users could include developers or IT teams or third parties like contractors, suppliers, or newly acquired teams who could benefit immediately from a safer, faster user experience.
Expanding from this starting point, organisations begin layering on additional per-app policies based on role, multi-factor authentication (MFA), hard key requirements, identity checks, device posture, and more. As teams build confidence in this approach, they move to retire their VPN entirely and protect non-web and legacy private networks with Zero Trust. As more teams within an organisation begin benefitting from Zero Trust, enterprises gain more buy-in to extend visibility and controls to other environments like SaaS applications and Internet access.
Cloudflare collaborates closely with customers to help them find their preferred starting points, based on their current pain points and their strategic priorities. And to help organisations just starting to explore their journey ahead, we even developed a vendor-agnostic roadmap with a detailed breakdown of the steps, tools, and teams involved in rolling out a Zero Trust architecture: https://zerotrustroadmap.org/
5. How can Cloudflare prioritise what data needs to be protected and continue managing data across the enterprise for Zero Trust protection?
The reality is that many organisations often don’t know what information exists in what locations. Complex legacy IT architectures limit visibility into what sensitive data needs to be protected, and the expanding organisational footprint created by remote workers and devices only makes that challenge worse.
Cloudflare experts run workshops with customers, where we collaborate to map out our clients’ existing architecture, their blind spots, and their aspirational IT and security framework. Through those conversations, we can help identify where highly sensitive information exists – whether in on-premise or cloud environments or elsewhere – and how users within or outside the organisation interact with that data – for example, in SaaS apps, in emails, and more. Our team then helps customers figure out how services like our ZTNA, secure web gateway (SWG), cloud access security broker (CASB), data loss prevention (DLP), and remote browser isolation (RBI) can reduce the risk of data leaks and mitigate insider threats. Over time, we jointly build a roadmap to help them extend protection to more data and more environments.
For example, when customers forward proxy HTTP traffic via Cloudflare, we can apply a range of in-line controls to protect data in transit. Our ZTNA service can help ensure only the right users reach sensitive information within applications, and our Data Loss Prevention (DLP) service can inspect traffic for certain types of data and block connections carrying data to places they should not be.
Plus, RBI makes it easy to control how users interact with data in web browsers. For example, if users handle sensitive customer data in SaaS apps, administrators can restrict downloads, copy-pastes, printing, and more, so that information stays in the SaaS app and never reaches a local device.
6. As per a recent report, 96 percent of Indian enterprises are adopting Zero Trust security architecture. How are Cloudflare solutions contributing to organisations?
When customers adopt Zero Trust security with Cloudflare, we often help them in three thematic areas:
Securing access to applications: We deliver a faster, safer, and more reliable way for employees, contractors, and partners to access applications, whether in public cloud, private data centers, or SaaS environments. Security is improved with multi-factor authentication and identity-based policies based on default-deny and least privilege best practices. Users also benefit from a more streamlined authentication flow and faster, more resilient connections than what they may be used to with, for example, a VPN.
Threat defense: Cloudflare protects against ransomware, multi-channel phishing, and other cyber threats with consistent controls across remote users and offices. We help organizations avoid costs and reputational damage by strengthening threat defense through proactively monitoring DNS, HTTP, and email traffic.
Securing SaaS environments, like the Microsoft ecosystem: Modern knowledge workers spend so much time in SaaS apps like email, shared documents, and chats for collaboration, communication, and more. Even though these SaaS suites often have some built-in security, it is still critical to layer on a Zero Trust approach to proactively minimise risks of misconfigurations, shadow IT, user errors, and more. So, we extend visibility and in-line and API-based controls across SaaS environments that help organisations be more agile with their cloud email, identity, and application investments from vendors like Microsoft.
7. What are some priorities CIOs and CISOs should keep in mind for 2023?
CIOs and CISOs are operating in a challenging and volatile economic climate. Pressures are mounting to streamline expenses on IT and security, while still securing a sprawling attack surface, staying on top of the fluid threat landscape, and equipping their organizations to grow over the long run.
One C-level priority has been consolidating vendors to improve the efficiency of their tech stack. Organisations want to spend less on multiple-point solutions and avoid juggling multiple management interfaces and contracts. Instead, businesses are turning to partners like Cloudflare that unify many critical security capabilities on a single platform and single control plane. CIOs and CISOs feel that consolidating helps not only improve financial efficiency but unlocks productivity for the IT and security teams that need to work on these tools every day.
Another C-level priority has been to maximise cybersecurity talent. High-quality IT and security talent is in short supply, and budgets are only getting tighter. So organisations are thinking about ways to equip their existing staff with the right strategy and capabilities to secure more with less. Adopting a Zero Trust security posture plays a key role here because those best practices significantly reduce your organisation’s overall risk level. Plus, again, unifying security controls on a single platform can help your teams be more efficient and effective in protecting the organisation.
A final C-level priority is to embrace hybrid work to drive future growth. Modern employees expect this work flexibility, and supporting hybrid or remote work can help organisations attract and retain the highest quality talent. Plus, delivering superior IT and security experiences for all users – whether at home, in the office, or on the road – demonstrates your organisation’s commitment to helping your employees do their best work and will keep them more satisfied and effective.