Tag Archives: Impact Week

How Cloudflare helps protect small businesses

Post Syndicated from Azmina Hashim original https://blog.cloudflare.com/how-cloudflare-helps-protect-small-businesses/

Large-scale cyber attacks on enterprises and governments make the headlines, but the impacts of cyberattacks can be felt acutely by small businesses that struggle to keep the lights on during normal times. In this blog, we’ll share new research on how small businesses, including those using our free services, have leveraged Cloudflare services to make their businesses more secure and resistant to disruption, along with a real story about how Cloudflare makes a tangible impact for small business customers.

Research has indicated that 43% of cyber attacks target small businesses [Source: Institute for Security and Technology, Blueprint for Ransomware Defense, 2022]. Small businesses face many of the same cybersecurity challenges as larger organizations, but with fewer resources to plan, design, and manage their IT systems and security protections. Most small businesses say they don’t have the personnel to address IT security adequately or appropriately [Source: Ponemon Institute, 2018 State of Cybersecurity in Small & Medium Size Businesses].

Your local florist, fitness studio, café, or pet shop is likely using a wide variety of cloud-based SaaS apps to stay open for customers, including online accounting software, booking systems, point-of-sale credit card readers, inventory management systems, content management systems, and cloud email providers. Each of these systems can be compromised and used to launch an attack. As the global pandemic showed us, small businesses operate with tight margins and very little room for any sort of disruption to daily operations.

While larger enterprises may be able to absorb the temporary loss of revenue from a system outage or a ransomware attack, small business owners can quickly find themselves headed for disaster after just a short period of degraded service quality or system outages. Without a full time security operations center at their disposal or even a dedicated IT staff to focus attention on security issues, small business owners might feel powerless to predict, stop, or mitigate any cyber attacks that could affect their bottom lines and, more worryingly, their livelihoods.

At Cloudflare, our mission is to help build a better Internet. We believe the Internet should be open and free, and that all Internet properties, no matter how small, should be safe, secure, and fast. We believe that every website should have access to the best security and performance available, whether that website belongs to a large multinational corporation, a local non-profit organization, a global human rights advocacy group, an institution of higher learning, or a clothing boutique with a single location in a small town. And most importantly, we believe that everyone on the Internet deserves protection against cyber attacks, even if they use a Free plan and don’t spend any money with Cloudflare.

Small business users

We identified over 94,000 small customers, such as small businesses, using at least one Cloudflare service. What do some of these small customers look like? One is a small clothing and apparel company based in Central Europe. Another is a popular coffee shop in Southeast Asia. The largest group of small customers (around 30%) is located in the United States, though small customers are present across North America, Europe, South America, Australia, and Asia.

| Location | Small Business Accounts* |
| --- | --- |
| United States | 28,558 |
| United Kingdom | 6,952 |
| Australia | 3,454 |
| Canada | 3,444 |
| Germany | 3,024 |
| Brazil | 2,822 |
| China | 2,777 |
| India | 2,214 |
| France | 1,793 |
| Vietnam | 1,666 |

*Small Customer Accounts Top Ten Locations

In 2022, these small businesses and organizations were responsible for over seven billion cached requests per day. We identified over 38,000 Layer 3 DDoS attacks that Cloudflare helped mitigate for small customers in 2022. For small businesses, stopping a cyber attack means keeping their doors open – and potentially keeping their businesses afloat.

| Location | Layer 3 attacks on small business customers |
| --- | --- |
| United States | 18,738 |
| United Kingdom | 7,366 |
| China | 6,576 |
| Germany | 5,423 |
| Canada | 2,517 |
| Australia | 2,374 |
| Brazil | 1,871 |
| Hong Kong | 3,365 |
| Russia | 4,579 |
| Taiwan | 1,666 |

Free plan users

What about the users on Free plans? As of December 2022, we identified 4.2 million Cloudflare accounts using only services available in our Free plan – representing a 40% increase year-over-year from 2021. Together, these Free plan customers were responsible for roughly 70 trillion requests over the Cloudflare network in 2022 – a value of $7 million of content delivery network services that they received at no cost. Many of our Free plan users are also leveraging Cloudflare Access for free, with over two million free Access seats currently in use.

With so many Free plan users, it can be challenging to know what impact these aggregate numbers have on the individuals who run these accounts. That’s why we were pleased to speak with a user on a Free plan who shared their story.

Customer story

A small local hosting company in the southern United States has the responsibility to protect the websites they host, which all belong to small local businesses – the florists, bakeries, and pet shops who are spending their time and resources supporting the local community and who cannot afford to experience downtime from a cyber attack. Some of these websites have e-commerce capabilities, while others contain WordPress sites. Other properties have some level of customized development in need of protection from SQL injections, spoofing, bot scraping attacks, and other malicious activities. While these small business websites are not being specifically targeted by cyber attackers (and instead experience broad, less focused attacks on a wide range of IP addresses) they suffer the same consequences of reduced performance, downtime, and business disruption as larger properties would.

To help mitigate these consequences, the hosting provider uses our free WAF Managed Ruleset and Bot Fight Mode capabilities to protect customer properties. Cloudflare offers another layer of protection and peace of mind for the websites of small businesses to remain operational. By using Cloudflare’s free services, the hosting provider has significantly reduced the large volumes of malicious traffic coming in from overseas IPs. Since the businesses are small and local, any traffic coming from outside the country is unlikely to be a local customer and clearly is not there to transact with the local businesses.

This hosting provider said that their use of Cloudflare had also cut down on their bandwidth egress fees by $100 per month. That may not seem like much from the perspective of a large enterprise – but it adds up quickly for a smaller company. By caching requests through Cloudflare’s network, the provider also reduces server load, so they have more capacity to handle attacks. Most importantly, the hosting provider finds Cloudflare intuitive to deploy and use, and straightforward to customize for the specific needs of the small business websites that need protection.

We closed our conversation with one final thought: “I can’t believe you’re doing this for free!”

No business of any size should have to face cyber attacks alone, whether they are a paying customer or not. Cloudflare is trusted by millions of Internet properties, from the largest global companies to your corner grocery store. Getting started with Cloudflare is simple, fast, and straightforward. You can sign up for a Free plan in minutes to get the tools you need to secure and accelerate your web presence and keep your small business thriving.

Project Safekeeping – protecting the world’s most vulnerable infrastructure with Zero Trust

Post Syndicated from Carly Ramsey original https://blog.cloudflare.com/project-safekeeping/

Under-resourced organizations that are vital to the basic functioning of our global communities face relentless cyber attacks, threatening basic needs for health, safety and security.

Cloudflare’s mission is to help make a better Internet. Starting December 13, 2022, we will help support this vulnerable infrastructure by providing our enterprise-level Zero Trust cybersecurity solution at no cost, with no time limit.

It is our pleasure to introduce our newest Impact initiative: Project Safekeeping.

Small targets, devastating impacts

Critical infrastructure is an obvious target for cyber attack: by its very definition, these are the organizations and systems that are crucial for the functioning of our society and economy. As such, these organizations cannot have prolonged interruptions in service, or risk having sensitive data exposed.

Our conversations over the past few months with government officials in Australia, Germany, Japan, Portugal, and the United Kingdom show that they are focused on the threat to critical infrastructure, but resource constraints mean that their attention is on protecting large organizations – immense financial institutions, hospital networks, oil pipelines, and airports. Yet, the small critical infrastructure organizations that are the foundation of our communities are also at risk: the neighborhood hospital, water treatment facility, and local energy provider that fulfill our fundamental needs. We tend to ignore the small-yet-vitally-important companies that form the supply chains of our nationwide critical systems.

Unlike large organizations, smaller organizations typically do not have the capacity to manage relentless cyber attacks – usually operating on shoestring budgets, they do not have security personnel, threat insight teams, or the latest technology to keep their organizations secure. The numerous real life examples of cyber attacks against these small but vital organizations best illustrate the devastating impacts: in Japan, ransomware shut down a hospital’s access to patient records for nearly two months, halting the hospital’s ability to accept any new patients, including emergency patients; and in Germany, ransomware compromised a local county’s IT systems and no local public services could be provided to citizens for weeks, while the county is still struggling with the aftermath of the attack one year on.

Project Safekeeping: protecting global vulnerable critical infrastructure with Zero Trust

We at Cloudflare believe in helping to build a better Internet, for everyone. And we think that the welfare of our local communities should not be at risk because of the budget and operational constraints of these small and vulnerable entities. We think that we are particularly well-suited to help: Cloudflare is a global cybersecurity provider that blocked an average of 126 billion cyber threats each day in Q3 2022. And with Project Galileo and the Athenian Project, we have rich experience supporting organizations that are particularly vulnerable to cyber threats and lack the resources to protect themselves.

We want our support to be meaningful in order to allow these entities to focus on what they do best – meeting our communities’ basic needs. As expressed in this blog, Cloudflare provides an innovative and elegant solution to cybersecurity: Zero Trust. Zero Trust is a radical change in the approach to cybersecurity that is both effective and effortless, something that a resource-strapped organization will certainly appreciate.

Earlier this year, in response to the increasing cyber attacks on critical infrastructure stemming from Russia’s invasion of Ukraine, we provided our Zero Trust solution to critical infrastructure in the United States via the Critical Infrastructure Defense Project. Now, we are expanding our support to the global community, initially focusing our efforts in Australia, Japan, Germany, Portugal and the United Kingdom.

What Zero Trust services are available?

Depending on their specific needs, eligible entities in these regions will have our enterprise-level Zero Trust cybersecurity services for free and with no time limit – there is no catch and no underlying obligations. Eligible organizations will benefit from the full range of our Zero Trust services:

  • Connecting users to applications: Real-time verification of every user to every protected application in order to protect internal resources and defend against potential data breaches.
  • Filtering traffic: A Secure Web Gateway (SWG) prevents cyber threats and data breaches by filtering unwanted content from web traffic, blocking unauthorized user behavior, and enforcing company security policies.
  • Securing cloud applications: A Cloud Access Security Broker, or CASB, performs several security functions for cloud-hosted services (e.g. SaaS, IaaS, and PaaS applications). Standard CASBs secure confidential data through access control and data loss prevention, reveal shadow IT, and ensure compliance with data privacy regulations.
  • Protecting sensitive data: Data Loss Prevention (DLP) secures your organization’s most sensitive data in transit.
  • Email security: Area 1 preemptively blocks phishing, Business Email Compromise attacks, malware-less fraud, and other incessant attacks coming through email.
  • Safer web browsing: Remote Browser Isolation (RBI) insulates users from untrusted web content and protects data in browser interactions from untrusted users and devices.

In addition to the Zero Trust services above, eligible entities will have access to our world-class application security products – DDoS protection and Web Application Firewall (WAF).

Who can apply?

To be eligible, Project Safekeeping participants must be:

  • Located in Australia, Japan, Germany, Portugal, or the United Kingdom.
  • Considered critical infrastructure by governments in their respective localities.
  • Approximately up to 50 people and/or less than USD $10 million in annual revenue/balance sheet total.

If you think your organization may be eligible, we welcome you to contact us to learn more and apply. Please visit: https://www.cloudflare.com/lp/project-safekeeping/.

The Montgomery, Alabama Internet Exchange is making the Internet faster. We’re happy to be there.

Post Syndicated from Mike Conlow original https://blog.cloudflare.com/montgomery-alabama-ix/

Part of the magic of the Internet is in tens of thousands of networks connecting to each other all across the world in an effort to share information more efficiently. Cloudflare is a member of 279 Internet Exchanges (IX for short), but today we want to highlight one such dot on the global Internet map: the Montgomery, Alabama Internet Exchange, called MGMix. Thanks to the hard work of local leaders and the participation of dozens of networks (including Cloudflare), the Internet in Alabama works better today than it did before the IX launched.

Understanding IXs

Before we talk more about Alabama in particular, let’s take a step back to understand the critical role that Internet Exchanges play in our global Internet. In a simple model of exchanging Internet traffic, one person is on their laptop and requests content on a website, uses a video conferencing application, or wants to securely connect to their workplace from home. The person, or “client” in technical terms, is generally using a traditional Internet Service Provider, who they pay to access everything on the Internet. On the other hand, whatever the user is trying to reach – the website, API endpoint, or security service – or “server” in technical terms, is usually on a different network. How the data gets from the client’s network to the server’s network is not something Internet users think much about, but at Cloudflare, we think about it a lot.

One way that a network can reach another network is by paying a 3rd party network to deliver the traffic. This is called “transit” and it’s an appealing option because it’s simple. One “Tier 1” transit provider can reach the entire Internet. Of course, the tradeoff is that convenience comes at a cost – networks pay transit providers based on the quantity of traffic passed over the connection.

At the other end, larger networks often connect directly with what are called Private Network Interconnections (PNI). If one network is consistently sending large volumes of traffic to another network, it will be less expensive to use a PNI than to send the traffic over a transit provider. In this case, the two networks string a fiber cable across the ceiling of a data center where both networks have a presence, from one network’s cage to the other’s.

Right in the Goldilocks zone between transit providers and PNIs are Internet Exchanges. An IX brings networks together in one place, and lets them freely exchange traffic. Sometimes they’re literally called “meeting rooms”. Once a network joins an IX, they might be able to reach hundreds of other networks without incurring 3rd party transit fees. Thriving IX communities are a power-up for the Internet: they reduce the cost of delivering Internet traffic, incentivizing more networks to join, while making the Internet faster through better interconnection.

Montgomery Internet Exchange (MGMix)

Back to Alabama. Unfortunately, Alabama, and the “Deep South” in general, has some of the worst performing Internet in the country. In Alabama, 15% of locations don’t have access to home Internet with download throughput of 25 Mbps and 3 Mbps upload according to the latest FCC data. In Mississippi, it’s 20%. The national average is 7%. In terms of latency, which is how we measure the speed of the Internet, the Deep South is also well above average.

50th percentile TCP Connect Time (ms) to Major Content Delivery Networks

One of the reasons for the poor performance is that requests for content often travel to Atlanta, Dallas, or other Internet hubs even farther away before coming all the way back to the user in Alabama or Mississippi. That’s why an IX in Montgomery is so exciting: if networks can exchange traffic in Montgomery, the data doesn’t need to travel as far, and the Internet will be faster.

A few years ago, local leaders in Montgomery started to build up the Montgomery Internet Exchange (MGMix). With the support of the mayor, and the help of city staff, and a cooperative that included the city, county, state, and a nearby Air Force base, they launched the IX in 2016. Later they formed a technical committee and upgraded to 100 Gbps of capacity.

With a donated switch from Packet Clearing House, MGMix estimated their initial costs at $1,000 per month for data center space and connection to the Internet. At its core, an IX is just a Layer 2 switch where all the networks plug in and advertise their presence to each other. That’s not to say it’s easy. One of the hardest parts is the work to attract networks.

IXs have a hard chicken-and-egg problem. The first network at an IX doesn’t have anyone to exchange traffic with. Conversely, once there are a lot of networks at an IX, it becomes easy to attract new ones. Additionally, networks like Cloudflare need certain types of networks – transits – to be present. In almost all cases, Cloudflare doesn’t actually host the website or service an Internet user is trying to reach; we protect them, but aren’t the original source. To get content from the original source, we need access to transit networks. The City of Montgomery did the hard work of building up the IX network by network.

MGMix now has a who’s-who of the Internet in Alabama as members. Some are ISPs like Charter, Wide Open West, Uniti Fiber, and Troy Cablevision. Some are big institutions like the State of Alabama, Alabama State University, the City of Montgomery. And still others are the providers of content and services, like Cloudflare, Meta, and Akamai.

From Cloudflare’s perspective, it was an easy decision to join MGMix. We followed the development closely, and joined soon after it opened. After all, it means better Internet performance for a group of southern states that have been historically underserved. Now that it’s established, it’s essentially maintenance-free. It’s set-it-and-forget-it for better Internet performance.

Below is a chart of our traffic through MGMix over the course of November. We see daily spikes in traffic outbound from Cloudflare to other networks that are members of the IX. Interestingly, the traffic is lower from the 20th of November through the 27th of November which is the week of Thanksgiving in the US. It looks like Internet users in Alabama were enjoying a restful week with their families and not using the Internet (as much as usual).

It has apparently been going so well that MGMix just announced they’re expanding to Auburn, Alabama.

Steven Reed, the current mayor of Montgomery, said of the expansion: “This is a step forward to achieving digital equity across the region, benefiting individuals who live in underserved rural communities. By extending our network fabric to a datacenter in Auburn, the MGMix will improve the efficiency and resiliency of the Internet for the Montgomery area, colleges and businesses along the I-85 corridor, and the entire River Region.”

We couldn’t have said it better. IXs are a critical part of a strong Internet interconnection ecosystem. We’re proud members of the MGMix, and will continue to join IXs globally where we can reach Internet users more efficiently and effectively.

Cloudflare expands Project Pangea to connect and protect (even) more community networks

Post Syndicated from Ben Ritter original https://blog.cloudflare.com/project-pangea-expansion/

In July 2021, Cloudflare announced Project Pangea to help underserved community networks get access to the Internet for free. Today, as part of Impact Week, we’re excited to expand this program to support even more communities by relaxing the technical requirements to participate.

Previously, in order to be eligible for Project Pangea, participants would need to bring at least a /24 block of IP space for Cloudflare to advertise on their behalf (referred to as “Bring Your Own IP”). But everyone should have secure, fast, and reliable access to the Internet, without being gated by costly network resources like IPv4 space. Starting now, participants no longer need to bring a /24 in order to access Pangea services: Internet connectivity, DDoS protection, network firewalling, traffic acceleration, and more, are available for free for eligible networks.

How is Project Pangea helping community networks?

The Internet Society, or ISOC, describes community networks as “when people come together to build and maintain the necessary infrastructure for Internet connection.” Most often, community networks emerge from need, and in response to the lack or absence of available Internet connectivity.

Cloudflare’s global network, which spans more than 275 cities across the world, provides us with the unique opportunity to help community networks of all shapes and sizes. Cloudflare offers community networks secure, fast, and reliable Internet access through Magic Transit, and frees up time for community network operators by mitigating malicious traffic. This empowers operators to focus more on managing the last mile connections to network users.

By placing a community network behind Cloudflare with Magic Transit, those networks are automatically protected against Distributed Denial of Service attacks which often overwhelm network and security devices, or undersized Internet connections. Beyond mitigating DDoS attacks, Cloudflare also offers Magic Firewall through Project Pangea. Magic Firewall is a firewall as a service, and enables operators to remove physical firewalls and still enforce network level firewall rules. Implementing Magic Firewall in place of a physical firewall removes a single point of failure, and another device which needs to be upgraded during a maintenance window.

As community networks grow to support more users, the bandwidth required and the exposure to attack traffic also grow. One challenge with growing a network and providing security is that on-premises firewalls need to be replaced or upgraded when they hit specific bandwidth limitations. The security appliance is often an expensive bottleneck to upgrade, preventing networks from helping more users. One unique benefit to using Cloudflare for network connectivity is that, unlike an on-premises network firewall, operators never need to upgrade Cloudflare. Incoming traffic is distributed across hundreds of locations, allowing Cloudflare to provide security services and block attacks across the whole Cloudflare network.

One of several possible deployment models Pangea participants can use to get connected

Pangea participant highlight: Ayva Networks

Ayva Networks is a not-for-profit Wireless Internet Service Provider that provides backbone and Internet services to approximately 400 households in the rural mountain areas west of Boulder, Colorado. In 2023, they will grow their network to provide more gigabit network access. Nick Wilson from Ayva Networks explains that “reliable Internet in our community isn’t a privilege, it’s an essential utility, and often provides the only means of communication for many homes in our region as cellular service is generally rare.”

After connecting through Magic Transit, Nick shared “speeds are noticeably better on Magic Transit, especially for those who work with cloud resources” and that “our firewalls deal with a lot less background noise” due to all the attack traffic mitigated by Cloudflare.

Colorado’s environment can be pretty extreme, and present many challenges to running a Wireless Internet Service Provider. Ayva Networks responds to 100+ mph wind, massive hail, blizzards, flooding, insects, lightning, and fire. By using Magic Transit, Ayva Networks is better able “to engineer traffic flows much more granularly than we otherwise are able to with BGP alone, and has become an essential tool for us in mitigating and responding to outages.”

What have we learned since launching Project Pangea?

We’ve been privileged to help a lot of great organizations like Ayva Networks connect more people to the Internet. Many community networks are passion projects, and are run by volunteers who want to make a difference in their community. Volunteers often only have limited time to contribute, and this has emphasized how simple we need to make it for organizations of any size to get up and running behind Cloudflare.

Another challenge we did not foresee is that many community networks do not have their own network IP address space. IP addresses are needed by all computers to communicate on the Internet. Until today, Magic Transit and Magic Firewall required that community networks provide their own IP addresses. We recently extended Magic Transit to support customers without their own IP address space with Magic Transit with Cloudflare IPs, and we’re excited to bring this functionality to community networks via Project Pangea.

How can my community network get involved?

Check out our landing page to learn more and apply for Project Pangea today.

The US government is working on an “Internet for all” plan. We’re on board.

Post Syndicated from Mike Conlow original https://blog.cloudflare.com/internet-for-all-us/

Recently, the United States Department of Commerce announced that all 50 states and every eligible territory had signed on to the “Internet for All” initiative. Internet for All is the US government’s $65 billion initiative to close the Digital Divide once and for all through new broadband deployment and digital equity programs. Cloudflare is on a mission to help build a better Internet, and we support initiatives like this because we want more people using the Internet on high-throughput, low-latency, resilient and affordable Internet connections. It’s been written often since the start of the pandemic because it’s true: it isn’t acceptable that students need to go to a Taco Bell parking lot to do their homework, and a good Internet connection is increasingly important for doing adult jobs as well.

The Internet for All initiative is the result of $65 billion in broadband-related funding appropriated by the US Congress as part of the Infrastructure Investment and Jobs Act (IIJA). It’s been called a “once in a generation” funding opportunity, and compared with the Rural Electrification Act which brought power lines to rural America in the 1930s. The components of the broadband portion of the Infrastructure bill are:

  • $42.5 billion for broadband deployment – new wires and wireless radios in places that don’t have them – called the Broadband Equity, Access, and Deployment Program (BEAD).
  • $14.2 billion to make permanent a $30 per month subsidy for low-income families to purchase a home Internet subscription.
  • $2.75 billion to establish a grant program that will improve digital equity, which means teaching Americans how to make the most of the Internet and their home connection.
  • $2 billion for new connectivity on tribal lands.
  • $1 billion to establish new “middle-mile” capacity, which will connect rural communities to the Internet “backbone”.

The US should be applauded for making this kind of investment in broadband infrastructure. By appropriating federal funds, the government is able to ensure the money is used as it’s intended. For example, federal rules will require that areas with no infrastructure and disadvantaged urban areas will receive priority funding. Individual states will have the option of adding their own rules.

There’s significant work to do. According to the latest numbers from the Federal Communications Commission, 12% of Americans lack access to home broadband with throughput of at least 100 Mbps download and 20 Mbps upload.

There’s another way to think about access to broadband. A wire running near your house doesn’t do any good if the residents can’t afford it, or don’t know how to use the Internet. According to Pew Research, 23% of Americans say they don’t have an Internet connection at home. Those aren’t just rural areas without broadband infrastructure; they’re also urban areas where the connection is too expensive.

Cloudflare isn’t a disinterested observer. When Internet users don’t have access to good broadband, our services – the websites, APIs and security products we offer – won’t work as well for them as they should. In the map below, we use the Resource Timing API to measure the latency between Internet users and the major Content Delivery Networks (CDNs), including Cloudflare. We see rural and southern states have worse performance than the northeastern United States, with Hawaii and Alaska being off the charts in terms of their poor speed.

50th percentile TCP Connect Time (ms) to Major Content Delivery Networks

*Alaska and Hawaii have TCP Connect times of 263 and 160 respectively. 
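How a per-CDN median TCP connect time can be derived from Resource Timing entries, as an added example that is not Cloudflare's measurement code. It assumes the TCP portion runs from `connectStart` to `secureConnectionStart` (or `connectEnd` for plain HTTP) and a nearest-rank median; the sample entries and host names are constructed.

```javascript
// Added example (not from the original post). In a browser the input would be
// performance.getEntriesByType("resource"); here the entries are constructed.

// Return the TCP connect time of one PerformanceResourceTiming-like entry,
// or a reason why the entry cannot be used.
function tcpConnectMs(entry) {
  // Cross-origin resources served without a Timing-Allow-Origin header report
  // connectStart/connectEnd as 0. The browser hides them on purpose so a page
  // cannot time another origin's connections; there is nothing to measure.
  if (entry.connectStart === 0 && entry.connectEnd === 0) {
    return { ms: null, reason: "opaque" };
  }
  // A reused keep-alive connection reports connectStart === connectEnd.
  // No handshake happened, and counting it as 0 ms would skew the median.
  if (entry.connectEnd === entry.connectStart) {
    return { ms: null, reason: "reused" };
  }
  // For HTTPS, connectEnd also covers the TLS handshake; secureConnectionStart
  // marks where TLS begins, so the TCP part ends there.
  const tcpEnd =
    entry.secureConnectionStart > 0 ? entry.secureConnectionStart : entry.connectEnd;
  return { ms: tcpEnd - entry.connectStart, reason: null };
}

// Nearest-rank percentile over a list of numbers; null when the list is empty.
function percentile(values, p) {
  if (values.length === 0) return null;
  const sorted = [...values].sort((a, b) => a - b);
  const rank = Math.max(1, Math.ceil((p / 100) * sorted.length));
  return sorted[rank - 1];
}

// Group entries by host and report the 50th percentile TCP connect time,
// together with how many entries were skipped and why.
function summarize(entries) {
  const byHost = {};
  for (const entry of entries) {
    const host = new URL(entry.name).hostname;
    if (!byHost[host]) {
      byHost[host] = { values: [], skipped: { opaque: 0, reused: 0 } };
    }
    const { ms, reason } = tcpConnectMs(entry);
    if (ms === null) {
      byHost[host].skipped[reason] += 1;
    } else {
      byHost[host].values.push(ms);
    }
  }
  const report = {};
  for (const [host, bucket] of Object.entries(byHost)) {
    report[host] = {
      p50: percentile(bucket.values, 50),
      samples: bucket.values.length,
      skipped: bucket.skipped,
    };
  }
  return report;
}

// Constructed sample entries (times in ms since the page's time origin).
const SAMPLE = [
  { name: "https://cdn-a.example/a.js", connectStart: 100, secureConnectionStart: 130, connectEnd: 170 },
  { name: "https://cdn-a.example/b.css", connectStart: 200, secureConnectionStart: 242, connectEnd: 300 },
  { name: "https://cdn-a.example/c.png", connectStart: 310, secureConnectionStart: 0, connectEnd: 310 },
  { name: "https://cdn-a.example/d.png", connectStart: 400, secureConnectionStart: 418, connectEnd: 460 },
  { name: "https://cdn-b.example/x.js", connectStart: 0, secureConnectionStart: 0, connectEnd: 0 },
  { name: "http://cdn-b.example/y.js", connectStart: 50, secureConnectionStart: 0, connectEnd: 110 },
  { name: "https://cdn-b.example/z.js", connectStart: 500, secureConnectionStart: 580, connectEnd: 700 },
];

console.log(JSON.stringify(summarize(SAMPLE), null, 2));
```

The skipped counts matter when comparing CDNs: a host that never sends `Timing-Allow-Origin` yields no samples at all, which is different from a host with a fast median.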

Access technology, which is how Internet users connect to the Internet (cable, fiber, DSL, wireless, satellite), is one important part of the overall quality of their connection, but there are other, less talked about factors. Another factor is how close geographically the user is to the content and services they are accessing. Midwestern states where requests for data need to travel to Internet hubs in Chicago or Dallas are going to be slower than requests for data from Washington, DC, served by the giant Internet hub around Ashburn, Virginia. To be as close as possible to users geographically, Cloudflare has servers in 51 locations across 28 states in the US, and is still growing.

Programs that provide funding for deployment are one piece of the puzzle, but there are important non-financial initiatives as well. For example, the IIJA directed the Federal Communications Commission to come up with “broadband nutrition labels” that will be shown to consumers at the point of purchase for any Internet service. Just a few weeks ago, the FCC announced their implementation. Cloudflare filed comments with the FCC with our suggestions for how to make these labels informative, future-proof, and easy for consumers to understand. We also wrote about it here.

We’d be remiss to not also mention our own contribution to digital divide initiatives – Project Pangea. For community and non-profit networks that have invested in last-mile infrastructure but need a connection to the Internet – “transit” in industry terms – the network can connect to Cloudflare, and we’ll provide that Internet transit at no charge to the network. It’s one piece of the puzzle, and we’re always looking for additional ways to help.

One thing everyone can do is help the FCC build the most accurate broadband map possible by going to the map, entering your address, and verifying the data. The map will show your individual location and all ISPs that claim to serve your address. If there’s a problem – and there can be, it’s a new map and new process – you can file a challenge right from the FCC’s mapping site.

It’s laudable that the US government is stepping up with billions of dollars in funding for broadband networks and digital equity programs. In the shared project of helping build a better Internet, this is an important and big step.

Expanding Area 1 email security to the Athenian Project

Post Syndicated from Jocelyn Woolbright original https://blog.cloudflare.com/expanding-area-1-email-security-to-the-athenian-project/

Election security encompasses a wide variety of measures, including the protection of voting machines, election office networks, voter registration databases, and other systems that manage the electoral process. At Cloudflare, we have reported on threats to state and local governments under the Athenian Project, how we prepare political campaigns and state parties under Cloudflare for Campaigns for election season, and our work with organizations that report on election results and voting rights groups under Project Galileo.

Since the 2022 US midterm elections, we have been thinking about how we help state and local governments deflect larger cyber threats that target the election community and have been analyzing the biggest problems they are facing. In October 2022, Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency, said, “The current election threat environment is more complex than it has ever been.” Amid threats, intimidation toward election workers, and cyber attacks against election infrastructure and operations, preparing for elections is no easy task.

At Cloudflare, our mission is to help build a better Internet. The Internet plays a key role in promoting democracy and ensuring constituents’ access to information. With this, we are excited to share that we have grown our offering under the Athenian Project to include Cloudflare’s Area 1 email security suite to help state and local governments protect against a broad spectrum of phishing attacks to keep voter data safe and secure.

Our work in protecting elections

To understand why we have expanded our product set, we need to look back on how our services have helped state and local governments during election time. Under the Athenian Project, we have provided our highest level of Cloudflare services—the Enterprise plan—for free to state and local governments that run elections. The idea originally was that, just like every other Internet property, election websites need to be fast, they need to be reliable, and they need to be secure. Yet, scarce budgets too often prevent governments from getting the right resources to prevent attacks and stay online.

With this, we launched the Athenian Project in 2017. It includes many of our core web services, such as DDoS protection, Web Application Firewall, SSL encryption, and more security features that focus on web applications. We have been able to provide these services to local governments in 31 states and currently protect 359 election entities in the United States.

We have expanded our product set at Cloudflare with Workers, Pages, Zero Trust, and network security solutions. With this, we wanted to understand how we can better support the election community that we work with every day on the Athenian Project.

We knew we could provide more

Internally, we brainstormed on the most pressing issues that face the election community and overall Internet ecosystem. We also asked new and existing Athenian participants about the largest pain points they have when it comes to securing their internal networks and applications. We received a range of answers, from fears of a DDoS attack on election night, to zero-day exploits, on-path attacks, and malware attacks. Many of the same themes came up, especially among small counties that run elections, which have a huge fear of phishing and ransomware attacks.

Despite email’s importance as a communication method, many types of email security still are not built into email by default. As a result, email is a major attack vector for organizations large and small, and for individual people as well. We have seen firsthand phishing attempts that take advantage of human psychology to encourage quick—and unfortunate—decision-making. Once an attacker has infiltrated a network, they can easily move laterally undetected and impact a wide range of sensitive internal systems.

That is why email security plays a critical role in preemptive defenses against ransomware attacks. Since many of these attacks start with a malicious or phishing email, effective email security can act as a frontline defense against ransomware, and stop these attacks before they reach inboxes. Due to the ease with which threats can be blocked before they reach an election official’s inbox, we were excited to work with those in the election space to find the best way to make these products available.

Typically, when we offer new security products under our Impact projects, we collaborate with external stakeholders. One example is the civil society groups that we partner with under Project Galileo; many of them work in the election community and at government agencies, such as CISA’s Joint Cyber Defense Collaborative (JCDC). These partnerships help us understand how to provide these security tools in a responsible and sustainable way.

How one North Carolina county uses Area 1 email security

Months before the 2022 US midterm elections, we reached out to a few state and local governments that currently use Zero Trust products, such as Access and Gateway, to discuss email security.

One of our Athenian participants that was eager to work with us on this expansion was Rowan County, North Carolina. For Randy Cress, CIO for Rowan County, election season means all hands on deck for IT staff in order to secure their .gov site that provides accurate, secure information to voters.

In 2020, Rowan County reported that Cloudflare helped them tackle a 400% increase in traffic on a limited budget, which allowed them to refocus resources on other county initiatives. When it comes to phishing, Randy wanted to shield county employees from attacks and block malicious threats automatically.

“Prior to Area 1 Security, we were using Office 365 email protection with limited insight for the specifics for messages that were quarantined. While cloud services from Microsoft are continually evolving, we were looking to reduce complexity to support security functions within our environment, allowing us to continue implementing new layers of defense.”

Deploying Area 1 gave the county the ability to preemptively discover and eliminate phishing attacks before they inflict damage in their environment. Randy added, “Our team was able to fully onboard prior to the official onboarding call in less than 30 minutes with Cloudflare. We were able to focus on features and specifics of the product offering in lieu of time spent in configuration mode and troubleshooting. Since we are using Cloudflare for DNS and DDoS protection, the changes were extremely easy and there were no interruptions to our mail delivery process.”

For the 2022 US midterm elections, Randy reported, “Leading up to the elections, reports within our Area 1 dashboard indicated 2x as many inbound malicious emails from the same time period in October 2022. We saw credential harvesting as the top threat, and we are easily able to see which users are targeted for email compromise. With Area 1 Security under the Athenian Project, we were able to add additional layers of security to our organization, as it allowed us to preemptively defend against malicious messages before an employee can click on a malicious link. This gives us comfort knowing that Cloudflare is our first line of defense, so we can focus on providing a secure voting process for the constituents of Rowan County.”

Area 1 and the Athenian Project

Cloudflare Area 1 email security is a cloud-native service that stops phishing attacks and can be used with Enterprise accounts under the Athenian Project. If you are a state or local government that is interested in learning more about the Athenian Project, please apply on our website: https://www.cloudflare.com/athenian/.

Democratizing access to Zero Trust with Project Galileo

Post Syndicated from Jocelyn Woolbright original https://blog.cloudflare.com/democratizing-access-to-zero-trust-with-project-galileo/

Project Galileo was started in 2014 to protect free expression from cyber attacks. Many of the organizations in the world that champion new ideas are underfunded and lack the resources to properly secure themselves. This means they are exposed to Internet attacks aimed at thwarting and suppressing legitimate free speech.

In the last eight years, we have worked with 50 partners across civil society to onboard more than 2,000 organizations in 111 countries to provide our powerful cyber security products to those who work in sensitive yet critical areas of human rights and democracy building.

New security needs for a new threat environment

As Cloudflare has grown as a company, we have adapted and evolved Project Galileo especially amid global events such as COVID-19, social justice movements after the death of George Floyd, the war in Ukraine, and emerging threats to these groups intended to silence them. Early in the pandemic, as organizations had to quickly implement work-from-home solutions, new risks stemmed from this shift.

In our conversations with partners and participants, we noticed a theme. The digital divide in terms of cyber security products on the market and the “one size fits all” model mean that only large enterprises with a dedicated security team and extensive budgets have the ability to keep their internal resources and data secure. For Project Galileo, we work with a range of organizations that vary in size, internal capacity, and technical expertise. Especially since many of these groups rely on their online presence to collect donations, organize volunteers, and promote their mission, one-size-fits-all security products do not match the needs and expertise of these groups.

Announcing new Zero Trust tools for Project Galileo participants

With this, we have extended our Zero Trust products to all domains under Project Galileo, as we want organizations to have access to Enterprise-level cyber security products no matter their size and budgets. Zero Trust security means that no one is trusted by default from inside or outside the network, and verification is required from everyone trying to gain access to resources on the network. This allows organizations of any size to solve the common security problems such as data loss, malware and phishing so these organizations can focus on their unique missions.

For Impact Week, we are excited to share how Project Galileo participants and partners use Cloudflare’s Zero Trust products to keep their operations running smoothly.

CyberPeace Institute

We started partnering with the CyberPeace Institute for Project Galileo in 2022. As part of our partnership, we have worked to provide our cyber security services to at-risk organizations around the world.

Established in 2019, the CyberPeace Institute is an independent and neutral nongovernmental organization, headquartered in Switzerland, whose mission is to ensure the rights of people to security, dignity and equity in cyberspace. The Institute works in close collaboration with relevant partners to reduce the harms from cyberattacks on people’s lives worldwide. By analyzing cyberattacks, the Institute exposes their societal impact, how international laws and norms are being violated, and advances responsible behavior to enforce cyberpeace.

Since our partnership began, we’ve been working to onboard their organization to Cloudflare Zero Trust, to secure critical applications and protect employees from online threats.

“The CyberPeace Institute works with humanitarian non-governmental organizations (NGOs) to protect their operations and build their cyber capabilities, data and resources in an increasingly complex digital environment. Both the Institute and Cloudflare share a core motivation to ensure the rights of people to security, dignity and equity in cyberspace. This alignment gives us confidence that Cloudflare is the right strategic partner as we evolve with our mission. We are grateful for the support of Project Galileo,” stated Stéphane Duguin, Chief Executive Officer, CyberPeace Institute.

The Information Technology Disaster Resource Center

The Information Technology Disaster Resource Center is a nonprofit composed of thousands of service oriented technical professionals and private sector partners that assist in disaster response operations in the United States. These teams train and work in collaboration with NGOs and first responders to deliver emergency communications and technical solutions to aid communities in crisis. ITDRC provides connectivity, Wi-Fi hotspots, cell phone charging stations, and Internet-enabled computers for shelters, fire camps, and community recovery. A key part of their mission is to leverage technology to connect survivors and responders amid crises.

ITDRC started using Cloudflare in 2020 when they were accepted to Project Galileo. Since then, they have implemented many Zero Trust products to secure their volunteers and employees.

Chris Hillis, Co-founder at ITDRC, says, “Cloudflare Zero Trust is essential to securing our employees, volunteers, and disaster survivors on site and in the field. Cloudflare delivers secure, reliable, and fast connectivity to the Internet and critical applications that our teams need to respond to disasters effectively. Setting up policies has been simple for our administrators, and our team benefits from a safer, faster experience, whether accessing internally hosted applications, or the broader Internet. With Cloudflare Access, we are able to ensure that team members receive a consistent user experience accessing internal applications based on their role, all while utilizing our existing identity provider and securing our infrastructure. Utilizing Cloudflare Gateway adds an additional layer of security to our networks and devices, helping to protect our users from external threats, and themselves.”

Meedan

Meedan is a global technology not-for-profit that builds software and programmatic initiatives to strengthen journalism, digital literacy, and accessibility of information online and off. They develop open-source tools for creating and sharing context on digital media through crowdsourcing, annotation, verification, archival, and translation. Their projects span issues including election monitoring, pandemic response, and human rights documentation.

Aaron Huslage, Director of Systems and Security at Meedan, says, “Meedan and Cloudflare both share a vision of a more equitable, safer Internet. We were proud to be a founding member of Project Galileo in 2014 and support the work that program has done to protect Human Rights Defenders around the world. Closer to home, Cloudflare helps our employees be more secure and productive when creating and distributing our open source software.”

Organization of American States

The Organization of American States is the world’s oldest regional organization, dating back to the First International Conference of American States, held in Washington, D.C., from October 1889 to April 1890. Its 35 members focus on four main pillars — democracy, human rights, security, and development. It serves as a home for multilateral dialogue on topics such as the rights of indigenous peoples, territorial disputes, and regional goals for education.

“The partnership with Cloudflare will help the Organization of American States (OAS) democratize best-in-class security to modernize and strengthen our internal cybersecurity posture with a Zero Trust approach, delivered in the cloud, without sacrificing our workforce performance.” Andrew Vanjani, OAS Chief Information Officer.

How do I get started?

First, we want to thank all of our civil society partners that we work alongside to offer Cloudflare protection and work with us to extend even more products to organizations around the world. If you are an organization looking for protection under Project Galileo, please visit our website: cloudflare.com/galileo.

Two months later: Internet use in Iran during the Mahsa Amini Protests

Post Syndicated from James Allworth original https://blog.cloudflare.com/two-months-later-internet-use-in-iran-during-the-mahsa-amini-protests/

A series of protests began in Iran on September 16, following the death in custody of Mahsa Amini — a 22-year-old who had been arrested for violating Iran’s mandatory hijab law. The protests and civil unrest have continued to this day. But the impact hasn’t just been on the ground in Iran — the impact of the civil unrest can be seen in Internet usage inside the country, as well.

With the proliferation of smartphones and the ubiquity of the Internet that has resulted, it’s no longer simply the offline world impacting the Internet; what happens on the Internet is impacting the offline world, too. For that reason, it’s not surprising that in order to limit the spread of the protests — both news of it happening and the further organization of civil unrest — the Iranian government introduced limits on the Internet. This included banning certain social media and communications tools: most notably including Instagram and WhatsApp, which are estimated to be used by over 50% of the Iranian population.

But despite the threat that the protests pose, and the Internet’s enabling role in them, it has not been cut off altogether. In fact, from the perspective of Cloudflare, Internet use in Iran has surged since the beginning of the protests.

This is a story of how critical the Internet has become to life, even in authoritarian regimes — and how, even after 12 years of planning, Iran has been unable to consistently cut off access to the Internet outside the country.

A history of control

Kafinet — Internet cafés — emerged in Iran in the late 90s and early 2000s. Internet use became prolific. But in 2005, it began to change with the election of the conservative President Ahmadinejad. The idea of an “Iranian Internet” was proposed — one that was consistent with the policies and principles of the Iranian government, and able to be controlled and regulated domestically — as opposed to how the Internet operated overseas. From a technical perspective, the hope was an Iranian Internet would still be able to work inside the country, even if it was fully disconnected from the outside world. While the idea was discussed, no real work on it truly began until 2009, when the Green protests — a series of mass protests following the disputed reelection of President Ahmadinejad — caused the government to appreciate the potential risk that the Internet posed. It was around this time that ISPs needed approval from the government to operate, and were required to filter content in order to continue to gain that approval.

In 2013, Iran took things a step further, and began work on a National Infrastructure Network (NIN), with the aim of recreating within Iran all the essential Internet services like search and messaging that had traditionally been provided by organizations outside of Iran. It was coupled with policies that subsidized and encouraged the use of these local services; which, as they were hosted domestically, made monitoring and filtering much more feasible.

It was not quite as extreme as the Chinese approach to the Internet, where similar overseas services were banned altogether, but it was certainly a shift in that direction. And given the limited number of physical network connections from Iran to the outside world, it was much more feasible for the government to take the step of cutting off Internet outside the country — while allowing select infrastructure within it (such as banking and government services) to remain online.

Iran has deployed such tactics previously: most notably during protests in November 2019, triggered by an increase in fuel prices.

The initial response

Our earlier blog covered the initial response to the protests extensively.

To provide context, four providers account for 85% of traffic in Iran (measured over the last week): three mobile and one fixed/wireline.

As a baseline, the following traffic mix is what Cloudflare saw from these four major network providers in Iran the week before the protests started:

The protests began on September 16. You can see the government’s response in the Internet traffic, with a shutdown implemented that lasts the better part of a day:

However, in the following days, traffic appears to return to a somewhat normal pattern.

What happened subsequently

Looking beyond that week, however, Internet usage picks up massively from the baseline as the protests spread across the country. Also of note: the “curfews” on the mobile networks that were implemented in that first week continued. You can see the troughs for all but the fixed Internet provider as traffic drops to near zero.

What traffic looks like now

Looking at a more recent week, two things stand out: the level of network activity across the major providers in Iran remains much higher than it was previously. Also, the curfews appear to have been lifted, with Internet traffic declining overnight, but not “flatlining” as it was in the graphs above.

The web persists, even in Iran

While the initial response of the Iranian government to the protests was to dramatically scale back access to the Internet, the government did not persist with the policy. Our hypothesis is that the Internet has become too important to economic activity and also everyday life for the country to be able to continue to operate without it. Despite Iran having spent almost 10 years developing a NIN — an Iranian Internet — it appears that, in part because of the protests, traffic from the major Iranian networks to Cloudflare has picked up substantially, and the curfews have ceased.

While certain Internet properties continue to be blocked without access to a VPN — WhatsApp, for example — the idea that a country can simply disconnect itself from the Internet into a country-specific “splinternet” is being further and further tested. Even in a country like Iran, subject to sanctions and with a government-led policy of attempting to recreate core services within a country, access to the broader Internet is too important to simply shut off.

The latest on attacks, traffic patterns and cyber protection in Ukraine

Post Syndicated from Alissa Starzak original https://blog.cloudflare.com/ukraine-update/

On February 24, 2022, when Russia invaded Ukraine, Cloudflare jumped into action to provide services that could help prevent potentially destructive cyber attacks and keep the global Internet flowing. In the nearly 10 months since that day, we’ve posted about our actions, network traffic patterns, cyberattacks and network outages we’ve seen during the conflict.

During Impact Week, we want to provide an update on where things currently stand, the role of security companies like Cloudflare, and some of our takeaways from the conflict so far.

Cyberattacks on Ukrainian infrastructure and Cloudflare’s assistance

Since the time of the invasion, Ukrainian government and civilian infrastructure has come under a barrage of DDoS and other common cyberattacks. Although the public perception has been that cyberattacks have not played a significant role in the conflict, cyberspace has been an active battlefield. Ukrainian websites saw a significant spike in application layer firewall mitigated attacks in March 2022 and another spike in mid-September. Ukrainian sites have also seen a significant increase in the percentage of requests that were mitigated as attack traffic on a daily average, when compared with Q4 2021. Those spikes are shown below, using a seven-day rolling average:

Note: our Firewall blocks malicious HTTP requests: e.g. L7 DDoS requests, hacking attempts, vulnerability scanning, brute force login attempts

Nor have the attacks abated as the conflict has worn on. Although we’ve seen a reduction in firewall mitigations, in recent months we have seen spikes in DDoS attacks. On a number of occasions in September and October, DDoS attack traffic amounted to more than 80 percent of all traffic to sites on the .ua top level domain, as shown in the chart below.

Cloudflare was proud to play a role in ensuring that these types of widespread DDoS and other cyberattacks did not disrupt the Ukrainian Internet. Cloudflare has offered free services and support to a wide variety of Ukrainian government and infrastructure providers to help address those attacks since the beginning of the conflict. We currently protect approximately 130 Ukrainian domains in this program, run by more than 50 different Ukrainian government agencies and companies.

Many nonprofit groups trying to operate in the region by helping refugees, documenting war crimes, sharing information and providing local services have also had to contend with cyberattacks. We expedited the onboarding of these groups onto Cloudflare’s Project Galileo, Cloudflare’s project to provide free services to vulnerable non-profits and human rights defenders. Since the invasion, we have onboarded 54 organizations in Ukraine to Project Galileo. Overall, we protect 79 organizations in Ukraine. We currently protect 130 organizations in the broader region, with 77 organizations (including those in Ukraine) onboarded to the project during the crisis.

New models of security

As Russian troops advanced deep into Ukraine earlier this year, the physical security of Ukrainian Internet infrastructure became as much a concern as the digital security. Companies and data centers operating in the region had to plan for possible degradation of the infrastructure through power outages or bombings as well as the possibility that Russian forces might get physical access to their offices or equipment. This reality raised both security and data destruction concerns.

Cloudflare took steps to secure our infrastructure in the region, configuring our machines to brick themselves if they lost power or connectivity. We carefully monitored activity in the region, ensuring that we would be aware of any notable changes in circumstances. We also secured our customers’ data, moving customer key material out of our data centers in the region. We’ve continued to operate our services in the region with Keyless SSL.

The Russian occupation of Ukraine highlighted the importance of having networks and digital defense systems that extend beyond a single country’s borders. Ukrainian government agencies and companies looking to make sure they could continue to provide vital services migrated their data to public clouds, allowing them to move it to safety in data centers throughout Europe. Cloudflare’s massive global network allowed those same entities to easily mitigate cyberattacks in the country where the attacks originated, rather than battling massive influxes of traffic and attacks inside Ukraine.

The possibility that Russian troops would get physical access to work locations also brought into sharp view the need for entities to have granular control over access to internal systems and applications. Companies needed to be able to quickly and efficiently withdraw access for those who might have remained in the region. Cloudflare saw a spike in demand for our zero trust solutions, prompted by those concerns about possible lateral movement in the event of a breach, as well as the need for VPN availability and performance.

Internet disruptions and routing as tools in armed conflict

The world has been watching as the Ukrainian Internet has become a tool in the ongoing conflict. Internet shutdowns in war torn areas disrupt critical communications, making it challenging for people to learn about the safety of their loved ones and to disseminate information about events on the ground to the world.

At Cloudflare, we have tracked dozens of Internet outages in Ukraine since the beginning of the conflict, caused by power outages and Russian attacks. We continue to publicly report on outages in the Cloudflare Radar Outages Center.

Some of these outages also raise significant questions. On September 1, 2022, for example, the day the International Atomic Energy Agency (IAEA) inspectors arrived at the Zaporizhzhia Nuclear Power Plant, there were Internet outages in two local ISPs that service the area. Those outages lasted until September 10, as shown in the charts below.

[Charts: Internet outages at two local ISPs, September 1 to September 10, 2022]

The Russian military also took advantage of its occupation of parts of Ukraine to manipulate Internet access. In multiple instances, they took charge of local telecoms, forcing the rerouting of Internet traffic through Russia or even a complete change of traffic to a Russian Internet service provider. Between May 1, 2022, and September 1, 2022, Cloudflare tracked more than 20 networks whose routing was altered to a Russian Internet service provider. Eleven of those networks had routes altered between May 29, 2022, and May 31, 2022, just as Ukraine announced its counteroffensive in Kherson. Those actions resulted in imposition of the same Russian controls, surveillance, and censorship as the Internet within Russia, giving Russia significant control over the information environment in the affected areas.

What’s next?

We can’t predict how long the war in Ukraine will last, but we do know that the need for a secure and reliable Internet there is as critical as ever. At Cloudflare, we’re committed to continue providing tools that protect critical services from cyber attack, improve security for those operating in the region, and share information about what is happening with the Internet inside Ukraine.

How Cloudflare helps secure the inboxes of democracy

Post Syndicated from Ayush Kumar original https://blog.cloudflare.com/securing-the-inboxes-of-democracy/

We at Cloudflare believe that every candidate, no matter their political affiliation, should be able to operate their campaign without having to worry about the risk of cyberattacks. Malicious attackers such as nation-state threat actors, those seeking monetary reward, or those with too much time on their hands often disagree with our mission and aim to wreak havoc on the democratic process.

Protecting Email Inboxes Is Key In Stopping Attacks

In the past years, malicious actors have used email as their primary threat vector when trying to disrupt election campaigns. A quick search online shows how active attackers still are in trying to compromise election officials’ email inboxes [1]. Over 90% of damages done to any organization are caused by a phishing attack, making protecting email inboxes a key focus. A well-crafted phishing email or an errant click could give an attacker the opportunity to see sensitive information, disseminate false information to voters, or steal campaign donations.

For the United States 2022 midterm elections, Cloudflare protected the inboxes of over 100 campaigns, election officials and public organizations supporting elections. These campaigns ranged from new officials seeking spots in their local elections to incumbents in the national government. In the three months leading up to the recent elections, Cloudflare processed over 20 million emails and stopped around 150K phishing attacks from making their way into campaign officials’ email inboxes.

Political Campaigns Are Attacked Consistently

Some campaigns were targeted more than others. For example, the campaign of a specific incumbent seeking re-election in the US Senate saw their staff members receiving over 35 malicious emails on average every day. And attackers were not just phishing for credentials but also trying to impersonate officials. We saw over 10 thousand emails sent in the three-month span that were using the names of those running for office without their permission.

Below are the metrics we saw from the campaign of a senator whom attackers frequently tried to phish.

[Figure: metrics from the senator’s campaign]

A candidate for the US House of Representatives saw their staff members receive an email with the subject “Staff Payroll Review” that asked them to access a document link.

Looking at the email, it would be tough to distinguish it from a valid internal email. It contained a valid email footer and branding that is consistent with the campaign. However, Area 1 models found several discrepancies within the metadata of the email and marked it as malicious.

Our models found that the domain sending these emails was suspicious based on how similar it was to the representative’s actual campaign email domain. We refer to this as domain proximity. Analysis of the link found in the email also showed that it was recently registered, adding further suspicion about the validity of the email.

Taking in all the data points, Area 1 made sure that the email never made it to any campaign staff’s mailbox and prevented the loss of data and money.

Another common attack campaigns see is the use of malicious attachments. These attachments can range from containing ransomware to data uploaders. The goal is to either slow down the politician’s campaign or exfiltrate sensitive information.

Attackers will use misdirection by either changing the extension of the attached file or by mentioning in the body of the email that the attachment is something more innocuous. We saw this in action for another campaign where a staffer was sent a targeted email asking them to download a purchase order.

Someone who processes hundreds of purchase orders a day does not have the time to thoroughly scrutinize every email and instead will focus on getting the money paid, so operations are not halted. Area 1’s models saved the staffer time and assessed this email to be malicious.

Our models first noticed that the attachment was a 7-Zip file called PO567.7z. Most purchase orders are sent as PDFs, so seeing one sent as a 7z compressed file was concerning. Another data point the models assessed as anomalous was the poor sentiment. The email not only had a glaring grammatical mistake (i.e. “Dear Info,”) but also had poor message tone, since it lacked common information found in legitimate purchase order emails.

All these signals, combined with the fact that this is the first time the recipient has ever received communications from the sender, triggered Area 1 to stop the email from making it into any mailbox.
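The deterministic signals named in the two cases above (domain proximity, a recently registered link domain, an unexpected attachment type, a first-time sender) can be written as explicit checks. This is an added illustration, not Area 1's models or code; the campaign domain, thresholds, registration dates and sample messages are constructed assumptions, and the sentiment signal is not modelled.

```python
import re
from datetime import date
from email.message import EmailMessage
from email.utils import parseaddr

# Assumptions for this example (none of these values come from the original post).
PROTECTED_DOMAIN = "smithforcongress.example"  # the campaign's real mail domain
MAX_EDIT_DISTANCE = 2                           # how close counts as a look-alike
NEW_DOMAIN_DAYS = 30                            # "recently registered" window
EXPECTED_PO_EXTENSIONS = {".pdf"}               # how purchase orders normally arrive
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "5": "s"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold(domain: str) -> str:
    """Lower-case and collapse a few visually confusable character sequences."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m")


def is_proximate(domain: str, protected: str = PROTECTED_DOMAIN) -> bool:
    """True for a look-alike of the protected domain, never for the domain itself."""
    if domain.lower() == protected.lower():
        return False
    return edit_distance(fold(domain), fold(protected)) <= MAX_EDIT_DISTANCE


def assess(msg, known_senders, registered_on, today):
    """Return the suspicious signals found in one message, in a fixed order."""
    signals = []
    sender = parseaddr(str(msg["From"] or ""))[1].lower()
    if is_proximate(sender.rpartition("@")[2]):
        signals.append("domain_proximity")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    for host in re.findall(r"https?://([^/\s:]+)", text):
        created = registered_on.get(host.lower())
        if created and (today - created).days <= NEW_DOMAIN_DAYS:
            signals.append("recent_link_domain")
            break

    subject = str(msg["Subject"] or "").lower()
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = "." + name.rpartition(".")[2] if "." in name else ""
        looks_like_po = "purchase order" in subject or name.startswith("po")
        if looks_like_po and ext not in EXPECTED_PO_EXTENSIONS:
            signals.append("unexpected_attachment_type")
            break

    if sender not in known_senders:
        signals.append("first_time_sender")
    return signals


def build(sender, subject, body, attachment=None):
    """Build a constructed sample message (test data, not a real email)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "staff@" + PROTECTED_DOMAIN, subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"constructed bytes", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg


# Constructed inputs. REGISTERED_ON stands in for an RDAP/WHOIS lookup.
TODAY = date(2022, 11, 1)
KNOWN_SENDERS = {"finance@smithforcongress.example"}
REGISTERED_ON = {"payroll-docs.example": date(2022, 10, 20)}

PAYROLL = build("HR <hr@smithforcongres.example>", "Staff Payroll Review",
                "Please review: https://payroll-docs.example/review")
PURCHASE_ORDER = build("sales@unknown-vendor.example", "Purchase order",
                       "Dear Info, see attached.", "PO567.7z")
ROUTINE = build("finance@smithforcongress.example", "Purchase order",
                "Hi team, the signed order is attached.", "PO566.pdf")

if __name__ == "__main__":
    for label, m in (("payroll", PAYROLL), ("po", PURCHASE_ORDER), ("routine", ROUTINE)):
        print(label, assess(m, KNOWN_SENDERS, REGISTERED_ON, TODAY))
```

No single check decides the outcome here; as in the cases described, it is the combination of signals on one message that justifies holding it.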

These examples speak about the trust that campaigns place in Cloudflare. Our ability to scan millions of emails and prevent dangerous ones from making it into mailboxes while allowing safe ones to reach their intended recipients with no interruptions is why so many campaigns chose Cloudflare’s Area 1 product to secure their mailboxes and by extension secure our democratic institutions.

Cloudflare’s Area 1 Solution

All this is possible because of Area 1’s preemptive campaign discovery and machine learning algorithms which analyze various threat signals, from email attachments, to the sender’s domain, to sentiment within the email itself in order to assess whether an email is malicious or not.

We also made Area 1 easily deployable, ensuring that campaigns are protected right away rather than having to spend time configuring hardware, agents, or appliances. Cloudflare also knows that election campaigns struggle to apply the appropriate email hygiene and authentication controls, stipulated by industry standards (such as SPF / DKIM / DMARC).

These can be complex and take time to implement. The rapid cycle of new campaigns makes it harder to set up the right email authentication controls that conform with industry best practices. Given that, it is all the more vital to ensure there are strong inbound technical controls against phishing and email-based attacks, letting campaigns focus on what’s most important: spreading their message to their constituents in the most effective and secure manner possible.

We know that those who seek to become political leaders have a target on their backs from attackers looking to disrupt the democratic process.

At Cloudflare, we believe in creating a better Internet and that means ensuring that inboxes remain secure. If you would like to learn more about how Area 1 works and other ways we protect email inboxes, please check out the Area 1 product page here.


1) https://www.cbsnews.com/feature/election-hacking/

The challenges of sanctioning the Internet

Post Syndicated from Laura Klick original https://blog.cloudflare.com/the-challenges-of-sanctioning-the-internet/

Following Russia’s invasion of Ukraine, governments around the world, including the US, UK, and EU announced sweeping sanctions targeting the Russian and Belarussian economies. These sanctions prohibit a specified level of economic activity in an effort to use economic influences to punish targeted countries. Almost overnight, we saw unprecedented restrictions put in place for multinational companies doing business in Russia or Belarus.

Separately, recent events in Iran led the US government to authorize additional Internet/communications activities, which were being used widely by average Iranians protesting against the government. This was done by expanding some existing licenses, or exceptions, to sanctions the US has imposed on Iran.

While the use of sanctions as a tool for responding to foreign relations crises is nothing new, the wide-ranging multilateral sanctions that have been imposed on Russia and the recent authorizations in Iran are significant and provide fresh examples of how sanctions can affect access to a free and open global Internet.

Balancing interests in sanctions policy

Cloudflare is committed to complying with all applicable sanctions, including US, UK, and EU sanctions, and we have put in place programs to ensure that compliance. At the same time, we recognize the important role we and other Internet infrastructure companies play in protecting a key human right and principle also supported by the US, UK, and EU governments: free expression online.

One overarching principle of sanctions policy is that sanctions are intended to increase the cost of violating international norms and ultimately force authoritarian regimes and malicious actors to change behavior. The purpose of sanctions is not to punish or isolate ordinary citizens of a particular country or region. In fact, ordinary citizens can be powerful catalysts for the policy changes that sanctions are seeking to achieve. However, as we’ve seen over and over again, changes in policy, particularly in countries that have authoritarian regimes, do not happen overnight, and they often depend on the ability of individuals to communicate with each other and with the rest of the world. For example, in Iran, we’ve witnessed the important role that social media has played in helping support and spread the protest movement sparked by the killing of Mahsa Amini. Similarly, in the wake of Russia’s invasion of Ukraine, ordinary Russians continue to look for ways to access non-Russian news sources via private Internet access tools and VPNs.

It’s a tricky balance to impose costs on bad actors while maintaining open lines of communication for ordinary citizens, but it’s a balance that we’ve seen the US Government take a leading role in preserving, even in areas where most other transactions/activities might otherwise be prohibited. For example, the key US law authorizing the executive branch to deploy sanctions exempts “any postal, telegraphic, telephonic or other personal communication, which does not involve a transfer of anything of value.” The US government also has a long tradition of issuing authorizations, also known as General Licenses, permitting additional telecommunications and Internet-related activities, including in Cuba, Iran, Russia, Syria, and certain restricted regions of Ukraine. This means that US companies, like Cloudflare, can continue to provide many products and services that support free and secure Internet communications.

Although these exemptions and licenses can help the US Government establish the policy goal of supporting Internet freedom, they are only effective if private sector companies make use of them. That may be easier said than done. Because of the financial and reputational penalties that can be imposed if a company violates sanctions, even inadvertently, companies often have an incentive to take a simple and blunt approach to sanctions compliance without trying to do the nuanced thing and availing themselves of the exceptions in the General Licenses. Companies have to invest significant time and money into understanding the legal requirements and applicable exemptions and licenses when deciding whether to provide services in high risk countries. Cloudflare has made these investments because they align with our goal of helping build a better Internet and making a free and secure Internet accessible to all.

As governments continue to use sanctions as a foreign policy tool, we think it’s important that Internet infrastructure companies discuss how the legal framework is impacting their ability to support a global Internet. Described below are some of the key issues we’ve identified and ways that regulators can help balance the policy goals of sanctions with the need to support the free flow of communications for ordinary citizens around the world.

There are two broad categories of sanctions: (1) country-/region-based, and (2) individual/entity list-based. Sanctions can vary across jurisdictions, meaning that US sanctions look different from EU and UK sanctions and there can be significant differences. Companies that operate around the world have to pay close attention to individual rules and regulations to ensure compliance with sanctions.

Country-/region-based sanctions

With respect to country-/region-based sanctions, the US government has imposed comprehensive sanctions on doing business in Cuba, Iran, North Korea, Syria, and certain restricted regions of Ukraine (Crimea, Luhansk, and Donetsk). The purpose of comprehensive sanctions is to impose severe punishments on state actors in these countries by denying them access to valuable US goods/services. You might think that this means that Internet companies are therefore barred from providing services to these countries/regions, but that’s where things get complicated. The US government has issued General Licenses, which authorize US companies to engage in certain Internet- and telecommunications-related activities.

While these General Licenses are helpful in that they may authorize peering services, VPN, SSL certificates, and other services incident to the exchange of communications over the Internet, the activities authorized vary across sanctioned jurisdictions. In some countries/regions (e.g., Cuba, Iran, and the Donetsk and Luhansk regions), except for government parties, some free and paid services are authorized, but in other instances (e.g., Crimea and Syria), all authorized services must be available at no cost to the user. Along the same lines, some General Licenses list specific types of services/products that may be provided, while others leave it up to a company to make their own determination whether a product/service is authorized by the terms of the license. Neither the UK nor the EU has issued any Internet-related General Licenses, which has become a particular issue in the context of Russia where there are now significant restrictions in place.

With respect to Iran, the US government recently issued a new General License that broadens the products/services authorized and provides other clarifications to make it easier for companies to provide Internet services to ordinary Iranians. The new General License is encouraging for companies, like Cloudflare, that would like to help support access to the broader Internet for ordinary Iranian citizens. But as with any new policy, it takes time for companies to understand the changes and make decisions about whether to invest additional time and resources to expand services offerings in a high risk country like Iran. Given the significant restrictions that have been imposed on doing business in Iran over the years, there are a number of logistical challenges with seeking to enter a market where so many activities remain prohibited. Moreover, there is always a risk that sanctions policies can change, so companies will take this into account when weighing whether to deploy expensive hardware/equipment or make other long-term investments.

Party-based sanctions

Apart from country-based sanctions, many governments, including the US, UK, and EU maintain list-based sanctions, which prohibit dealings with specific listed parties. Like many multinational companies, Cloudflare screens customers and other third parties to identify links to sanctioned parties. We do not engage in any transactions with or provide services to any parties that have been listed on applicable sanctions lists or any parties that are owned or controlled by such parties and our Terms of Service prohibit sanctioned parties from using our services.

Over the years, the US government has continued to add parties to its sanctions list. Notably, when the US government adds a party to the sanctions list, it will include corresponding identifying information, including possible aliases, physical address, as well as email address and domain names to the extent they are known. The UK has also started adding domains and email addresses, but those domains and email addresses do not always align with what is on the US list, creating further complexities for multinational companies in this space.

While there are a number of sanctions screening providers that will help companies conduct due diligence on third parties they are considering doing business with, email addresses and domains are not automatically screened. This can be challenging for Internet infrastructure companies for whom email addresses and domain names are critical pieces of data when onboarding a customer. With limited automated solutions, companies must invest significant time and resources building proprietary tools that block sanctioned domains and email addresses from signing up for their services.

Cloudflare may also receive abuse reports alleging that domains are operated by sanctioned parties. However, unless a domain is listed on a sanctions list, it can be challenging to determine if a domain is subject to sanctions. Without clear guidance from regulators, companies must develop their own processes for reviewing these reports. While it is important that companies terminate services to domains owned or operated by a sanctioned party, it’s also critical that they do so in a way that is fair and consistent.

Implications for a free and open Internet

Sanctions are an important tool for responding to geopolitical challenges, and they can help impose economic costs on parties that violate international norms, including human rights. However, sanctions can also have unintended consequences when they are not properly deployed. While regulators have learned a number of lessons over the years when imposing sanctions on more traditional sanctions targets, like the financial and energy sectors, the global Internet remains a complicated area that has only recently become a more prominent focus of sanctions. With the technology constantly evolving and a number of different parties involved in maintaining a secure and reliable Internet, it is critical that regulators are clear about their expectations and seek to minimize any chilling effects.

Key stakeholders involved in maintaining a free and open Internet are likely to continue exiting sensitive markets in the absence of clear guidance from regulators. This will only lead to further fragmentation of the global Internet and open the door for authoritarian governments to monitor and control global communications – an outcome that clearly undermines the policy goals of the sanctions. These are complicated issues, and we don’t pretend to have all the answers. But, there are things that regulators can do to mitigate unintended consequences of sanctions policies and promote a free and open Internet. Here are a few key points that we advocate to policymakers:

  • Continue partnering with stakeholders to understand practical implications before imposing new sanctions and determine where additional clarifying guidance might be helpful.
  • Apply a consistent and coordinated approach to exemptions/authorizations to make it easier for multinational companies to provide services in challenging jurisdictions.
  • Provide clear guidelines for Internet-related companies as to when a domain or user may be subject to sanctions (i.e., adding domain names and email addresses to applicable sanctions lists) and ensure consistency across jurisdictions.

Looking forward

An integral part of Cloudflare’s mission to help build a better Internet involves making sure that ordinary individuals have access to a free and secure Internet. While global sanctions will continue to present challenges to Internet infrastructure companies, like Cloudflare, we are committed to both compliance with applicable sanctions and helping to maintain open lines of communication around the world–and we will continue to advocate for policies that do the same.

Cloudflare Zero Trust for Project Galileo and the Athenian Project

Post Syndicated from Sam Rhea original https://blog.cloudflare.com/cloudflare-zero-trust-for-galileo-and-athenian/

The organizations served by Projects Galileo and Athenian face the same security challenges as some of the world’s largest companies, but lack the budget to protect themselves. Sophisticated phishing campaigns attempt to compromise user credentials. Bad actors find ways to disrupt connectivity to critical resources. However, the tools to defend against these threats have historically only been available to the largest enterprises.

We’re excited to help fix that. Starting today, we are making the Cloudflare One Zero Trust suite available to teams that qualify for Project Galileo or Athenian at no cost. Cloudflare One includes the same Zero Trust security and connectivity solutions used by over 10,000 customers today to connect their users and safeguard their data.

Same problem, different missions

Athenian Project candidates work to safeguard elections in the United States. Project Galileo applicants launched their causes to support journalists, encourage artistic expression, or protect persecuted groups. They each set out to fix difficult and painful problems. None of the applicants to our programs wrote their mission statement to deal with phishing attacks or internal data loss.

However, security problems plague these teams. Instead of being able to focus on their unique mission, these groups spend money, time, and energy attempting to defend from attacks. The headaches range from expensive distractions to outright breaches. Even the mundane work to connect employees to important tools continues to be a headache. Every chore or incident takes away from the ability of these organizations to advance their cause.

We built Cloudflare One to solve the common security problems that can derail any team. Our mission is to help build a better Internet and, in doing so, we create tools that allow the groups served by the Athenian Project and Project Galileo to spend as much of their day as possible solving their own unique challenges.

The products we are making available today provide security against a broad, and growing, range of attacks that target how a team works together on the Internet. Project Galileo and Athenian candidates can choose to start in any place depending on their existing security challenges. If you need a guide on where to get started, we’ve broken down three common first steps that we recommend.

1) Stop phishing attacks

Many phishing attacks start with a malicious link buried in a single email from a sender that seems trustworthy. A user in your organization clicks on that link, believing it to be from a teammate or manager, and lands on a website that looks almost identical to your identity provider or one of the web applications they use every day. They input their username and password, sending their credentials directly to the attacker.

Cloudflare One’s email security, our Area 1 product, is our first line of phishing defense. Area 1 scans the emails headed to your organization for the presence of potential phishing campaigns and other types of security attacks. Malicious messages never arrive, and the emails that your team should receive are not interrupted. You can deploy Area 1 in minutes with a few changes to your DNS records to safeguard your Microsoft 365, Gmail, or nearly any other email deployment.

As part of today’s announcement, we are making Area 1 available to Project Galileo and Athenian organizations at no cost. The same level of protection trusted by large corporations from Werner Enterprises to Fortune 500 consumer packaged goods firms is now available to your team.

In some cases, an email evades detection or the phishing link reaches your users through other channels. Cloudflare One can still help. When your team members navigate the Internet, they rely on DNS queries made by their device in order to translate the hostname of a website to the IP address of the server. Their device sends those queries to a DNS resolver.

Cloudflare runs the world’s fastest DNS resolver, 1.1.1.1, and we offer a security version that also filters DNS queries made to destinations that are known to be malicious. If a user accidentally clicks on a link from a text message or in a website, their device first sends that DNS query to Cloudflare. If dangerous, we stop the query before the malicious destination can load. If benign, we’ll respond with the destination faster than other resolvers.

Cloudflare’s DNS filtering keeps the US Federal Government safe, but can be deployed by teams of any size. You can secure entire office networks with the change of one router setting or deploy our roaming agent to keep your users safe wherever they work. Together with email protection, your team can filter out phishing attacks in a defense-in-depth approach.

2) Connect employees and partners

Many teams that qualify for Project Galileo had to find ways to work across geographies long before the pandemic sent employees home from other companies. These teams typically deployed a legacy virtual private network (VPN) to allow team members from across the world to reach the tools they needed to collect data, file stories, or submit research. At best, those VPN deployments slowed down user connectivity and introduced maintenance headaches. At worst, they gave anyone on the network overly broad access to nearly any resource.

With Cloudflare One, your team can operate in any location and still reach your internal tools while controlling exactly who can access which application or service. Organizations that need to operate a traditional private network can run one on Cloudflare by deploying our device client (WARP) on user endpoints and establishing outbound connections to our global network via Cloudflare Tunnel. Users enjoy the performance and availability of Cloudflare’s network while administrators can build granular permissions without the need for additional application development.

We also know that many Galileo and Athenian organizations work alongside hundreds or thousands of partners and volunteers. Those users need to also reach internal resources but are not willing or able to install software on their personal devices.

To solve that challenge, Cloudflare One can be deployed in a fully clientless mode that can use multiple identity providers including consumer options like Google, Facebook, and LinkedIn. Users authenticate with the single sign-on option they already use from any mobile or desktop device. Administrators control which users can reach specific applications while logging every attempt.

3) Secure your team’s path to the Internet

Beyond phishing attacks, bad actors target organizations with other types of threats like malware hidden in downloads. Researchers and journalists exploring a topic with untrusted sources can bring ransomware back into the entire organization. Team members connecting to the Internet from a hotel Wi-Fi network can have unencrypted DNS queries monitored and reported.

Cloudflare One provides every member of your team with an encrypted, secured on-ramp to the entire Internet. Powered by the same Cloudflare WARP agent that helps millions of users enjoy a more private Internet connection, Cloudflare’s Secure Web Gateway filters all Internet-bound traffic for hidden threats.

When users inadvertently connect to a malicious destination, Cloudflare One will block the attempt and present them with a page explaining what just happened. In the other direction, Cloudflare’s network scans downloads for malware and blocks the download before the user can open it.

The same filtering can be extended to keep sensitive data from leaving your organization. You can build rules that flag file uploads that contain personal information or patterns that are unique to your team or focus area. With just a few clicks, you can create policies that prevent the accidental or malicious loss of data while also restricting uploads to approved destinations.

All without the need for an enterprise IT department

Today’s announcement makes the security technology deployed by the world’s largest enterprises available to organizations of any size. And, despite the broad impact of Athenian and Galileo organizations, that size tends to be smaller.

The teams supported by Project Galileo focus limited resources on advancing journalism, artistic expression, human rights, and other causes. The state and local governments who qualify for the Athenian Project spend their days protecting democracy in the United States. Both groups tend to lack the resources of a Fortune 500 to staff and operate a large IT department.

We built Cloudflare One as a service that a team could configure and deploy in a matter of hours and still benefit from comprehensive Zero Trust security. We’ve published a Zero Trust Roadmap that your team can use to determine how to get started with guidelines for the time required at each step.

How to get started

We’re excited to extend Projects Galileo and Athenian to include Cloudflare One. Are you an existing qualified organization or interested in applying? Follow the link here and here to get started.

If you are not part of Project Galileo or Athenian, but still want to begin deploying Cloudflare One, we make the service available at no cost to teams of up to 50 users. Click here to sign up.

Welcome to Cloudflare’s Impact Week

Post Syndicated from Matthew Prince original https://blog.cloudflare.com/welcome-to-cloudflares-impact-week/

In the early days of Cloudflare, we made it a policy that every new hire had to interview with either me or my co-founder Michelle. It’s still the case today, though we now have more than 3,000 employees, continue to hire great people as we find them, and, because there are only so many hours in the day, have had to enlist a few more senior executives to help with these final calls.

At first, these calls were about helping screen for new members of our small team. But, as our team grew, the purpose of these calls changed. Today, by the time I do the final call with someone we’ve made the decision to hire them, so it’s rarely about screening. Instead, the primary purpose is to make sure everyone joining has had a positive conversation with a senior member of our team, so if in the future they ever see something going wrong they’ll hopefully feel a bit more comfortable letting one of us know. I think because of that these calls are some of the most important work I do.

But, for me, there’s another purpose. I get to hear first-hand why people chose to apply. That’s a barometer for what we’re doing right, evaluated by someone with a perspective outside the organization. And, nearly every day, I hear some version of the same thing: the most consistent reason new employees want to join Cloudflare is because of our mission and the breadth of our impact.

Our team wants the work they do to have a real, positive impact for the millions of users of our services and the billions of Internet users our decisions affect downstream. It makes me smile every time someone we’re about to extend an offer to says something along the lines of “when Cloudflare pushes a new feature or product, you’re changing the entire Internet for the better. And I want to be part of that.” That’s why I continue to be excited about my job too.

It may seem like our mission to “help build a better Internet” has been around forever, but it wasn’t something we had at the beginning. It developed as the natural outgrowth of the team we assembled and the products we built. Today, it’s integral to Cloudflare’s DNA. Our team has always been optimistic about the Internet and its potential to do good, especially if it is founded on respect for certain values like security, privacy, interoperability, and wide availability.

That’s why the focus on privacy over the past few years was always easy for us. We never sold customer data to marketers — that just didn’t seem like what would be a part of a better Internet — so when it came time to comply with new privacy laws, we didn’t have to pull back operations or cut off lines of revenue. Instead, we rolled out the use of Universal SSL to expand encryption broadly for the Internet, and we created our first consumer-facing product, a privacy-first DNS resolver.

As we kick off this year’s Impact Week, we certainly see a number of challenges for the Internet, though we think the opportunities for the Internet continue to far outweigh those challenges. Around the world, we see a number of countries rejecting the opportunity to maximize the potential of the Internet, and instead, passing new laws and regulations seeking to assert narrow control of the Internet for their own self-interested purposes, including in some cases for things like commercial advantage, censorship, or surveillance.

For example, around the Russian invasion of Ukraine, we’ve seen the Russian government launch cyberattacks and use targeted Internet outages to further torment the people in Ukraine, while at the same time pressing citizens in Russia to only use Internet tools and view information controlled by the Russian government.

Yet for all those challenges, we saw a disparate group of people and companies, including Cloudflare, come together to defend Ukraine from these attacks and do everything in their power to get the Internet back online as soon as possible. Nearly a year into the war, and despite the relentless efforts of a very powerful nation, the Internet remains a positive force for good in Ukraine, a way for them to get the message out about the horrific actions of the Russian government, and a tool for dissidents inside Russia to escape the attempted grip of censorship. When Russia personally sanctioned me earlier this year I took it as a badge of honor we were doing something right.

At the same time, the promise of the Internet continues to bring increased opportunity, especially in still developing parts of the world. Increased access to reliable and secure Internet in those countries will enable education, healthcare, and commerce in ways humanity has been struggling to advance for decades.

And we’ve seen recently in Iran that the Internet remains the leading tool for liberation for oppressed voices who seek to shake the control of authoritarian governments. This led to the somewhat unusual step by the US government of relaxing some of the sanctions against Iran in order to permit companies like Cloudflare greater freedom to ensure that the general population in Iran can have access to the Internet to support their cause.

Although issues like war, oppression, and misinformation are as old as humanity itself, the Internet is novel in its ability to bring together marginalized people who previously were unable to find and engage with each other based on distance, repression, or resources. To make sure the Internet fulfills that part of its promise, Project Galileo celebrated its 8th anniversary this year, and continues to support groups that unite underprivileged girls in India, the LGBTQIA+ community in the Nile River Valley, and refugees needing health care services in a private environment. In total, through Project Galileo we provide Cloudflare’s services for free to more than 2,100 organizations in over 100 countries. That’s some of the work I’m the most proud of.

Over the course of this Impact Week, we will tell other stories about the way that the Internet, and Cloudflare specifically, provide an optimistic opportunity to improve our world. And that includes the entire world, especially as the Internet is poised to further close the gaps that have existed in Internet services to the developing world since its founding.

We will describe the way Cloudflare is focused on our own impact through emissions and the lessons we are applying to our products and operations to make sure that we are being responsible stewards of the Earth’s resources. We will review the ways that we are working to ensure that the necessary resources needed to benefit from the Internet aren’t limited to large companies with big budgets and the resources to buy the best tools.

From individuals and small businesses, to nonprofits and other community organizations, we want to make sure that the costs of cybersecurity and reliability don’t exclude those poised to benefit the most from the Internet. Specifically this year, we’re focused on making sure that sensitive groups — including local governments and critical infrastructure — are benefiting from new Zero Trust tools that are increasingly necessary for all organizations.

At the end of the week, we’ll release our annual Impact Report that provides a comprehensive review of our approach to these issues, especially when it comes to sustainability and ensuring that the Internet remains a widely-available and principled place.

We take pride in the principles that lie at the core of what we do as a company. Although many of us wake up every day scanning the Internet for the latest cyberattacks that we have to address or the latest congestion on the Internet to relieve, we are energized by the Internet’s ongoing promise to make life better for billions of people. This Impact Week we get to wake up and focus on those stories and share with you why all of us are here. We hope you are as excited as we are.

Cloudflare Innovation Weeks 2021

Post Syndicated from Reagan Russell original https://blog.cloudflare.com/2021-innovations-weeks/

One of the things that makes Cloudflare unique is our Innovation Weeks. Rather than having one large conference annually, we have multiple Innovation Weeks throughout the year to highlight new product announcements, beta products opening up to general availability, and share how our customers are using Cloudflare to help build a better Internet.

Internally, these weeks generate a lot of energy and excitement as well, as they provide an opportunity for teams from across Cloudflare to work together on product delivery and celebrate company-wide successes. In 2021, we had seven Cloudflare Innovation Weeks. As we start planning our 2022 Innovation Weeks, we are reflecting back on the highlights from each of these weeks.

Security Week March 21-26, 2021

Patrick Donahue

Security Week kicked off Cloudflare’s 2021 Innovation Weeks with a series of foundational security announcements. The Internet wasn’t built with security in mind, but the products and partnerships announced this week continued Cloudflare’s core mission of helping build a better Internet—one that companies of all sizes can plug into and be protected by default from the types of attacks that have historically resulted in loss of data, computing resources, and customer confidence.

At the start of the week, we took on the task of replacing MPLS, the core network technology that many organizations use to connect their offices and data centers, with a more secure and cost-effective alternative. Next, we tackled the biggest risk to everyday users of the web by opening our remote browser isolation technology to teams of all sizes and protecting against malicious code injection. Following those announcements, we inverted the slow, network chokepoint model of data loss prevention by building zero trust controls over data directly into every aspect of the Cloudflare One suite. And to round out the week, we democratized access to bot-fighting technology previously only available to the largest enterprises while also deepening our solutions for novel threats facing APIs.

View all Security Week 2021 Blog Posts
View all Security Week 2021 Cloudflare TV Series

Developer Week April 11-17, 2021

Alyson Cabral

With Developer Week, we had one focus – to make developers’ lives easier. Our announcements included Cloudflare Pages being made generally available, Introducing Web Socket Support in Workers, Workers Unbound, Free Tunnels, Partnering with Nvidia to bring AI to the Edge and many more announcements throughout the week. In addition to the announcements, we also launched our first ever Developer Challenge series. Each day, a new challenge was announced to encourage developers from across the globe to level up their skills by trying new features and approaches. Solutions were revealed the following day, with the bonus round solution wrapping up the week. To keep up to date on the next round of challenges, join our Cloudflare Developer community.

View all Developer Week 2021 Blog Posts
View all Developer Week 2021 Cloudflare TV Series

Impact Week July 26-31, 2021

Patrick Day

During our first Impact Week, we reflected on how we are achieving Cloudflare’s mission of helping build a better Internet and why we continue to prioritize projects that give back to the Internet. Impact Week highlighted some of the things we are doing as a company around environmental, social and governance initiatives. We launched Project Pangea, a free program to provide secure, reliable access to the Internet for community networks that support under-served communities. We also shared how we are committed to helping build a green Internet through efficiency, renewable energy, and providing developers a choice to run their workloads in the most energy efficient data centers. In addition, we published our first human rights policy in order to better serve our mission and core values.

View all Impact Week 2021 Blog Posts
View all Impact Week 2021 Cloudflare TV Series

Speed Week Sept 12-17, 2021

Marc Lamik

Helping make the Internet faster is one of Cloudflare’s core priorities. During Speed Week we shared how fast Cloudflare’s Network is as well as the amazing performance of Workers and Pages’ lightning fast speed. We expanded the size of Cloudflare’s network, so it’s closer to more people than ever.

We launched two amazing performance features with Signed Exchanges reducing load times and increasing SEO rankings with one click as well as Early Hints which can reduce loading times by 30%.

As part of Speed Week, we also announced Cloudflare Images which stores, resizes, optimizes and serves images so that all of our customers can build a scalable, affordable image pipeline.

View all Speed Week 2021 Blog Posts
View all Speed Week 2021 Cloudflare TV Series

Cloudflare Birthday Week Sept 26-Oct 1, 2021

Dane Knecht and Jennifer Taylor

This is the week in which we celebrate Cloudflare’s birthday. We launched the company 11 years ago: September 27, 2010. It has been our tradition, since our first birthday, to use this week to launch innovative products that we think of as our gift back to the Internet. In 2021, we announced Cloudflare R2, our object-based storage with no egress fees, tackled solutions to Email Spoofing and Phishing, shared how we are expanding our network into office buildings as well as many more product announcements and Cloudflare TV executive fireside chats and product discussions.

View all Birthday Week Blog Posts
View all Birthday Week Cloudflare TV Series

Full Stack Week Nov 14-19, 2021

Rita Kozlov

During Full Stack Week, we brought the vision of the Network is the Computer to life — allowing developers to build their entire application on our network, soup to nuts. Over the course of the week, we made a series of announcements, each providing another critical piece of the puzzle, necessary to build a full stack application.

We started with the foundation — data, announcing the general availability of Durable Objects, and ability to connect to databases, alongside partnerships with MongoDB and Prisma. Cloudflare Pages, our Jamstack platform also took a step deeper down the stack by introducing support for seamless deployment of functions. We want development on our platform to be an enjoyable experience, so we announced the new version of wrangler, our CLI, and Services, a better way for teams to build applications. And while we want developers to have fun, we also want them to be able to monetize their efforts, which they now can do using the Stripe SDK on Workers.

View all Full Stack Week 2021 Blog Posts
View all Full Stack Week Cloudflare TV Series

CIO Week Dec 5-10, 2021

Annika Garbers

To wrap up the year, we demonstrated how Cloudflare One, our Zero Trust Network-as-a-Service, is helping Chief Information Officers transform their corporate networks. We launched new capabilities in Cloudflare One to help customers replace their hardware firewalls and a chance to win a trip to Oahu in the process, a Log Storage platform built on Cloudflare R2, a new premium DNS offering, and Cloudflare Security Center, which helps customers map their attack surface and mitigate potential security risks with just a few clicks. We also announced our acquisition of Zaraz to boost website speed and security without sacrificing privacy, as well as new partnerships with Microsoft and leading cyber insurance providers, among many other exciting announcements throughout the week.

View all CIO Week 2021 Blog Posts
View all CIO Week 2021 Cloudflare TV Series

The Future of Work at Cloudflare

Post Syndicated from Matthew Prince original https://blog.cloudflare.com/the-future-of-work-at-cloudflare/

During Impact Week, we’ve shared how Cloudflare is providing tools for our customers to minimize their environmental impact as well as what we, as a company, are doing to help society at large. But some critical stakeholders we haven’t talked much about yet are Cloudflare’s more than 2,000 employees: who build our services, support and educate our customers, keep our finances in order, work through difficult policy issues, and empower us to accomplish everything we have.

Over the last year and a half, we’ve all challenged a lot of the assumptions about what it means to “work.” Prior to the start of the pandemic, Cloudflare was very much a work-from-office culture. And so when, on March 13, 2020, we closed all our offices and asked everyone to work from home, the two of us were extremely nervous.

And then something unexpected happened: a lot of things got better.

As a company, productivity increased — when measured by our success selling our products, our pace of shipping new products, and even things like the time it takes for our finance team to close our books.

Other day-to-day things got better, too. We noticed a marked increase in participation in meetings by women, team members for whom English wasn’t their first language, junior team members, and other traditionally underrepresented groups. It turns out, putting everyone in a Brady Bunch-like box on a screen smooths out some of the other social cues that, when in-person, make some people less comfortable, willing, or able to fully participate.

Virtually More Inclusive

It’s not unreasonable to speculate that the increase in productivity was driven, in no small part, by the increase in overall participation by people who previously felt reluctant to do so. And this further aligned with job surveys that we conducted over the last year and a half which showed that while the things people wanted us to improve remained the same, overall satisfaction with jobs increased.

We also noticed that the diversity of the candidates that were applying to work for us increased as we allowed people to work remotely. We were now an option for people who did not live in, or could not move to, the cities we had offices in. At Cloudflare, we’ve always believed in having a diverse team. Not to look good in a government report, but because it’s the right business strategy: more diverse teams win.

We all have different perspectives formed by our experiences that inherently give us insights and blind spots. If everyone on a team has the same insights and blind spots then there will be less unique and creative solutions proposed to whatever problems we face. Just as it’s important to have genetic diversity in a species, having diversity on every dimension in hiring makes us a stronger, more creative company. Prioritizing a diverse team is the right strategy if you’re optimizing for innovation, like we are at Cloudflare.

But not everything got better when we switched to remote; some things definitely got worse. We’re social creatures. We thrive through human interaction that is still difficult to replicate virtually. Even with improvements in video conferencing, online interactions still mute some of the social cues and make misunderstanding more likely. The osmosis for our team of learning by watching others is harder, especially for team members early in their career. And, unfortunately, for some the office is a refuge from difficult situations at home and so not having it as a place to get away can amplify those challenges.

What We’ve Learned… So Far

So we’ve been thinking a lot about what the future of work looks like at Cloudflare and wanted to share publicly what we’ve been talking about for some time internally. Here are some things we think we know.

First, we don’t know what the long term future of work will be like and so we’ve been hesitant to lay down broad proclamations. Instead, we expect that as we get past the pandemic and are able to work in-person safely again, we will do what Cloudflare has always done: run a number of experiments ourselves, watch what our peers are doing, and figure out what works for us. The one thing we feel pretty sure of is that wherever we start the experiment is highly unlikely to be exactly the place where we end up. The future of work won’t be set in stone sometime in the coming months, but evolve over the coming years.

Second, no matter what, the future of work will be more flexible. There’s no way we are putting the genie of remote work back in the bottle. Why would we want to if we’ve learned that we’ve been more productive and more satisfied with our jobs while we’ve been remote? Flexibility is the number one requested work benefit, and one of the silver linings of the pandemic for us has been that we ran a forced experiment that proved we could make it work.

Third, we are incredibly reluctant to impose arbitrary rules. Requiring team members to come in every Monday, Tuesday, and Thursday begs the question: why those days? Saying you need to come in if you’re below a certain seniority level also seems weirdly arbitrary. Instead of rules, we’re much more likely to start with general standards outlining what success as a member of the team at Cloudflare looks like and giving guidelines. We may need rules at some point, but we want to develop those rules over time based on what we learn.

Fourth, just opening offices and hoping for the best doesn’t work. What we’ve seen ourselves, and confirmed with others, is that what makes working from an office great is getting to work side-by-side with your colleagues. But if Alyssa comes in on Monday, and Blake comes in on Tuesday, and Carlos comes in on Wednesday, and Deeksha comes in on Thursday, and Ellen comes in on Friday, and they all hoped that they would get to connect, then none of them has a good experience and none of them come in the following week. If in-person work is going to work, there needs to be some deliberate structure and planning.

Fifth, we believe more in carrots than sticks. We’d rather we create an environment where people want to come in than where they have to come in. Based on our internal surveys, about 10% of our team wants to come in every day. We want to make the environment such that 100% of our team wants to come in at least some days.

Sixth, a more flexible way of working will require a more flexible physical space. The base “lego brick” we used to design all our offices pre-pandemic was the 6-person conference room. And, while none of our offices started this way, they all evolved into a sea of white, adjustable desks in neat rows as we found spots for our growing team. That already feels anachronistic. We think we need to redesign spaces to accommodate teams coming together to collaborate as well as individuals looking for a quiet spot for heads-down work.

Seventh, mixed meetings suck. When some people are in-person and some people are virtual the experience is bad for everyone. Part of why we think the last year and a half has worked is because everyone is in the same boat. We believe part of the reason why hybrid work environments have traditionally not worked is because they, left to their own devices, will tend to devolve to an experience that’s bad for everyone. The future of flexible work needs to acknowledge that most hybrid work experiments in the past haven’t worked.

Eighth, we’re a very global company. We have team members in countries around the world and need to operate our business around the clock. One of the benefits of being fully remote over the last year and a half is that it made all our offices feel like they were on equal footing. That’s something we believe is important for us to maintain.

So what’s our plan? Again, we don’t pretend to have all the answers. Instead, we expect that we’ll start somewhere and experiment. So we’re starting by being more flexible about where we hire people. We still believe that people will tend to cluster in hubs around cities where we have physical offices, but we are now open to hiring for nearly all of our roles in any location where we have a legal entity setup that allows us to hire.

We are tearing apart our offices in San Francisco and London to remake them into flexible work spaces. We’re designing them to allow for teams of 10, 20, or 30 employees to get together and collaborate. We’re also creating “Zoom villages” with one-person spaces and high quality AV equipment to let people jump on conference calls.

One of the few rules that we plan on starting with is that in meetings if any person is remote then everyone in the meeting is remote. We know that will create some awkward situations where some of our team will literally be sitting next to each other at desks talking on a video conference call. But we believe this is a rule worth having, in spite of our hesitation to impose strict rules, to help keep the playing field level for all our colleagues, wherever they’re working.

We’re going to rethink the purpose of the offices as spaces where teams can come together to collaborate. Internally, we’re calling these “on-site off-sites” — though everyone agrees we need a better name. The idea being that teams can call an in-person meeting and reserve space in any of our offices to come together. We expect different teams will set different cadences of these meetings, but expect most people to have at least some time in an office at least once a quarter.

We’re planning for what we’ve termed a “Czar of Serendipity” who will coordinate cross-group lunches and other activities to help facilitate teams who may not work directly together to have the opportunity if they want to meet colleagues they may not otherwise know. They’ll also help arrange in-person speakers and other activities aligned with whatever teams or groups are physically in the office each week.

And we’re hunting for carrots to encourage our team, and especially members who are earlier in their career, to come in. One we’re working on is what we’re calling Orange Card. We hope to turn every team member’s ID into a charge card. The card will only activate after someone badges in for the day and will only work to purchase food at restaurants that are within a 10-minute walk from the office with pre-tax dollars.

It’s in Cloudflare’s interest to encourage people to come in physically to work. Across the industry, however, we think jobs that require in-person work will look increasingly anachronistic. We also believe that, rather than operating private cafeterias inside our own spaces, it’s important for us to support local businesses near our offices — especially as so many of them were hit hard during COVID. If with Orange Card we can do this and find a way to let employees pay for lunches when they’re in the office at an effective discount, then it will check both boxes: giving employees a reason to come in and also supporting the local community.

We don’t know how many of these things will work, but it’s a sense of the experiments we intend to run as we try and find the future of work that works for our team.

In many ways we were fortunate that Cloudflare’s product could be of specific help during an incredibly difficult time for the world. The superheroes of the last year and a half have been the medical professionals and scientists who have taken care of the sick and looked for cures for this disease. But the Internet has been the faithful sidekick that has helped many continue to work, stay connected with loved ones, and keep ourselves entertained through this trying time. As one of the defenders of the Internet, our work at Cloudflare has been incredibly rewarding. We hope we can create a future of work that remains incredibly rewarding even long past the pandemic.

The thoughts above are just a starting place. We expect that we’re going to learn a lot not only from our own experiments, but also from what we learn works (and doesn’t work) at peer companies. We would have never tried this experiment in remote work but for the pandemic. Now, having realized that we can continue to execute in a more flexible work environment, we don’t plan to forget the lessons we learned. We’re hopeful that we, along with our peer companies, will continue to run experiments and, over time, develop a new future of work that is more flexible, more inclusive, and more productive.

PS – We’re hiring.

The Cloudflare Startup Enterprise Plan: helping new startups bootstrap

Post Syndicated from Jade Q. Wang original https://blog.cloudflare.com/the-cloudflare-startup-enterprise-plan-helping-new-startups-bootstrap/

Early in the life of most startups, there is a time of incredible hustle, creative problem solving, and making the impossible possible through out-of-the-box thinking and elbow grease. Grizzled veterans, who have lived through those days of running on coffee and shoestring budgets, look back on that time and fascinate the newcomers with war stories of back in the day, of adventures and first wins, when they kept the lights on by sheer force of will.

To help early stage startups get going, Cloudflare is giving away one year of the Startup Enterprise plan to all early stage startups in participating accelerator programs. That early stage time is special for product development, and entrepreneurs unlock worlds of possibilities when they have advanced tools on their hands, such as the power of the Cloudflare network.

What’s included in the Startup Enterprise plan?

In addition to the core offerings in the Pro and Business plans (e.g., CDN, DNS, WAF, custom SSL cert, 50 page rules), when founders sign up for the Startup Enterprise plan they’ll get special access to:

  • Cloudflare Workers: 50 million requests / month.
    • Deploy serverless code instantly across the globe to give it exceptional performance, reliability, and scale.
  • Cloudflare for Teams: 50 seats.
    • Zero Trust security platform, unified network security as-a-service built natively into the Cloudflare network.
  • Cloudflare Stream: 500K min/month; 100K minutes storage.
    • An affordable, scalable, on-demand video platform with simple, comprehensive APIs.

Additionally, when there are new Cloudflare products that are still in early access, participants on the Startup Enterprise plan can tell us about their use case for the product managers’ consideration for early access.

What startups are eligible for the Startup Enterprise plan?

To be eligible for the Startup Enterprise plan, a startup must be currently enrolled in a participating accelerator program or be a recent graduate. Additional eligibility criteria will be listed on the vendor perk info page of the accelerator program.

Get started

  • If you are a founder in a participating accelerator program, find the Cloudflare perk from your program’s vendor perk page and follow the instructions there.
  • If you are a founder in a program that is not yet a partner, drop us a line at [email protected], or ask the folks who run the vendor perk program at your accelerator program to drop us a line at [email protected].
  • If you run or work for an accelerator program, or are friends with folks who do, do drop us a line at [email protected]. We’d love to make our tools available to your portfolio companies.

Cloudflare is joining Pledge 1%

Post Syndicated from Michelle Zatlyn original https://blog.cloudflare.com/cloudflare-is-joining-pledge-1/

One theme we’ve prioritized this year at Cloudflare is how we can “level up” — level up service to our customers, level up the growth of our network, level up speed and creativity as we innovate.

In addition to our products and business, “leveling up” should also apply to the way Cloudflare gives back. Since our founding, giving back has been part of Cloudflare’s DNA, whether it’s through free services like Unmetered DDoS Mitigation or Universal SSL, giving gifts to the Internet every year during Birthday Week, or through free programs like Project Galileo that helps protect at-risk public interest organizations all over the world: for example, human rights activists and journalists. As the capabilities of our network continue to grow, we know there is more we can do. As we started to plan our first Impact Week, it seemed like the right time to figure out how we can level up how we give back to our communities.

To help us get there, I am excited to announce that Cloudflare is joining Pledge 1%. We’re joining the more than 12,000 companies in 100 countries that are committed to making a tangible, positive impact in their communities. As part of Cloudflare’s pledge to give 1%, we’re committing to donate 1% of our products and 1% of our time to give back to our local communities as well as all the communities we support online around the world.

Pledge 1%

Pledge 1% launched in 2014 with a mission to create a new normal where giving back is integrated into the foundation of companies at all stages of development, from startups to the Fortune 500. As part of the commitment, companies are encouraged to commit to donating to charitable causes one percent of any combination of their products, profits, time or equity.

1% of Product

Part of Cloudflare’s commitment to Pledge 1% will be to grow and expand our donated services programs. Donating free products and services is a part of Cloudflare’s story. We started our company with the basic idea that high-end networking services like security, content delivery, and reliability features should be available for everyone.

In 2014 we launched Project Galileo with the simple idea that we could offer services to journalists and human rights activists around the world for free. Today, Cloudflare protects over 1,500 organizations in 111 countries, and has donated more than $8 million worth of services through that program alone. After the 2016 US election, we launched the Athenian Project to provide state and local governments with our highest level security and reliability services for free, to ensure voters would be able to access election and voter registration information. We now have 292 government entities across 30 states participating in the program, and just yesterday, we announced that the Athenian Project is now available globally.

This week, we also announced our newest program: Project Pangea. Pangea will help community networks for underserved populations, including those in rural and developing locations, connect to the Internet for free.

We think we are only scratching the surface of how we can leverage one of the world’s fastest, most secure, most reliable networks to help underserved communities access and stay safe online. We’re excited to partner with Pledge 1% and all the great companies that are participating in the movement to help move us forward.

1% of Time

Maybe the most exciting part about Cloudflare joining Pledge 1% is our new commitment to give one percent of our team’s time. To meet that goal, Cloudflare is now offering all employees three days additional annual leave to volunteer in their communities.

Volunteering is an important part of our culture at Cloudflare. Prior to COVID, our team could dedicate one week every year to local volunteer efforts, which we called Cloudflare Cares. Coordinated across many of our large office locations, we would dedicate each day for a full week volunteering at employee-nominated, local non-profit organizations. Our participation pivoted to virtual during COVID, and it’s been incredible to see the impact one can make in their communities virtually, as well as in person. However, like a lot of folks, we are excited to return to in-person as soon as we are able to. We are looking forward to leveraging our 1% initiative to take Cloudflare Cares to a higher level of community engagement, around all of our global offices.

Although 1% of time is a significant investment (we expect this to net out at somewhere in the order of 70,000 hours of Cloudflarian time dedicated to this initiative next year), we think it has the potential to bring our teams closer together, to bring our offices closer to their communities, and attract active and engaged people to come join our team. It’s a big part of our mission to help build a better Internet.

Moving Forward

We’re incredibly proud to be joining Pledge 1%. Their goals are consistent with Cloudflare’s goals, and their methods will help us live up to those values consistently and intentionally. We’ve always been excited to find ways to build products that give back to the world. It is also great to find ways for our team building those products to give back to their communities.

We’re just getting started.

Building a sustainable workforce, through communities

Post Syndicated from Janet Van Huysse original https://blog.cloudflare.com/building-a-sustainable-workforce-through-communities/

At Cloudflare, we have our eyes set on an ambitious goal: to help build a better Internet. Today the company runs one of the world’s largest networks that powers approximately 25 million Internet properties. This is made possible by our 1,900 team members around the world. We believe the key to achieving our potential is to build diverse teams and create an environment where everyone can do their best work.

That is why we place a lot of value on the importance of diversity, equity and inclusion. Diversity, equity, and inclusion lead to better outcomes through improved decision-making, more innovative teams, stronger financial returns and simply a better place to work for everyone.

To become more diverse, equitable, and inclusive, we believe it’s important to focus on communities within and around our company.

Building internal communities at Cloudflare

At Cloudflare, like most workplaces, there are built-in communities: your direct team, your cross-functional partners and (because we take onboarding very seriously) your new hire class. These communities, especially the first two, are important to help you get your job done. But we want more than that for our team at Cloudflare. We believe that community builds connection and fosters a sense of belonging.

Because of that, we have supported the growth of over 16 Employee Resource Groups (ERGs). We use the term ERG broadly at Cloudflare. We have many ERGs focused on traditionally under-represented groups in tech: Afroflare (Black, African diaspora), Latinflare, and Womenflare; groups that have been historically marginalized: Proudflare (LGBTQIA+), Cloudflarents (parents and caregivers); as well as interest and affinity groups like Mindflare and Soberflare. To read more about all of our ERGs, visit our diversity, equity, and inclusion webpage or read about them on our blog. In addition to creating a community of support and belonging, our ERGs also work to enhance career development of their members and contribute to the development of a more inclusive culture at Cloudflare.

Building the skills to build communities

We define an inclusive culture as one where everyone feels safe, welcome and respected with a sense of belonging. We do not leave this to chance. We make investments in training and programs to develop and deepen the skills needed to nurture and preserve inclusive communities at Cloudflare.

One of our earliest offerings was Ally Skills training. The aim of this workshop is to help build awareness of the types of behavior and language which can be harmful to inclusivity at Cloudflare, and teach simple, everyday ways to support people who are targets of systemic oppression. During the workshop, team members share strategies on how to act as allies and how to create a long-lasting, inclusive culture at Cloudflare. As the program was being rolled out, the management team did the workshop together and quickly realized these were not skills reserved for ‘allies’ but it was our expectation that this was how all of our team members treated each other. These were necessary skills to be successful at Cloudflare. As a result, we reworked some pieces of the workshop and renamed it: How We Work Together.

We have also partnered with Paradigm IQ and Included to create a three-part Unconscious Bias Education Program. These workshops are a mix of eLearning and facilitated workshops where we learn about how to help mitigate unconscious bias and make our company a more welcoming and inclusive place for everyone. tEQuitable is an additional comprehensive resource which helps us create a safe, inclusive, and equitable workplace. They provide an independent sounding board where our employees may confidentially raise a concern, access a just-in-time learning platform, and get advice from professional Ombuds. They also help us identify systemic workplace issues and provide us with actionable recommendations for how to improve our workplace culture. What we especially love about tEQuitable is that it’s all about empowering our employees with tools and resources to address issues that may be impacting them, or they may witness impacting others, so we all play an active role in maintaining and nurturing our culture.

One other program worth highlighting is our Week On: Learning and Inclusion. This program came as a response to the murder of George Floyd in the US at the end of May 2020. Our Afroflare global leaders suggested we use Juneteenth as a full day of deep learning from external experts on topics ranging from the history of race and racism to the psychological impact of racism on people of color. In 2021, we expanded it from a one-day program to a week full of programming, with topics including antiracism keynotes, inclusive people management workshops, and inclusive recruiting practices.

Holding ourselves accountable to an inclusive culture

Increasing awareness and skill-building is valuable, but it is not enough. We also have to hold ourselves accountable by analyzing data, setting goals and measuring progress objectively. Each year we set company-wide goals around our diversity, and for the last few years we’ve added individual goals for managers — one focused on building a more diverse team, and one focused on building an inclusive team culture.

We also place a high value on behaviors at Cloudflare. This is imperative because we believe that culture is defined by the behaviors we reward. So in order to have a healthy and inclusive culture, we must reward the behaviors that promote and preserve that. We have defined these behaviors as our Cloudflare Capabilities.

We screen for these Capabilities during our interview process, and they are used in performance and promotion conversations. We hold ourselves accountable by using a very simple formula: Performance = results + behaviors. Equally weighted.

Our Recruiting Efforts

Speaking of interviewing, hiring is an important part of our diversity story. We believe that diverse teams win, and we put in a lot of effort to build diverse teams across the company. We have many team members who took unconventional paths into tech, and we believe that makes us stronger as a company. In fact, many of our job descriptions read: We realize people do not fit into neat boxes. We are looking for curious and empathetic individuals who are committed to developing themselves and learning new skills, and we are ready to help you do that. We cannot complete our mission without building a diverse and inclusive team.

In addition to an inclusive and expansive mindset around hiring, we also dedicate interviews specifically to assessing fit against our Capabilities, and we leverage technology and tools to help identify great talent who help to increase the diversity of our teams.

We have also made investments in events and partnerships that help support our diversity recruiting efforts. In August 2016, Cloudflare was one of the first companies to partner with Path Forward when it first launched its program in California. [Fun fact: that’s how I learned about Cloudflare and became interested in working here]. In Singapore, we have a similar partnership with Mums@Work.

We also engage with organizations and participate in events that help us reach talent from underrepresented groups. We have sponsored and spoken on stage at events like Lesbians Who Tech and Grace Hopper, where our co-founder, President and COO, Michelle Zatlyn, delivered the keynote in 2020. We regularly attend events and conferences hosted by AfroTech, Women Who Code, Girls Who Code, TAPIA, NSN, and more.

Engaging with external communities

Our ethos is to support and connect with external communities as well. Prior to the pandemic, when our offices were fully open and social and professional events were a thing, we regularly invited external organizations to host events in our communal spaces. One example of such an organization is Wu Yee Children’s Services, a San Francisco Chinatown-based nonprofit that connects parents and caregivers to affordable childcare options, offers payment assistance to low-income families, and provides other family and community services. We were honored to host their orientation session. Another organization we hosted was Women Who Code SF. We regularly hosted their “algorithm and interview prep” workshops, which helped women coders gain the skills they need to land good jobs in the tech industry. Unlike many of our tech company peers, we did not offer free lunch five days a week. It was important to us that our team members got out of the office and supported local businesses and restaurants. It is important that we do not isolate ourselves, but rather are part of a larger community.

We also believe in giving back to our local communities. Prior to COVID, Cloudflare dedicated one week every year to volunteer efforts. Coordinated across many of our large office locations, we would dedicate each day for a full week volunteering at employee-nominated, local non-profit organizations. Our participation pivoted to virtual during COVID, but we are anxious to return to in-person giving when we can.

While we are proud of these efforts, it is using Cloudflare products and services for good that is truly special. Cloudflare’s mission to help build a better Internet means we are in a unique position to help vulnerable websites, applications and services be safer, faster and more reliable online.

A few to highlight:

Project Galileo

Organizations working in the arts, human rights, civil society, journalism, or democracy may apply for Project Galileo to get Cloudflare’s cybersecurity protection for free. Since 2014, we’ve been leveraging our services to support vulnerable public interest web properties including, but not limited to: minority rights organizations, human rights organizations, independent media outlets, arts groups, and democracy and voter protection programs.

Our support of one of these organizations has blossomed over the years. We are proud to announce our partnership with The Trevor Project. Founded in 1998 by the creators of the Academy Award®-winning short film TREVOR, The Trevor Project is the leading national organization providing crisis intervention and suicide prevention services to lesbian, gay, bisexual, transgender, queer & questioning (LGBTQ) young people under 25. We support the organization through monetary donations, a partnership with our LGBTQIA+ Employee Resource Group, Proudflare, and free Cloudflare services through our Project Galileo Program.

Since 2017, we have donated about $8 million in cybersecurity tools under Project Galileo.

Athenian Project

Cloudflare launched the Athenian Project in 2017 to provide our highest level of cybersecurity services for free to state and local governments in the United States that run elections. The project is designed to protect websites tied to elections, including those providing information related to voting and polling places, voter registration, and sites that publish election results, as well as voter data, from cyberattack, and to keep them online. During the 2020 U.S. election, we worked closely with civil society and government agencies to share threat information that we saw targeted against these participants and protected more than 292 websites in 30 states, including the Missouri Secretary of State, Solano County in California and The Colorado Department of State.

In recognition that election security is a global issue, we recently announced our partnerships with the International Foundation for Electoral Systems, National Democratic Institute and International Republican Institute to extend our cybersecurity protections to election management bodies around the world, as well as organizations that support free and fair elections. We look forward to continuing our work to protect resources in the voting process and help build trust in democratic institutions around the world.

Project Fair Shot

Around the world, governments, hospitals, and pharmacies are struggling to distribute the COVID-19 vaccine. Technical limitations are causing vaccine registration sites to crash under the load of registrations. At Cloudflare, we want to help. Cloudflare’s Waiting Room feature allows organizations with more demand for a resource (be it concert tickets, new edition sneakers, or vaccines) to let individuals queue and then allocate access. Waiting Rooms can be deployed in front of any existing registration website without requiring code changes. As we watched the world struggle to fairly and efficiently distribute the COVID-19 vaccine, we wanted to lend our technologies and expertise to help. Under Project Fair Shot, Cloudflare is providing Waiting Room to any government agency, hospital, pharmacy, or other organization facilitating the distribution of the COVID-19 vaccine for free until anyone who wants to be vaccinated can be, until at least 31 December 2021.

We all need to work together to get past this incredibly difficult time worldwide and are humbled to have helped so many different organizations around the world such as the County of San Luis Obispo, Verto Health, and the Ministry of Health for the Republic of Latvia, and more!

Why we are publishing our diversity data

At Cloudflare, we believe in being principled, curious and transparent. Publishing our diversity report is aligned with these values.

We are Principled: One of the Cloudflare Capabilities is “Do the Right Thing” — that includes long-term thinking about how we build an innovative and sustainable workforce. We have a fundamental belief that fairness is the right thing. We believe that equity is the right thing.

We are Curious: Creating a more diverse and sustainable workforce is hard work. We want to draw lessons from the things we try, and we want to learn from what others are trying. Sustainable communities are not a zero-sum game, and we believe we can all benefit as an active part of the broader community.

We believe in Transparency: For many years, we have been transparent with our team about our diversity data and our goals, and we have measured our progress regularly. Now we are taking the step to share publicly because we believe in accountability and accept the responsibility to build a diverse and sustainable workforce.

You can check out our Diversity, Equity, and Inclusion webpage with our diversity report here.

While there is always more work to be done, we are grateful for the empathetic and curious team that makes Cloudflare what it is today. Together, we are optimistic we can build a better — and more inclusive — Internet.

How Employee Resource Groups (ERGs) can change an organization

Post Syndicated from Andrew Fitch original https://blog.cloudflare.com/how-employee-resource-groups-ergs-can-change-an-organization/

Employee resource groups (ERGs) are important to a company’s success. They foster community and a sense of belonging, help drive organizational change, and improve the overall quality of an organization’s culture. Most importantly, they help organizations become more diverse, equitable, and inclusive. I’d love to share the history of ERGs at Cloudflare, as well as how they function and help influence the company.

The history of ERGs at Cloudflare

When I joined Cloudflare in 2017, one of the first things I did was search “LGBTQ” in our company chat. A chat room of a dozen or so employees titled “LGBT at Cloudflare” popped up. There was evidence of some historic chatter in the room, and it was clear some employees had gathered for drinks after work before. I immediately introduced myself to the group, and asked if they would be okay with me setting up a meet & greet event. We booked a conference room, ordered lunch, found an article to discuss, introduced ourselves, and collectively decided we wanted to continue hosting such events. In our second meeting, we decided we should make things official by deciding on a name. This was the birth of Proudflare, our employee resource group (ERG) for LGBTQIA+ employees and our allies, and the first official Cloudflare ERG. I was honored to serve as Proudflare’s first global leader.

Cloudflare employees have founded and advanced fifteen other ERGs since 2017. Afroflare, our ERG for people of the African Diaspora, was the next ERG to form, later in 2017. The most recent is Flarability, our accessibility ERG. All of our groups are focused on fostering community, celebrating diversity, supporting career development, and educating those around us, but serve different communities. We decided early on that if each ERG focuses on education, celebration, and inclusion, we’ll be successful in supporting our underrepresented communities and stimulating positive change at our company. We have come a long way and still have a lot of change to make, but I can safely say that we have definitely helped make Cloudflare more diverse, inclusive, and equitable.

Scroll down to read the mission statements of each of Cloudflare’s ERGs. You may also read more about our ERGs through blog posts they’ve published at Cloudflare.

What is an ERG?

Our definition: At Cloudflare, ERGs are employee-led and company-supported groups of underrepresented and/or marginalized employees or groups of employees who are focused on key Corporate Social Responsibility initiatives. These employees join together in the workplace based on shared characteristics, life experiences, or initiatives. ERGs are generally based on creating a community of support and belonging, enhancing career development of their members, and contributing to the development of a more inclusive culture at Cloudflare.

ERGs are led by passionate volunteer employees who serve in roles as global leaders, regional leads, initiative leads, communications leads, and executive advocates. We ERG leaders agreed early on to support each other in our work, so we formed an Inclusion Council. This council is made up of all ERG leaders as well as Cloudflare’s inclusion workshop facilitators and serves as a steering committee in order to surface and incite feedback on diversity, equity, and inclusion (DEI) topics. We meet monthly, in rotating time zones so we may include leaders from all regions. Some of our most successful ERG partnership initiatives were forged in our Inclusion Council meetings between Womenflare and Afroflare, Asianflare and Desiflare, Mindflare and Proudflare, Latinflare and Afroflare, and more.

Most ERGs leverage executive advocates to help gain support from our senior executives and help those executives become more involved in DEI initiatives. Advocates meet regularly with ERG leaders, review company-wide or external-facing ERG communications, amplify the voices and visibility of ERGs through written communications and participation in events, and advocate for the ERG at the executive level. An example of a successful partnership between an Executive Advocate and an ERG is our CTO, John Graham-Cumming, and Womenflare. John has held several meetings with Womenflare members to listen to their needs and experiences, share company decisions, and find ways to better advocate for the women of Cloudflare. He also meets with Womenflare’s leaders biweekly to help with major initiatives and any roadblocks to progress.

How do ERGs impact organizations?

The most important function of an ERG is to create a sense of belonging and community amongst their members and allies through chat room conversations and regular connection opportunities. ERGs typically also produce initiatives around global education and celebration opportunities such as Women’s Empowerment Month, Black History Month, Hispanic Heritage Month, etc. These initiatives include DEI discussion events, company-wide presentations, company-wide emails, blog posts, social media campaigns, Cloudflare TV segments, publication of antiracism resources, spotlighting of underrepresented and marginalized employees, advising Cloudflare teams on decisions such as inclusive benefits package selection and accessible office space construction, and helping to promote inclusion education programs.

Through these connection opportunities and initiatives, ERGs influence the overall organization. They attract more allies and encourage them to take DEI actions, help educate employees on systemic barriers to DEI, and help make the workplace more inclusive and enjoyable for everyone. I see ERGs as impactful grass-roots movements within a company and I’ve witnessed their positive impact firsthand.

Thank you for reading about Cloudflare’s ERGs. Sixteen ERGs is a good number, but I’m really looking forward to supporting the foundation and growth of even more, and helping our existing ERGs flourish. If you are interested in starting an ERG at your company or learning more about ERG best practices, I encourage you to check out the Human Rights Campaign’s article, Establishing an Employee Resource Group.

Cloudflare ERG mission statements:

Afroflare

Our mission is to help build a better Global Afro-community at Cloudflare and beyond. We support each other’s growth, share our community’s stories, and help to make Cloudflare a more diverse and inclusive company.

Asianflare

We provide a supportive environment for all employees of Asian and Pacific Islander heritage, work to create more awareness of the struggles our community has faced and continues to face today, and celebrate our rich shared cultures.

Cloudflarents

We provide community and resources for parents and families, and welcome allies, people who are interested in becoming a parent, or who are family-oriented.

Desiflare

We foster networking and build a sense of community amongst Cloudflare employees using the rich South Asian culture as a platform to bring people together.

Flarability

We curate and share resources about disabilities, provide a community space for those with disabilities and our allies to find support and thrive, and encourage and guide Cloudflare’s accessibility programs.

Greencloud: Sustainability Group

Greencloud is a sustainability-focused working group made up of Cloudflare employees who are passionate about the environment and addressing the climate crisis.

Judeoflare

We provide a forum for the Jewish people of Cloudflare where we support each other and celebrate our shared heritage.

Latinflare

The mission of Latinflare is to help create a more diverse workplace, create a sense of community + belonging for Latinx employees, and connect with the communities where we work.

Mindflare

We provide the Cloudflare community resources around mental health, as well as increase awareness and destigmatize mental health more broadly throughout our communities.

Nativeflare

With a shared goal of education, we recognize the heritage and cultural presence of Native American employees at Cloudflare and illuminate the historical impact of policies and racism that continue to fuel prejudice and injustice, even to this day.

Proudflare

Our mission is to Educate and Celebrate, Globally! We find ways to support and provide resources for the LGBTQIA+ community and make sure that the Cloudflare community is a welcoming, inclusive place for all.

Soberflare

Ensure the Cloudflare community is welcoming and inclusive to those abstaining from alcohol and/or drug use by increasing awareness and destigmatizing the decision to choose sobriety.

Vetflare

We encourage the recruitment and retention of veterans of military service from any military around the world. We also provide a supportive environment and community space for those who have served to network.

Women in Engineering

Our mission is supporting women’s professional development and success within Cloudflare.

Women in Sales

Our mission is to provide community experience and resources to help women in our sales organization to grow professionally and support each other collectively.

Womenflare

Womenflare’s mission is to create a community where all who identify as women feel supported and represented at Cloudflare.

Introducing Greencloud

Post Syndicated from Annika Garbers original https://blog.cloudflare.com/introducing-greencloud/

Over the past few days, as part of Cloudflare’s Impact Week, we’ve written about the work we’re doing to help build a greener Internet. We’re making bold climate commitments for our own network and facilities and introducing new capabilities that help customers understand and reduce their impact. And in addition to organization-level initiatives, we also recognize the importance of individual impact — which is why we’re excited to publicly introduce Greencloud, our sustainability-focused employee working group.

What is Greencloud?

Greencloud is a coalition of Cloudflare employees who are passionate about the environment. Initially founded in 2019, we’re a cross-functional, global team with a few areas of focus:

  1. Awareness: Greencloud compiles and shares resources about environmental activism with each other and the broader organization. We believe that collective action (not just conscious consumerism, but also engagement in local policy and community movements) is critical to a more sustainable future, and that the ability to effect change starts with education. We’re also consistently inspired by the great work other folks in tech are doing in this space, and love sharing updates from peers that push us to do better within our own spheres of influence.
  2. Support: Our membership includes Cloudflare team members from across the org chart, which enables us to be helpful in supporting multidisciplinary projects led by functional teams within Cloudflare.
  3. Advocacy: We recognize the importance of both individual and organization-level action. We continue to challenge ourselves, each other and the broader organization to think about environmental impact in every decision we make as a company.

Our vision is to contribute on every level to addressing the climate crisis and creating a more sustainable future, helping Cloudflare become a clear leader in sustainable practices among tech companies. Moreover, we want to empower our colleagues to make more sustainable decisions in each of our individual lives.

What has Greencloud done so far?

Since launching in 2019, Greencloud has created a space for conversation and idea generation around Cloudflare’s sustainability initiatives, many of which have been implemented across our organization. As a group, we’ve created content to educate ourselves and external audiences about a broad range of sustainability topics:

  • Benchmarked Cloudflare’s sustainability practices against peer companies to understand our baseline and source ideas for improvement.
  • Curated guides for colleagues on peer-reviewed content, product recommendations, and “low-hanging fruit” actions we all have the ability to take, such as choosing a sustainable 401k investment plan and using a paperless option for all employee documents.
  • Hosted events such as sustainability-themed trivia/quiz nights to spark discussion and teach participants techniques for making more sustainable decisions in our own homes and lives.

In addition to creating “evergreen” resources and hosting events, Greencloud threw a special celebration for April 22, 2021 — the 51st global Earth Day. For the surrounding week, we hosted a series of events to engage our employees and community in sustainability education and actions.

Greencloud TV Takeover

You can catch reruns of our Earth Week content on Cloudflare TV, covering a broad range of topics:

Tuesday: Infrastructure
A chat with Michael Aylward, Head of Cloudflare’s Network Partners Program and renewable energy expert, about the carbon footprint of Internet infrastructure. We explored how the Internet contributes to climate change and what tech companies, including Cloudflare, are doing to minimize this footprint.

Wednesday: Policy
An interview with Doug Kramer, Cloudflare’s General Counsel, and Patrick Day, Cloudflare’s Senior Policy Counsel, on the overlap between sustainability, tech, and public policy. We dove into how tech companies, including Cloudflare, are working with policymakers to build a more sustainable future.

Thursday: Cloudflare and the Climate
Francisco Ponce de León interviewed Sagar Aryal, the CTO of Plant for the Planet, an organization of young Climate Justice Ambassadors with the goal of planting one trillion trees. Plant for the Planet is a participant in Project Galileo, Cloudflare’s program providing free protection for at-risk public interest groups.

In addition, Amy Bibeau, our Greencloud Places team lead, interviewed Cloudflare’s Head of Real Estate and Workplace Operations, Caroline Quick, and LinkedIn’s Dana Jennings, Senior Project Manager, Global Sustainability, for a look into the opportunities and challenges around creating sustainable workplaces. Like most companies, Cloudflare is re-thinking what our workplace will look like post-COVID. Baking sustainability into those plans, and being a model for other companies, can be game-changing.

Friday: Personal Impact & Trivia
A panel of Greencloud employees addressed the challenge of personal versus collective/system-level action and broke down some of the highest value actions we’re working on taking in our own lives.

Finally, Greencloud took over Cloudflare TV’s signature game show Silicon Valley Squares with Earth Day-themed questions!

Get engaged

No one person, group, or organization working alone can save our planet — the degree of collective action required to reverse climate change is staggering, but we’re excited and inspired by the work that leaders across every industry are putting in every day. We’d love for you and/or your organization to join us in this calling to create a more sustainable planet and tell us about your initiatives to exchange ideas.