Cloudflare’s unique network could make it the most essential security vendor of the zero-trust era

As Cloudflare seeks to win over enterprises with its array of zero-trust security services, CEO Matthew Prince told Protocol, “We just come at [cybersecurity] differently than all of the other vendors that are out there.” The company will need to take on some of the most-established vendors in the industry to achieve its vision.

Signage reading "Cloudflare" outside the company headquarters in San Francisco

The company has aggressively sought to expand beyond its roots in application security and into zero-trust services.

Photo: Michael Short/Bloomberg via Getty Images

Cloudflare is positioning itself to become nothing short of the most important and enduring platform for enterprise network security, declared Cloudflare co-founder and CEO Matthew Prince in a recent interview, emphasizing its drive to offer all of the services needed for securing a cloud-based corporate network.

For the last several years the company has aggressively sought to expand beyond its roots in application security and into zero-trust services, an increasingly pivotal focus for enterprise cybersecurity departments. And in that push, Cloudflare brings unique advantages — particularly its global network — that could be setting it up for serious growth in the enterprise security market, according to Prince, industry experts and equity research analysts who spoke with Protocol.

Looking ahead, Prince believes the biggest winners in cybersecurity will be those who can deliver security combined with an assortment of other cloud-based services that businesses need to operate in the modern world. Ten years from now, he predicted, "our customers will think of it less as cybersecurity and think of it more just as the network that they need to get their jobs done."

To be sure, deeply entrenched enterprise vendors can be harder to displace by upstarts than it might seem, and customers can have many reasons for their buying decisions. And for many enterprise buyers, Cloudflare is going to look very different from the vendors they’ve been traditionally familiar with, which Prince is quick to admit.

"We just come at [cybersecurity] differently than all of the other vendors that are out there," Prince told Protocol. In his view, Cloudflare will likely end up being more comparable to AWS than to any of the existing stand-alone security vendors given its recent investments in compute, storage and other application services.

As businesses look to shift their network security spend from hardware to cloud services, “I think they'll increasingly be choosing Cloudflare for their complete network security offering,” Prince said. Ultimately, “we want to solve all the network security issues that a company faces.”

"We just come at [cybersecurity] differently than all of the other vendors that are out there."

The road to achieving that vision will include having to take on some of the heavyweights of the cybersecurity industry — something that's already started happening more frequently, Prince said. Security vendors that specialize in zero trust such as Palo Alto Networks, Zscaler and Netskope "need to pay attention to the moves that Cloudflare is making," said Adam Borg, director in equity research at Stifel.

It will take time for this to play out, as Cloudflare builds up its enterprise salesforce and achieves enterprise-grade maturity for its products, Borg said. However, "there's no reason to think that they won't have success on the zero-trust side like they've had on the application security side," he said.

Network effects

Cloudflare is far from new to cybersecurity, of course. The company, founded in 2009, has long offered web security services such as distributed denial-of-service (DDoS) mitigation and web application firewalls. From early on, "we had to get good at stopping DDoS because it was the only way that we could help make sure our other services" functioned properly, Prince said.

Experts say that Cloudflare's worldwide network makes it one of the few vendors that can deliver a true zero-trust architecture for customers, particularly over the longer-term, as customers seek to consolidate vendors and tools.

Cloudflare's network covers 270 cities across more than 100 countries, allowing the company to reliably serve customers worldwide. The fact that Cloudflare doesn't rely on someone else's infrastructure is a key differentiator, enabling not only strong performance and security but also highly competitive pricing, analysts said.

Cloudflare's global network "is their critical advantage," said David Holmes, senior analyst at Forrester. "When everyone wants to consume something as a service, the bigger and faster your network is for delivering these services, the better the experience for the users."

It's no simple undertaking to build a network such as this, Holmes said. "A competitor can't come in and just say, 'Hey, we are now competing with Cloudflare.'"

Ultimately, "having a network like this is so important for all of the next technologies that everyone's going to consume as a service," he said.

"A competitor can't come in and just say, 'Hey, we are now competing with Cloudflare.'"

It also gives Cloudflare a view into major cyber events that few others have. Prince has become known for sharing some of the earliest details about such incidents on Twitter, such as the 2016 Mirai DDoS attacks that crippled servers across the Eastern U.S. and the worldwide exploitation of critical vulnerabilities in Apache Log4j in December 2021.

The advantages that Cloudflare's network provides could almost be called "unfair advantages" — due to how big of a leg-up they offer over some competitors — but they’ve been "fairly won” through the company’s continued efforts, said Jay Leek, the former CISO of The Blackstone Group and now managing partner at SYN Ventures.

All in on zero trust

Cloudflare is now seeking to leverage its network to simplify zero trust, a concept that many customers find overly complex. And simplicity has always been a strength for the company, said Andy Ellis, the former longtime chief security officer of Akamai, a perennial rival to Cloudflare in web content delivery services.

"One thing that Cloudflare has always been really good at is easy-to-consume security," said Ellis, who left Akamai in 2021 and is now an operating partner at YL Ventures. "Cloudflare really does try to shrink-wrap security when they deliver it."

The promise of zero trust is to ensure that only legitimate users are able to access corporate applications and data, a top priority for enterprises with distributed workforces, which are no longer protected effectively by traditional network security tools. Most organizations are expected to embrace zero trust as the starting point for their security strategies within the next few years, according to a recent Gartner survey.

Cloudflare has also invested heavily in recent years to assemble a portfolio of zero-trust services such as secure application access (also known as zero-trust network access, or ZTNA) as well as browser isolation and secure web gateway. As a result, "what we have really seen in the last six months is that we are getting pulled into more and more deals" with large customers, Prince told Protocol.

More than 15% of the company's paying customer base — or, more than 23,000 customers — have now adopted at least one of Cloudflare's zero-trust services, the company told Protocol. Overall revenue for the company's most recently reported quarter surged 54% year-over-year to $212.2 million.

"They're now in these discussions. And they weren't three years ago," said Neil MacDonald, vice president and distinguished analyst at Gartner. "They're quite credible on the security services side of things."

But today Cloudflare's wide range of services across web performance, security and infrastructure is both an advantage and also a bit tough to grasp for some. Prince acknowledged that, as the much-used analogy goes, people tend to focus on "different parts of the elephant" when it comes to their understanding of Cloudflare.

"They're now in these discussions. And they weren't three years ago."

What Prince hopes customers will start to see, however, is that Cloudflare is now a full platform for modern network security.

“We think that we have the network and the innovation machine that allows us to — regardless of what you need to do with network security — be able to solve it as a single vendor, in a way which will always be better than what point solutions can provide in other spaces,” he said.

What Cloudflare doesn't plan to pursue are products for endpoint or identity security, where there are already well-established players that the company partners with, he said.

But "between those two things, there's a role for network security. We want to play in every part of that space," Prince said.

Within that framework, Cloudflare recently expanded into email security with the $162 million acquisition of Area 1 Security. It also recently added cloud access security broker (CASB) capabilities with the acquisition of Vectrix. The company's overarching platform that unifies these capabilities, Cloudflare One, lines up with the very buzzy category of secure access service edge (SASE).

With Cloudflare One — which originally debuted in October 2020 and is now front and center in the company's product marketing — "I think we fit the model of what Gartner calls SASE better than any other company," Prince said. SASE is a cloud-driven architecture meant to secure all applications, data, users and devices using principles such as zero trust.

In SASE, "I fully expect them to be a player now," Gartner's MacDonald said. "They're investing, and they're taking advantage of their worldwide network of points of presence to do the new security functions."

Tool consolidation

Cloudflare's track record of taking a "mishmash of technologies, simplifying them and then creating a platform" is highly disruptive to traditional approaches, said Joel Fishbein, managing director at Truist Securities.

But even though Cloudflare's moves have been ambitious — even gutsy, he said — the company has "done everything and more that they've said they would do."

For customer Werner Enterprises, the opportunity to potentially consolidate cybersecurity tools with Cloudflare is highly appealing, according to CIO Daragh Mahon. Like many large businesses, the transportation and logistics company has a major problem with tool sprawl. "We're trying to just use a single vendor, as much as possible," Mahon said.

So far, Werner Enterprises has deployed Cloudflare's web application firewall and its Area 1 email security offering, and the company is now about to start a test of the Cloudflare One platform, to hopefully consolidate even further with Cloudflare. "So far, we've liked everything Cloudflare has sent our way," Mahon said.

The misperception that Cloudflare only serves small businesses is a hangover from how the company initially went to market, Prince said.

In cybersecurity, Cloudflare started out catering to businesses that were "completely underserved" by the existing security vendors at the time, he said. The company then moved upmarket over time; now, according to Prince, 13 of the world's 20 largest companies are customers of Cloudflare's security services.

Going forward, "you will see us in many more of those deals that come through system integrators and partners, which is a bit of a newer skill for us," he said. Still, practitioner-led deals have "always been the bread and butter of how we've gone to market. And I think that that's something that neither Palo [Alto Networks] or Zscaler are able to match," Prince said.

Cloudflare has been making plenty of big moves outside cybersecurity, too. The company offers a serverless compute service, Workers, and a cloud storage object service, R2, that went into open beta in May. R2 aims to stand out from Amazon S3 by not charging data-egress fees, and the company has said that, even apart from that, it will be 10% cheaper to operate than S3.

With Cloudflare's moves into infrastructure services, "this is your next AWS in the making," said Shaul Eyal, managing director at Cowen.

Prince previously told Protocol that Cloudflare is, in fact, "aiming to be the fourth major public cloud." In the most recent interview, he painted that potential outcome as a by-product of Cloudflare's strategy rather than the ultimate goal.

"It may be that the final step in this is that, yeah, we look like the fourth cloud, or whatever you want to call it," Prince said. "But we really think of ourselves as the network that connects together anything that's going to be online."

In other words, Cloudflare is looking to enable customers to reliably and securely use whatever cloud-based services they might want, including from other platforms, he said: "maybe storage from AWS, Office from Microsoft, machine learning from Google, post-quantum work from IBM, a database from Oracle." Cloudflare's larger goal, Prince said, is to provide the "programmable, secure network that hooks that all together."

Being able to provide that network combined with zero trust and other security services is something that'll have broad appeal among customers going forward, he said.

"The architects of the digital world have let [customers] down."

In the future, "I think the companies that are able to take cybersecurity and do it well — and build out a true cloud platform themselves — will dwarf anything that we're seeing in the cybersecurity space today," Prince said.

Prince is not alone in holding this view of the future.

Amid rampant ransomware attacks, the sentiment among many customers right now is that "the architects of the digital world have let them down," said Forrester's Holmes. What customers will demand more and more, he said, is to be able to work with "one trusted vendor, whom you trust with all of your network traffic and your cybersecurity."

From a customer point of view, "it's a single-vendor game in the distant future," Holmes said. "This might take 10 years or 15 years — we might be in year two or three."

That doesn't equate to having just one vendor to choose from, but the list of vendors able to provide all of that won't be lengthy — maybe five in the U.S. and 10 worldwide, akin to what's happened in public cloud, according to Holmes. And Cloudflare is a strong contender for becoming one of those five vendors in the U.S., he said.

"They've got the huge network. They have an understanding of zero trust. They're assembling the cybersecurity portfolio," Holmes said. "Things are looking good for them."


Judge Zia Faruqui is trying to teach you crypto, one ‘SNL’ reference at a time

His decisions on major cryptocurrency cases have quoted "The Big Lebowski," "SNL," and "Dr. Strangelove." That’s because he wants you — yes, you — to read them.

The ways Zia Faruqui (right) has weighed on cases that have come before him can give lawyers clues as to what legal frameworks will pass muster.

Photo: Carolyn Van Houten/The Washington Post via Getty Images

“Cryptocurrency and related software analytics tools are ‘The wave of the future, Dude. One hundred percent electronic.’”

That’s not a quote from "The Big Lebowski" — at least, not directly. It’s a quote from a Washington, D.C., district court memorandum opinion on the role cryptocurrency analytics tools can play in government investigations. The author is Magistrate Judge Zia Faruqui.

Keep ReadingShow less
Veronica Irwin

Veronica Irwin (@vronirwin) is a San Francisco-based reporter at Protocol covering fintech. Previously she was at the San Francisco Examiner, covering tech from a hyper-local angle. Before that, her byline was featured in SF Weekly, The Nation, Techworker, Ms. Magazine and The Frisc.

The financial technology transformation is driving competition, creating consumer choice, and shaping the future of finance. Hear from seven fintech leaders who are reshaping the future of finance, and join the inaugural Financial Technology Association Fintech Summit to learn more.

Keep ReadingShow less
The Financial Technology Association (FTA) represents industry leaders shaping the future of finance. We champion the power of technology-centered financial services and advocate for the modernization of financial regulation to support inclusion and responsible innovation.

AWS CEO: The cloud isn’t just about technology

As AWS preps for its annual re:Invent conference, Adam Selipsky talks product strategy, support for hybrid environments, and the value of the cloud in uncertain economic times.

Photo: Noah Berger/Getty Images for Amazon Web Services

AWS is gearing up for re:Invent, its annual cloud computing conference where announcements this year are expected to focus on its end-to-end data strategy and delivering new industry-specific services.

It will be the second re:Invent with CEO Adam Selipsky as leader of the industry’s largest cloud provider after his return last year to AWS from data visualization company Tableau Software.

Keep ReadingShow less
Donna Goodison

Donna Goodison (@dgoodison) is Protocol's senior reporter focusing on enterprise infrastructure technology, from the 'Big 3' cloud computing providers to data centers. She previously covered the public cloud at CRN after 15 years as a business reporter for the Boston Herald. Based in Massachusetts, she also has worked as a Boston Globe freelancer, business reporter at the Boston Business Journal and real estate reporter at Banker & Tradesman after toiling at weekly newspapers.

Image: Protocol

We launched Protocol in February 2020 to cover the evolving power center of tech. It is with deep sadness that just under three years later, we are winding down the publication.

As of today, we will not publish any more stories. All of our newsletters, apart from our flagship, Source Code, will no longer be sent. Source Code will be published and sent for the next few weeks, but it will also close down in December.

Keep ReadingShow less
Bennett Richardson

Bennett Richardson ( @bennettrich) is the president of Protocol. Prior to joining Protocol in 2019, Bennett was executive director of global strategic partnerships at POLITICO, where he led strategic growth efforts including POLITICO's European expansion in Brussels and POLITICO's creative agency POLITICO Focus during his six years with the company. Prior to POLITICO, Bennett was co-founder and CMO of Hinge, the mobile dating company recently acquired by Match Group. Bennett began his career in digital and social brand marketing working with major brands across tech, energy, and health care at leading marketing and communications agencies including Edelman and GMMB. Bennett is originally from Portland, Maine, and received his bachelor's degree from Colgate University.


Why large enterprises struggle to find suitable platforms for MLops

As companies expand their use of AI beyond running just a few machine learning models, and as larger enterprises go from deploying hundreds of models to thousands and even millions of models, ML practitioners say that they have yet to find what they need from prepackaged MLops systems.

As companies expand their use of AI beyond running just a few machine learning models, ML practitioners say that they have yet to find what they need from prepackaged MLops systems.

Photo: artpartner-images via Getty Images

On any given day, Lily AI runs hundreds of machine learning models using computer vision and natural language processing that are customized for its retail and ecommerce clients to make website product recommendations, forecast demand, and plan merchandising. But this spring when the company was in the market for a machine learning operations platform to manage its expanding model roster, it wasn’t easy to find a suitable off-the-shelf system that could handle such a large number of models in deployment while also meeting other criteria.

Some MLops platforms are not well-suited for maintaining even more than 10 machine learning models when it comes to keeping track of data, navigating their user interfaces, or reporting capabilities, Matthew Nokleby, machine learning manager for Lily AI’s product intelligence team, told Protocol earlier this year. “The duct tape starts to show,” he said.

Keep ReadingShow less
Kate Kaye

Kate Kaye is an award-winning multimedia reporter digging deep and telling print, digital and audio stories. She covers AI and data for Protocol. Her reporting on AI and tech ethics issues has been published in OneZero, Fast Company, MIT Technology Review, CityLab, Ad Age and Digiday and heard on NPR. Kate is the creator of RedTailMedia.org and is the author of "Campaign '08: A Turning Point for Digital Media," a book about how the 2008 presidential campaigns used digital media and data.

Latest Stories