Enterprise

Cloudflare’s unique network could make it the most essential security vendor of the zero-trust era

As Cloudflare seeks to win over enterprises with its array of zero-trust security services, CEO Matthew Prince told Protocol, “We just come at [cybersecurity] differently than all of the other vendors that are out there.” The company will need to take on some of the most-established vendors in the industry to achieve its vision.

Signage reading "Cloudflare" outside the company headquarters in San Francisco

The company has aggressively sought to expand beyond its roots in application security and into zero-trust services.

Photo: Michael Short/Bloomberg via Getty Images

Cloudflare is positioning itself to become nothing short of the most important and enduring platform for enterprise network security, declared Cloudflare co-founder and CEO Matthew Prince in a recent interview, emphasizing its drive to offer all of the services needed for securing a cloud-based corporate network.

For the last several years the company has aggressively sought to expand beyond its roots in application security and into zero-trust services, an increasingly pivotal focus for enterprise cybersecurity departments. And in that push, Cloudflare brings unique advantages — particularly its global network — that could be setting it up for serious growth in the enterprise security market, according to Prince, industry experts and equity research analysts who spoke with Protocol.

Looking ahead, Prince believes the biggest winners in cybersecurity will be those who can deliver security combined with an assortment of other cloud-based services that businesses need to operate in the modern world. Ten years from now, he predicted, "our customers will think of it less as cybersecurity and think of it more just as the network that they need to get their jobs done."

To be sure, deeply entrenched enterprise vendors can be harder to displace by upstarts than it might seem, and customers can have many reasons for their buying decisions. And for many enterprise buyers, Cloudflare is going to look very different from the vendors they’ve been traditionally familiar with, which Prince is quick to admit.

"We just come at [cybersecurity] differently than all of the other vendors that are out there," Prince told Protocol. In his view, Cloudflare will likely end up being more comparable to AWS than to any of the existing stand-alone security vendors given its recent investments in compute, storage and other application services.

As businesses look to shift their network security spend from hardware to cloud services, “I think they'll increasingly be choosing Cloudflare for their complete network security offering,” Prince said. Ultimately, “we want to solve all the network security issues that a company faces.”

"We just come at [cybersecurity] differently than all of the other vendors that are out there."

The road to achieving that vision will include having to take on some of the heavyweights of the cybersecurity industry — something that's already started happening more frequently, Prince said. Security vendors that specialize in zero trust such as Palo Alto Networks, Zscaler and Netskope "need to pay attention to the moves that Cloudflare is making," said Adam Borg, director in equity research at Stifel.

It will take time for this to play out, as Cloudflare builds up its enterprise salesforce and achieves enterprise-grade maturity for its products, Borg said. However, "there's no reason to think that they won't have success on the zero-trust side like they've had on the application security side," he said.

Network effects

Cloudflare is far from new to cybersecurity, of course. The company, founded in 2009, has long offered web security services such as distributed denial-of-service (DDoS) mitigation and web application firewalls. From early on, "we had to get good at stopping DDoS because it was the only way that we could help make sure our other services" functioned properly, Prince said.

Experts say that Cloudflare's worldwide network makes it one of the few vendors that can deliver a true zero-trust architecture for customers, particularly over the longer-term, as customers seek to consolidate vendors and tools.

Cloudflare's network covers 270 cities across more than 100 countries, allowing the company to reliably serve customers worldwide. The fact that Cloudflare doesn't rely on someone else's infrastructure is a key differentiator, enabling not only strong performance and security but also highly competitive pricing, analysts said.

Cloudflare's global network "is their critical advantage," said David Holmes, senior analyst at Forrester. "When everyone wants to consume something as a service, the bigger and faster your network is for delivering these services, the better the experience for the users."

It's no simple undertaking to build a network such as this, Holmes said. "A competitor can't come in and just say, 'Hey, we are now competing with Cloudflare.'"

Ultimately, "having a network like this is so important for all of the next technologies that everyone's going to consume as a service," he said.

"A competitor can't come in and just say, 'Hey, we are now competing with Cloudflare.'"

It also gives Cloudflare a view into major cyber events that few others have. Prince has become known for sharing some of the earliest details about such incidents on Twitter, such as the 2016 Mirai DDoS attacks that crippled servers across the Eastern U.S. and the worldwide exploitation of critical vulnerabilities in Apache Log4j in December 2021.

The advantages that Cloudflare's network provides could almost be called "unfair advantages" — due to how big of a leg-up they offer over some competitors — but they’ve been "fairly won” through the company’s continued efforts, said Jay Leek, the former CISO of The Blackstone Group and now managing partner at SYN Ventures.

All in on zero trust

Cloudflare is now seeking to leverage its network to simplify zero trust, a concept that many customers find overly complex. And simplicity has always been a strength for the company, said Andy Ellis, the former longtime chief security officer of Akamai, a perennial rival to Cloudflare in web content delivery services.

"One thing that Cloudflare has always been really good at is easy-to-consume security," said Ellis, who left Akamai in 2021 and is now an operating partner at YL Ventures. "Cloudflare really does try to shrink-wrap security when they deliver it."

The promise of zero trust is to ensure that only legitimate users are able to access corporate applications and data, a top priority for enterprises with distributed workforces, which are no longer protected effectively by traditional network security tools. Most organizations are expected to embrace zero trust as the starting point for their security strategies within the next few years, according to a recent Gartner survey.

Cloudflare has also invested heavily in recent years to assemble a portfolio of zero-trust services such as secure application access (also known as zero-trust network access, or ZTNA) as well as browser isolation and secure web gateway. As a result, "what we have really seen in the last six months is that we are getting pulled into more and more deals" with large customers, Prince told Protocol.

More than 15% of the company's paying customer base — or, more than 23,000 customers — have now adopted at least one of Cloudflare's zero-trust services, the company told Protocol. Overall revenue for the company's most recently reported quarter surged 54% year-over-year to $212.2 million.

"They're now in these discussions. And they weren't three years ago," said Neil MacDonald, vice president and distinguished analyst at Gartner. "They're quite credible on the security services side of things."

But today Cloudflare's wide range of services across web performance, security and infrastructure is both an advantage and also a bit tough to grasp for some. Prince acknowledged that, as the much-used analogy goes, people tend to focus on "different parts of the elephant" when it comes to their understanding of Cloudflare.

"They're now in these discussions. And they weren't three years ago."

What Prince hopes customers will start to see, however, is that Cloudflare is now a full platform for modern network security.

“We think that we have the network and the innovation machine that allows us to — regardless of what you need to do with network security — be able to solve it as a single vendor, in a way which will always be better than what point solutions can provide in other spaces,” he said.

What Cloudflare doesn't plan to pursue are products for endpoint or identity security, where there are already well-established players that the company partners with, he said.

But "between those two things, there's a role for network security. We want to play in every part of that space," Prince said.

Within that framework, Cloudflare recently expanded into email security with the $162 million acquisition of Area 1 Security. It also recently added cloud access security broker (CASB) capabilities with the acquisition of Vectrix. The company's overarching platform that unifies these capabilities, Cloudflare One, lines up with the very buzzy category of secure access service edge (SASE).

With Cloudflare One — which originally debuted in October 2020 and is now front and center in the company's product marketing — "I think we fit the model of what Gartner calls SASE better than any other company," Prince said. SASE is a cloud-driven architecture meant to secure all applications, data, users and devices using principles such as zero trust.

In SASE, "I fully expect them to be a player now," Gartner's MacDonald said. "They're investing, and they're taking advantage of their worldwide network of points of presence to do the new security functions."

Tool consolidation

Cloudflare's track record of taking a "mishmash of technologies, simplifying them and then creating a platform" is highly disruptive to traditional approaches, said Joel Fishbein, managing director at Truist Securities.

But even though Cloudflare's moves have been ambitious — even gutsy, he said — the company has "done everything and more that they've said they would do."

For customer Werner Enterprises, the opportunity to potentially consolidate cybersecurity tools with Cloudflare is highly appealing, according to CIO Daragh Mahon. Like many large businesses, the transportation and logistics company has a major problem with tool sprawl. "We're trying to just use a single vendor, as much as possible," Mahon said.

So far, Werner Enterprises has deployed Cloudflare's web application firewall and its Area 1 email security offering, and the company is now about to start a test of the Cloudflare One platform, to hopefully consolidate even further with Cloudflare. "So far, we've liked everything Cloudflare has sent our way," Mahon said.

The misperception that Cloudflare only serves small businesses is a hangover from how the company initially went to market, Prince said.

In cybersecurity, Cloudflare started out catering to businesses that were "completely underserved" by the existing security vendors at the time, he said. The company then moved upmarket over time; now, according to Prince, 13 of the world's 20 largest companies are customers of Cloudflare's security services.

Going forward, "you will see us in many more of those deals that come through system integrators and partners, which is a bit of a newer skill for us," he said. Still, practitioner-led deals have "always been the bread and butter of how we've gone to market. And I think that that's something that neither Palo [Alto Networks] or Zscaler are able to match," Prince said.

Cloudflare has been making plenty of big moves outside cybersecurity, too. The company offers a serverless compute service, Workers, and a cloud storage object service, R2, that went into open beta in May. R2 aims to stand out from Amazon S3 by not charging data-egress fees, and the company has said that, even apart from that, it will be 10% cheaper to operate than S3.

With Cloudflare's moves into infrastructure services, "this is your next AWS in the making," said Shaul Eyal, managing director at Cowen.

Prince previously told Protocol that Cloudflare is, in fact, "aiming to be the fourth major public cloud." In the most recent interview, he painted that potential outcome as a by-product of Cloudflare's strategy rather than the ultimate goal.

"It may be that the final step in this is that, yeah, we look like the fourth cloud, or whatever you want to call it," Prince said. "But we really think of ourselves as the network that connects together anything that's going to be online."

In other words, Cloudflare is looking to enable customers to reliably and securely use whatever cloud-based services they might want, including from other platforms, he said: "maybe storage from AWS, Office from Microsoft, machine learning from Google, post-quantum work from IBM, a database from Oracle." Cloudflare's larger goal, Prince said, is to provide the "programmable, secure network that hooks that all together."

Being able to provide that network combined with zero trust and other security services is something that'll have broad appeal among customers going forward, he said.

"The architects of the digital world have let [customers] down."

In the future, "I think the companies that are able to take cybersecurity and do it well — and build out a true cloud platform themselves — will dwarf anything that we're seeing in the cybersecurity space today," Prince said.

Prince is not alone in holding this view of the future.

Amid rampant ransomware attacks, the sentiment among many customers right now is that "the architects of the digital world have let them down," said Forrester's Holmes. What customers will demand more and more, he said, is to be able to work with "one trusted vendor, whom you trust with all of your network traffic and your cybersecurity."

From a customer point of view, "it's a single-vendor game in the distant future," Holmes said. "This might take 10 years or 15 years — we might be in year two or three."

That doesn't equate to having just one vendor to choose from, but the list of vendors able to provide all of that won't be lengthy — maybe five in the U.S. and 10 worldwide, akin to what's happened in public cloud, according to Holmes. And Cloudflare is a strong contender for becoming one of those five vendors in the U.S., he said.

"They've got the huge network. They have an understanding of zero trust. They're assembling the cybersecurity portfolio," Holmes said. "Things are looking good for them."

Fintech

Upstart has a new plan to sell Wall Street on its loans

The AI-powered lender will hold some loans on its balance sheet as it seeks partners for long-term capital.

Despite the current struggles, Upstart views the marketplace model as the best way to write to keep its loan business growing.

Photo: Upstart

After a revenue drop its CEO called “unacceptable,” the leadership at fintech lender Upstart is making a bet on the strength of its ability to underwrite loans with AI.

The San Mateo company is planning to leave some loans on its balance sheet that investors do not want to buy, as concerns about the economy shift Wall Street away from backing riskier consumer debt. Rather than pull back on its lending in response, the company said it will hold some loans as it seeks longer-term capital partners.

Keep Reading Show less
Ryan Deffenbaugh
Ryan Deffenbaugh is a reporter at Protocol focused on fintech. Before joining Protocol, he reported on New York's technology industry for Crain's New York Business. He is based in New York and can be reached at rdeffenbaugh@protocol.com.
Sponsored Content

How cybercrime is going small time

Blockbuster hacks are no longer the norm – causing problems for companies trying to track down small-scale crime

Cybercrime is often thought of on a relatively large scale. Massive breaches lead to painful financial losses, bankrupting companies and causing untold embarrassment, splashed across the front pages of news websites worldwide. That’s unsurprising: cyber events typically cost businesses around $200,000, according to cybersecurity firm the Cyentia Institute. One in 10 of those victims suffer losses of more than $20 million, with some reaching $100 million or more.

That’s big money – but there’s plenty of loot out there for cybercriminals willing to aim lower. In 2021, the Internet Crime Complaint Center (IC3) received 847,376 complaints – reports by cybercrime victims – totaling losses of $6.9 billion. Averaged out, each victim lost $8,143.

Keep Reading Show less
Chris Stokel-Walker

Chris Stokel-Walker is a freelance technology and culture journalist and author of "YouTubers: How YouTube Shook Up TV and Created a New Generation of Stars." His work has been published in The New York Times, The Guardian and Wired.

Enterprise

Does your boss sound a little funny? It might be an audio deepfake

Voice deepfake attacks against enterprises, often aimed at tricking corporate employees into transferring money to the attackers, are on the rise. And at least in some cases, they’re succeeding.

Audio deepfakes are a new spin on the impersonation tactics that have long been used in social engineering and phishing attacks, but most people aren’t trained to disbelieve their ears.

Illustration: Christopher T. Fong/Protocol

As a cyberattack investigator, Nick Giacopuzzi’s work now includes responding to growing attacks against businesses that involve deepfaked voices — and has ultimately left him convinced that in today's world, "we need to question everything."

In particular, Giacopuzzi has investigated multiple incidents where an attacker deployed fabricated audio, created with the help of AI, that purported to be an executive or a manager at a company. You can guess how it went: The fake boss asked an employee to urgently transfer funds. And in some cases, it’s worked, he said.

Keep Reading Show less
Kyle Alspach

Kyle Alspach ( @KyleAlspach) is a senior reporter at Protocol, focused on cybersecurity. He has covered the tech industry since 2010 for outlets including VentureBeat, CRN and the Boston Globe. He lives in Portland, Oregon, and can be reached at kalspach@protocol.com.

Fintech

Binance’s co-founder could remake its crypto deal-making

Yi He is overseeing a $7.5 billion portfolio, with more investments to come, making her one of the most powerful investors in the industry.

Binance co-founder Yi He will oversee $7.5 billion in assets.

Photo: Binance

Binance co-founder Yi He isn’t as well known as the crypto giant’s colorful and controversial CEO, Changpeng “CZ” Zhao.

That could soon change. The 35-year-old executive is taking on a new, higher-profile role at the world’s largest crypto exchange as head of Binance Labs, the company’s venture capital arm. With $7.5 billion in assets to oversee, that instantly makes her one of the most powerful VC investors in crypto.

Keep Reading Show less
Benjamin Pimentel

Benjamin Pimentel ( @benpimentel) covers crypto and fintech from San Francisco. He has reported on many of the biggest tech stories over the past 20 years for the San Francisco Chronicle, Dow Jones MarketWatch and Business Insider, from the dot-com crash, the rise of cloud computing, social networking and AI to the impact of the Great Recession and the COVID crisis on Silicon Valley and beyond. He can be reached at bpimentel@protocol.com or via Google Voice at (925) 307-9342.

Policy

Trump ordered social media visa screening. Biden's defending it.

The Knight First Amendment Institute just lost a battle to force the Biden administration to provide a report on the collection of social media handles from millions of visa applicants every year.

Visa applicants have to give up any of their social media handles from the past five years.

Photo: belterz/Getty Images

Would you feel comfortable if a U.S. immigration official reviewed all that you post on Facebook, Reddit, Snapchat, Twitter or even YouTube? Would it change what you decide to post or whom you talk to online? Perhaps you’ve said something critical of the U.S. government. Perhaps you’ve jokingly threatened to whack someone.

If you’ve applied for a U.S. visa, there’s a chance your online missives have been subjected to this kind of scrutiny, all in the name of keeping America safe. But three years after the Trump administration ordered enhanced vetting of visa applications, the Biden White House has not only continued the program, but is defending it — despite refusing to say if it’s had any impact.

Keep Reading Show less
Anna Kramer

Anna Kramer is a reporter at Protocol (Twitter: @ anna_c_kramer, email: akramer@protocol.com), where she writes about labor and workplace issues. Prior to joining the team, she covered tech and small business for the San Francisco Chronicle and privacy for Bloomberg Law. She is a recent graduate of Brown University, where she studied International Relations and Arabic and wrote her senior thesis about surveillance tools and technological development in the Middle East.

Latest Stories
Bulletins