Cloudflare CEO Matthew Prince: Most Zero Trust Security Tools ‘Slow You Down’
In an interview with CRN, Prince said that with Cloudflare’s zero-trust security products, the ‘digital experience is going to be significantly better than any of our competitors.’
Cloudflare’s Zero Trust Push
As one of the up-and-coming challengers in the space of zero trust security and secure access service edge (SASE), Cloudflare has much to prove to partners and customers alike. But the company is making big strides in the arena, and its offerings bring major advantages that its competitors can’t easily replicate, Cloudflare CEO Matthew Prince said in an interview with CRN.
Above all, Cloudflare’s global network remains its core differentiator when it comes to delivering zero trust-related security services, according to Prince — just as it has been for more than a decade at the company in areas such as web content delivery and distributed denial-of-service (DDoS) mitigation. The Cloudflare network covers 300 cities across more than 100 countries, and offers some upsides in the delivery of security services like zero trust network access (ZTNA) that may not be obvious, he said.
For instance, while competing vendors offer tools that “provide a level of security, they actually slow your performance down pretty substantially,” he told CRN. But when partners and customers use the Cloudflare network, “we don’t slow you down, but speed you up. And that’s why I think we’re seeing more and more customers that are adopting Cloudflare’s complete zero trust security [offering].”
In other words, maybe speed isn’t always the enemy of security after all. Enabling high performance even with security tools deployed “actually makes organizations more secure because of the fact that it means that your users are going to be happy to use those products — as opposed to always trying to find how to get around using that product,” Prince said. Ultimately, “with Cloudflare’s products, regardless of what you’re doing online, the digital experience is going to be significantly better than any of our competitors,” he said.
In the recent interview with CRN, Prince also discussed how the move into zero trust security has opened up significant new opportunities for working with channel partners. Prince, who co-founded Cloudflare in 2009, said the company expects an increasing portion of its revenue to derive through the channel thanks to its newer product lines. “We may not have had that when we first started, but as we’re increasingly in zero trust and developer services, today I think we’re perfectly positioned to be a partner,” he said.
Just over a year ago, the company debuted the Cloudflare One Partner Program, which aims to enable channel partners such as resellers and system integrators to more effectively deliver Cloudflare’s SASE platform to customers. And today, “where I’m spending a lot more time is with our partners — making sure that we’ve got a robust partner program, making sure that we’re supporting that channel well, making sure that we’ve got clear pricing and that we’ve got clear ways of working with various partners around the world,” Prince said. For the 12 months that concluded at the end of March, the company’s revenue through channel partners increased 68 percent year-over-year, according to Cloudflare, above the 66-percent growth rate for the company’s direct sales during that period.
What follows is an edited and condensed portion of CRN’s interview with Prince.
What are the biggest things you want people to know about Cloudflare’s expansion into technologies for enabling a zero trust security posture?
While we’ve been at it for a while, this is a newer space that Cloudflare has gotten into. I’ve been extremely proud of our team at how quickly they’ve been able to leverage our network, to be able to build what today I think is one of the only true full SASE solutions. We’re providing a true secure access service edge and providing all the elements of that — from access control, Gateway, email security, defending your edge with products like WAF and DDoS mitigation. And so increasingly, I think what we’re seeing is that not only are customers recognizing that Cloudflare can solve the problems that they have around control of a modern network. But now we’re getting that recognition from analyst firms, which have recognized us as leaders in email security, zero trust network access, worldwide network edge as-a-service. That I think is real validation, that the work that we’re doing is powerful.
One of the biggest objections that we’ve heard from customers — around a lot of the other solutions that are in the market — is that while they provide a level of security, they actually slow your performance down pretty substantially. And so the fact that we can use Cloudflare’s global network, that we can use everything from some of our older products to actually make internet connections faster — really makes it a win-win for customers. Not only do they get the leading security services that are out there, but by using Cloudflare’s global network, we also do that in a way that we don’t slow you down, but speed you up. And that’s why I think we’re seeing more and more customers that are adopting Cloudflare’s complete zero trust security [offering]. And increasingly, we are our customer’s network.
What are some of the practical advantages of your network for deploying a zero trust security strategy?
If you look at some of the solutions where you don’t have a network, what that means is you’ve got to pay somebody for that network at some level. What you end up doing is stacking, one on top of another, different solutions that provide part of the solution. What we’ve seen is that ends up being not only more complex, but also less secure — and significantly more expensive for customers to be able to administer. If you’ve got somebody who’s just doing your access controls, and somebody else is doing a gateway, and then you’re buying MPLS connections, and you’ve also got your ISP connections and you’ve got hardware that’s sitting in all the places just to connect all the bits together.
What’s powerful about Cloudflare is that we can do all of those things, and we can provide it as one service. We’re able to give people an even better experience, a unified control plane, and usually — if they adopt the entire Cloudflare suite around this — we’re able to save them about 50 percent over what they were spending by trying to cobble together multiple different solutions.
But even in the cases where someone like Zscaler does run a network, and they have PoPs around the world — what is unique about Cloudflare versus a solution like Zscaler is just the scale that we’re able to operate at. We have about 100 times Zscaler’s published capacity across our network. And when you buy network capacity at a wholesale level and you buy a certain amount of out [traffic], you get an equal amount of in. Or if you buy a certain amount of in, you get an equal amount of out.
And so because we have this enormous business around DDoS mitigation and WAF and load balancing and everything else, we’ve paid effectively for that outbound capacity, but that frees up this enormous amount of inbound capacity to provide those zero-trust, forward-proxy services. So we could onboard 100 Zscalers on the existing network that we have, and we wouldn’t have to buy a single new machine. We have that capacity in place. And that’s really important for companies that sometimes today are having to wait a significant amount of time to get network capacity. Sometimes they’re being charged an enormous amount for that.
We also run our own backbone that spans the entire globe and connects most of that together. For our customers, if they’re going from their branch office across something like Cloudflare Magic WAN or Cloudflare Magic Transit, you are never even touching the public Internet. You’re passing across Cloudflare’s backbone end-to-end, in most cases. And that allows us to have a quality of service and a level of security that nobody else in this space can match.
Do you feel like you’ve also got differentiators in terms of avoiding outages?
I think it’s telling that even companies that compete with us, like Zscaler, use us for DDoS mitigation, because we’re just so good at that. And the network that we have is incredibly resilient on a global basis. Now again, we all learn from the mistakes of the past. When COVID hit in April 2020, network usage globally doubled in two weeks. Imagine any utility out there — the electrical grid or the sewer system or the freeways — if they all of a sudden had twice as much use, it would be a real problem. And yet, the internet held itself together. But what that period of time showed us was where the bottlenecks were in our network. So in 2021, we undertook an entire redesign of the architecture of our system to eliminate those bottlenecks. If I’m totally honest, 2021 was — from a reliability standpoint — about as bad as it’s been at Cloudflare. Because it turns out as you’re fixing things, you also end up breaking some things along the way. We had some embarrassing challenges during that period of time. But what came out the other end was a much more resilient network, where there are almost no single points of failure across the entire network that can cause any type of massive outage.
We built that to be able to stand up to the largest denial-of-service attacks. I’m incredibly proud that a lot of the Ukrainian public service and government infrastructure has relied on Cloudflare and faced some of the largest DDoS attacks in history. But for a zero trust [deployment], we get that same resiliency and that same performance, no matter how big an organization you are. We have customers today that have signed up hundreds of thousands of seats in a very short amount of time. And we can get them up and running in hours or days — where, if we look at almost everyone else in the space, the provisioning time is going to take weeks or months to get up and running. And even then, they’re going to have a lot more bottlenecks, a lot more brittleness, a lot more outages.
Is zero trust starting to drive significant growth in your business, or is that still a ways off?
It’s the fastest-growing area of our business. It’s starting from a smaller base, but we’re seeing customers large and small adopt it very quickly. Honestly, the problem with the term “zero trust” is it still elicits eyerolls. It’s a terrible name for the product. The only name that was worse was what Google originally termed it, which was “Beyond Corp.”, which I still don’t totally know what that meant. Zero trust is probably more directionally accurate. But fundamentally, when I have conversations with customers, what they’re telling me is, they feel out of control. They’ve got all of these things running across their network. They’ve got a legacy, 40-year-old mainframe that there’s no way to install two-factor authentication to protect. And yet it’s making critical pricing decisions for how they price whatever it is that they’re selling. They’ve got individual developers that are signing up for who knows what SaaS service. They’ve got a whole shadow IT organization. And now they increasingly have a shadow AI organization, where more employees are turning to these AI tools, whether or not they’ve got the permission to use it. They’ve got a proliferation of different clouds — even if they think that they’re trying to be all in on AWS or all in on Azure, they’ve done an acquisition at some point in time, where they’ve brought some other tool. And that creates a level of complexity.
Is there a better term, in your view, instead of zero trust?
Every CTO, every CIO, every CISO, when I talk to them and I say, “How do you feel?” — they say, “As complexity has increased, I just feel more and more out of control.” And so maybe a better term for zero trust is total control. Because what that 40-year-old mainframe, what every SaaS service that you provide, what everything is able to do is you’re able to restrict all of those things to basically say, “Don’t allow connections unless they come from this particular network.” And then if you have the programmability in the network to say, I’m going to enforce every time somebody passes through the network, that we’re going to make sure that we’re using a modern identity provider, make sure that we’re checking for a second factor of authentication, make sure that this is coming from a user which has the credentials and the permission to access either this application or this piece of data. And then use that network in order to ensure that as data flows back out, it isn’t flowing in a way that shouldn’t be — so that you’re actually looking at what is the DLP on and what the inspection that you can do on the information. If you can put one network in front of all the different services that you have within your company, forget about zero trust, talk about total control.
Fundamentally, I think that’s what more and more customers are seeing and why they come to someone like Cloudflare. Because we can make sure that if someone is using an AI service inside of your organization, that you can control what information flows out of it. We can ensure that if you’ve got an old mainframe, that it’s got modern authentication that’s sitting in front of it to control access to it. That’s what having a programmable network like Cloudflare gives you. So I think we’re still, as an industry, searching for exactly what the right term is. Zero trust is one of those things where I still get tons of eyerolls. But when I say, “What we can deliver to you is total control over how your organization uses your network, and how information flows to and from your network” — that’s something that is causing customer after customer to say, “I need that right now.” And I think that’s what’s driving so much success for Cloudflare in terms of our rapid adoption in this space.
What’s the opportunity for channel partners in working with Cloudflare, and what is your strategy there?
I would say that since our earliest days, we’ve always wanted to be a good partner. But I think that some of our early products weren’t really set up to make us a great partner. We were always excited to be a partner out there, but we would talk to partners, whether they’re systems integrators or value-added resellers — and we’d say, “We’d love to have you sell this.” And they’d say, “Yeah, but the tagline on your website is, ‘Give us five minutes and we’ll supercharge your internet.’ And if it only takes five minutes to sign up, yeah, maybe you’ll give me a percentage of the sale — but that’s just not that interesting. All I am, effectively, is a Rolodex.” For a long time, I think we had a willingness to partner but we didn’t have the right products to be a good partner. I think that all changed both with us going into the zero trust space and with us going into the developer services space.
The way I think of it is as “acts” of products. So our Act One products are things like DDoS mitigation, WAF, load balancing, WAN optimization. Our Act Two products are the zero trust products — access, gateway, browser isolation, email security. Our Act Three products are around our developer platform and our developer services — our Workers developer platform. The Act One products are very easy to install. The Act Two products require a lot more integration. And while we have all those integrations built, that partner is really critical for us to be able to help our customers get the most out of the products and get the best integrations possible. In addition, what we’re seeing with our developer services products is that partners like IBM and Accenture are building their own intellectual property on the Workers platform for specific verticals.
Why has this been such a big change, in terms of Cloudflare’s ability to be a strong vendor partner for the channel?
I think the difference today versus when we started is that not only do we have this extreme willingness to be a partner, but we have the right products where we can work with partners — so that they can go to their customers and add value, have services that help deliver that value, and can make it so that our products work much better for that end customer. Our partner portion of our business is growing faster than the rest of our business. I think over time, it’s going to be a larger and larger component of our business. I think if you fast-forward five years from now, more than half of our business will come from various partners. What I’ve come to appreciate is it’s not just enough that you want to partner. You also need to have the right products to be a good partner. We may not have had that when we first started, but as we’re increasingly in zero trust and developer services, today I think we’re perfectly positioned to be a partner. And where I’m spending a lot more time is with our partners — making sure that we’ve got a robust partner program, making sure that we’re supporting that channel well, making sure that we’ve got clear pricing and that we’ve got clear ways of working with various partners around the world. And I think it’s an extremely exciting time to be partnering with Cloudflare.
What are you focused on optimizing when it comes to working with channel partners?
We brought in Marc Boroditsky about nine months ago to run our revenue operations. He’s focused on making sure that any of the legacy [structures] that we have — that aren’t structured to be the best thing for partners — are oriented around being as fast and as accessible to partners as possible. One of the core things is just making clear what our price list is, and here’s what we can work with partners on — and being extremely clear about that. And then making sure that there’s partner enablement — so that our partners can have the training to understand our products and very quickly bring them to market.
The good news for us, I think, is because of the fact that we’ve always designed our products to be very self-service, very easy to use — I think that DNA actually helps us be a better partner with organizations around the world. I think that’s something that we’re constantly learning, based on what we see in the market. But more and more partners are having real success, generating significant revenue based on selling Cloudflare’s business. And I want to be the No. 1 partner for all the big systems integrators, for all the VARs that are out there — where they can know that Cloudflare is going to support them, take care of them, honor our commitments to them — and is going to be reliable and consistent. That’s what we’re working towards. And I think Marc is doing a great job. And I’m spending a lot of my time also making sure that we’re supporting our partners — because, again, we anticipate that over time a majority of our business will come from those partners.
With SASE, a lot of the idea is that the network and the security aren’t separate things, but are interlinked. Do you feel like you saw that earlier than most?
I think that there are three components to security. There’s identity, there’s network and there’s endpoint. And you need those three components. I think we have been very clear from the beginning that we want to partner with all the best identity providers, we want to partner with all the best endpoint [security] providers. But whether you’re concerned about bad guys getting in, data leaking out, overwhelming DDoS attacks — or you’re concerned about making sure that your network helps control helps provide a centralized layer of total control for how access and privileges are administered across your organization — I think the network is a key piece of security. And we fundamentally are running one of the biggest, most-resilient, most-programmable networks. You want to have security built into that.
What we see ourselves doing is thinking about, if we could start over and rebuild the internet the way it should have been built from the beginning — build in all the controls, all the systems, all the process that you need to have in order to be online — what would that look like? I think because we have that network, when we see new trends like SASE emerging, it’s very easy for us to extend that network to very quickly catch up. And because the underlying network is so flexible, so performant, has so many controls that are built into it — because it’s so global, where today we’re in over 200 cities worldwide, over 120 countries worldwide — because of that, it means that regardless of where a company is, regardless of what they’re trying to accomplish, regardless of whether they’re tiny and just trying to get the most out of every dollar they spend, or they’re a massive multinational with offices around the world — Cloudflare’s network is perfectly positioned to provide that absolute performance, absolute reliability, absolute efficiency and privacy. But security first and foremost. Because we control our network, that’s allowing us to just deliver a much higher quality of service for these products than for people that don’t have that. And that vertically integrated solution, I think, is exactly the right way to provide the best service, with the highest ROI, to customers over time.
Are there any new areas in security that you’re looking to expand into, or do more around, in the near future?
One of the things that we just launched products around is digital experience monitoring — as I’ve got people working outside of the office, from their home, how do I know that they’re actually getting a good experience? And so both our DEX product — digital experience monitoring — as well as Cloudflare Observatory allow you to understand how networks are performing. And I think that’s really important for security. What we’re seeing with our competitors is that their security products slow the end user down. When a developer can’t get a fast response from a server — or when whatever [an employee is] trying to do online is slower than it would be without that security product — people inside organizations find ways around those products. The problem is that if you’ve got a whole bunch of IT support tickets that are getting filed, and then people are opening up basically holes in the firewall to let people through, or in the zero trust solution to let people through — then very quickly, you go from total control to no control at all. So I think that being able to see what the digital experience is that people are having, and being able to understand that, is actually critical to security. I think the fact that we have that background in being able to deliver high-performance networking gives us a huge advantage.
That actually makes organizations more secure because of the fact that it means that your users are going to be happy to use those products — as opposed to always trying to find how to get around using that product, pestering the IT support desk enough that they’ll basically just disable it. Security has to be fast. It’s not acceptable if it’s slow. And the fact that we’re twice as fast as Zscaler, significantly faster than Palo Alto Networks, significantly faster than Netskope — I think that that’s one of the things that we’re seeing actually makes organizations more secure. Because security needs to be usable, and usability is fundamentally about performance. I’m super excited about how we can now demonstrate that with Cloudflare’s products, regardless of what you’re doing online, the digital experience is going to be significantly better than any of our competitors.