On July 20, 2022, at least 76 employees at Cloudflare, a digital security provider, received text messages on their personal and work phones inviting them to click a link that looked like the Cloudflare Okta login page. The irony was that it was an attempt to breach the security of gatekeepers assigned to secure the system. 

Cloudflare claimed to have thwarted the attack using its own Cloudflare One products and physical security keys issued to every employee. “We have confirmed that no Cloudflare systems were compromised. Our Cloudforce One threat intelligence team was able to perform additional analysis to further dissect the mechanism of the attack and gather critical evidence to assist in tracking down the attacker,” said Samuel Sathyajith, head of India and SAARC region, Cloudflare.

Launched in 2010, Cloudflare claims to have a network in over 100 countries, and millions of customers, of which 151,000 are paid subscribers, including 29% Fortune 1000 companies. Cloudflare One is a zero-trust network-as-a-service platform that dynamically links users to enterprise resources while delivering identity-based security controls near the users, no matter where they are.

Fight attacks with zero trust

The first defining principle of the zero-trust model is ‘never trust, always verify’. Just because an acquaintance is on your corporate network, and carries that badge with an employee name on it, doesn’t mean they are who they say they are, or that they’re necessarily well-intentioned.

So the ‘always verify’ piece refers to the fact that every time something, like a user, device or application tries to make a new connection attempt, it should be rigorously authenticated and authorised, instead of simply trusted, because it’s coming  from inside the corporate network.

‘Implement least privilege’ is the second core principle of a zero-trust architecture which says you should provide the minimum amount of access to users that they need to perform their job effectively, and no more. Privileged access management is one the great ways of implementing least privilege for admin users.

And finally, ‘assume breach’, it encourages teams to plan for the worst-case scenario, and build robust incident response plans so that when attacks do occur, the time to respond is rapid and well-practised. Not only this, but this principle encourages organisations to shrink the target, and the impact zone of an attack, through networking principles like micro-segmentation. “We believe that the sudden surge in digital adaptation has further highlighted the need for developing the cybersecurity backbone for the country since large amounts of data is at risk,” said Sathyajith. 

According to Cloudflare’s 2021 report, ‘Data security in the Age of Zero Trust‘, there is high awareness of zero trust across countries like Australia, Japan, Singapore, Malaysia and India, with an almost universal awareness in Australia and Malaysia. However, of the top-5 highly aware countries, the lowest awareness level is in India, which needs to be addressed. 

In India, businesses across many industries, including BFSI, retail, healthcare, education, and telecom, are increasingly relying on cybersecurity in order to address organisational vulnerabilities like cyber threats, data leaks, phishing, and more. As a result, they are focusing their investment on strategies for implementing zero trust models. Security-related technology, software, and services will see greater investment over the next two years as a result of the expanding digitalisation of organisations and the growth of cybersecurity as a major industry concern.

As India’s internet base continues to widen, with the country set to have over 900 million internet users by 2025, a concurrent growth in cyber threats has become a matter of huge concern.

Ethical question: Arbiter or not

Early this month, Cloudflare announced the blocking of controversial website KiwiFarms, a right-wing platform accused of allegedly posting revolting contents, from using any of its services. The digital security provider eventually conceded after many demanded the website be blocked.

However, this has restarted the debate whether tech platforms can act as an arbiter to prioritise one platform over another. The company feels that the debate around content online is a familiar one, and one we’ve been vocal and transparent on over the last several years. Now that it’s fully in the public sphere, it’s become clear that the entire Internet ecosystem must grapple with these complicated questions and that there are unique considerations at every layer of the internet stack. 

“We have thoughtful teams that engage with our industry peers and policy makers on these issues, and we will continue to monitor how this debate evolves,” said Sathyajith.