[myalphabet]

It’s always nice reading about a company taking security seriously, and Cloudflare has some decent write ups for their hardware/software security, but I sure wish they would take other forms of security more seriously.

I visited Cloudflare’s Austin office. The door to the office is an old unlocked door with a glass pane and an old deadbolt. There is no reception desk or even anyone watching the door. I was able to walk in completely unnoticed and walk around for a couple minutes trying to get someone’s attention to figure out where I needed to go (not the best job interview experience, but that’s a different topic), while desks full of unattended and unlocked computers were fully available to me.

For a company that bills itself as an internet security company, it wasn’t very inspiring security.

edit to add: this was over a year ago so it’s possible things have improved since then. My understanding is that the Austin office is relatively new so maybe at the time they were still working out the kinks (still not great security but more understandable at least)

[Hikikomori]

We had a guy from another company walk into our office behind someone by mistake, find our it support people behind more internal doors, and asked them for help with with his laptop. Still just as easy, we're a large fintech company.

[zackbloom]

I work at Cloudflare Austin. I can't speak to this specific experience, but we have badges and a security person like every other office. It is true we don't have a reception desk in the lobby as it's a shared building.

[myalphabet]

When did you join the Austin office? I'm guessing things changed over time. When I visited there definitely was not a security person (not for the building nor for the Cloudflare suite in the building) and there were no badges. I was able to walk into the Cloudflare office through the unlocked door and walk around inside the office for at least a couple minutes before anyone paid any attention to me (and even that was only because I was trying to get someone's attention to tell me where to go).

Regarding the reception desk, it shouldn't matter if it's a shared building. Unless it's a small company (CF is not), even in shared buildings it's common to have at least one person sitting at a desk in the office suite to act as a gatekeeper and assist visitors, etc.

[noahmbarr]

Before posting this, did you give them this feedback directly?

[myalphabet]

One of the folks I talked to while there was one of the senior security team members, and I mentioned it to him during the interview but felt like it was brushed off (honestly that’s not that uncommon, I’ve worked in security for years and while software people are always really critical on software security, they really don’t care about physical security). I’ve been back once and nothing had changed at that time, but that was over a year ago so hopefully in the past year things have improved.

[jgrahamc]

I went ahead and copied your comment to our internal security team. We do take this stuff seriously and I was surprised to hear about unlocked machines and easy access.

[myalphabet]

That’s good to hear! I edited my original comment to say that this was over a year ago and was still when the Austin office was relatively new so perhaps it was just the effects of adjusting to a new space, and hopefully things are different now. Still, glad that it’s taken seriously.

[ksec]

Very often Middle Management just dont care ( Security or not ). It is not their Job to care. Unless this get escalated to C / SVP feel.

[latchkey]

Right above this comment is the CTO saying he cares. =)

[yjftsjthsd-h]

While it may actually mean something here... every CTO says they care. The more candid ones will follow up with comments about prioritization and profitability and cost control. But what matters are the actual actions they take. Now again, I gives CF better than usual chances, just... I wouldn't take it too much to heart.

[latchkey]

I have been a customer and follower of CF from almost day one. I also know a couple employees. While they haven't been perfect over the years, I tend to trust him on his word.