Republic of Estonia Information Security Authority

Cloudflare security solutions protect the Republic of Estonia’s digital economy from cyber threats

In the 1990s, policymakers in the Republic of Estonia laid the groundwork for building a new technology infrastructure from scratch. The IT strategy called for creating low-cost, cutting-edge systems based around accessibility and efficiency.

The result: Today’s Estonia is a digital society. It’s the first country to move its IT infrastructure into the cloud, with critical databases and services backed up in a high-security data center in Luxembourg. Citizens can vote, sign documents, pay parking fees and taxes, order prescriptions, and more from their smartphones and computers.

Digital services make life easier for citizens while also making more efficient use of taxpayer money. But in a digital society, robust security is vital to protecting personal data and the many digital services people rely on. CERT Estonia, the cyber security branch of Estonia’s Information System Authority, has implemented Cloudflare solutions not only to harden its security posture but also to maintain strict compliance with regulations and standards for data privacy and protection.

Challenge: Thwart malicious attacks and achieve compliance with government and industry regulations

In 2021, organizations around the world experienced an unprecedented increase in new vulnerability exploits, ransomware, phishing, and distributed denial-of-service (DDoS) attacks. CERT Estonia registered twice as many DDoS attacks in 2021 versus 2020, and received 20% more reports of fraud affecting businesses and individuals.

In response, the CERT team aggressively implemented tools and resources to strengthen its security posture. These efforts have accelerated threat identification and response. Cloudflare application security products play a major role in the CERT security strategy:

  • Cloudflare DDoS services protect web services, applications and network infrastructure
  • Cloudflare Bot Management manages good and bad bots in real time
  • Cloudflare Rate Limiting enables the team to establish rules that prevent requests from overloading a server

The team has also begun implementing the Cloudflare Data Localization Suite (DLS) to handle expectations and requirements for keeping certain data within the borders of Estonia or the European Union.

Mitigating DDoS attacks, bot attacks, and excessive server traffic

With the increase in attacks of all types, the CERT team began investigating and testing various security solutions. The team found that Cloudflare excelled in its ability to detect and mitigate DDoS attacks, malicious bot intrusions, and traffic overload on servers.

Cloudflare DDoS protection addresses the rising number of DDoS attacks, protecting Estonia’s web services, applications, and network. “DDoS protection was easy to set up,” notes Tõnu Tammer, Director of CERT Estonia. “And we now have significantly stronger protection against random scanning, software vulnerabilities, and so forth.”

Because not every bot is bad, the CERT team seeks to manage bots in a way that does not interfere with good bots. Cloudflare Bot Management uses machine learning and behavioral analysis to recognize requests that are likely coming from bots. It creates and maintains a list of acceptable bots to ensure that requests from them pass through. By blocking bad bot traffic, Cloudflare Bot Management ensures that the Information System Authority’s backend systems are available for efficiently handling valid traffic.

Cloudflare Advanced Rate Limiting employs a rules-based approach to stop requests from overloading a server. The solution is a leap forward in throttling technology. It counts requests based on virtually any characteristics of the HTTP request, regardless of its source IP, providing a strong defense against brute force, scraping, and targeted DDoS attacks.

“What is especially good about Cloudflare’s approach is that we can layer the DDoS, Bot Management, and Rate Limiting tools with complementary rules to protect more fully against malicious traffic,” Tammer says. “The tools work together to quickly identify threats and apply rate limiting to keep traffic to servers at a manageable level.”

Realizing quantifiable results

Since implementing the Cloudflare solutions, the CERT team has dramatically improved its ability to block threats. For example, Cloudflare blocked 384 million threats in a single 30-day period. The solutions are also enhancing efficiency and reducing costs. The team reports a bandwidth and data egress cost savings of 75% in a 30-day period.

Ensuring compliance with the GDPR and adherence to standards

Like all EU and European Economic Area (EEA) countries, Estonia must ensure that its IT systems comply with the General Data Protection Regulation (GDPR). The GDPR requires that the processing and storage of personal information must occur within the borders of EU and EEA countries.

Cloudflare’s network is private and compliant by design, maintaining ISO 27001 certification. The Cloudflare Data Localization Suite enables Cloudflare to extend the same rigorous level of privacy into application data.

Tammer says that a major advantage of Cloudflare is its physical presence in Estonia. Most Information System Authority services run within Estonia as well. The implementation of DLS with Cloudflare Spectrum, a reverse proxy product that extends the benefits of Cloudflare to all TCP/UDP applications, reduces the risks associated with connecting to the public internet. “The Spectrum default configuration on our IPs ensures that data processing takes place inside the European Union,” Tammer remarks. CERT is the first customer to use Spectrum static IPs.

The CERT team is impressed with Cloudflare’s adherence to standards and timely adaptation to emerging standards. Cloudflare supports the current Transport Layer Security (TLS) 1.3 standard and will offer support for post-quantum cryptography standards as they are finalized in the future.

“New privacy standards are designed with greater security in mind. Cloudflare is committed to adopting these standards with products like the Data Localization Suite. We benefit from this constantly improving security without any impact to our performance or availability,” said Tammer.

CERT Estonia is ready for the continued onslaught of threats in the years ahead

The security team at CERT Estonia is realistic about the future. Cyber threats are not going away — instead, they will constantly increase in volume and sophistication.

With Cloudflare, however, Estonia’s Information System Authority is fully prepared for vulnerability exploits (like those directed at the Log4j logging application), the growing number of DDoS attacks, phishing attacks, and other threats. Moreover, team members are confident that the partnership with Cloudflare will empower them to stay ahead of criminal groups and individual attackers who target Estonian citizens, businesses, and government agencies.

Republic of Estonia Information Security Authority
Key Results
  • Cloudflare Data Localization Suite helps CERT Estonia meet requirements for processing/maintaining data within the borders of Estonia/EU

  • Cloudflare blocked 384 million threats in a single 30-day period

  • Bandwidth savings of 75% in a 30-day period

Cloudflare provides an additional layer of defense for our critical government sites. Each day, I check the previous night's activity to find out what kinds of attacks occurred. With Cloudflare, I see that nothing got through and none of our services were interrupted. So I sleep better at night.

Tõnu Tammer