Security without sacrifice — Safeguarding Drata’s compliance automation platform with Cloudflare Zero Trust

In mid-2020, Drata’s co-founders set out to help companies of all sizes achieve and maintain compliance by creating a software-as-a-service (SaaS) platform that champions an automation-led approach to streamline risk and compliance. In two years, the company has quickly become the security and compliance automation platform of choice for thousands of companies across the world, with over 14 compliance frameworks, standards, and regulations (including SOC 2, ISO 27001, HIPAA, GDPR, among others), a dynamic Trust Center, comprehensive Risk Management offering, as well as its Open API, empowering customers with the ability to architect creative solutions specific to their risk and compliance needs.

Challenge: Securing a security and compliance platform

Given their focus on compliance, the Drata co-founders were hyper-security conscious from the start.

“We were entering the cyber security industry, so we understood from day one that security had to be the core of Drata’s foundations. It was the one place we could never bend or compromise,” says Daniel Marashlian, Drata Co-Founder and CTO.

Drata needed to secure its employees, resources, and infrastructure. But, while they required stringent security, the Drata co-founders also needed a system that did not overburden administrators or feel intrusive to their end users.

“We wanted to lock everything down, but we didn’t want to make it hard for our people to actually work,” says Marashlian. “We needed the best tools and security methodologies without going overboard and becoming obstructive.”

Drata faced another challenge — the company’s growing profile attracted attention from attackers.

“Simply being in the cyber security industry, we are a target,” says Marashlian. “As we grew, we saw an increasing number of bot attacks on our marketing pages. We had to strike a balance that blocked the bots without disrupting potential customers.”

The company also needed to secure and manage their online Trust Center — a dynamic and customizable page integrated into their website that proactively displays critical elements of their security posture for customers, auditors, administrators, and prospects looking for greater transparency into a company’s security and compliance program.

“With the Drata Trust Center, every customer can easily spotlight the quality of their security programs, but as we grow, democratizing that information for each company over HTTPS means maintaining thousands of SSL certificates,” says Marashlian.

Solution: A familiar partnership and a fresh start with Cloudflare Zero Trust

Even when Drata was still a proof-of-concept, Marashlian and his co-founders knew they wanted Cloudflare to secure their future workforce. They based this decision on prior positive experiences with Cloudflare.

“I have always been a Cloudflare proponent, so procuring Cloudflare services was one of our first line items,” says Marashlian.

Today, Drata uses Cloudflare Zero Trust to secure access to internal applications for nearly 400 employees spread across the globe. Cloudflare secures connections from users and devices to the applications, environments, and infrastructure crucial to the development of their core compliance platform.

“When we started our enterprise plan with Cloudflare, we did an internal security audit and knew we did not want any exposed ports or open machines because that is where attacks happen,” says Marashlian. “When a team member anywhere wants to use our internal tools or systems, they can only get to them using Cloudflare Zero Trust.”

Cloudflare’s native integration with Okta, Drata’s identity provider, made it simple to strengthen security with identity-based Zero Trust policies across applications. This integration equips IT and security administrators with granular control over who can access what. In addition, Drata has layered on additional verification steps like multi-factor authentication (MFA).

“Cloudflare Zero Trust has removed our back doors and other vulnerabilities and provides us with the proper tools in a proper trust chain, enabling us to secure our information using biometrics and multi-factor identification,” says Marashlian.

Cloudflare Zero Trust also saves Drata a significant amount of time and resources. It has substantially reduced administrative overhead for configuring and distributing specialized equipment when onboarding employees and contractors.

“Before Cloudflare, we had very specific workstation requirements for anyone that needed to use our internal tools,” says Marashlian. “A year ago we would have had to ship specially configured laptops to new staff or contractors. With Zero Trust in place, we can just point them towards a software download and give them login information.”

Blocking automated credential stuffers and false bookings with Cloudflare Bot Management

As a new company, Drata secured its sites and infrastructure using the Cloudflare Web Application Firewall (WAF) and Layer 7 protection. As the company grew, however, it attracted malicious traffic that resulted in inflated data sets and false conversion information that made life difficult for Drata’s marketing team.

“When we saw our traffic and bandwidth usage increasing due to false form submissions, fake demo requests, and automated input data, we stopped it at the edge — we blocked the IP addresses using the Cloudflare WAF,” says Marashlian. “But, the bots kept coming back, and they were a little more sophisticated each time around.”

Consulting with their Cloudflare account team, Drata decided to implement Bot Management, which uses behavioral analysis, machine learning, and fingerprinting to differentiate between good and bad bots and stop unwanted on-page activity.

“Bot Management was simple to install and get running — after a month we had everything fine-tuned,” says Marashlian. “It was the right decision.”

With its bot management dialed in and automated, Drata reduced its bandwidth consumption and improved the quality of the data its marketing teams have to work with. Having Cloudflare at work in the background also helps lighten the load for Drata’s technical staff.

“Knowing that attacks will never stop and that Drata will continue to grow as a target, it is good to have Cloudflare Bot Management to alert us if something goes wrong,” says Marashlian. “It allows our security team to focus on other issues.”

Simplifying Customer Trust Center management with SSL for SaaS

Trust Center is a core offering for Drata, providing transparency in the form of compliance status with various frameworks, standards, and regulations, security reports, policy documentation, an inventory of continuous monitoring processes, and a list of authorized data sub-processors. With each Trust Center dynamically hosted on a client domain and requiring its own SSL certificate, maintaining them for a rapidly growing customer base became a logistical challenge.

Using SSL for SaaS — the Cloudflare product which automates SSL lifecycle management and reduces SSL certificate deployment times and overheads — the Drata engineers created a solution that allows their customer service team to administer Trust Center pages without direct access to the Cloudflare Enterprise dashboard.

“We created a tool that interfaces with the Cloudflare SSL for SaaS API and allows our people to provision and maintain SSL certificates with a few mouse clicks,” says Marashlian. “It's flexible, secure, works flawlessly, and only takes our people minutes per customer.”

In addition to Cloudflare’s rich, integrated security and the strength of its Zero Trust toolset, customer service made it the obvious choice for the Drata co-founders. As Drata matures, Cloudflare customer service and support continue to exceed their expectations.

“Whenever anything comes up, the Cloudflare team is on it immediately to help us determine a solution — the response is always positive,” says Marashlian. “Cloudflare is the ideal security partner for a cyber security company on the compliance vertical — it provides excellent support and works like a charm allowing us to always put our best foot forward.”

Key Results
  • Reduced bandwidth consumption with automated bot mitigation, improving marketing data and easing IT staff workloads while cutting costs

  • Improved client website security and accelerated the creation and management of SSL certificates

  • Simplified employee onboarding by eliminating the need for custom-configured secure workstations
