Bouvet is an IT and digital communications consultancy in Northern Europe widely recognized for their focus on innovation, sustainability, and strong sense of social responsibility. Since 2006, the company has supported a variety of private and public sector companies’ digital transformations through software development, system integration, business intelligence, data analytics, cloud computing, and cybersecurity service expertise.
Prior to 2020, Bouvet’s employees worked across 17 offices in Norway and Sweden, but during the COVID-19 pandemic their staff began working remotely around the world. As the company’s slow and unreliable VPN struggled to handle the increased traffic and hurt productivity, securing access to corporate resources emerged as an IT priority.
“Overnight, we realized the bandwidth of our costly VPN concentrator was terrible. In some parts of Europe, our employees were seeing speeds of half a megabit,” says Persson, “In the mornings we would discover that another 10 people couldn’t work due to connectivity issues.”
The Ukraine invasion presented the company with yet another challenge. In response to the conflict, the company sought to make its already stringent security standards even more proactive.
“When the war in Ukraine started, we received many emails from customers and from authorities stating that Bouvet is a critical vendor and that we had to take every possible precaution to remain secure,” says Persson. “We have many security-sensitive customers and our top priority is keeping them safe in this new threat landscape.”
In addition to these greater external events, Bouvet’s most consistent threat vectors are email and web browsing.
“We saw a lot of phishing emails coming through our mail filters. It was just a matter of time before somebody actually gave away their credentials,” says Persson. “Phishing was our primary concern, but we wanted protection from everything on the web from ransom and malware to automatic download drive-by attacks.”
Bouvet needed a solution that would address its collective security and productivity challenges — preferably from a single vendor.
Shortly after the shift to remote work, Persson turned to Cloudflare to secure employee access to Bouvet resources. His initial confidence in Cloudflare was grounded in his own experiences securing his home IT environment with Cloudflare Access, a Zero Trust Network Access (ZTNA) service.
“I knew from personal experience Cloudflare Zero Trust services could protect Bouvet’s applications, and getting management approval to go with Cloudflare Access was simple,” he says. “Cloudflare’s policy of complete transparency when it comes to security matched our own. That made it easy to build trust.”
Bouvet’s initial Cloudflare pilot focused on securing remote access for dozens of consultants, whose movement was limited by COVID-19 travel restrictions. Encouraged by the pilot’s results, the company began rolling out Cloudflare Access to nearly 2,500 employees over the following year. Through these phases, Bouvet’s administrators found Cloudflare simple to set up and easy to maintain.
“We had Cloudflare Zero Trust up and running in no time. Using our old VPN, it took us days to provision new users in a secure manner where people could only access what they explicitly needed to access. As the VPN was set up in a traditional default-allow configuration, users would have more access than needed for their day-to-day work. Now we can onboard them in minutes,” says Persson, “It was really messy. Even with only 200 users on the VPN, we received multiple daily support tickets about the client crashing. When our VPN licenses expire, we won’t be renewing them.”
Switching to Cloudflare has helped improve efficiency not only for administrators but also for end users, who benefit from a more streamlined authentication experience and a more reliable connection. Plus, Bouvet has been able to improve its security posture by adopting identity-based, default-deny Zero Trust policies.
Based on their positive experience switching from its VPN to a cloud-delivered ZTNA service, Bouvet began to explore opportunities to deprecate other legacy IT and security systems and consolidate security onto Cloudflare’s Zero Trust platform.
For this next phase, Bouvet focused on modernizing their threat defense to support its current hybrid work model and reduce reliance on their on-prem security stack. Specifically, Bouvet onboarded Cloudflare’s Secure Web Gateway (SWG) to filter and inspect Internet traffic across remote users and office locations. Reducing the risk from online threats like ransomware has been critical, particularly as cyber-attacks increase across Europe due to the Ukraine conflict.
“My team and I sleep better at night without worrying whether we have the latest security patches or our third-party and legacy tech stacks are secure,” says Persson. We depend on Cloudflare to reduce our attack surface by securing our ports, filtering threats, and cleaning up our traffic. That is important when our users may be under attack or entering sensitive information as they submit support or feature requests.”
“We also use Cloudflare Gateway’s DNS resolver for our premises’ firewalls, where egress traffic is filtered for every client in the office/s, meaning we keep our employees, guests and customer equipment safe from online threats. And it’s all clientless.”
Next, Bouvet bolstered their protections against Internet threats even further by layering on Cloudflare’s Remote Browser Isolation (RBI) service. RBI reduces risk by running all browser code on Cloudflare’s global network – keeping any malware far away from local devices and insulating users from harm. Within isolated browsers, administrators can also control how users interact with data on websites, including preventing risky actions like downloads, uploads, copy-pastes, keyboard inputs, and more.
“People use their computers for everything, not just work, but with Cloudflare RBI we can seamlessly isolate malicious domains and stop users from entering their credentials into shady sites and harvesters,” says Persson. “By the time a user reports a security incident, Cloudflare has already isolated the threat. It's a huge benefit. ”
Bouvet has also taken a more proactive stance against phishing by adopting Cloudflare’s cloud email security service, Area 1, which preemptively hunts for and blocks email phishing infrastructure, sources, and delivery mechanisms from the cloud. During Bouvet’s initial testing, Cloudflare proved itself extremely effective at identifying sophisticated threat emails. The results solidified Area 1’s position as Bouvet’s first line of defense against phishing and other socially engineered email-based threats.
“Over 30 days and 265,000 messages, Cloudflare detected 908 malicious emails that our existing email security tools missed,” says Persson. “Area 1 protects us from potential data exfiltration and domain-wide ransom attacks. We no longer see email-related support tickets in our security reporting portal.”
While Cloudflare integrated Zero Trust services and Layer 7 security tools like the Web Application Firewall (WAF), Global Network, DDoS Protection, and Bot Management provide security and peace of mind that allow the company to focus on delivering innovative IT solutions, Cloudflare Premium Success support has also been invaluable to Bouvet.
“The Cloudflare Customer Success team is beyond competent. They know you as a customer. They understand your needs and environment, and they don’t try to sell you products you don't need,” says Persson. “They don’t run you through a checklist asking if you have rebooted your PC. They gather information the engineers need to solve your problems quickly — even when the problem is new and unfamiliar.”
Bouvet is also a Cloudflare reseller and Authorized Service Delivery Partner — the first in the Nordics.
“Transparency is the foundation for building trust — Cloudflare is so transparent with every single incident, it was easy to form a partnership,” he says. "It has been an excellent collaboration. We will continue to expand our use of Cloudflare services and solutions.”
Significant time savings in onboarding new users in a secure, default-deny manner — now in minutes, compared to days
Reduction in VPN-related support requests, even as concurrent users increased by 300%
Shields difficult-to-secure legacy hardware and network infrastructure from inbound threats with minimal implementation, configuration, and maintenance efforts
Seamlessly protect employees from credential harvesters and malicious domains by isolating browser-borne threats in the cloud
“My team and I sleep better at night without worrying if we have the latest security patches or if our third-party and legacy tech stacks are secure. Cloudflare reduces our attack surface by securing our ports, filtering our threats, and cleaning up our traffic.”
Security Operations Lead
“Transparency is the foundation for building trust — Cloudflare is so transparent with every single incident, it was easy to form a partnership. It has been an excellent collaboration. We will continue to do more and more with Cloudflare.”
Security Operations Lead