Founded in 1957, INSEAD is an international graduate business school with campuses in France, Singapore, and Abu Dhabi, with a San Francisco location coming soon. The school consistently ranks among the world’s top business programs, and its nearly 60,000 alumni represent 175 countries and 166 nationalities.
Prior to partnering with Cloudflare, INSEAD lacked a web application firewall (WAF) to protect both its WordPress websites and external applications like its payment gateway. “We had an on-prem WAF for apps hosted on-prem, and for external apps, we relied on our app providers’ security settings,” explains Ar Kar Oo, Senior Manager, Cyber Security. “We were struggling with malicious threats trying to execute JavaScript exploits, and we knew we needed a WAF to protect against these threats.”
Internal application access was also a challenge. INSEAD used a combination of VPNs and allow-listing to give developers access to these applications, which was complex and time-consuming to manage. INSEAD needed more flexibility than the VPN could provide, including the ability to deploy single sign-on (SSO) to simplify logins when developers had different credentials for different environments.
INSEAD partnered with Cloudflare in early 2020 and deployed the Cloudflare WAF as a small-scale proof of concept. When this proved successful, INSEAD began rolling out the Cloudflare WAF across all its websites and apps.
“We mostly use the WAF’s preconfigured rules,” Ar Kar Oo says. “The configuration and implementation were very smooth. We only needed to contact Cloudflare a few times to get advice on configuring the rules and checking the logs. We like that once we configure the app for one site or app, we can use the same configuration for other sites and apps.”
The Cloudflare WAF now blocks approximately 100,000 threats a month from reaching INSEAD’s web properties and applications, and the school benefits from the increased visibility the WAF provides. “We didn’t have detailed information on cyber threats and traffic levels before. Now, we can see exactly how cybercriminals are trying to access our sites,” Ar Kar Oo says. “Whenever a WAF rule is triggered, we know we need to investigate further. Also, DDoS attacks are picking up again, and having Cloudflare protecting our sites is a value-added benefit.”
INSEAD decided to deploy Cloudflare Access, which provides access control for cloud and on-premise applications without the need for a VPN, while its proof of concept for the WAF was still ongoing. “We have a very large portfolio of apps, all of which would benefit greatly from the increased security and flexibility that Cloudflare Access can provide,” says Alexandre Papadopoulos, Director of Cyber Security.
“We’re also looking into expanding how we are using our environment,” adds Ar Kar Oo. “Most of our users are on mobile, and we want to use Access to accommodate them.”
Both Papadopoulos and Ar Kar Oo found the implementation of Cloudflare WAF and CDN to be quite easy. The team was concerned about negatively impacting performance for China-based users, but these fears turned out to be unfounded. “Our sites are very complex, so we are very cautious about implementing new solutions,” Papadopoulos says.
Access has also improved internal efficiency. Prior to implementing Access, INSEAD’s admins had to do a lot of location-based allow-listing, and if they wanted to make any changes to an app, they had to seek permissions, which created bottlenecks. “Access lets us set up custom policies, and we’ve been able to reduce our dependence on VPNs and IP allow-listing for development environments. Additionally, our developers and testers aren’t required to log in from specific locations, and we’ve been able to deploy an SSO solution to simplify the login process,” Papadopoulos recalls.
“Access is easier to manage than VPNs and other remote access solutions, which has removed pressure from our IT teams,” Papadopoulos adds. “They can focus on internal projects instead of spending time managing remote access.”
In addition to Access and the Cloudflare WAF, INSEAD is also in the process of implementing the Cloudflare CDN. Currently, INSEAD serves about 1.5 terabytes of traffic a month through the CDN.
“I would definitely recommend Cloudflare to colleagues,” says Ar Kar Oo. “I’d used Cloudflare previously, but this was my first time using Access, and I quite like it.”
“Everything has gone smoothly,” adds Papadopoulos. “Cloudflare’s solutions are easy to deploy, they’re user-friendly, and they immediately show value. Getting developers to buy into a security product can be tricky. Developers tend to view a new security solution as something that’s going to add to their workload, but they had no resistance or complaints about Cloudflare. Access and Cloudflare WAF have made their jobs easier.”
The Cloudflare WAF blocks 100,000 threats per month from reaching INSEAD’s sites and apps.
Cloudflare Access allowed INSEAD to deploy an SSO solution and minimize their dependence on VPNs and allow-listing.
Cloudflare CDN serves about 1.5 terabytes of traffic per month for INSEAD.