Envato has grown from a garage startup in Sydney, Australia to a global business, shaping the creative industry with two of the most innovative and comprehensive creative products on the market: Envato Elements and Envato Market.
With over 2 million customers per year (ranging from independent designers and tech startups to established corporations like Google, Microsoft, Netflix, Nike, and Walmart) the business is dedicated to helping creatives thrive by enabling them to buy or sell creative assets across video, music, photo, graphics, fonts, website themes, code and more.
In 2022 Envato Authors (sellers) surpassed $1.3 billion USD in earnings across all its sites. Today, Envato has hundreds of staff across key offices in Melbourne, Guadalajara and in remote work locations wherever staff may live.
With a global customer base and a distributed workforce, navigating international security is one of Envato’s top priorities.
“Supporting and securing our customers and workforce is one of our focuses,” says Ross Simpson, Envato’s Senior Principal Security Engineer. “Because we work with creators and clients globally, we also need to pay special attention to international security requirements.”
With its prior vendors, Envato was vulnerable to cyber threats.
“Prior to partnering with Cloudflare over 5 years ago, we'd suffered denial of service and extortion attacks” says Simpson, “including one large-scale distributed denial of service attack that resulted in the entire Envato platform going down in one instance for a number of hours. This obviously is not ideal for an ecommerce company. It caused revenue and reputational damage to Envato.”
Envato recognized the need to find a more effective, more modern security vendor.
“Our research and the DDoS attack led us to Cloudflare,” says Simpson. “Although, like many organisations, we get attacks across our sites, now we rely on Cloudflare to secure us against significant threats.”
Envato uses Cloudflare’s application security services to protect their web apps, stop bad bots, and monitor for suspicious activity – all from a single management interface.
“Managed rules in the Cloudflare WAF block known attackers. We can also easily create and deploy custom rule sets to block bad behaviors specific to our sites. Cloudflare Rate Limiting adds another layer of protection to our sites and APIs against both malicious and accidental overloads,” says Simpson.
Envato favors automation and infrastructure-as-code, and Cloudflare’s systems are a good match. Configuration can be expressed in code, deployed within moments, and if needed, changes can be rolled back with little effort.
Leveraging Cloudflare as its content delivery network assists Envato to deliver consistently fast and reliable website experiences.
“Our origin servers are in the US, so we depend on the Cloudflare network in regions like South America, India, and Asia where we have large customer bases,” says Simpson. “Cloudflare gives us a significant increase in performance and reliability that assists us to deliver the experience our customers expect from Envato.”
Envato uses Argo Smart Routing to detect real-time congestion and route web traffic across the fastest and most reliable network paths.
“We have seen Cloudflare assist us in decreasing response times by ~50% on our flagship sites over a period of five years,” says Simpson. “That translates into a better user experience for our customers — when our sites are faster, customers engage.”
In addition to enhancing the customer experience, Cloudflare has contributed to reducing Envato’s bandwidth costs and helps them localize regional data.
“Since the introduction of Cloudflare, we have seen each month we offload more than 20 terabytes of data from our origin servers,” says Simpson. “That translates to monthly savings that wouldn't be possible without Cloudflare.”
With their public-facing websites secure and performant, Envato turned to Cloudflare to secure employee access to internal applications and infrastructure.
“We're a cloud-native company with a global workforce. Our staff need to access key company resources from wherever they are in the world,” says Simpson “Cloudflare Zero Trust was a really good fit — a secure, effective, and simpler approach than traditional access controls.”
Cloudflare Access, a Zero Trust Network Access (ZTNA) service, equips Envato’s IT and security teams with granular control over how users access internal applications – without maintaining lists of trusted IP addresses or complex VPN appliances.
“With Cloudflare, our employees enjoy seamless access to the tools they need to do their jobs. Cloudflare integrates with our existing identity provider to ensure consistent access across all of our internal apps,” says Simpson, “Cloudflare not only assists in protecting us, it simplifies our employee onboarding and offboarding processes.”
Envato uses the WARP client and the Cloudflare Secure Web Gateway to add more granular control to sensitive information.
“With Cloudflare Access we can easily protect our applications,” says Simpson. “We use the Secure Web Gateway with WARP on a user's machine to meet more complex security and regulatory requirements.”
Envato uses Workers, the Cloudflare developer service, to anonymize user data and remove sensitive information from requests to third-party and partner applications. Workers also adds security headers to responses before they go out to customers.
“Workers is an important tool in our developer toolbox — another way we prevent data leakage and increase our security posture,” says Simpson. “We have replaced some applications entirely with Workers. Our architects and developers often reach for Workers.”
According to Simpson, in addition to Cloudflare functionality, customer service has played an important role in Envato’s success using the Cloudflare platform.
“Support was excellent even before we committed to anything. Our early interactions with the team gave us confidence that Cloudflare was the solution for us,” he says. “That high level of customer service has continued to this day. It's been a great value, and we still have an incredible Cloudflare team supporting us.”
Moving forward, Envato plans to further improve their security posture using Cloudflare's advanced bot management and web security suites.
“Expanding with Cloudflare just makes sense,” Simpson says “Cloudflare takes care of the complex and tedious stuff required to secure and run our web applications and lets us focus on what we really care about — delivering better products and experiences to our customers.”
Saved thousands in bandwidth fees every month by offloading more than 20 terabytes of static data from the company’s origin servers
Reduced server response times by 50% for flagship sites, improving user experience and increasing customer engagement
Simplified employee access to company resources, eliminating high-maintenance IP address management tools and a complex VPN infrastructure
Improved third-party application security and reduced data leakage by stripping out sensitive information using developer tools on the network edge
“Cloudflare takes care of the complex and tedious stuff required to secure and run our web applications, allowing us to focus on what we really care about — delivering better products and experiences to our customers.”
Ross Simpson
Senior Principal Security Engineer, Envato
“Our staff needed to access key company resources from wherever they were in the world. Cloudflare Zero Trust was a really good fit — a more secure, more effective, and simpler approach than traditional access controls.”
Ross Simpson
Senior Principal Security Engineer, Envato