ARN

Network-as-a-service lets a shoe retailer take steps toward Zero Trust

DTLR has gradually moved its retail operations to Cloudflare NaaS for better security, network performance, and predictable costs.

Nigel Williams-Lucas, director of Information Technology at Maryland-based footwear retailer DTLR, faced a challenge that most IT execs will recognize: the business was pushing hard on digital transformation, and the IT infrastructure was struggling to keep pace.

Store managers were seeking better data analytics and business intelligence from backend systems like inventory and sales. The business wanted IT systems to support customers ordering online and picking up at a physical store within two hours.

The network needed to securely support real-time, bandwidth-intensive IP security cameras. And Williams-Lucas wanted to roll out beaconing technology, in which the network gathers information about customer in-store activity via Bluetooth or Wi-Fi, and can send discount offers to a customer’s phone based on where they are in the store and what they appear to be interested in.

There’s another wrinkle specific to DTLR that created challenges for IT. The company, which specialises in sneakers, clothing, and accessories, creates original programming from its own radio station in Maryland. The station also goes on the road. For example, DTLR Radio, which is available on a mobile app, was broadcasting live from the Grammys. Williams-Lucas needed to make sure he could safely push that content out to DTLR’s 250 stores.

To address the security aspect of his laundry list of challenges, Williams-Lucas chose a network-as-a-service (NaaS) offering from Cloudflare that puts him on the road to Zero Trust without having to make a capital expense or swap out any hardware. He says NaaS is a somewhat nebulous term that can mean different things to different organisations, but for DTLR, “NaaS is our phased approach to Zero Trust.”

Shifts from IPSec VPN and toward cloud

DTLR’s IT style is to move cautiously and take small steps. Says Williams-Lucas, “I need to be very strict about how I roll things out. I could shut down the business, and nobody wants that.

“We don’t have massive amounts of resources; we don’t have a large engineering team. I want to enable the business to grow, but I need to do that in a controlled and smart way. We need to have a single view for our team to be able to execute changes that take effect across our retail stores without having to go around to each one. We want to be able to audit things to make sure they’re correct. And for cybersecurity, I need to be able to see traffic moving in and out.”

DTLR (formerly Downtown Locker Room) is known for its retro-type sneakers, like Air Jordans. Unfortunately, the company’s IT infrastructure is also pretty retro, with legacy hardware that requires plenty of maintenance and lacks the features and capabilities the company needs. “We still have vestiges of the old infrastructure where everything was on-premises,” says Williams-Lucas.

DTLR is shifting to the cloud, but taking a methodical approach, migrating some resources from its VMware-based data centre servers to a colocation provider, and moving other resources directly to Microsoft Azure.

Until recently, the company relied exclusively on off-the-shelf software; it uses Aptos for core retail systems, like warehousing and point-of-sale. But DTLR recently hired its own developers and wants to transition to a cloud-first development environment. For the time being, however, the company’s Kubernetes development environment is running on-prem.

Williams-Lucas was also dealing with a castle-and-moat security framework from the ’90s that relied on IPsec VPNs connecting the stores to a centralised location. That hub was a single point of failure, and the design gave his team little visibility into, or control over, the traffic crossing it. “There was a complete lack of control from IT’s point of view,” he says.

An evolving relationship with Cloudflare

DTLR’s relationship with Cloudflare dates back to 2017, when Williams-Lucas signed up for the company’s secure DNS service. By funnelling all DNS requests through Cloudflare, DTLR was able to gain some assurance that employees weren’t connecting to known bad sites, it gained protection against DDoS attacks, and it also gained some visibility into what employees were doing on the network.

Williams-Lucas sees his relationship with Cloudflare as symbiotic, with DTLR’s needs and requirements meshing with Cloudflare’s rapidly expanding product portfolio. He told Cloudflare that DTLR wanted to boost security at the network edge but also didn’t have the CapEx resources to replace its edge devices.

The answer was to deploy Cloudflare Tunnel, a service that links a private origin to Cloudflare over an encrypted connection without giving the origin a publicly routable IP address or opening any inbound firewall ports. Because every request for a tunnelled resource has to pass through Cloudflare’s security filters first, the tunnel is a way to put applications behind a Zero Trust front door. Williams-Lucas didn’t have to change out his firewalls; he simply installed a software agent (the cloudflared connector) that opens an outbound-only connection from the origin to Cloudflare’s edge.

One of the first benefits was the ability to gain visibility into endpoint traffic flows. He points out that prior to the Cloudflare service, endpoints at the 35-year-old company had never been properly audited. He discovered legacy endpoints that were no longer being used and was able to shut them down.

The next step was to deploy Zero Trust access controls. The Cloudflare service uses DTLR’s Active Directory, which runs in the Azure cloud, as its identity provider, and it enforces Zero Trust policies written as identity-based rules: who the user is, which directory groups they belong to, and from where they are connecting.

For example, retail stores and corporate headquarters need to be treated differently. It’s possible to enforce strict access control policies on the stores, but, “We don’t want to cripple people in the corporate office,” says Williams-Lucas.
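The tunnel and the identity-based policies described above, written out as an added, illustrative Terraform example (this is not DTLR’s or Cloudflare’s own configuration). It assumes the Cloudflare Terraform provider v4 resource schema as documented, a hostname dashboard.example.com, a private origin at 10.20.0.15:8080, an Azure AD login method already configured in Cloudflare Zero Trust, two Azure AD group object IDs (store staff and corporate staff), and a store egress range of 203.0.113.0/24; all of these names, addresses and IDs are placeholders to be replaced, and the field names should be checked against the provider documentation for the version in use:

```hcl
# Added example, not the page's or DTLR's configuration. Publishes an internal
# dashboard through Cloudflare Tunnel (outbound-only from the origin) and gates
# it with Cloudflare Access: a strict rule for stores, a looser one for corporate.

terraform {
  required_providers {
    cloudflare = {
      source  = "cloudflare/cloudflare"
      version = "~> 4.0"
    }
  }
}

variable "account_id" {}
variable "zone_id" {}
variable "azure_idp_id" {}            # assumed: ID of the Azure AD login method in Zero Trust
variable "store_staff_group_id" {}    # assumed: Azure AD group object ID for store managers
variable "corporate_group_id" {}      # assumed: Azure AD group object ID for HQ staff
variable "tunnel_secret" { sensitive = true }  # base64 of 32+ random bytes

# 1. The tunnel identity. cloudflared on the origin host dials OUT to Cloudflare
#    with this secret; no inbound firewall rule or public IP is needed.
resource "cloudflare_tunnel" "dashboard" {
  account_id = var.account_id
  name       = "store-dashboard"
  secret     = var.tunnel_secret
}

# 2. Ingress rules managed centrally, so one change reaches every connector.
resource "cloudflare_tunnel_config" "dashboard" {
  account_id = var.account_id
  tunnel_id  = cloudflare_tunnel.dashboard.id

  config {
    ingress_rule {
      hostname = "dashboard.example.com"
      service  = "http://10.20.0.15:8080"   # assumed private origin
    }
    # Catch-all: unknown hostnames get a 404 instead of a path into the LAN.
    ingress_rule {
      service = "http_status:404"
    }
  }
}

# 3. Public hostname that routes into the tunnel (proxied, so the origin stays hidden).
resource "cloudflare_record" "dashboard" {
  zone_id = var.zone_id
  name    = "dashboard"
  type    = "CNAME"
  value   = "${cloudflare_tunnel.dashboard.id}.cfargotunnel.com"
  proxied = true
}

# 4. The Access application: requests are authenticated at Cloudflare's edge
#    before anything is forwarded down the tunnel.
resource "cloudflare_access_application" "dashboard" {
  zone_id          = var.zone_id
  name             = "Store manager dashboard"
  domain           = "dashboard.example.com"
  type             = "self_hosted"
  session_duration = "8h"
}

# 5a. Strict rule for stores: store-staff group membership AND a known store egress range.
resource "cloudflare_access_policy" "stores" {
  application_id = cloudflare_access_application.dashboard.id
  zone_id        = var.zone_id
  name           = "Store staff from store networks"
  precedence     = 1
  decision       = "allow"

  include {
    azure {
      id                   = [var.store_staff_group_id]
      identity_provider_id = var.azure_idp_id
    }
  }
  require {
    ip = ["203.0.113.0/24"]   # assumed store egress range
  }
}

# 5b. Looser rule for the corporate office: group membership alone is enough.
resource "cloudflare_access_policy" "corporate" {
  application_id = cloudflare_access_application.dashboard.id
  zone_id        = var.zone_id
  name           = "Corporate staff"
  precedence     = 2
  decision       = "allow"

  include {
    azure {
      id                   = [var.corporate_group_id]
      identity_provider_id = var.azure_idp_id
    }
  }
}

# 5c. Explicit deny for everyone else, so the decision is visible in Access logs.
resource "cloudflare_access_policy" "deny_rest" {
  application_id = cloudflare_access_application.dashboard.id
  zone_id        = var.zone_id
  name           = "Deny everyone else"
  precedence     = 3
  decision       = "deny"

  include {
    everyone = true
  }
}
```

Two design points worth checking in any real deployment: the origin (10.20.0.15:8080 here) should listen only on a private interface that the cloudflared connector can reach, so that the tunnel is the sole path to it; and the catch-all `http_status:404` rule must stay last, because ingress rules are matched in order and a missing catch-all is a configuration error.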

In the midst of deploying the Cloudflare NaaS, his developer team finished off a game-changing internal application that has proven to be “crucially successful for our business.”

The application collects and correlates internal metrics and presents that data to store managers. Previously, store managers had to go into multiple portals in order to access data related to customers, sales, inventory, etc. Now, store managers have visibility into that data in a single view.

“The store manager sees numbers that matter to them, and they can see it live now,” says Williams-Lucas. The new app was instrumental in enabling the company to roll out its two-hour pickup service.

The advantage of having Cloudflare NaaS is that all employees, no matter what type of device they’re using or where they’re located, access the new application through the secure tunnel. “They all adhere to our rules for authentication, and it all happens in milliseconds; you just click, and it goes.”

NaaS improves cost posture, network performance and more

The Cloudflare NaaS service has delivered these additional benefits to DTLR:

  • Cost Avoidance: “In today’s world you can’t go two days without reading about a hack or DDoS attack,” says Williams-Lucas, so avoiding a costly breach is important for the company.
  • Network Performance: The network visibility provided by Cloudflare helps his team proactively avoid outages. In addition, each store now connects directly to the nearest Cloudflare point-of-presence, and traffic runs on Cloudflare’s high-speed backbone, so performance is boosted.
  • Staff Efficiency: Prior to Cloudflare NaaS, his team had to go to multiple portals from multiple vendors in order to conduct monitoring and troubleshooting. That has been consolidated into a couple of dashboards, which enables his team to be more focused and more productive.
  • Improved security-audit results: The company undergoes periodic security assessments from independent cyber-insurance firms. “They’ve been watching what we’re implementing at different stages, and we’ve gotten progressively better scores,” says Williams-Lucas.
  • Improved security posture: “We now understand what flows through our networks, so we should be able to build out a better, stronger security posture for tomorrow,” he adds.

Plans to use Magic WAN edge service

The phased approach enabled DTLR to gain the benefits of Zero Trust at a pace that fits the company’s style and also fits its budget. He says Cloudflare charges per location rather than on a usage basis, which gives him a steady, predictable cost structure.

“The beauty of the way we approached it, I could budget for it. Instead of waiting three years to gain the benefits, I was able to get different parts and pieces turned on. For the most part, you can attack this by doing pieces at a time that supplement each other; they just add on. All it does is get stronger,” he says.

“We now have systems that enable the general business to be digitally relevant in 2023 and going forward. Things like beaconing we couldn’t do with the old infrastructure. We can do it now and not sacrifice security or performance along the way.”

And the journey isn’t over, Williams-Lucas says. The next step is to replace his ageing edge devices with Cloudflare’s Magic WAN service, a cloud-delivered alternative to network edge hardware.