Nigel Williams-Lucas, director of information technology at DTLR, a Maryland-based shoe retailer, faced a challenge that most IT executives would recognize: The business was pushing hard for digital transformation, and the IT infrastructure was struggling to keep pace.
Store managers are looking for better data analytics and business intelligence from back-end systems such as inventory and sales. The company wants its IT systems to let customers order online and pick up their goods at a physical store within two hours.
The network needs to securely support real-time, bandwidth-intensive IP security cameras. Williams-Lucas hopes to launch beacon technology, a network that collects information about customers’ in-store activity via Bluetooth or Wi-Fi and can send discounts to customers’ phones based on where they are in the store and what they seem interested in buying.
Another issue unique to DTLR creates challenges for IT. The company, which specializes in sneakers, apparel and accessories, produces original programming on its own radio station in Maryland. The station also goes on the road; for example, DTLR Radio, available on the mobile app, broadcasts live from the Grammys. Williams-Lucas needed to make sure he could securely push content to DTLR’s 250 stores.
To address the security aspect of his list of challenges, Williams-Lucas chose a network-as-a-service (NaaS) offering from Cloudflare, which put him on the path to zero trust without having to incur capital expenditures or replace any hardware. He said NaaS is a somewhat vague term that can mean different things to different organizations, but for DTLR, “NaaS is our phased approach to zero trust.”
Moving from IPSec VPN to the cloud
DTLR’s IT style is to proceed cautiously and in small steps. Williams-Lucas said, “I need to be very disciplined about how to launch the product. I could shut down the company, but no one would.
“We don’t have a ton of resources; we don’t have a huge engineering team. I want the business to grow, but I need to do it in a controlled and smart way. We need to give our team a single view to be able to execute changes that go into effect in our retail stores without having to look at each one individually. We want to be able to audit things to make sure they’re correct. For network security, I need to be able to see the traffic going in and out.”
DTLR (formerly Downtown Locker Room) is known for its retro sneakers, like the Air Jordan. Unfortunately, the company’s IT infrastructure was also quite outdated, with old hardware that required a lot of maintenance and lacked the features and functionality the company needed. “We still have vestiges of the old infrastructure where everything was local,” Williams-Lucas said.
DTLR is moving to the cloud but taking a methodical approach, migrating some resources from its VMware-based data center servers to a colocation provider and migrating other resources directly to Microsoft Azure.
Until recently, the company relied entirely on off-the-shelf software – it uses Aptos for core retail systems such as warehousing and point-of-sale. But DTLR recently hired its own developers and wants to transition to a cloud-first development environment. However, currently the company’s Kubernetes development environment runs locally.
Williams-Lucas is also working with a ’90s-era castle-and-moat security framework that includes IPSec VPNs connecting stores to centralized locations. This created a single point of failure and did not provide his team with the necessary visibility and control over network traffic. “From an IT perspective, there’s a total lack of control,” he said.
An evolving relationship with Cloudflare
DTLR’s relationship with Cloudflare dates back to 2017, when Williams-Lucas signed up for the company’s secure DNS service. By aggregating all DNS requests through Cloudflare, DTLR is able to ensure to a certain extent that employees are not connecting to known bad sites, it gains protection against DDoS attacks, and it also gains some visibility into what employees are doing on the network.
Williams-Lucas considers his relationship with Cloudflare to be symbiotic, with DTLR’s needs and requirements dovetailing with Cloudflare’s rapidly expanding product portfolio. He told Cloudflare that DTLR wanted to improve security at the edge of the network, but also didn’t have the capex resources to replace its edge equipment.
The answer is to deploy Cloudflare Tunnel, a network service that provides a secure, encrypted link to Cloudflare without exposing a routable IP address. Cloudflare Tunnel is a way to deploy applications in a zero-trust model by ensuring that all resource requests pass through Cloudflare’s security filters. Williams-Lucas didn’t have to replace his firewall; he just installed a software agent that creates outbound-only connections to the Cloudflare control plane.
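A minimal configuration for the tunnel agent (cloudflared) shows what the outbound-only model looks like in practice. This is an added example, not DTLR's or Cloudflare's own configuration; the tunnel ID, credentials path, hostname and origin address are placeholders.

```yaml
# /etc/cloudflared/config.yml  (added example; every value is a placeholder)
# cloudflared dials out to Cloudflare, so no inbound port is opened
# on the store or data-center firewall for this application.
tunnel: <TUNNEL-UUID>
credentials-file: /etc/cloudflared/<TUNNEL-UUID>.json

ingress:
  # Hypothetical internal application, reachable only through the tunnel.
  - hostname: metrics.example.com
    service: http://localhost:8080
    originRequest:
      connectTimeout: 10s
  # Required catch-all rule: requests that match no hostname above
  # are answered with 404 instead of being forwarded to any origin.
  - service: http_status:404
```

Because the origin is only published through the tunnel, the existing firewall can keep a default-deny inbound policy. Identity-based access rules are configured on the Cloudflare side, not in this file.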
One of the first benefits is the ability to understand endpoint traffic. He noted that before Cloudflare’s service, the 35-year-old company’s endpoints had never been properly audited. He discovered legacy endpoints that were no longer in use and was able to shut them down.
The next step is to deploy zero trust access control. The Cloudflare service leverages DTLR’s Active Directory running in the Azure cloud and enforces a zero trust policy based on Active Directory identity-based rules.
For example, retail stores and corporate headquarters need to be treated differently. Strict access control policies can be implemented in stores, but, “We don’t want to undercut the people in the corporate office,” Williams-Lucas said.
In the process of deploying Cloudflare NaaS, his development team completed a game-changing internal application that has proven to be “critical to our business.”
The application collects and correlates internal metrics and presents that data to store managers. Previously, store managers had to enter multiple portals to access data related to customers, sales, inventory, and more. Store managers can now view this data in one view.
“Store managers see numbers that are important to them, and they can now see it in real time,” Williams-Lucas said. The new app helps the company launch a two-hour pickup service.
The advantage of having Cloudflare NaaS is that all employees, no matter what type of device they use or where they are located, can access new applications through a secure tunnel. “They all adhere to our authentication rules and it all happens in milliseconds; you just click and it runs.”