In 2012, Quek Siu Rui, Lucas Ngoo, and Marcus Tan had an idea — a smartphone- and web-based marketplace that made buying goods as easy as chatting and selling them as simple as taking a picture. Carousell is that idea made a reality.
Today, Carousell is one of Asia's largest C2C ecommerce marketplaces. They are one of the top lifestyle shopping apps in Singapore, Hong Kong, and Taiwan, and have a rapidly growing presence across Indonesia, Malaysia, Australia, and the Philippines. Carousell users turn to the site to buy cars, property, fashion, household appliances, assistive devices, and electronics. The site also hosts job listings and offers services across a continually expanding range of industries.
More than a quarter of Singapore’s population uses Carousell, and that figure continues to grow as more Singaporean and international users gravitate to the site.
In 2016, Carousell turned to Cloudflare to serve over 1 PB of images per month and provide a frictionless user experience for its customers. As traffic increased, Cloudflare enabled Carousell to meet its intensive performance requirements, ensuring uptime during high-traffic events like the company’s regular flash sales. Using Cloudflare to cache dynamic pages on an as-needed basis, Carousell is able to handle spikes of over 3x its typical traffic without strain, a level of performance competing CDN providers were unable to match despite higher costs for similar data volumes.
“Our relationship with Cloudflare started off as a solution for our DNS and SSL termination requirements. Then we started exploring the Cloudflare Cache and started moving our assets over from a different CDN,” explains Sanjeev Jaiswal, the Carousell Group’s Senior Director of DevOps, SR (Site Reliability), Platform and Cybersecurity Engineering. “Now we are 100% cached. Cloudflare’s global edge network handles our CDN, WAF, caching, SSL endpoints, and DNS requirements. Cloudflare helps us meet our business objectives and gives us an excellent return on our investment.”
In addition to speeding up and scaling the platform, Cloudflare protects Carousell against volumetric security threats like DDoS attacks and resource-draining bots, as well as malicious activity like cross-site scripting (XSS). The Cloudflare Web Application Firewall (WAF) leverages collective threat intelligence to identify and prevent malicious requests, empowering Carousell to proactively defend against incoming attacks and ensure application availability.
“The Cloudflare WAF ticks all of our boxes with OWASP (Open Web Application Security Project) and Cloudflare specialized rules. We can also easily add custom rules, making Cloudflare a perfect fit for our needs,” recalls Jaiswal. “After turning on the firewall features, there was no measurable hit on latency. Cloudflare security features don’t impact our overall site performance, and our user experience doesn’t degrade as we put more checks in place. That is one of the biggest ongoing benefits we see using Cloudflare.”
Since 2019, Carousell has progressively embraced remote work to navigate the COVID-19 pandemic and to support an increasing international employee and contractor workforce. In light of these fundamental changes, Carousell began a strategic reexamination of its own organizational security. This meant a renewed focus on protecting internal infrastructure while providing secure employee access to corporate applications.
“We are looking at everything with a fresh set of eyes, onboarding an expanded security team, working with external auditors to put new security policies in place, and participating in a bug bounty program with security researchers and ethical hackers,” says Jaiswal. “The goal is to take our findings from these initiatives, enhance site capabilities, and improve access to the Carousell infrastructure and applications while refining our approach to identity and privilege management.”
Before Cloudflare, the company evaluated a competitor and early entrant into the Zero Trust Network Access (ZTNA) category. But that vendor’s complexity proved prohibitive from both the adoption and end-user perspectives.
“Carousell didn’t have a great architecture in terms of security or ease of access. It was very cumbersome, and we didn't want to repeat that level of complexity moving forward,” says Jaiswal. “The other solution we considered was far too complicated to implement. It required multiple command line parameters for simple SSH access to a single machine. In comparison, the Cloudflare Zero Trust solution was easy to implement and very well-defined,” he adds.
Carousell implemented Cloudflare Zero Trust to safeguard access to its internal applications, websites, and domains across cloud and on-premise environments. The solution eliminated the company’s concerns about using riskier alternative access methods, such as IP- and geolocation-based controls or catch-all passwords.
With Cloudflare, Carousell now grants application access based on verification with its preferred identity provider, and administrators build stronger security policies based on user role and group membership on a per-app basis. In the process, Carousell has been able to shift away from its traditional VPN as a single point of access and has regained visibility across every access event.
Carousell saw immediate benefits from Cloudflare Zero Trust. They saved time and improved efficiency for both employees authenticating to applications and the security team that configures access.