Since opening its first shop in 1960, Carrefour has become the eighth largest retailer in the world by revenue. The group boasts a network of 12,000+ stores in more than 30 countries and records more than 11 million transactions every day.
Carrefour is constantly evolving in ways that drive transformation in the retail industry. In 1963, for example, the group opened the first European hypermarché, which combines a large supermarket and a department store under one roof. And when the digital age arrived, the company swiftly embraced ecommerce. Today, online sales represent a growing percentage of revenue, as customers prefer to shop online and either pick up orders in-store or have orders delivered to their homes.
In recent years, Carrefour’s ecommerce sites experienced an upsurge in highly targeted and increasingly sophisticated cyber attacks, including DDoS, bots, phishing, and ransomware. The previous security approach, which included bot management tools, web application firewall, multiple vendors for content optimization, traffic management, and customer account management, was no longer adequate. The staff had to manage five security tools independently, which hampered incident resolution. Moreover, significant latency issues were negatively impacting the customer experience in some geographies.
"The interlacing of multiple tools complicated coordination and control of the architecture and required specific skills spread across different departments. Our operational staff had to struggle to manage the infrastructure effectively,” Cécile recalls. “Additionally, the lack of integration across tools made investigating and resolving security and performance issues a complex and time-consuming effort."
According to Cécile, the IT staff began looking for a solution to strengthen the security of Carrefour’s retail sites. "With the number and scope of attacks constantly increasing, we were reaching the end of what our existing setup was capable of handling,” he notes.
The operations team devised a plan to enhance site security by initially integrating system responses at the application level. However, they realized that this approach was not enough and a complementary approach would be needed to deal with the large volume of applications. The team then decided to explore alternative solutions that would not only maintain a high level of perimeter security but also leverage existing functionalities, such as content acceleration, waiting rooms, and bot management. By taking this approach, the team was able to create a more comprehensive strategy that effectively tackled the issue while maximizing the utility of the platform's features. "By reducing the number of tools to two or three, we were already seeing big results in terms of simplicity, performance, investigation times, and security," Cécile explains.
However, Carrefour needed even more robust security and faster performance to support its ambitious ecommerce strategy.
Cloudflare turned out to be the ideal solution for Carrefour’s security and performance enhancements. "We were pleasantly surprised to discover that with Cloudflare’s comprehensive and fully integrated approach, we could replace five security tools with a single platform,” Cécile says.“ Plus, the functionality is clearly better than that of other vendors. Bot Management is especially effective, delivering very few false positives."
The Cloudflare Web Application Firewall (WAF) provides visibility into and protection against security threats to applications with WAF attack scores calculated by machine learning and content scanning analytics. Cloudflare Bot Management enables the operational security team to distinguish between good bots and bad ones and to block malicious bot traffic on Carrefour ecommerce sites.
With its global edge network, Cloudflare serves content much closer to Carrefour customers. Consequently, Carrefour was able to eliminate latency issues, which had been problematic for customers in South America. "With Cloudflare's many points of operation around the world, our performance issues disappeared," says Cécile. ”The result is a significantly improved customer experience.” Carrefour is also benefiting from functionality such as rate limiting and smart traffic routing, which yield additional performance improvements. Rate limiting protects websites and API endpoints from suspicious and excessive requests, while smart routing chooses less congested routes through the network to speed content delivery.
Carrefour conducted a phased rollout of Cloudflare, initially limiting the scope of the project to its French ecommerce site. That site handles approximately 1.5 million requests per day with a daily network load of 4TB.
"The initial results assured us that Cloudflare could bear the load," Cécile explains. “The results were so conclusive that we decided to quickly switch all of our sites, about 400 worldwide, to Cloudflare. Cloudflare works with APIs, which greatly simplifies deployment. As a result, we were able to set up our first sites in less than a day. And thanks to a small script we created, additional site setups take less than 10 minutes each. So we were able to complete the entire rollout in a few months.”
As a result of vendor consolidation, Carrefour has not only optimized architecture costs but also achieved stronger security and increased visibility over and control of its environment. All acceleration, optimization, and security tasks are now centralized in the operational security team, boosting efficiency.
“We are now accomplishing more with a smaller team and are more responsive when issues arise,” Cécile notes. “We can now find the source of an incident and resolve it in 25% of the time it previously took.” Cécile adds that Carrefour also gains consistency through a global policy based on predefined rules for all sites.
Adopting Cloudflare also benefits Carrefour customers. Stronger security, reduced incident resolution times, and more effective bot detection translate into a smoother and more secure customer experience, and that means a higher level of customer satisfaction for more durable customer loyalty.
Consolidated five separate tools for more simplicity, flexibility, and agility
Reduced incident resolution time by 75%
400 ecommerce sites worldwide are protected by a unified security platform
Predefined rules ensures application of a consistent global policy across all sites
“Cloudflare works with APIs, which greatly simplifies deployment. In less than a day, we had onboarded our first sites. And thanks to a script we created, we can set up future sites in less than 10 minutes.”
Operational Security Manager
“We were pleasantly surprised to discover that with Cloudflare’s comprehensive and fully integrated approach, we could replace five security tools with a single platform. Plus, the functionality is clearly better than that of other vendors.”
Operational Security Manager