Ocado Group

Ocado Group modernizes security and replaces legacy VPN to accelerate growth with Cloudflare

Ocado Group is a software and robotics platform business providing ecommerce, fulfillment and logistics technology to some of the world’s largest grocery retailers.

The company partners with leading grocery chains like Aeon (Japan), Alcampo (Spain), Kroger (USA, and Lotte (Korea). Within the UK, the company provides the technology behind Ocado Retail which operates as a joint venture between Ocado Group and Marks & Spencer Group. Ocado’s development arm, Ocado Technology, builds and supports the automation technology thanks to a 2500-strong team of technologists with leading capabilities in artificial intelligence, machine learning and robotics.

Its automated retrieval and storage technology is now also helping businesses outside of online grocery.

Challenge: Replacing legacy security to support growth

As their business matured, Ocado has always sought opportunities to modernize their security and IT architecture. For example, in recent years, the adoption of cloud apps, continued international expansion, and the shift to hybrid work created urgency to shift away from a legacy perimeter-based security toward a more distributed, cloud-delivered approach. In particular, Ocado recognized the need to replace their traditional VPN, which was slow for employees and inefficient to manage.

“Our protections were stopping people from getting into our network, but once they were in, we had relatively low levels of security,” explains James Donkin, Ocado’s Chief Technology Officer. “As we transitioned into an international business platform and became more reliant on SaaS apps and external, cloud-native technologies, we recognized we needed a more modern approach to security.

Adopting Cloudflare Zero Trust best practices has been central to that modernization strategy.

“We wanted a simpler, more efficient, cost-effective way to secure and connect our employees, resources, and networks, whether working in offices, client sites, or temporary locations,” Donkin adds.

Solution: Modernizing security, starting with replacing the legacy VPN with ZTNA

Recognizing that, as Donkin puts it, “Zero Trust is not something you can pick up off the shelf,” Ocado began RFI and RFP processes, which in turn led to testing Cloudflare against competitors. Evaluation began based on the discrete project to replace Ocado’s legacy VPN with Zero Trust Network Access (ZTNA), and ultimately Cloudflare was selected to enforce these default-deny, identity-based policies. Compared to other vendors, Cloudflare’s ZTNA service was easier to set up and configure for administrators, providing them with more granular visibility and dynamic controls.

“With Cloudflare, we can evaluate every access request in real-time based on the criticality of a resource,” says Donkin.

Adopting Cloudflare has also improved the experience for end users, especially for developers, engineers, and contractors who often require access to technical tools like CAD software or specific cloud environments from remote and customer locations. These users now benefit from faster, more reliable, more stable connectivity – without backhauling traffic through a VPN.

“Whether on customer sites repairing robots or developing software in any of our customers’ countries, it is crucial to have a unified solution where people can access what they need when they need it,” says Donkin. “Through Cloudflare, we’ve given everyone a better, more seamless way of working.”

Today, Cloudflare’s ZTNA is helping to modernize remote access for 10,000 employees.

Scaling across teams and regions has required buy-in. For example, there were some initial reservations and concerns, with colleagues wanting to understand exactly how Ocado was securing their devices and traffic. “We explained exactly what the tools were doing, and had open conversations with anyone who had questions,” says Donkin. “Cloudflare’s transparency and clear documentation helped us build trust and achieve widespread adoption.”

Continuing the SASE journey with consolidated web, SaaS, and network controls

During the competitive evaluation, that initial focus on VPN replacement expanded into broader conversations around unifying additional security and networking in a secure access service edge (SASE) architecture. Ocado was motivated to consolidate multiple disjointed and expensive point solutions and instead adopt a more unified, cloud-native platform.

To that end, Ocado and Cloudflare are partnering on additional security and networking use cases including:

• Protecting remote and office users from Internet threats with DNS filtering and Secure Web Gateway (SWG) controls
• Securing SaaS environments and mitigating risks of data leaks with Cloud Access Security Broker (CASB) controls
• Routing and securing traffic, including from IoT devices, with WAN controls

Converging security and networking onto Cloudflare simplifies Ocado’s tech stack, reducing administrative overhead and cutting hardware and software costs.

“We wanted to end the concept of the corporate network,” says Donkin. “That means using Cloudflare to create a consistent security layer between people, devices, and services — regardless of where they are or how they connect.”

When investing in this long-term strategy, Ocado credited not only Cloudflare’s technical competency but its ability to innovate rapidly and our vision for the future.

“The decision to use Cloudflare wasn’t about ticking boxes in a feature comparison — Zero Trust is a complex, multi-step program,” says Donkin, “To make Zero Trust work we were looking for cultural alignment and a partner that is the best at what they do. Cloudflare shared our vision. Connecting things globally is at the heart of what they do.”

Foundation for future growth

Partnering with Cloudflare aligns with Ocado’s continued growth ambitions. For example, Cloudflare’s uniform deployments and global scale make it simpler for Ocado to connect and protect its expanding international network of fulfillment centers, officers, and customer sites.

“As we scale up with more sites, configuring new networks can be as expensive as it is complex,” says Donkin. “Our vision is to get to a point where we can drop a device anywhere in the world and have it just work. Cloudflare is how we achieve that level of standardization and simplicity.”

Improving organizational efficiency with Cloudflare also helps Ocado serve its customers more effectively.

“With international grocery margins so low, even marginal gains matter — our technology always serves a business need,” explains Donkin. “Standardizing with Cloudflare is about putting tools in place that allow our teams to focus on solving business problems and bring greater efficiency to our customers.”

Looking ahead, Ocado plans to deepen their partnership with Cloudflare, exploring new use cases and building on the foundation they have established. From automating site deployments to further reducing network complexity, the company sees Cloudflare as a key enabler of continuing growth.

“With Cloudflare, we are collaborating to solve real business problems. We’re not just addressing today’s challenges — we’re working together to build a platform for the future,” Donkin concludes.