Ukraine War Archive
Preserving the Digital Record:
How Cloudflare Protects the Ukraine War Archive
The Ukraine War Archive preserves the digital record of the Russian government's war in Ukraine. Since 2022, the organisation has built one of the most comprehensive digital archives of the war, managing over 290 terabytes of data across millions of media files. In an environment where digital evidence faces risks of deletion, manipulation, and cyberattacks, the Ukraine War Archive’s work depends on one thing above all: keeping the data secure, intact, and accessible. To protect the archive from escalating threats, the organisation has moved away from a patchwork of legacy tools toward a unified Zero Trust environment through Cloudflare’s Project Galileo.
Protecting the Fragility of Truth
For the Ukraine War Archive, cybersecurity is not a technical requirement—it is a necessity for historical preservation. Over its four years of operation, the organisation has experienced direct attacks on its servers, targeted phishing campaigns, and attempts to seize control of its infrastructure. Every month, team members receive personalised phishing attempts via email and phone calls—attacks tailored to specific individuals, not generic spam. Before Cloudflare, responding to these threats manually consumed significant operational capacity that could have been directed toward the archive's core mission. As Olha, Development Lead for the Archive, explains, the stakes of their digital security are existential for the record of the war:
“Truth is not self-preserving as we would like it to be. Digital evidence is fragmented across different platforms… without systematic preservation, justice processes weaken and historical records could become less likely to exist.” — Olha, Development Lead, the Ukraine War Archive
The stakes of the Ukraine War Archive's security go deeper than downtime. The archive holds data where a breach would not be merely an operational setback — it could directly endanger the safety of sources and compromise evidence chains relied upon by international courts. This is precisely why the organisation treats data protection as a core part of its mandate, not an operational afterthought.
Before Project Galileo, the Ukraine War Archive faced operational hurdles that scaled alongside its growth. Operating across a highly decentralised environment with team members scattered across thousands of kilometres, the organisation relied on a patchwork of disparate SaaS and open-source tools that required complex orchestration and suffered from stability and connection issues.
As a nonprofit, the Ukraine War Archive directs its funding toward its core mission, operating with a Bring Your Own Device (BYOD) model across its global network rather than provisioning managed corporate devices. This made it essential to find a security partner that could deliver enterprise-grade protection without requiring a large 24/7 security operations team.
“We were looking for a partner who understood the unique risks we face—specifically the attempt to suppress our voice through technical means. Project Galileo provided us with enterprise-grade protection that would otherwise have been financially prohibitive.” — Olha, Development Lead
This shifted significantly upon joining the programme. “It’s already feeling much more centralised, much more complete,” says Oleksii, Tech Lead. “We have one space where we can lock down and link our users to the services we built.”
A Zero Trust Foundation for Justice
The Archive operates on three core pillars: Justice, Memorialisation, and Knowledge. To support these, it requires a sophisticated access model capable of handling highly sensitive data across different levels of restriction. The transition to Cloudflare’s architecture allowed the team to move away from the legacy tools that had caused persistent connection issues and management complexity.
“We were using another VPN tool… we were looking for what we could use instead. Project Galileo looks much more pleasant in this regard. We started using tunnel services and access application tools so we can lock our servers and connect them more efficiently.” — Oleksii, Tech Lead
By implementing a Zero Trust model, the Ukraine War Archive shifted away from legacy VPN solutions that granted blanket trust to devices. Instead, every connection is now continuously authenticated and verified. Using Cloudflare Access, the team introduced MFA and role-based permissions—ensuring that only authorised individuals can reach restricted data, calibrated to their specific roles within the organisation.
The BYOD challenge — previously the organisation's most complex security consideration — became the area where the Zero Trust approach proved most valuable. Configuring Device Posture checks and access policies for staff members’ personal devices was the most time-consuming phase of the rollout, but it transformed what had been an unmanaged risk into a monitored, controlled part of the security stack.
“The ‘lightbulb moment’ for us was realising that Cloudflare isn’t just a collection of features, but a cohesive environment. Once that clicked, everything became easier.” — Oleksii, Tech Lead
Cloudflare Products & Impact
The Ukraine War Archive leverages several Cloudflare tools to maintain and secure its records:
- Cloudflare Access (Zero Trust): Replaces traditional VPNs with MFA-backed, role-based access control. The Ukraine War Archive uses it to verify every user and device attempting to reach sensitive data, ensuring that only authorised researchers can access restricted levels of information based on their specific roles.
- Cloudflare Tunnel: Creates secure, outbound-only connections between the Ukraine War Archive’s servers and Cloudflare’s network, effectively removing the organisation’s infrastructure from the public internet. Servers that were once visible—and targetable—are now invisible to external actors.
- DDoS Mitigation: Protects the platform from DDoS attacks that attempt to knock the Archive offline, a critical defence given the rise of sophisticated, AI-enhanced cyber threats.
- Web Application Firewall (WAF): Blocks SQL injections and exploits, adding automated detection for attack vectors that would be difficult for any small team to monitor manually.
- Centralised Dashboard: Simplifies management for a civil society team, providing a "singular dashboard" that allows them to manage infrastructure without the need for a massive, dedicated engineering department. The ability to assess device posture has become a critical capability for managing BYOD security at scale.
The analytics capabilities have been particularly valuable. They provide the team with insight into regional threat patterns and the nature of attacks—intelligence that helps them understand not just what is happening, but who is behind it.
"The difference is clarity. We now have a complete, real-time overview of our network systems — we can see exactly what's happening and respond before it becomes a problem." — Oleksii, Tech Lead
By utilising Cloudflare Access and Cloudflare Tunnel, the Archive has effectively removed its infrastructure from the public internet, shielding it from the types of DDoS attacks and remote intrusion attempts that are commonly directed at civil society organisations. This shift to a Zero Trust model ensures that only authorised researchers can access the repository, helping to prevent the sophisticated cybercrime and botnets that target civil society today. Without this protection, the organisation would be diverting critical resources from its mission to managing infrastructure security.
As the Russian government’s invasion enters its fourth year, the Ukraine War Archive remains committed to ensuring that the digital record stays intact, unbiased, and accessible for international justice. By removing the burden of technical survival, Project Galileo has allowed the team to focus on what matters: building a repository intended to endure for “over a hundred years”, ensuring that history cannot be erased by a cyber attack.
