Room 641A [1] would be an example of just renting a room in the DC, making it look as boring and nondescript as possible, tapping the fiber lines and sending a copy of all data to that room.
That requires cooperation from a couple people at the company. People that could do it for "patriotic duty", be paid off, simply be coerced, or be replaced by NSA agents (I wonder how many Cloudflare employees are NSA plants?). If you want to go even more low-profile, tap the fiber lines a block further down outside the Cloudflare PoP and use one of the above techniques to get the key material.
Even if it takes the NSA a decade to get an NSA agent hired and moved up in the organization until they have a vector to extract private keys, that's still an incredible return on investment.
The difference is AT&T didn't publicly make statements that they didn't know about Room 641A and that they weren't helping the NSA. Google's response to PRISM was much more aggressive, and in the wake of the MUSCULAR tapping revelations, Google stepped up their encryption. I haven't worked at Cloudflare but I have worked at Google, so I can't speak to Cloudflare's internal company culture but I can say that Google was not happy about the NSA tapping their fibre.
1: https://en.wikipedia.org/wiki/Room_641A