CloudFlare Unveils Keyless SSL for Security in the Cloud
Until now, banking Web sites and other high-security online services have had to terminate their own SSL connections on in-house infrastructure, because putting a site behind a cloud provider meant handing that provider the site's private key. CloudFlare, which accelerates and protects Web sites by routing their traffic through its cloud, has come out with an alternative: Keyless SSL, which lets a site use the service without sharing its private SSL keys with a third-party provider.
"Private clouds are an oxymoron," CloudFlare CEO Matthew Prince said in a blog post on his company's site Thursday. With Keyless SSL, however, he said organizations can take advantage of the cloud's flexibility "without having to turn over their most guarded secrets: their private SSL keys."
A site's SSL private key is the secret that proves its identity: during the handshake, a browser checks that the server can perform an operation only the holder of the key behind the site's certificate could perform, and the session keys that then encrypt the traffic in both directions are derived from that handshake. Whoever holds the private key can therefore impersonate the site. Because they do not want to hand that key to a third party, privacy-minded businesses such as banks have had to terminate SSL on their own in-house hardware and software. That makes it harder to scale up in times of high demand, which is exactly what cloud-based services are designed to do.
In Private Beta for Six Months
We reached out to Prince to learn more about the new Keyless SSL offering.
"We've had the technology in private beta for six months now," Prince told us by e-mail. "Most (of) the organizations using it are large financial institutions who have asked us not to disclose their identity. However, Goldman Sachs has allowed us to reveal that they worked with us on developing the technology and are one of our beta users."
He added: "Keyless SSL is designed to allow companies that had previously needed to use on-premise hardware to now get the infinite scalability and infinite elasticity of a cloud service. The primary competitor to the technology is hardware you install yourself to perform firewall, load balancing, performance optimization, and other functionality. Unfortunately, that on-premise software suffers from limitations when organizations need it to scale."
CloudFlare can get a client "up and running on Keyless SSL within hours in most cases," Prince said. The service is enabled by "installing a small agent somewhere on their infrastructure."
The agent allows CloudFlare's cloud-based servers to terminate secure connections while the private SSL keys stay in house, on the customer's own infrastructure, separate from the servers delivering content. In practice the edge server runs the handshake but hands the one step that requires the private key (a signature, or decrypting the key exchange) to the agent, which returns only the result; the key itself never leaves the customer's premises.
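To make the split concrete, here is an added illustration of the technique in Go; it is not CloudFlare's agent or any code from the article. The edge holds only the certificate and a `RemoteSigner` that satisfies Go's `crypto.Signer` interface; the `KeyServer` type stands in for the on-premise agent and is the only place the private key exists. The two are linked by a direct method call here rather than the mutually authenticated network connection a real deployment would use, the host name `example.test` is made up, and the server is pinned to TLS 1.2 purely so the handshake runs cleanly over an in-memory `net.Pipe`. A second handshake with the key server unreachable shows that the edge, on its own, cannot prove it is the site.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net"
	"sync/atomic"
	"time"
)

// KeyServer stands in for the customer's on-premise agent (hypothetical name).
// It is the only holder of the private key and answers signing requests only.
type KeyServer struct {
	priv  *ecdsa.PrivateKey
	calls int64
}

// Sign performs the single private-key operation a TLS handshake needs.
func (k *KeyServer) Sign(digest []byte) ([]byte, error) {
	atomic.AddInt64(&k.calls, 1)
	return ecdsa.SignASN1(rand.Reader, k.priv, digest)
}

// Calls reports how many signing requests the agent has served.
func (k *KeyServer) Calls() int64 { return atomic.LoadInt64(&k.calls) }

// RemoteSigner is everything the cloud edge holds: the certificate's public
// key and a link to the key server. Because it implements crypto.Signer,
// crypto/tls uses it exactly where it would use a private key.
type RemoteSigner struct {
	pub crypto.PublicKey
	ks  *KeyServer // a real deployment would use an authenticated network link here
}

func (r *RemoteSigner) Public() crypto.PublicKey { return r.pub }

func (r *RemoteSigner) Sign(_ io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error) {
	if r.ks == nil {
		return nil, errors.New("key server unreachable")
	}
	return r.ks.Sign(digest)
}

// NewSite generates a P-256 key and a self-signed certificate for host.
// The private key stays inside the KeyServer; only the DER certificate
// is handed to the edge.
func NewSite(host string) ([]byte, *KeyServer, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	return der, &KeyServer{priv: priv}, nil
}

// Handshake runs one TLS 1.2 handshake between a browser-like client and the
// edge over an in-memory pipe. The edge terminates TLS, but the signature over
// the ephemeral ECDHE parameters comes from the key server. It returns the
// negotiated cipher suite, or the handshake error.
func Handshake(certDER []byte, ks *KeyServer, host string) (uint16, error) {
	leaf, err := x509.ParseCertificate(certDER)
	if err != nil {
		return 0, err
	}
	edgeCert := tls.Certificate{
		Certificate: [][]byte{certDER},
		PrivateKey:  &RemoteSigner{pub: leaf.PublicKey, ks: ks}, // no private key on the edge
		Leaf:        leaf,
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf) // the client trusts this test certificate directly

	srvRaw, cliRaw := net.Pipe()
	defer srvRaw.Close()
	defer cliRaw.Close()

	srvErr := make(chan error, 1)
	go func() {
		srv := tls.Server(srvRaw, &tls.Config{
			Certificates: []tls.Certificate{edgeCert},
			MaxVersion:   tls.VersionTLS12, // keeps each flight fully consumed over a synchronous pipe
		})
		srvErr <- srv.Handshake()
	}()

	cli := tls.Client(cliRaw, &tls.Config{RootCAs: roots, ServerName: host})
	if err := cli.Handshake(); err != nil {
		return 0, err
	}
	if err := <-srvErr; err != nil {
		return 0, err
	}
	return cli.ConnectionState().CipherSuite, nil
}

func main() {
	der, ks, err := NewSite("example.test")
	if err != nil {
		panic(err)
	}
	suite, err := Handshake(der, ks, "example.test")
	if err != nil {
		panic(err)
	}
	fmt.Printf("handshake ok with %s; signing calls served by key server: %d\n",
		tls.CipherSuiteName(suite), ks.Calls())
	if _, err := Handshake(der, nil, "example.test"); err != nil {
		fmt.Println("edge cut off from key server, handshake fails:", err)
	}
}
```

The point to take from running it is the count: one handshake costs exactly one signing request at the key server and nothing else crosses the boundary, so the agent's attack surface is a signing oracle rather than the key. That is also the caveat a practitioner should keep in mind: whoever can reach the agent can still sign on the site's behalf for as long as they have that access, so the link between edge and agent needs mutual authentication and the agent needs its own rate limiting and logging.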
Inspired by 2012 DDoS Attacks
The idea for Keyless SSL first took shape in the fall of 2012, when numerous online banking sites in the U.S. were paralyzed by a series of distributed denial-of-service (DDoS) attacks. The attacks flooded banks' online systems with more traffic than they could handle, leaving them unusable by customers.
Following those attacks, CloudFlare was contacted by one bank's chief information security officer, who asked for the company's help. Prince wrote in his blog post that he and two of CloudFlare's engineers flew out to New York to meet with bank officials and came away with one conclusion: "the only way organizations that had the highest standards of SSL security could ever adopt the benefits of the cloud is if we never took possession of their SSL keys."
CloudFlare engineer Sebastien Pahl eventually came up with a rough solution to the problem, and the company's team moved from that to a prototype that it has since tested with a number of beta clients.
Prince said Keyless SSL is designed for "any organizations that have high security requirements around their key management. We've had interest in the technology from financial institutions, medical providers, high-profile consumer sites, governments, and Fortune 500 companies."