Cloudflare's Plan to Protect the Whole Internet Comes Into Focus

One of the internet's biggest infrastructure companies is expanding its protections beyond the web.

The internet infrastructure company Cloudflare is adding an Internet of Things security service to its already long list of offerings. And though that may seem unrelated to the free DDoS mitigation or expanded web browsing protections the company already provides, it's another incremental step that helps reveal a clearer picture of the company's overall approach to security. If Cloudflare is going to manage and optimize customer data flow around the world anyway, the thinking goes, it might as well also take the opportunity to act as a middleman between customer systems and the Wild West of the open internet.

In this vein, Cloudflare today announced a new enterprise service known as Spectrum, aimed at taking the protections the company has added for internet services like websites and web applications and extending those defenses to anything else a corporate customer is running that has an internet connection—from email or gaming servers to IoT devices.

"Our traditional customers have been people who are doing something on the web, whether that’s a website, an online application that you run in your browser or a mobile app," says Cloudflare CEO Matthew Prince. The idea of Spectrum, though, is to let systems that connect to the internet, but aren't part of the web, still virtually sit on Cloudflare's network to benefit from DDoS defense, and Cloudflare's initiatives to add data encryption to legacy protocols that can't independently support it.

During the milliseconds when customer data is passing through Cloudflare's network, the company can offer security services like temporarily interrupting connections to confirm that they're secure, creating encrypted digital tunnels to safely escort data across the web, screening incoming traffic to catch anything malicious before it can cause damage, and scrubbing out the bad apples.
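The pattern the two paragraphs above describe, a network edge that terminates encryption in front of a legacy protocol that cannot do it itself, and that decides what reaches the origin, can be shown in miniature. The following Go program is an added example written for this page; it is not Cloudflare's code and nothing about Spectrum's internals is taken from it. It assumes a plaintext echo server standing in for the legacy service, a self-signed certificate generated in memory for a constructed hostname (`legacy-proxy.example`), and a TLS listener that relays decrypted bytes to the backend. A client that does not speak TLS fails the handshake at the edge and its bytes never reach the backend, which is the property a defender cares about.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"io"
	"math/big"
	"net"
	"time"
)

// Hypothetical hostname for the edge certificate (constructed for this example).
const proxyName = "legacy-proxy.example"

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSignedCert builds an in-memory server certificate and a pool that trusts it (offline demo only).
func selfSignedCert() (tls.Certificate, *x509.CertPool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{proxyName},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// serve hands every accepted connection to handle until ln is closed.
func serve(ln net.Listener, handle func(net.Conn)) {
	for {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		go handle(c)
	}
}

// startEchoBackend stands in for a legacy plaintext service: it echoes whatever it receives.
func startEchoBackend() net.Listener {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	must(err)
	go serve(ln, func(c net.Conn) { defer c.Close(); io.Copy(c, c) })
	return ln
}

// startTLSProxy terminates TLS and relays decrypted bytes to backendAddr, so the legacy service sits behind an encrypted edge.
func startTLSProxy(cert tls.Certificate, backendAddr string) net.Listener {
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	must(err)
	go serve(ln, func(client net.Conn) {
		defer client.Close()
		backend, err := net.Dial("tcp", backendAddr)
		if err != nil {
			return
		}
		// The first Read on the TLS side runs the handshake; a client that does not
		// speak TLS fails there, the backend is closed, and its bytes are never relayed.
		go func() { io.Copy(backend, client); backend.Close() }()
		io.Copy(client, backend)
	})
	return ln
}

// Demo starts the echo service behind the TLS edge, sends msg through the edge and returns the reply.
func Demo(msg string) (string, error) {
	cert, pool := selfSignedCert()
	backend := startEchoBackend()
	defer backend.Close()
	proxy := startTLSProxy(cert, backend.Addr().String())
	defer proxy.Close()
	conn, err := tls.Dial("tcp", proxy.Addr().String(), &tls.Config{RootCAs: pool, ServerName: proxyName})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	if _, err := conn.Write([]byte(msg)); err != nil {
		return "", err
	}
	buf := make([]byte, len(msg))
	_, err = io.ReadFull(conn, buf)
	return string(buf), err
}
```

Calling `Demo("hello legacy service")` returns the same string, having travelled encrypted to the edge and in plaintext only on the loopback hop to the backend. The relay closes the backend as soon as the client side ends, whether because the client hung up or because a non-TLS client failed the handshake, so nothing from an unencrypted connection is ever forwarded.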

As increasingly powerful DDoS attacks wallop corporate networks, enterprise DDoS defense has become a major priority in nearly every industry. And Cloudflare says that it can customize Spectrum to meet customers' specifications by adding tailored VPNs or other connection channels, or even establishing physical, fiber-optic links with clients to manage their defense. But other DDoS defense companies are years—and millions of dollars in investment—ahead on using physical connections for more robust DDoS protection.

"I think a VPN solution is great for small and medium businesses," says Barrett Lyon, head of research and development at Neustar Security Solutions. "If it's done right, it's perfect. But for big entities you need to provide a protected fiber connection to a defense network so everything in the network can be validated before getting passed on to the customer." Neustar is a Cloudflare competitor in this area that already offers such a "direct connect" service, meant to be a more secure alternative to digital-only links. Other large defenders like CenturyLink, Akamai, and Prolexic have also invested in this approach.

Regardless of the other offerings in the field, though, for Cloudflare's Prince the defining question is, "How could you go in and upgrade the parts of the internet that, if we had the opportunity to do it again, we would have done it differently?"

This approach of finding a Band-Aid for legacy vulnerabilities that likely aren't going to be solved another way is worthwhile, says Robert Graham, CEO of the threat intelligence and penetration testing firm Errata Security. Particularly for entrenched organizations that are too large to overhaul all of their systems, receiving workaround solutions from content delivery networks reduces pressing risks.

Graham notes, though, that the more responsibility Cloudflare and other similar companies have, and the more parts of everyone's systems they optimize and defend, the more they become a single point of failure for the internet. In recent years this concern has been reinforced by incidents in which massive cloud providers like Amazon Web Services experience outages that take numerous prominent web services down with them. "While we should cheer on CloudFlare improving the internet on one hand, we should boo them for consolidating the internet. Roughly five percent to 10 percent of web traffic now goes through CloudFlare," Graham notes.

Cloudflare's Prince argues that the company has taken adequate precautions to ensure that failures or problems in any one of its 150 data centers don't impact service overall, but he doesn't dispute that consolidation is Cloudflare's goal. "Our business model is simple," he says. "We’re always just trying to figure out how we can get more things to connect to our network."