CloudFlare is a new kind of security-as-a-service company that promises not only to offer a comprehensive level of attack-pattern recognition, but also to deliver that ability from 70 locations around the world.
In other words, it is not only a cloud service but a service at a scale that's able to reach a global customer base with little latency.
Being both at once isn't necessarily easy.
CloudFlare has had not only to invest in its protection system and its ability to automatically identify, capture the pattern of, and counter an attack, but also to disperse that knowledge quickly over a network that looks something like an Akamai or Amazon CloudFront content-delivery network. Both of those are extensive CDNs with servers strategically placed close to large populations of users.
"We're equivalent to CloudFront, Amazon's Edge product, but we're built to have more flexibility," said Matthew Prince, cofounder and CEO of CloudFlare in San Francisco.
Prince was literally moving between 665 Third Street and 101 Townsend Street, CloudFlare's new home, when InformationWeek caught up with him in the South of Market section of the city, not far from where the Giants baseball team plays at AT&T Stadium.
CloudFlare's building is still a work in progress -- a former warehouse converted to offices a long time ago but still needing a lot of modernization and some finishing touches. The move was delayed by the need to get the building rezoned for offices.
CloudFlare connects its data centers with high-speed protocols that take advantage of both the Internet and private lines. To make the service work, the company has established its own DNS network so that a customer's network traffic can be automatically rerouted through the CloudFlare inspection process, and then returned to its final destination without adding significant time to the process.
"When we started, we wanted to be sure we didn't add latency. Everyone had told us, 'You will slow things down,' and they wouldn't be interested," Prince recalled.
As a result, CloudFlare can spot a distributed denial of service attack on a customer website and stop it as the first messages arrive. It can check on whether SSL certificates are up to date and weed out invalid ones.
When the Heartbleed vulnerability in the DNS naming system was revealed to the public on April 7, 2014, CloudFlare had already learned of it and updated its Domain Name System so that its servers were protected from it. That also meant that the two million websites and Web properties that used CloudFlare's service were also protected.
"The scale of what we're doing is hard to comprehend. Ten million requests a second flow through our network. Two billion individuals are passing through on a monthly basis," Prince said.
The scale exposes CloudFlare to the latest malware and attack activity on the Internet and allows it to constantly update its attack database. "The system as a whole functions something like a neighborhood watch. If Goldman Sachs is attacked, we learn about the attacker. When the same attack is launched against 'state.gov', we have already seen it and can stop it," he said.
The service "acts as an immune system" for a large and complex organism. An attack on one part becomes the knowledge of all parts, which can then be used in their defense, he added.
Prince thinks CloudFlare, with its customer-facing DNS system, attack-pattern recognition, and network of data centers, is well positioned to offer additional services on top of its security service, such as load balancing or even content delivery. It started with five data centers in Chicago, San Jose, Ashburn, Va., Amsterdam, and Tokyo. Now it has ten locations in the US and Canada, seventeen across China, and three in India, among other places.
CloudFlare has 240 employees. It has been profitable for the past 18 months and has raised a total of $180 million in venture capital funding. Microsoft, Google, Baidu, and Qualcomm are among its investors.
CloudFlare has a closer relationship with Google Cloud Platform and Microsoft Azure than with AWS. In the former two cases, customers don't have to pay the cloud provider if their data comes out of the cloud, passes through the CloudFlare inspection, and is then returned. Normally there are egress fees.
Gartner predicts security-as-a-service will grow to a $4.1 billion market by 2017.