CloudFlare Unveils ‘Keyless’ Security Product After Hacks
Jack Clark
For a company that operates a computer network that 1.7 billion people come into contact with each month, CloudFlare Inc. keeps a low profile. Now the security startup’s new product may raise its prominence among banks faced with mounting cyberattacks.
The San Francisco-based company today is unveiling a security program called Keyless SSL that will help customers improve digital defenses and cut down hardware costs.
Companies that perform security and performance tasks associated with their websites today must either ask a third-party company for help or buy hardware and put it in their data centers. If the third party is compromised, then the companies’ own security is at risk. Keyless SSL enables customers to use Internet-based technology instead of typical hardware, without sharing their fundamental security information with a third party, CloudFlare said.
The product is a response to the increased number of hacks at financial institutions, and illustrates how startups are offering more breach-prevention solutions for highly regulated industries. Last month, JPMorgan Chase & Co. was hit by hackers, leading to the theft of customer data, people with knowledge of the situation have said.
“We realized the financial institutions were between this rock and a hard place,” Matthew Prince, CloudFlare’s chief executive officer, said in an interview.
CloudFlare was founded in 2009 by Prince, Michelle Zatlyn and Lee Holloway. It has raised $72 million from investors such as Union Square Ventures and Pelion Venture Partners, including a $50 million round that the company announced in December. The startup is valued at more than $1 billion.
CloudFlare’s technology lets companies tap into a network of computers spread across 28 data centers worldwide. Through that network, the company gathers information on attacks from each of its customers and rapidly rolls out defenses to everyone once it has found a solution. That helps protect websites against hacking attacks, while also speeding up the delivery of data to people accessing the site.
CloudFlare offers free and paid products that start at $20 a month. Keyless SSL will be bundled into the price of CloudFlare’s enterprise plan, which costs about $5,000 a month. Prince said the company is profitable.
The company uses Keyless SSL internally to help secure its own infrastructure and prepare for a planned expansion into emerging markets, where it can’t depend on the security of the data centers it will place equipment in, Prince said.
The inspiration for Keyless SSL came two years ago when several U.S. bank websites were taken offline by hackers associated with Iran, Prince said. Many financial institutions contacted the startup in the wake of those incidents, he said. CloudFlare flew many of its staff to New York to meet with the banks, he said.
Among the customers for Keyless SSL is Goldman Sachs & Co., Prince said.
The product is called Keyless because it lets customers keep control of private digital keys. Those are bits of data that companies use to guarantee the security of a system. CloudFlare’s product doesn’t require customers to give up such keys.
“The reason you would want this capability is if you as an organization had wanted to maintain strict control over the ownership of your private keys,” Nick Sullivan, CloudFlare’s security engineering lead, said in an interview. Many large companies have guidelines or legal reasons that require them to maintain control of keys, Sullivan said.
Since Keyless SSL lets companies eliminate hardware, that may undercut equipment providers, Prince said. F5 Networks Inc., Riverbed Technology Inc., Palo Alto Networks Inc., Cisco Systems Inc., and others make money by selling hardware to companies to run within their data centers.
Google Inc. also competes with CloudFlare with services including Project Shield, Open Bidder, Google Cloud DNS and others.