In-depth

Malware protection in the 21st century

CloudFlare's CEO talks security with Steve Cassidy

There are some very peculiar tribal divides in our business. Even though security is these days much more about education than it is about arcane and ever-changing automated attack and detection software, it's still thought of as being "what firewalls do" or "that's in anti-virus on the PC". Even though lots of businesses have the web running through the whole of their daily lives, from business model to server setup and more besides.

Advertisement - Article continues below

So why, then, do we think of stuff on the web as being at arms length from "IT" and - certainly in the minds of most cloud salesman - as a replacement for it?

I don't see that distinction at all. Especially at the very worst of times, when the chips are quite literally down and various fantasies about running a light-out business with everything up the wire evaporate in as long as it takes for someone who knows their stuff to confirm that yes, the link's gone cold or the servers are not responding.

This is normally the point at which in one especially painful scenario that of the Distributed Denial of Service attack the cloud or hosting-dependent business has a sudden introduction to the business of web server security and attack responses. Some of this is treated as arcane knowledge within the hosting business, with dark comments about good and bad hosters for vulnerability to attack but that can all be filed under puff-chested industry self-delusion, because affected businesses tend to jump rapidly back to the people they know they can trust, and that starts with the internal IT people, many of whom do not deserve the inefficient or difficult label they are landed with.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

My impression is that the general hosting environment is in many ways less securable, and as a result actually less secure, than a well-run Company Windows LAN. Tight control of user roles and logging of activities is only really maturing now, which is why web hosting toolkit makers Parallels wanted everyone to understand what could be done to minimise risk provided that you were starting with the new release of their Plesk control panel application platform.

To do this, in true Parallels style, it invited various businesses and individuals with long security track records to come and make up a panel session at the recent Parallels summit in New Orleans. I know, it might sound as if sitting in a freezing over-airconditioned room listening earnestly to opinions on security would be poorly attended with the French Quarter only a 10-minute walk away but trust me on this if there's ever a topic on which the inside track is quite literally company-saving stuff, it's this one.

Advertisement - Article continues below

For me the most interesting presentation and answers to questions from the floor were from Matt Prince, CEO of Cloudflare. Even a few minutes talking to him showed me that my somewhat traditional, Windows mindset as to what makes up good security and how to form a response to an attack whose source you can't contact, whose motives are hidden, and whose end is nowhere in sight.

It seemed to me that one practical outcome of the difference between "IT guy" security and "Web Guy" security is that the Web Guy Stuff is all post-facto. You wait for something to go bang, and then you apply the kind of traffic redirection and gateway filtering that  Cloudflare offers. Hey presto as happened with pathe Film and the Eurovision Song Contest sites the minute they even tick the basic service offering at $20/month, the botnet simply goes away. Matt agreed that this is the traditional approach (there were some funny stories in there about Eurovision too), but took the whole concept and turned my head inside out just using these simple examples.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

The first gold-plated aside was that apparently, if you go into the Dark Net and look around with some care, the open market in hack capacity available to hit targets on receipt of payments is essentially a gargantuan product review system. Matt likes this because the verdict on Cloudflare is extremely simple. Price for taking down a non-Cloudflare site: $50. Price for with-Cloudlfare: $2,000.

More subtly, though, the Cloudflare approach of routing all your site traffic through their homegrown, non-standard, proprietary analysing smart traffic gateways allows them to break rules which underpin not just the ease of entry for a hacker and their army of home-alone drone PCs: The gatewaying system also cheapens your hosting traffic charges, by cutting out inefficiencies inherent to plain old HTTP over IP.

(in case you think I am in the thrall of Cloudflare here, I should point out that all the answers coming from the Wordpress security expert on the panel started with him jerking his thumb at Matt Prince and saying "hire these guys, then do this")

Advertisement - Article continues below

The final semi-accidental aside that I thought worthy of thinking about under the heading of "pause for thought for IT types with web roles" was Matt's justification for the sunny day signup option. Yes, DDOS attacks are relatively rare, though they do tend to crop up as a result of high growth or public attention. Yes, after the attack starts the 90 percentile quick fix is easy to apply and doesn't have to involve web host people or HTTP jockeys. However; if you are already signed up even just to the free version of Cloudflare's services then its custom gateways can collect web traffic analystics and metrics, and thereby come up with a reasonable summary of what your legitimate site traffic looks like.

The longer they have doing this, the more accurate their division of good and bad traffic can be when the fell day dawns that you are (as seemed to be the case with Pathe News) the end-of-course exam target for a hacker school somewhere in China.

As quick views into the heart of a massive body of expertise gained out on the front line of a desperate problem, I thought that was definitely worth your attention. It surely got mine.

Featured Resources

Top 5 challenges of migrating applications to the cloud

Explore how VMware Cloud on AWS helps to address common cloud migration challenges

Download now

3 reasons why now is the time to rethink your network

Changing requirements call for new solutions

Download now

All-flash buyer’s guide

Tips for evaluating Solid-State Arrays

Download now

Enabling enterprise machine and deep learning with intelligent storage

The power of AI can only be realised through efficient and performant delivery of data

Download now
Advertisement
Advertisement

Recommended

Visit/security/355013/10-quick-tips-to-identifying-phishing-emails
Security

10 quick tips to identifying phishing emails

16 Mar 2020
Visit/business-strategy/mergers-and-acquisitions/354941/panda-security-to-be-acquired-by-watchguard
mergers and acquisitions

Panda Security to be acquired by WatchGuard

9 Mar 2020
Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/infrastructure/server-storage/355118/hpe-warns-of-critical-bug-that-destroys-ssds-after-40000-hours
Server & storage

HPE warns of 'critical' bug that destroys SSDs after 40,000 hours

26 Mar 2020
Visit/mobile/mobile-phones/355088/apple-lifts-iphone-purchase-restrictions
Mobile Phones

Apple lifts iPhone purchase restrictions

23 Mar 2020
Visit/software/video-conferencing/355138/zoom-beaming-ios-user-data-to-facebook-for-targeted-ads
video conferencing

Zoom beams iOS user data to Facebook for targeted ads

27 Mar 2020
Visit/operating-systems/microsoft-windows/355105/microsoft-puts-windows-development-on-lockdown
Microsoft Windows

Microsoft puts Windows development on lockdown

25 Mar 2020