CloudFlare's Keyless SSL Takes New Approach to Cloud Security

Instead of requiring the cloud to hold an enterprise's private encryption key, the cloud security vendor has built a new approach.

Cloud security vendor CloudFlare is out today with a new technology approach called Keyless SSL that aims to overcome a key barrier to organizations' adoption of the cloud.

CloudFlare provides a cloud-based security service that can protect organizations against multiple forms of attack, including large-scale distributed denial-of-service (DDoS) attacks. CloudFlare CEO Matthew Prince explained to eWEEK that some organizations have hesitated to move to his service and the cloud because of concerns over where the organization's private SSL (Secure Sockets Layer) key would sit.

SSL is the security technology used to encrypt data in motion on the Web. It requires the use of a private key to encrypt data, and traditionally that key needed to be on the Web server, where data flows through. The challenge is that larger organizations can be very risk-averse and want to maintain direct control and local ownership of their own private key, rather than allow it to reside on a remote cloud server that they don't control or operate.

That's where the Keyless SSL approach comes into play.

Prince said that his firm worked with large organizations to design and test the Keyless SSL system. At a high level, Keyless SSL works by having SSL sessions signed with the organization's own private key on-premises, while CloudFlare still handles the data flow of the connection in order to provide its security services.
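The split Prince describes can be modelled as a narrow signing interface between two components. In the SSL/TLS handshake the server's private key is used to sign handshake material (or, with RSA key exchange, to decrypt it); everything else, including the bulk encryption of the session, needs only the resulting session keys. The following Go program is an added illustration written for this article, not CloudFlare's code or protocol: the `KeyServer`, `RemoteSigner` and `EdgeHandshakeSign` names are hypothetical, the in-process function call stands in for the authenticated network round trip, and the handshake transcript is a constructed string. It does use a real property of Go's standard library: `crypto/tls` accepts any `crypto.Signer` as a certificate's private key, so a remote signer like this one can be plugged into an ordinary TLS server without changing the protocol or the certificate.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// KeyServer models the on-premises key server (hypothetical name). It is the
// only component that ever holds the private key, and the only operation it
// exposes is "digest in, signature out".
type KeyServer struct {
	priv     *rsa.PrivateKey
	Requests int // count of signing requests, the metric a defender would watch
}

// NewKeyServer generates a fresh key for the demonstration; a real deployment
// would load the organization's existing certificate key instead.
func NewKeyServer(bits int) (*KeyServer, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &KeyServer{priv: priv}, nil
}

// SignDigest is the single wire operation. It refuses anything that is not a
// SHA-256 digest so the edge cannot turn it into a general-purpose signing oracle.
func (k *KeyServer) SignDigest(digest []byte) ([]byte, error) {
	if len(digest) != sha256.Size {
		return nil, errors.New("keyserver: input must be a SHA-256 digest")
	}
	k.Requests++
	return rsa.SignPKCS1v15(rand.Reader, k.priv, crypto.SHA256, digest)
}

// PublicKey is what the edge receives, along with the certificate.
func (k *KeyServer) PublicKey() *rsa.PublicKey { return &k.priv.PublicKey }

// RemoteSigner is what the edge holds: the public key and a way to reach the
// key server. It implements crypto.Signer, the interface crypto/tls accepts
// as tls.Certificate.PrivateKey. (Hypothetical name.)
type RemoteSigner struct {
	pub  *rsa.PublicKey
	call func(digest []byte) ([]byte, error) // stands in for the network round trip
}

var _ crypto.Signer = (*RemoteSigner)(nil)

func (r *RemoteSigner) Public() crypto.PublicKey { return r.pub }

// Sign forwards the digest; note that no private key material exists here.
func (r *RemoteSigner) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	if opts.HashFunc() != crypto.SHA256 {
		return nil, errors.New("remotesigner: only SHA-256 is supported")
	}
	return r.call(digest)
}

// EdgeHandshakeSign models the edge's part of the handshake: hash the
// transcript locally, send only the digest, and verify the returned signature
// against the certificate's public key before putting it on the wire.
func EdgeHandshakeSign(s *RemoteSigner, transcript []byte) ([]byte, error) {
	digest := sha256.Sum256(transcript)
	sig, err := s.Sign(rand.Reader, digest[:], crypto.SHA256)
	if err != nil {
		return nil, err
	}
	if err := rsa.VerifyPKCS1v15(s.pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("edge: key server returned a bad signature: %w", err)
	}
	return sig, nil
}

func main() {
	ks, err := NewKeyServer(2048)
	if err != nil {
		panic(err)
	}
	// The edge is provisioned with the public key and a channel to the key
	// server, never with the key itself.
	edge := &RemoteSigner{pub: ks.PublicKey(), call: ks.SignDigest}
	transcript := []byte("constructed transcript: ClientHello||ServerHello||...")
	sig, err := EdgeHandshakeSign(edge, transcript)
	if err != nil {
		panic(err)
	}
	fmt.Printf("edge obtained a %d-byte signature after %d key-server request(s)\n", len(sig), ks.Requests)
}
```

Two design points carry over to any real deployment of this pattern: the key server should accept only the fixed-size digests the handshake produces, so the cloud side cannot use it as a general signing oracle, and the per-request count it keeps is the natural place to alert on unexpected signing volume, which is the signal a compromised edge would produce.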

"So now there is no way we can lose the SSL key and we aren't increasing the risk, since we [CloudFlare] are never trusted with the key," Prince said.

While the Keyless SSL process introduces a new flow for how data is protected, it doesn't actually change the SSL protocol and how Web browsers work.

"It is the same SSL certificate that an organization would have used before; the only difference is where the certificate sits," Prince said. "Previously, an organization had to upload the private key to their cloud provider."

Prince explained that the Keyless SSL approach does not require any changes to existing SSL Certificate Authorities (CA), and it does not require any changes to end-user applications, including mobile and desktop Web browsers.

"Keyless SSL is completely transparent," Prince said.

The Keyless SSL technology is not an open standard; it is a proprietary innovation built by CloudFlare. That said, Prince emphasized that the technology works with all of the existing standards.

To enable Keyless SSL, CloudFlare has had to modify a pair of open-source technologies—the OpenSSL cryptographic library and the nginx Web server project—that it leverages to operate its cloud platform. The changes included improvements to enable the Keyless SSL approach to work without any performance impact on the data flow.

The Keyless SSL service initially will be available for CloudFlare's Enterprise tier customers, Prince said. CloudFlare offers a number of different plans ranging from free to Enterprise, with the Enterprise tier costing approximately $5,000 a month.

"Over time I expect that we'll push this down to our lower tiers of service," Prince said. "We don't see Keyless SSL as being about raising our prices, but rather about expanding the number of organizations that can take advantage of CloudFlare."

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.