CloudFlare’s New Keyless SSL Could Unlock Cloud For Financial Institutions

Financial institutions crave cloud scalability, but have been reluctant to jump on the cloud bandwagon because of security concerns. In particular, they have been hesitant to expose their precious SSL keys to the open internet. The key identifies them as a financial institution and lets the other party know they can accept or send funds. As you can imagine, they don’t ever want this information escaping their control.

CloudFlare, a company that is trying to move all of the traditional networking hardware you typically have in an on-premises data center into the cloud, figured out how to let financial institutions have it both ways. According to CloudFlare CEO Matthew Prince, they can use the CloudFlare service, yet still hide the SSL key behind the institution’s firewall, therefore never exposing it to the open internet. This process allows these companies (and others who use SSL keys) to use the cloud while maintaining complete control of the SSL key.

Prince said he began having conversations with financial institutions about getting them to use his company’s services starting two years ago, when banks began being subjected to network attacks by hackers that were bringing down their networks. “Two years ago, we got frantic phone calls from the world’s largest banks that they were getting attacked by Iranian hackers who were knocking them offline,” Prince told me.

He met with officials from these institutions and they described the rock and hard place they were between. The hackers were flooding the networks and the on-premises hardware couldn’t handle the traffic. He said that no matter how smart the software they were using was, the hardware couldn’t keep up. It’s a problem that CloudFlare has the potential to solve because virtual hardware can scale to meet the increased demand (and CloudFlare is designed to help block these types of attacks, as well), but the banks couldn’t take advantage because they didn’t want to put their SSL keys into the cloud.

Prince wasn’t sure he could actually solve this conundrum for the banks, but one of his engineers decided to attack the problem and came up with an idea shortly thereafter. As it turned out, it was complex enough that it took until now to fully flesh out into a product.

What they realized was that the SSL process was a series of steps and there was only one step where the SSL key was exposed. They reckoned if they could find a way to hide the SSL key during that step, they could solve the problem, but of course figuring out how to do that was not a simple matter.

The solution eventually involved splitting the SSL protocol into two parts. Prince explained that the first is known as key negotiation, which involves using software running within that financial institution’s datacenter to make a temporary key from the organization’s private key. This is all carried out within the organization’s control and limits key access to a single user.

The second step involves transporting and encrypting the data traffic between the end-user browser and CloudFlare using the temporary per-user key. The institution maintains control and can cut off CloudFlare access from its end at any time, but the important part is that the key travels over a special encrypted channel and is never exposed to the open internet. That’s because when a visitor makes an SSL key request, CloudFlare makes a connection back to the keyless server that is running on the financial institution’s site, and that site is only up for a time period specified by the institution itself.
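
The split described above, modeled for the RSA key-exchange case as an added example (not CloudFlare's code and not real TLS): the edge terminates the connection, but the single private-key operation is answered by a key server inside the institution, which can revoke access at any time. The names `KeyServer`, `Edge`, `handshake` and `derive_session_key` are hypothetical, the RSA is textbook RSA on small constructed primes, and HMAC-SHA256 stands in for the TLS key derivation.

```python
import hashlib, hmac, secrets

# Textbook RSA on small constructed primes: illustration only, not real TLS.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q

class KeyServer:
    """Runs inside the institution; the only holder of the private exponent."""
    def __init__(self):
        self.__d = pow(E, -1, (P - 1) * (Q - 1))
        self.enabled = True          # the institution can cut off the edge

    def decrypt_premaster(self, ciphertext: int) -> bytes:
        if not self.enabled:
            raise PermissionError("key server access revoked")
        return pow(ciphertext, self.__d, N).to_bytes(16, "big")

def derive_session_key(premaster, client_random, server_random):
    # Assumed stand-in for the TLS key derivation: HMAC-SHA256 over both randoms.
    return hmac.new(premaster, client_random + server_random, hashlib.sha256).digest()

class Edge:
    """Cloud side: terminates the connection but holds only public values."""
    def __init__(self, key_server):
        self.key_server = key_server
        self.server_random = secrets.token_bytes(32)

    def finish_handshake(self, client_random, encrypted_premaster):
        # The one private-key step is delegated to the institution's key server.
        premaster = self.key_server.decrypt_premaster(encrypted_premaster)
        return derive_session_key(premaster, client_random, self.server_random)

def handshake(edge):
    """Browser side: encrypt a fresh premaster secret to the public key."""
    client_random = secrets.token_bytes(32)
    premaster = secrets.token_bytes(16)
    encrypted = pow(int.from_bytes(premaster, "big"), E, N)
    edge_key = edge.finish_handshake(client_random, encrypted)
    client_key = derive_session_key(premaster, client_random, edge.server_random)
    return client_key, edge_key

if __name__ == "__main__":
    ks = KeyServer()
    client_key, edge_key = handshake(Edge(ks))
    print("session keys match:", client_key == edge_key)
```

The edge ends up with a per-session key only; setting `enabled = False` on the key server makes every new handshake fail while the private exponent never leaves `KeyServer`.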

CloudFlare launched in 2009 and has received $72M in funding so far across 3 rounds. Customers include this publication, Reddit, Tumblr, the UK government, the Australian government and many others. In all they have two million customers worldwide and Prince says they have been growing compounded year over year at 350 percent and are profitable all the way to the bottom line.

This has been an intractable problem for financial institutions to this point, but if CloudFlare can pull this off, it will provide access to the cloud they couldn’t have before because of their huge security concerns.