CyberSecurity CDN Shield, Packet Security

CloudFlare CEO Matthew Prince (Prince) sits down with the CEO of Chase and says, “I know you spend $200M annually on cybersecurity, give me $100M, and I’ll protect you from cyber theft.” Then Prince sits down with the Home Depot CEO and says, “Give me 50% of your annual cyber security budget, and I will protect you from cyber theft.” Prince continues with this message and signs up 90% of the Fortune 1000, capturing a big chunk of the cyber security market and becoming the first CDN to break $100B+ in market valuation. Can CloudFlare become the CyberSecurity CDN mentioned above?

The current problem with cyber security defense is threefold: 1) large enterprises require dozens of security products from different vendors for adequate protection, making it difficult to manage the security ecosystem; 2) cloud applications like Facebook, LinkedIn, and Snapchat increase the entry points of attack by orders of magnitude; 3) governance is great, but governance’s biggest problem is governance, in that some folks don’t like to be governed and do the very minimum when it comes to following the security rules and procedures. What is needed is a radical re-architecture of the security mindset. Here is one concept, which I call the CyberSecurity CDN Shield, that offers 100% cyber theft protection by encapsulating the Internet and taking deep packet inspection to a whole new level: not only analyzing the contents of a single packet, but altering it and sanitizing it in the process.

CyberSecurity CDN Shield Architecture

CyberSecurity CDN Shield

Many security products are static in nature and can only be in one place at a time. In addition, many cloud-based security services are located in a handful of data centers, making it impossible for them to withstand a large multi-vector attack. The solution: if I’m CloudFlare, Akamai, EdgeCast or Incapsula, I create a security service that encapsulates the Internet for customers like Home Depot. The request/response interaction continues as is at the edge (last mile). However, every packet is forced to go through the CDN edge POP, where it is filtered and cleansed of malicious content.

Deep Packet Inspection becomes Deep Packet Enhancement

The process can go even further: packet and header data is transferred to a special packet created by the CDN, and a security code, similar to a timestamp, is injected into the packet so that it can be tracked anywhere in the world. In the case of Target, if malware is uploaded to the POS system, it won’t be able to do anything, because the hacker-controlled server must send all traffic (FTP, HTTP, HTTPS, etc.) through the CDN POP, where it will be sanitized. In addition, the CDN can monitor packet transit in real time and block it from reaching certain destinations. The CyberSecurity CDN Shield offers 100% prevention.
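
One way the "security code" step described above could work, as an added example that is not from the original article: the edge POP wraps each payload in an envelope carrying a POP id, a timestamp and an HMAC-SHA256 tag, and refuses destinations outside an egress allowlist. The envelope layout, key handling, function names and the allowlisted network are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

# All names, the envelope layout and the policy values below are assumptions
# made for this example; the article does not define a wire format.
HEADER = struct.Struct("!HQ4sH")   # POP id, timestamp (ms), dest IPv4, payload length
TAG_LEN = 32                       # HMAC-SHA256 output size
MAX_AGE_MS = 5_000                 # reject envelopes older than this
# Constructed egress policy: the only network this customer's traffic may reach.
ALLOWED_DESTS = [ipaddress.ip_network("203.0.113.0/24")]


def egress_allowed(dest: str) -> bool:
    return any(ipaddress.IPv4Address(dest) in net for net in ALLOWED_DESTS)


def wrap(key: bytes, pop_id: int, now_ms: int, dest: str, payload: bytes) -> bytes:
    """Edge POP side: refuse disallowed destinations, then encapsulate and tag."""
    if not egress_allowed(dest):
        raise PermissionError(f"egress to {dest} blocked at POP {pop_id}")
    header = HEADER.pack(pop_id, now_ms, ipaddress.IPv4Address(dest).packed, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def unwrap(key: bytes, envelope: bytes, now_ms: int) -> dict:
    """Downstream side: verify the tag and freshness before trusting any field."""
    if len(envelope) < HEADER.size + TAG_LEN:
        raise ValueError("envelope too short")
    body, tag = envelope[:-TAG_LEN], envelope[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag: envelope was altered or not issued by a POP")
    pop_id, ts, dest, length = HEADER.unpack(body[:HEADER.size])
    payload = body[HEADER.size:]
    if length != len(payload):
        raise ValueError("length mismatch")
    if not 0 <= now_ms - ts <= MAX_AGE_MS:
        raise ValueError("stale or future-dated envelope")
    return {"pop_id": pop_id, "ts": ts,
            "dest": str(ipaddress.IPv4Address(dest)), "payload": payload}
```

The tag only shows that an envelope was issued by a holder of the POP key and has not been modified since; whether the payload is benign still depends entirely on the inspection done before `wrap` is called.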