In February 2017, Tavis Ormandy of Google's Project Zero discovered a serious bug at cloud service provider Cloudflare...
that exposed private customer data for potentially millions of websites hosted on Cloudflare's content delivery network (CDN). Because of this memory leak bug, Cloudflare's customer and hosted site data could potentially have been exposed to third parties during the lifetime of the bug (the company has maintained that no known breaches have occurred as a result).
This disclosure has led to many questions in the security community about the security and privacy ramifications of using a man-in-the-middle proxy model like Cloudflare's, which is similar to those of any CDN or cloud access security broker (CASB).
What actually happened with Cloudflare? In essence, some of the Cloudflare edge servers (those that users connect to for traffic processing and connectivity) exposed memory content past defined buffers due to a specific HTML parsing issue. While the extent of the bug was unknown, search engines like Google were caching content that may have been sensitive in nature from Cloudflare and other CDNs, and the security team at Cloudflare needed to not only disable features that could have led to potential data exposure, but also find the root cause and notify other online services, like Google, that may have inadvertently accessed and stored sensitive data.
Secure your data and boost CDN security
At the end of the day, security teams are left wondering how they can possibly protect data passing through CDNs or other intermediary security-as-a-service environments. There are several options available to improve CDN security, but there is no perfect solution to a scenario like this, unfortunately.
Before looking at specific CDN security services, it's critical to ask the right questions of any cloud provider or CDN/CASB service that you plan to use. What kind of security monitoring do they have in place for data leakage scenarios? What is their standard response process when notified by researchers that they have a flaw?
These answers should be clearly outlined in their contractual language, and are the best possible obligation you can get for notifications about these types of issues. The Cloud Security Alliance Consensus Assessments Initiative Questionnaire is a good place to start when asking risk-based questions of cloud providers of all types.
The next thing to focus on is your own security controls and options for deployment. First, customers can use a service like AT&T NetBond to control traffic to cloud services through a standard multiprotocol label switching (MPLS) VPN. If you are already leveraging a service like this, controlling your traffic across a semiprivate network may help to alleviate some risk in parts of the data transit path. This assumes, of course, that you trust the provider of the MPLS services.
Next, you can encrypt all of your data before it traverses any cloud environments. The potential drawback of this option is that encrypting data in transit can slow down your network traffic. However, this is always going to be the most effective solution because there is no risk of man-in-the-middle monitoring or data hijacking, since the data itself is encrypted before it ever passes through any of these intermediary network environments.
Finally, you could tokenize or modify data using some sort of network gateway on premises, which may also prevent sensitive data from traversing in-cloud environments that could expose sensitive information.
Whatever options you choose to improve CDN security, you should be wary of any cloud service providers that can intercept and potentially expose your sensitive data, and the range of service providers that fit this description is growing rapidly by the day.
Ask critical questions, look at ways you can secure the data before it ever leaves your environment and be sure to scrutinize the bug bounty and incident response programs of any providers with whom you choose to do business.
Find out more about the Cloudflare bug and its effect on incident response
Learn how to strategically implement CASBs in the enterprise
Discover how to pick the best CASB for your enterprise