Cloudflare is best known for its content delivery network and DDoS mitigation services, but it has been steadily expanding into other areas of web security over the past few years.
This week, the company made three product announcements, all aimed at protecting its customers from online threats, including new offerings for API security, web applications, and email.
In 2020, Cloudflare said that its network was touching more than 25 million websites. It sees a lot of traffic, and, as a content delivery network, is extremely motivated to stop bad traffic before it clogs up its pipes.
New API security offering
One kind of bad traffic is automated API requests. Attackers use brute force methods or known vulnerabilities to try to break into company APIs and steal data or do other damage.
"For us, 50% of web traffic that we see is API traffic," Cloudflare CTO John Graham-Cumming said.
And the category is growing fast. According to a January report, API traffic grew 21% last year, compared to just 10% for overall web traffic.
This morning, Cloudflare announced a new API Gateway service to help companies manage their API security at a low cost.
"We see some of the API gateway products out there are crazy expensive," Graham-Cumming told Data Center Knowledge. "You shouldn’t be spending a fortune on core functionality."
Some API security was already built into Cloudflare's existing services, he said.
"Web application firewalls, DDoS protection – all of those things can be used for APIs," he added.
Now all of this tech is going to be part of a single, comprehensive package. Companies will be able to use Cloudflare's service to find the APIs active in their environments, validate them, analyze incoming traffic, protect against abuse, set up custom API routing, enforce SSL, and get analytics.
In addition, customers will be able to create and manage APIs directly and offload authentication and authorization to Cloudflare.
API schema validation, API discovery, and API abuse detection are all available today, and other features will be coming later on this year.
Unlike some of Cloudflare's other offerings, there will not be a free tier for the API gateway, and the company hasn't yet announced pricing.
"It will be significantly cheaper than what they're using today," Graham-Cumming said.
This could be a big deal. There's been a spate of API-based attacks recently. Notable victims include Peloton, Equifax, Instagram, Facebook, Amazon, and PayPal.
In fact, according to an IBM Security X-Force report released last fall, two-thirds of all cloud breaches are now due to misconfigured APIs.
And according to the latest data from Salt Security, API attacks increased 681% in 2021, while API traffic went up 321%.
According to the Salt Security survey, 62% of companies have slowed the roll-out of a new application because of API security concerns, and 95% of companies had an API-related security incident in the past 12 months.
New email protection
A free service that customers should be seeing soon is email protection.
In September, Cloudflare announced free email forwarding, allowing customers to forward email from a Cloudflare domain to another domain.
"A lot of people use that for a vanity domain," Graham-Cumming said.
But the new toolkit isn’t limited to forwarding. As part of the free service, Cloudflare also offers basic configuration management, to help users ensure that their email is set up to be as secure as possible. That includes settings for SPF, or sender policy framework, DKIM, or domain keys identified mail, and DMARC, or domain-based message authentication, reporting, and conformance.
"If you think about the threats to business, a lot of it comes through email," Graham-Cumming said. "In fact, it's the number one threat."
On Monday, Cloudflare announced that it will be integrating technology from recently-acquired email security vendor Area 1 Security to significantly expand its email security offerings.
"We will be actually scanning email and blocking email," Graham-Cumming said.
The new service won't be available to Cloudflare's non-paying users, but anyone on a paid plan can sign up at no additional charge, he said. Business can sign up now, he added, and the service will become available once the Area 1 acquisition closes.
New Web Application Firewall tools
Those non-paying users did get a freebie this week. On Tuesday, Cloudflare announced that it will now offer a Web Application Firewall management console for free.
Cloudflare has always had a WAF for its paid plans, Graham-Cumming said. The tool protects websites against attacks like SQL injections, credential stuffing, cross-site scripting, and Layer 7 DDoS attacks.
In times of emergency, the service was sometimes extended to cover non-paying customers.
"Over the last ten years, we’ve occasionally seen an attack on a web application that was so serious and widespread that we gave a version of the WAF to everyone on our free plans," he said. For example, in 2014, Cloudflare began protecting all its customers against Shellshock.
"At the end of last year, we gave everyone protection for the Log4j vulnerability," he added.
But this protection was behind-the-scenes, he said. "If you were a free customer, you got the protection but you couldn't turn the functionality off or see any analytics around it."
On Tuesday, that changed, and even free customers will now get access to the WAF console.
"If there's a high-severity vulnerability, they'll have a user interface for it, and see analytics for it."