In the quest to accommodate demand for high-quality, secure web experiences and using SSL/TLS security standards what are you doing to provide a quality and secure CDN offering.
Security is very important for us at Varnish Software and our Varnish user base. Recently, the internet has seen a large movement in adopting transport level security, SSL/TLS. This is great and has done a lot in helping increase overall security on the internet. We still have a long way to go in terms of making the internet and our applications more secure. We need stronger security practices in our applications. A WAF can address those needs by applying security layer in front of applications. Also, we need stronger security on our data, especially on CDNs. This means encrypting every byte of customer data that sits on a CDN, even if it’s only in memory. Data security isn't just about protecting customer data from bad guys, it also means protecting it from bugs which can appear in the actual CDN code. At Varnish Software, we address all aspects of security when it comes to CDNs and content delivery and we are always on the lookout for what our customers want and need when it comes to content security.
What are your views on SSL key required vs Keyless Overlay Network?
It is really up to the customer to decide how they would like to implement security for their content delivery. As long as they are properly educated in the pros and cons of each choice, we feel that leaving the decision up to the customer is the best strategy. Obviously your CDN needs the software and know how to actually deliver on these different security choices.
With edge service performed by overlay networks being greatly important as this leads to content that is of sensitive being exposed across edge nodes, what are you doing to mitigate against this?
For us at Varnish Software, a secure CDN is end-to-end TLS transport security. Total Cache Encryption with unique per object 256bit AES keys. A policy based WAF which implements OWASP top 10 rules.
Overall how do you see the industry moving towards more secure overlay networks?
I think right now CDNs are still trying to adopt SSL/TLS end to end. WAFs also seems to be taking foot in these networks. As CloudBleed has shown, I still think there are some weaknesses when it comes to actual data and software security. This can change very soon.