Like most small website owners, I have a very limited view of what really goes on under the covers at Chaotic Flow. I know my own source code and I have Google Analytics and basic Web logs, but without a fleet of operations and security IT staff, I really have no clue who is coming to my website beyond the browser types, IP addresses and keywords they use. I routinely have to battle comment spam and I’ve definitely fended off a couple of real attempts to hack my site. It’s amazing when you consider just how small a part of the Internet Chaotic Flow represents, yet the bad guys have sufficient time and processing power to spend it on little old me. Pretty scary.
Since email spam and desktop virus protection are proven, large markets, you’d think that by now someone would have cracked the nut of protecting websites. There are security options out there, particularly if you are a large site and can afford them. Most provide a combination of site scanning for detection with locally installed security software and hardware for prevention, but to my knowledge no one really provides attack detection and prevention for the Web with the kind of SaaS simplicity and effectiveness of email and desktop equivalents. Until CloudFlare.
CloudFlare is a creative and rapidly growing SaaS startup that wants to eliminate website spam the way Postini did for email, only more, a lot more. So much more that the two year old Cloudflare is already rumored to be valued in excess of $1B. I recently sat down with Matthew Prince, CEO of CloudFlare, to talk about what makes CloudFlare unique. He had no shortage of answers.
This is the first article in a new “Cloud Disrupters” interview-based series that will highlight recently launched SaaS companies and products that have the potential to be real game changers. In keeping with the long standing Chaotic Flow theme, the purpose of this series is not news and friendly buzz, but an exploration of the Internet strategies and technologies that make these companies unique and disruptive. And, maybe a little unsolicited advice.
CloudFlare’s Secret Sauce
The simple, game-changing element of CloudFlare is its approach to the website protection problem at the network transaction level, rather than the Web application level. CloudFlare asks nothing more than that you redirect all your Web traffic through CloudFlare, and CloudFlare will make sure only the good guys get through to your website. Technically, it’s completely analogous to Postini, except as opposed to swapping out MX records, you change your DNS settings.Cloudflare attacks the website security problem at the network layer,
making sure only the good guys get through to your website.
However, access to all website traffic
opens up myriad business opportunities beyond security.
This approach has the double whammy of being incredibly simple for customers to adopt, while empowering CloudFlare with the maximum amount of community knowledge, business opportunity and network effects to become a truly valuable service and formidable competitive force on the Internet. More on this later.
Community Leverage Lies at the Heart of The CloudFlare Strategy
Growing out of Project Honeypot, an open community-driven experiment to identify and quash website spam, CloudFlare has been community-centric since day one, and the company has reaped the benefits. Prince has a great story about how CloudFlare’s first pre-funding servers were donated by its community. The real competitive advantage of the CloudFlare community is the pooled knowledge of all that web traffic. In Princes own words below.
“Traditionally security is a very siloed market…and if you try to get Yahoo to share security information they won’t for lots and lots of reasons..it’s very isolated….From the beginning the [CloudFlare] idea was how do you create a community that gets stronger as it gets bigger…as data flows through our network, knowledge about that traffic is captured and we can then provide a better and better and better service for everyone.”
Unlike a lot of Internet companies where network effects are fuzzy at best, the network effect at CloudFlare is unusually tangible. CloudFlare’s freemium customers may not pay in cash, but they do pay in knowledge. Knowledge that according to Prince outweighs their costs, alleviating one of the biggest roadblocks to freemium success.
CloudFlare Adoption Costs, Velocity and Scale
I don’t think I’ve ever seen a better demonstration of the inverse relationship between organic growth velocity and adoption costs than CloudFlare. In the ideal CloudFlare world, 100% of Internet traffic will some day flow through its network. “We’re rebuilding the Web,” says Prince. Are you listening Google? While that vision may be a tad bit aggressive, after only 15 months in production, 450 million users pass through CloudFlare’s network every day and their website adoption rate is in the thousands per day (I am not quoting a specific number as it is increasing faster than I can write).
Had CloudFlare taken a less bold approach than the one-click traffic redirection to their “Web proxy cloud,” then its entire business model would fall apart like a house of cards. Too much complexity would produce lower adoption volume, inexorably leading to higher prices and weak network effects. While CloudFlare has zero salespeople and has done only very limited launch marketing like participating in the TechCrunch 50, it’s adoption rate is still through the roof.
C’mon CloudFlare, Show Me the Money
Unlike virtually every other B2B SaaS CEO I’ve met, Matthew Prince is not worried about money. He’s worried about scale. In a fashion more common to B2C startups, the reasoning goes that if CloudFlare reaches it’s natural scale, monetization will not be difficult. Strangely enough, I agree. The reason I agree is that by attacking the website security problem at the network layer, CloudFlare is essentially nominating itself as Web Traffic Control for the Internet. While the original premise might have been to filter the baddies out of incoming traffic, the result is that the CloudFlare cloud has access to ALL traffic, good, bad and otherwise, coming AND going. Generically, CloudFlare is a value-added channel that can augment, cleanse, filter or expedite any website interaction and is only limited in what it can accomplish in the tight window of opportunity between request and response.
In the short time since it’s launch, Cloudflare has gone beyond security to offer itself as a CDN that can speed up your content delivery, a content optimization tool to speed page loads, a website analytics dashboard that goes beyond Google Analystics to give deeper insight into your traffic, and an app marketplace with one-click features that can be easily added to your site. “Security is just a feature. CDN is a feature. Apps are a feature.”, according to Prince, “but they don’t fully describe the product.” Prince recognizes that CloudFlare faces a cloud category branding challenge. For now he’s thinking of what they do as network “operations-as-a-service,” something that only the big guys like Google, Amazon, and Facebook can afford to do for themselves and have whole sections of the org chart dedicated to it. Everyone else can only get that scale through a SaaS community such as CloudFlare.
CloudFlare Competitive Threats
Thus far it may sound like I’m on the CloudFlare payroll, but I’m not. I do think CloudFlare is attempting something very disruptive, interesting and ambitious. Which means I also expect the space will heat up fast. Here are some gotcha’s that I think could trip CloudFlare up along the way if they are not cautious.
- Do No Harm
Tampering with Internet packets is risky business. There is at least as much opportunity to screw things up as there is to improve them. Conventional website security products strive to eliminate every significant threat. It will get complicated and with more complexity will come more opportunity to break stuff, especially since CloudFlare is also overlaying all those other value added services. Given it’s super low adoption costs and gigantic target market (pretty much every website), I’d suggest that it’s more important to not break stuff than it is to fix stuff. So what if CloudFlare doesn’t do everything, as long as it does enough to make you push the button to enable it for free, and then upgrade to a couple of paid services, then it’s done enough. Alternatively, accidentally bringing down your site or cutting off your ad revenue in the interest of security will not play well with most Web publishers.
- Get Sticky Fast
While CloudFlare has a decent lead on the competition, particularly from the Project Honeypot connection, there are some established players with big pockets that might want part of this action. It only takes a second to adopt CloudFlare. By the same token it will only take a second to switch to a competitor. Services that are difficult to duplicate, but more importantly that increase in value the more they are used like site analytics should get priority on the CloudFlare product roadmap.
- Make the Intagible Tangible
After you enable CloudFlare, you’ll find that you are hard pressed to tell if it is making a significant improvement, particularly if you are a small site with limited traffic and analytics as a baseline for comparison. Much of what CloudFlare offers happens behind the scenes and on the security side, you’re counting negatives, i.e., I didn’t get attacked again this week. Making what CloudFlare does tangible to customers is an important marketing challenge. The analytics package is essential to this, but I also think more investment in the CloudFlare community, empowering CloudFlare customers to share their success stories and detailed technical knowledge of CloudFlare optimization and troubleshooting would go a long way here.
- No FailFlare
Let’s face it, when Twitter goes down (and it still does occasionally), no one really gets hurt all that much. Maybe a few advertisers and Twitter ecosystem apps. Not like it brings down your website, your business and your cash flow with it. More than anything, CloudFlare has to work. If the startup achieves anything near its ambitions, I give it one, two, maybe three real outages and then it’s all over. CloudFlare is built on the premise of high value at a low cost, but the price you pay is not the true cost, especially if you are paying nothing. It’s the risk. Downtime risk is the hidden adoption cost of CloudFlare and just like the more visible adoption costs, Cloudflare needs to reduce it to zero.
Best of luck to CloudFlare, Matthew and the rest of the team!