CDN security
15 Jun 2015

CDN security questions

The growing use of CDNs among all kinds of businesses raises more questions about security. The need to protect CDN data arises from the very nature of the Content Delivery Network mechanism.

CDNs are based on the principle of placing data geographically close to end users. That shortens the time it takes to serve a request. As a result, website performance improves too. To make this possible, CDN customers allow CDNs to place the selected data on edge servers.

Some CDN companies have a very large number of such servers, distributed all over the globe. For example, Amazon CloudFront has 52 PoPs (Points of Presence) all over the world. CDNsun has even more: over 80 PoPs all over the world, 25 in America, 44 in Europe and 16 in Asia Pacific.

As a result, important data is stored not only on the main server but also on a large number of CDN servers, and this information has to be protected. This is, of course, only a general explanation of the CDN mechanism, but it shows why CDN security matters.

There are several steps to protect website data that is located on CDN servers. The first, seemingly banal, step is to make sure that the password to the CDN account is complex. It is better to use a password that is unique and not reused in other accounts. Usually, CDN companies provide two-step access to a CDN account, with a variety of confirmation methods. The second important step is to protect CDN data with SSL.

SSL, or Secure Sockets Layer, was created to provide a secure connection. To authenticate the key exchange, SSL uses asymmetric cryptography. A symmetric cipher provides confidentiality. To ensure message integrity, SSL uses message authentication codes. As a result, an SSL secure channel has the properties of privacy and safety. The channel is private because it uses encryption for all messages after the simple initial dialog (which determines the secret key). The channel is safe because the transport of messages includes an integrity check. At the same time, the SSL secure channel is authenticated.

However, the server side of the dialogue is always authenticated, while the client side is authenticated only optionally. The big advantage of SSL is that it is independent of the application protocol. That means that protocols such as HTTP, FTP and TELNET can work with SSL with the same efficiency.
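The integrity check described above can be seen in a small model. This is an added example, not code from the original article or from any CDN: it computes a record MAC the way MAC-based TLS 1.2 cipher suites do (HMAC over the implicit sequence number, the record header and the payload) and shows the receiver rejecting a modified, reordered or replayed message. Encryption is left out, and the key and payloads are constructed sample values.

```python
import hashlib
import hmac
import struct

APPLICATION_DATA = 23   # TLS record content type for application data
TLS_1_2 = (3, 3)        # protocol version bytes carried in the record header


def record_mac(mac_key, seq_num, content_type, fragment, version=TLS_1_2):
    """HMAC over sequence number, record header fields and payload."""
    header = struct.pack("!QBBBH", seq_num, content_type,
                         version[0], version[1], len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha256).digest()


class Receiver:
    """Keeps the implicit sequence number; it is never sent on the wire."""

    def __init__(self, mac_key):
        self.mac_key = mac_key
        self.seq_num = 0

    def accept(self, content_type, fragment, tag):
        expected = record_mac(self.mac_key, self.seq_num, content_type, fragment)
        if not hmac.compare_digest(expected, tag):   # constant-time comparison
            return False   # a real peer would close the connection here
        self.seq_num += 1
        return True


def demo():
    # Constructed key; in a real session it is derived during the handshake.
    key = b"constructed-demo-mac-key-32bytes"
    payloads = [b"GET /logo.png", b"GET /app.js"]   # constructed sample data
    sent = [(APPLICATION_DATA, p, record_mac(key, i, APPLICATION_DATA, p))
            for i, p in enumerate(payloads)]
    results = {}
    rx = Receiver(key)
    results["in_order"] = [rx.accept(*rec) for rec in sent]
    ctype, frag, tag = sent[0]
    results["tampered"] = Receiver(key).accept(ctype, frag.replace(b"logo", b"l0go"), tag)
    results["reordered"] = Receiver(key).accept(*sent[1])   # arrives first
    rx = Receiver(key)
    rx.accept(*sent[0])
    results["replayed"] = rx.accept(*sent[0])               # same record twice
    return results


if __name__ == "__main__":
    print(demo())
```

Because the sequence number is part of the MAC input, a record that is valid in one position fails verification in any other position.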

SSL negotiates the encryption algorithm and session key. It also authenticates the server before the application protocol transmits or receives the first byte of the message. CDN companies can provide CDN SSL in two ways. The first way is to use custom SSL to protect data on CDN servers. That gives more control. If a website uses custom SSL, the encryption is carried through all stages of data transmission: from the website to the edge server, and from the edge server to the end user. The other way is to use the Edge SSL options provided by a CDN company.

This way is attractive for its simplicity. All the customer needs to do in this case is enable SSL in the CDN account. Usually it starts working immediately, without any installation.