In a three-day spree, Cloudflare this week announced email security for all paying plans, a free, limited web-application firewall (WAF) and a low-cost API protection option.
Cloudflare organizes its product announcements into thematic, week-long blitzes. This week, security week, saw the email announcement Monday, the WAF on Tuesday and the API gateway on Wednesday.
"We have traditionally done protection for the web and other things connected to the internet, but haven't really focused on email. As we built our zero trust solution, which is really protecting internal applications in companies when they are connected to the network and letting people get access work from wherever they need to be glaring, there was obvious hole when we weren't protecting enterprise email," said Cloudflare chief technology officer John Graham-Cumming.
The email announcement follows Cloudflare's purchase of email protection firm Area 1, and will launch as soon as the sale closes.
Graham-Cumming sees advantages from not only cost, but also the convenience of not needing an additional vendor to add a solution and the ability to integrate data from Cloudflare's substantial footprint into protection.
The WAF is intended for the free tier of customers. It is not a full-featured product. Instead, it will allow free customers to customize Cloudflare's emergency protections against massive global threats like Heartbleed, ShellShock or Log4j. Cloudflare would already step in to defend against a Log4j, but did not have an available interface for customers monitor activity or turn it off if they wanted. The free WAF will fill that gap.
Graham-Cumming said he was most excited about the API gateway.
Cloudflare's internal data shows API's account for more than around 50% of the traffic it sees.
The new API services would provide a "competitive" product relying, in part, on many of the features customers already pay for. While pricing has not been announced, Cloudflare anticipates it costing a "fraction" of other vendor's services, not having to keep a meter running on the number of calls or bandwidth.
"We have all the components to make an API gateway. We have a developer platform. We have load balancing, we have rate limiting, we have security features, DNS everything. We should provide a service that will not require the user to pay what is a silly amount of money for something that we can provide to them," said Graham-Cumming.