Grace Under Pressure: CloudFlare’s Security Breach & Transparent Response

Security breaches occur. We’ve seen it time and again, but sometimes a company’s response and transparency about what happened – and why – can more than restore its customers’ confidence, but also showcase the type of company it is.

Such is the case with CloudFlare, a web performance and security company that experienced a security breach last week. On Friday, CloudFlare announced that a hacker had bypassed the company’s sophisticated security measures to access customer accounts through the personal Gmail account of Matt Prince, CloudFlare’s CEO. While the breach was a serious one, and especially troubling because the hacker was able to compromise Google’s two-part authentication process, Prince and CloudFlare handled the situation in an exemplary manner.

From the beginning, the company approached the situation with transparency. When the breach happened CloudFlare immediately alerted its customers and kept them informed about what was being done to mitigate the situation. Prince openly acknowledged where he and the company had made mistakes. For example, when it was discovered that the initial attack occurred in Prince’s personal Gmail account, he quickly responded by acknowledging the misstep and severing the connection between his personal and work accounts. CloudFlare owned the mistakes and provided clear insight into what was being done to rectify them.

Compare this with the evasive approach that RSA took during its breach last year.

RSA was hacked in March 2011, but the company didn’t announce the breach until June. For months, customers were left in the dark about their security vulnerabilities. When the company finally admitted that secure information might have been compromised, both customers and security experts alike expressed deep concern over the company’s long silence. By not transparently addressing the issue, RSA put their customers at yet more risk.

There’s a lot to learn here, from both a processes and transparency perspective. It’s not enough for organizations to simply run through a security checklist and be satisfied with checking off boxes. And it’s not enough to deflect serious security breaches with an afterthought acknowledgment. Security measures, especially as they relate to mobile devices and web-based apps, need to be carefully thought out — and the more open companies are about the steps they’re taking and on missteps and how they’re correcting them, the better. Real cloud companies are aligned with their customers’ interests and should take a page from CloudFlare’s book (not the RSAs of the world) when things go wrong. No deflection. No finger pointing. No spin.