Today Reblaze released Curiefense: a free, open-source web security platform that extends Envoy Proxy to include WAF, Bot Management, application-layer DDoS protection, and more. We at Reblaze are already receiving questions. “What is Curiefense about? Why have you released it as open source? And what does this mean for Reblaze?”
To many people, open-sourcing most of our platform is a radical concept. And in some ways, it is. But this is the logical outcome of our original vision for Reblaze.
Reblaze was founded with one goal: to make the web a safer place for everyone by harnessing emerging technologies. At the time (2011), the cloud was still in its infancy, but we already saw its potential: we could use it to deliver a powerful autoscaling security solution, deployed in a dedicated VPC for each customer and geolocated immediately in front of the protected network. Later, as more cloud capabilities became widely available (such as data warehousing, Machine Learning, etc.), we leveraged them as well.
Of course, other companies were also moving into this space with us. However, there was a key difference. At Reblaze, our decisions are driven by a simple principle: choose the options that will provide the best protection for our customers. And every significant decision we’ve made is derived from that point of view.
We have always believed that cloud technologies enable a robust single-tenant solution that is still SaaS. Cloud users should be able to benefit from all the advantages of a SaaS model (automatic updates, scalability, fully managed services…), without compromising on key principles such as privacy and security. It makes no sense that one should have to share private keys and application traffic with a third party (and worse, to do this in a multi-tenant environment), in order to add security layers.
Therefore, since Reblaze’s inception, we have taken this single-tenant approach. Every Reblaze deployment runs in a unique VPC, dedicated for that customer’s exclusive use (and unless otherwise required, running in that customer’s account). This eliminates the privacy and other issues produced by multi-tenant solutions.
Since then, the web has evolved, and microservice architectures have become very popular. New services are constantly being introduced, and existing ones are frequently altered. This means that proxying with an external entity sometimes introduces overhead when keeping the systems in sync. Thus, we have chosen to move into the service mesh itself, and extend the proxy in use there, to remove the need for an additional layer.
This approach—moving all traffic processing into the customer’s perimeter—provides complete privacy and maximum efficiency. Back when Reblaze was founded, this was not possible. But today, it is. And so, that’s exactly what Curiefense does.
Other aspects of Curiefense—such as providing full traffic transparency, using Machine Learning to adapt to evolving threat environments, and so on—are derived directly from Reblaze. Curiefense has given us an opportunity to reimagine the “ideal” web security platform, and we’ve built it from the ground up based on goals and fundamental principles learned from our years of accumulated experience, serving hundreds of enterprise customers.
(For a full explanation of Curiefense’s foundational principles, see the Manifesto.)
But you might still be wondering: Why have we released Curiefense as open source? Why don’t we sell it as a proprietary product, and benefit from the (multiple) ways it advances the state of the art?
We’re open-sourcing the Curiefense platform for multiple reasons. First, we believe that open source is an inherently superior approach to software development and distribution: a powerful way to allow the intellect and talents of entire communities to create better tools, for the benefit of us all.
Second, making it freely available allows many organizations to access and use this platform, including some that otherwise would not be able to do so.
Third, Reblaze is transitioning to become a development and service company for Curiefense. (It’s already being used by Cisco and other organizations.) We will continue to extend the platform and add even more capabilities. We will also offer premium services and support: see the Features page for more detail on this.
Throughout it all, our original vision remains, and we view Curiefense as the next logical step. By freely offering this platform to the cloud native community, we can make it more powerful and more flexible than we could alone. At the same time, we will see many more organizations adopting it, and baking security into the very foundation of their infrastructures.
And that will help make the web a safer place for everyone.