Highlight text to annotate itX
Welcome to MovieLine Monday.
My name is Krishna.
And today's MovieLine is Monty Python and the Holy Grail.
"Come and see the violence inherent in the system." We
are going to talk about some sledgehammer approaches and
how the avoid them.
So let us look at a typical distributed enterprise.
And distributed enterprise has a bunch of campuses, where
most of the workforces, small branch offices where there are
sales or smaller development teams working.
Then you have remote workers working from home.
And also traveling people and even other employees are on
the road and accessing information using smart phones
All of these accesses go down to apps sitting inside the
So most of the apps are sitting
inside the data center.
And in order to apply policy, you have security devices,
like firewalls and VPNs, providing access controls as
the traffic comes in.
So what we see is that it's a central policy enforcement
There, before the apps are accessed, you know who's
accessing the apps and if they're allowed to or not.
Now, this is an easy approach, because all of the apps are
sitting in a single data center or a small number of
Now, imagine the trend that we are witnessing right now,
which is apps popping up all over the place in
terms of the SaaS apps.
So you have cloud apps coming up all over.
So you have your sales force here, you may have a DropBox
here, you maybe have box here, right?
And these are not going to be in a single place.
They're going to be in many different data centers.
And users are starting to [INAUDIBLE] apps.
So basically, they're trying to go here, and so on.
Now, if we have to deploy policies on this traffic,
there are a bunch of approaches.
Let's talk about the sledgehammer approach, which
is to bring all the traffic back to the data center, where
you have all the security gear, and apply
the policies there.
Which is very wasteful.
So if you look at this, you go here and then you come to your
So another approach is to apply the policies at the
various apps themselves, which, again, is very
difficult, because these apps are not under
the enterprises control.
So what is a good way then?
Let's look at an ideal way in which this
problem can be solved.
If we were to have enforcement points distributed over of the
internet in such a way that users accessing any one of the
applications have to first go through a security enforcement
point that is distributed and close to the user, then you
solve the problem in a scalable manner.
And what is important is for all of these distributed
enforcement points, there's a central control point that you
develop you policies and then distribute the policies to
these enforcement points.
So this way what happens is traffic going to the apps gets
the least amount of latency in terms of not having to bounce
around in different places.
But at the same time, you get to keep all of the security
policies in place.
So we believe that you should get rid of all the
sledgehammer approaches and look at more scalable
distributed policy enforcement approaches for
solving this problem.