Glass Class - How Bitglass' Reverse Proxy Enables Full Application Robustness
Hi, my name is Rich Campagna and thanks for joining Glass Class. Today we're going to be talking about reverse proxies and how Bitglass has been able to achieve full application robustness and resilience with its reverse proxy solution.
We have a very simple diagram pre-drawn here in the slide. We have a cloud application. It can be any cloud app: Salesforce, Office 365, and any device. It may be a managed Windows laptop, it may be a BYOD iPad, as an example. With the cloud access security broker, typically what you want to do is intermediate. You want to sit in between the cloud app and the point of consumption, whatever the device may be, and it must be any device. Not just the managed Windows laptop on which you can install profiles or VPNs and the like, but you also have to support things like BYOD, where installing software and taking control of the device may not be appropriate.
As a result, you need to have a mode of deployment or a mode of access that allows the user to pick up any device and gain access to that cloud-based application. But we want to do it in a secured and controlled way. So, this is where the reverse proxy comes into play. Reverse proxy intermediates and sits between the cloud app and the point of consumption or the device itself. The way that this works: we'll just go through the example of maybe a web browser mode where a user goes over to the web browser and attempts to access, maybe, Outlook online within Office 365.
What's going to happen is, this cloud app is going to serve some content up to the proxy and then the proxy is going to do the security controls that it typically does and serve content down to the device. Today's web applications have a lot of different types of content. But there may be things like HTML, which is static content executed on the server side, and there may be things like AJAX or various different forms of JavaScript or client-side code that's executed not on the server but in the browser.
When you try to do a reverse proxy, what most competitive approaches do is focus here. They are going to use the technique called server-side rewriting, which is basically going to take the HTML that's served up from the back-end cloud application and it's going to rewrite it. What I mean by rewriting is it's gonna take all the links and URLs inside of a particular piece of content and they're gonna rewrite them so that instead of pointing back to Outlook online, they are instead gonna point back to the proxy itself. As the user clicks on these links, it's gonna go back into the proxy, instead of bypassing the proxy and going direct to the app, which is gonna lead to breakage.
For this static content like HTML, that works perfectly. The problem is, this is where most cloud access security brokers stop when attempting to build a reverse proxy. The challenge here is this client-side code is also executing, is also making calls back to the application itself. Let's say the cloud app vendor comes and makes some changes to their application and it's unbeknownst to the cloud app security broker that that app starts all of a sudden serving up some different content both on the HTML side and on the client side. Now all of a sudden their problem is that this HTML for most proxies will continue to work but the AJAX stuff will break. This is why a number of our competitors have large numbers of engineers on staff so they can scramble and try to fix these breakages and outages before it's days or weeks on the customer side, but typically it's an order of days.
What we've done is, we do the server-side rewriting but we also wrapped this AJAX code. We call this the AJAX VM. The AJAX Virtual Machine acts exactly as it sounds. This client-side code, as it executes, thinks it's talking to the browser itself. Instead, what it's doing is talking to the Bitglass AJAX Virtual Machine. So that if, at any point in time, this client-side code changes, it'll still continue talking to the AJAX Virtual Machine, where we can get in the middle and ensure that these calls go back through the proxy instead of bypassing the proxy. The result is a truly resilient, reverse proxy based infrastructure that allows us to work with the most modern cloud applications that you'll see out there, without any outages or downtime on the customer side, and without the need to install agents and software on the endpoint device.
Thanks for joining this session. My name's Rich Campagna.
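
The gap the talk describes, between rewriting links in served HTML and intercepting client-side calls when they are made, shown as an added example that is not part of the talk and not Bitglass's code. The host names and the helpers `rewriteHtml`, `wrapFetch` and `runClientCode` are constructed for illustration.

```javascript
// Constructed hosts (assumptions): "mail.app.example" stands in for the cloud app,
// "mail.app.example.proxy.example" for the same app reached through the proxy.
const APP_HOST = "mail.app.example";
const PROXY_HOST = "mail.app.example.proxy.example";

// Server-side rewriting: repoint absolute URLs found in href/src/action attributes.
function rewriteHtml(html) {
  return html.replace(
    /\b(href|src|action)=(["'])https:\/\/([^\/"']+)/gi,
    (m, attr, q, host) =>
      host === APP_HOST ? `${attr}=${q}https://${PROXY_HOST}` : m
  );
}

// Call-time interception: wrap the function client code uses for network calls,
// so the URL is repointed when the call happens, however the URL was built.
function wrapFetch(realFetch) {
  return (url, opts) => {
    const u = new URL(url);
    if (u.host === APP_HOST) u.host = PROXY_HOST;
    return realFetch(u.toString(), opts);
  };
}

// Constructed page: one static link, one script that assembles its URL at run time.
const PAGE = `<a href="https://mail.app.example/inbox">Inbox</a>
<script>
  const host = ["mail", "app", "example"].join(".");
  fetch("https://" + host + "/api/messages");
</script>`;

// The same logic as the page's script, run against whichever fetch it is given.
function runClientCode(fetchImpl) {
  const host = ["mail", "app", "example"].join(".");
  fetchImpl("https://" + host + "/api/messages");
}

function demo() {
  const rewritten = rewriteHtml(PAGE); // static link fixed, script text untouched
  const direct = [], wrapped = [];
  runClientCode((u) => direct.push(u));             // bypasses the proxy
  runClientCode(wrapFetch((u) => wrapped.push(u))); // goes through the proxy
  return { rewritten, direct, wrapped };
}
```

The static rewrite never sees the host name the script joins together at run time, so only the wrapped call lands on the proxy host.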