Love at First Flight — How to Fly Direct with dope.security

In the following series, Love at First Flight: How to Fly Direct with dope.security, we will dive into how we have built the dope.swg Fly Direct architecture, detailing how each component works together to deliver a DOPE experience.

As we know, stopover secure web gateways (SWGs) have a lot of problems. The dope.swg solves many of them by using a new patented architecture — Fly Direct. It isn’t just a feature; it’s a brand new distributed architecture that dramatically improves upon the current state of the SWG market, and offers tangible benefits in the following key areas: performance, reliability, privacy, and costs.

To understand how Fly Direct improves upon a legacy [stopover] SWG architecture, consider the following capabilities of an SWG product:

• Management (define user policies and other configurations)
• Enforcement (filter traffic according to policies)
• Content classification (identifying malicious domains, malware)
• Connectivity (ensure devices only connect to the internet via SWG)
• Analytics (provide metrics insight on user activity)

With legacy SWGs, each capability is deployed in a particular way — enforcement for example happens in the cloud. The only thing that happens on the device is connectivity to the Internet. Does it have to be this way? We don’t think so.

It’s important to understand the history and origins of a technology (see: What If We Could Fly Direct?) so that we can understand what is a fundamental constraint versus a design decision or just a consequence of history. Do we have to do it this way? Or have we simply always done it this way and never tried anything else? In the case of SWGs, enforcement in the cloud is not a fundamental constraint. This understanding is what led us to completely reinvent the SWG architecture.

The dope.swg architecture uses a fully distributed enforcement model. The heart of the architecture is local policy enforcement, done directly by the endpoint, with a custom, high-performance local enforcement engine.

The dope.endpoint(1) performs all URL filtering, cloud application controls, anti-malware, and policy enforcement on-device without any stopover datacenters. The dope.cloud(2) is in lock-step to deliver security services and APIs to the endpoint fleet.

The other key piece of the dope.swg Fly Direct architecture is realized by taking advantage of some of the latest technologies that are often overlooked by other SWG vendors. For example:

• Managed multi-region active-active global tables
• Multiple regions of transaction data residency
• Serverless Architecture

The dope.cloud performs management capabilities (policy configuration and various settings) and efficiently distributes configurations to a global endpoint fleet. These management capabilities give the cloud workload a completely different profile that lets us leverage modern concepts like serverless.

The dope.cloud also maintains up-to-date content classification data in order to leverage the size and scale of multi-GB content databases and models. dope.cloud and dope.endpoint work together to distribute this information effectively using cache models that allow the endpoints to perform over 95% of their enforcement decisions without making calls to the cloud.

At a high level, the flow works like this: when the user is browsing the internet, the dope.endpoint is continuously monitoring the domains to enforce the security policy set by the admin. Whenever the endpoint encounters an unknown domain, it reaches out to the cloud to retrieve information about this domain, which will be cached for faster access in the future. The dope.cloud automatically updates its content database several times a day.

The dope.endpoint communicates with the dope.cloud to submit data and retrieve website category information as needed. The dope.cloud maintains up-to-date category information and computes and serves analytics for customers.

The dope.endpoint keeps track of which websites and internet content the user accesses. Periodically, the dope.endpoint will update minimal metadata about these transactions to the dope.cloud. dope.cloud uses this metadata to compute user analytics. Analytics results are pre-computed daily, to enable speedy display in the admin console.

To support data residency, customers pick a single region to host their transactions metadata in. Endpoints will upload exclusively to that region. The analytics engine is also region aware — analytics are computed in the region where the data is hosted — data never leaves the region.

In the coming articles of this series, we will dig deeper into how we built the aforementioned capabilities and how they work together. If we’ve piqued your interest in our product, give it a try yourself.

Footnotes

1. The dope.endpoint is the on-device proxy that manages and enforces a company-defined policy. It autonomously performs all SWG functions, even when there is no cloud connection, so users remain safe at all times.
2. The dope.cloud is a set of security services and APIs that power the dope.endpoint and dope.console. It maintains a connection with the dope.endpoint and dope.console to apply policies, perform malware analysis, and deliver real-time analytics for administrators.