| The Only Way to Build a Distributed Global Network to Reduce Latency |
| Goldman Sachs defines multi-tenant as an architecture where customers share physical instances of an application, while a single-tenant architecture has a dedicated instance of the application for each customer. A good example of single-tenant architecture is Siebel’s sales force automation system, where there is a dedicated server for each customer. A good example of multi-tenant architecture is Salesforce.com, where multiple customers share the same instance of the application. |
| Hosted Applications (Single-tenant Architecture) |
| Today’s security appliances are single-tenant; they are designed to be deployed at a single location and cannot be used to handle Internet traffic coming from multiple customers. Vendors trying to offer a SaaS web security service may take traditional proxies, such as Squid, and put a load balancer in front of them to make them multi-tenant. But in this approach, a customer is still tied to either a specific system or a specific data center. If the data center is in San Jose, all Houston traffic has to be re-routed through San Jose for policy enforcement, which introduces significant latency. Furthermore, this is not a scalable and viable business model to handle thousands of customers. |
| In a single-tenant, or pseudo multi-tenant, architecture, a customer is tied to a specific system or a specific data center. |
| In a multi-tenant architecture, a customer policy can be executed in any of the data centers, reducing latency. |
| Multi-tenant Architecture |
| As described above, a SaaS service needs to be multi-tenant, like Salesforce.com. However, SaaS web security may be even more challenging than a SaaS application. In the case of Salesforce.com, end users log on to a specific system. A SaaS web security service, on the other hand, sits in the data path between a web user and a web server, which introduces routing latency. A number of distributed proxies around the globe are required to minimize this routing latency. |
| Gateways receive traffic from multiple customers and apply each customer’s appropriate policy before sending traffic to the Internet. A network of distributed gateways near each metropolitan area provides an Internet onramp close to the user. A user in DC has her traffic routed to the gateway deployed in DC and the San Jose user has his traffic routed to the San Jose gateway—rather than backhauling traffic across the country. Routing a user’s traffic to the nearest node significantly minimizes latency. |
| For Web security, a multi-tenant architecture is required in order for this distributed network to be possible. Multi-tenant architecture enables our cloud nodes to handle multiple customers using a single instance of our infrastructure. Each gateway is able to handle the traffic of multiple customers, while enforcing policies of individual users. |
| A multi-tenant architecture enables the deployment of the Zscaler Distributed Global Network, which reduces the latency of traffic re-routing by providing an Internet onramp close to users. |