WHITEPAPER

The rapid emergence of software-as-a-service (SaaS) applications over the last four or five years has empowered businesses to increase revenue and reduce operational costs. Salesforce.com, NetSuite, Workday and other SaaS applications have been deployed by thousands of companies, from multinational corporations to small businesses. Their performance and reliability have become critical to business operations because they deliver core functionalities including CRM, ERP, accounting, communications and training.

SaaS applications are easily and quickly deployed. But they present a new challenge: the whole SaaS infrastructure (application servers, storage and network connectivity) is outside the control of business IT. Here are a few of the many ways in which unpredictable access or performance of core SaaS applications can affect a business:

1. Missed order bookings before the end of a reporting period
2. Incomplete financial reporting
3. Loss of compliance with industry and regulatory statutes for training
4. Delays in construction projects due to holdups in design completion and review

Another effect of SaaS performance and reliability issues is the impact of user complaints on IT. Users don't call Salesforce.com or Workday about performance or access problems; they call IT. The burdens of trouble ticket capture, review and reporting impact IT personnel and IT projects designed to expand business services or reduce costs.

SaaS Traffic Load Examples

Of course, SaaS applications consume bandwidth. This can range from smaller amounts of bandwidth from incremental database updates to very large video downloads for learning management systems.

Core business need: Ongoing training and education
SaaS application: On-line audio/video training (Examples: Taleo, SumTotal, SuccessFactors)
Bandwidth consumption: 200Kbps - Mobile Device; 400Kbps-1Mbps - Desktop

Core business need: Weekly, monthly, quarterly reports or statements on business operations
SaaS application: Data queries, dashboards and business intelligence information (Examples: Salesforce.com, NetSuite, Workday)
Bandwidth consumption: 200Kbps-1Mbps - Desktop

Core business need: Large documents such as reports, CAD files, or presentations
SaaS application: Large document transfer (Examples: Office365; Box.net; Yousendit)
Bandwidth consumption: 50Kbps-200Kbps

Core business need: Protection against loss of data; recovering data after a disaster
SaaS application: Cloud storage/backup (Examples: evault; CrashPlan; Mozy; Carbonite)
Bandwidth consumption: 100Kbps-1Mbps

Impact of Recreational Traffic on SaaS Performance

SaaS applications come into a business network through Internet connections. These connections also serve VPN traffic from remote users who are trying to access internal applications. Meanwhile, employees are using the same Internet access points for recreational purposes. The reality is that core SaaS applications are fighting for bandwidth with YouTube videos, online gaming, and uploads of photos from the family trip to Disneyland. Here are some examples of bandwidth consumption by recreational traffic:

Recreational activity: YouTube video viewing
Impact on network bandwidth: 200Kbps - Mobile phone; 400Kbps - Tablet; 1Mbps-1.5Mbps - Desktop/laptop

Recreational activity: BYOD OS update
Impact on network bandwidth: 50MB-920MB size @ 500Kbps; 50MB - 14 minutes; 920MB - 4.25 hours

Recreational activity: Online gaming
Impact on network bandwidth: 50Kbps-100Kbps; 50Kbps @ 30 minutes = 10.8 MBs; 100Kbps @ 20 minutes = 14.4 MBs

Recreational activity: Uploading a 1-minute child's birthday party video (230MB)
Impact on network bandwidth: 500Kbps upload = 1 hour 4 minutes

What Options Do You Have for Ensuring SaaS App Access and Performance?

So if SaaS applications consume bandwidth and compete for bandwidth with other applications, what are the options for managing performance over the network? Here are the five most common alternatives:

1. Buy additional Internet bandwidth. IT simply grows the Internet access point(s) with external providers.
Pro: Adding bandwidth is easy. Vendors will gladly offer quotes and time frames.
Con: New capacity is expensive, and is quickly consumed by non-business applications because most networks have neither Layer 7 visibility nor control of bandwidth consumption. With no optimization (protocol optimization, compression, or caching) in place, redundant traffic like BYOD OS or application updates continues to traverse the network unabated. This leads to a vicious cycle of adding costly bandwidth to improve SaaS performance and watching non-business traffic expand to consume it.

2. Turn on or tune QoS on routers. All network routers can maintain a basic quality of service (QoS) level on network traffic coming across the ports.
Pro: At the command line interface (CLI) level, setting up a QoS configuration for traffic on router ports is fast and easy. The feature is built into all routers, and any network administrator should know how to log in and configure QoS on them.
Con: Routers lack the application and content intelligence necessary to make QoS useful. They create risk and cannot manage inbound QoS.
Intelligence refers to the ability to differentiate Salesforce.com, Webex, NetSuite, or Office365 from YouTube, BBC and ESPN. To a router, it's all port 80 traffic. Even if you can identify the traffic, creating complex ACLs on routers is often viewed as a dangerous operational step. Most network operations groups prefer to limit router QoS to setting MPLS CoS classes; more advanced ACLs are very difficult to scale across a large distributed environment, and can destabilize the core router functions. Lastly, routers use queuing for QoS. That's great on outbound traffic, but inbound queuing happens after contention has taken place, making it an ineffective approach.

3. Implement application and content QoS. IT can install and configure an appliance or a virtual appliance application (VA) that provides visibility or control (QoS) by application and content.
Pro: This approach allows network administrators to allocate and prioritize Internet connectivity bandwidth according to the business value of each application. This protects Internet bandwidth for key SaaS applications and ensures that recreational traffic is contained, so the vicious cycle of bandwidth-buying is avoided.
Con: Application and content visibility applications don't provide optimization leverage to mitigate the flow of redundant data across the network.

4. Use traditional symmetric WAN optimization.
Pro: Traditional WAN optimization uses a symmetric model to accelerate most types of WAN traffic, including CIFS, FTP, TCP and iSCSI. It can make application performance feel like local performance (even from 7,000 miles away on another continent) and reduce bandwidth by up to 90 percent.
Con: Symmetric WAN optimization is impractical for SaaS applications. For it to work, it would have to be deployed as an appliance or a virtual appliance at each SaaS vendor's data center, which would present management and cost challenges. It would also require IT to go to all SaaS vendors and get them to agree to install a WAN optimization solution in their infrastructures. Setup, maintenance and support would have to be negotiated. This is not by any means an easily scalable or repeatable structure. Additionally, the QoS mechanisms on WAN optimization equipment are much like those of routers: they're very coarse, lack the application and content intelligence to be effective, and only affect OUTBOUND traffic.

5. Implement asymmetric caching and splitting. Asymmetric caching and splitting is the dynamic caching of data by a single appliance and splitting and serving it as needed. When the content is no longer being accessed, it's aged out of the cache.
Pro: Asymmetric caching stores rich web content that is accessed repeatedly. It splits live video (such as a CEO webcast) and caches and splits on-demand video (like music videos from YouTube). It optimizes both enterprise cloud applications and general Internet traffic to reduce bandwidth consumption.
Con: Asymmetric caching typically works only with HTTP, HTTPS and video traffic (not with legacy or storage protocols). It only optimizes repeat access to a specific piece of content, such as a video file, a document, or a dashboard element.

Clearly, none of these options can ensure reliable access and performance for SaaS applications.
Let's review the capabilities of a complete SaaS performance solution which Blue Coat can provide.

Best Practices for Ensuring SaaS Access and Performance

The Basic Question: How Does Network Bandwidth Usage Align with Goals?

To compare Internet network capacity with operational goals, businesses must have visibility into the traffic on the network, a means of controlling and prioritizing it and, finally, a way to accelerate and optimize applications and protocols. Blue Coat provides tools that enable you to implement effective strategies.

1. Reserve Internet Bandwidth for Critical SaaS Applications

Cloud and SaaS applications are typically accessed via Internet links. Those links can suffer contention due to spikes in usage, which slow delivery of cloud applications. By reserving bandwidth for cloud applications, you can better assure performance. To do this, however, you need QoS systems that are intelligent enough to identify cloud applications and differentiate them from other port 80/443 traffic. Step 1 illustrates an application and content level view of traffic that can drive QoS policy on a Blue Coat PacketShaper. Here's what this enables you to do:

- Internet links can be partitioned to reserve 25 percent of bandwidth for cloud applications.
- Priorities can provide a simple way to allocate bandwidth, giving more important SaaS applications higher priority. They can also prioritize access to burstable partitions.
- Dynamic sub-partitions can allocate bandwidth fairly on the whole link or within a partition among active users. This can be beneficial for individual SaaS application sessions or virtual desktop deployments.
- Application-based MPLS tagging allows you to set DiffServ, TOS bits and even MPLS labels at an application level, saving you from complex router ACLs.

2. Contain Contentious Applications with Specialized Asymmetric QoS

Video traffic: YouTube, BBC and other media outlets move huge amounts of video that is consuming 80 percent of all Internet capacity today. The volume of traffic generated by celebrity deaths, tragedies, news events or just everyday usage can crowd out SaaS applications. Then there's the mind-boggling traffic from iPhones, iPads and Androids: app downloads, content downloads, OS downloads, video and picture uploads and cloud drive/backup systems that together have created a 20-200GB network data load per user.

You can manage this traffic with a containment partition. Most QoS technologies, however, work as queues; they can't control the remote servers that can flood your network with traffic. With Blue Coat, the combination of application-level QoS and asymmetric TCP rate-control technologies can intelligently manipulate window sizes and ACKs to throttle the sending rates of remote servers, effectively enforcing QoS policies:

- Partitions can limit recreational traffic to 10 or 20 percent of capacity.
- A low priority for bursting gives recreational traffic access to additional bandwidth when excess capacity is low. If business-critical cloud applications need the bandwidth, their higher priority to burstable bandwidth will take effect.
- Application-based MPLS tagging allows you to set DiffServ, TOS bits and even MPLS labels at an application level, saving you from complex router ACLs.

All these policies are driven by the Blue Coat application-level view of traffic and are simple to implement. You can immediately contain the impact of undesirable traffic and assure bandwidth availability for key applications.

3. Monitor Response Times

As you manage bandwidth, smart tools can passively monitor the response times of key applications. By tracking network delay, server delay and total delay, you can set proactive alarms that alert when you dip below expected performance levels (for example, an SNMP trap when Salesforce.com normalized network delay exceeds 1000ms). You can then be aware of degrading conditions before users start phoning in complaints.

There are a number of response time statistics onboard PacketShaper. These statistics are passively calculated based on TCP data transaction heuristics. They are not perfect end user views, but rather indicators of when performance is degrading. Normalized Network Delay is one of the key statistics; it tracks transaction times on the network, normalized across transactions with small data sets (HTTP page load) or very large dataset transfers (FTP of a 100MB file). You can:

- Break out top 5 SaaS applications onto the traffic tree.
- Monitor performance levels to identify baselines of normal performance, noting spikes in response times.
- Set a total delay threshold at 1000ms (base); set a normalized network delay baseline of 300ms or a Round Trip Time (RTT) at the expected link latency (e.g. 60ms for a domestic MPLS link, 150ms for an Internet link).
- Configure an SNMP trap to trigger when either of the two thresholds is violated.
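
The baseline-and-threshold procedure in the list above, as an added example (not Blue Coat code and not how PacketShaper computes its statistics). It applies the 1000ms total delay and 300ms normalized network delay thresholds from the text to constructed readings; treating total delay as network delay plus server delay, and a spike as twice a class's median, are assumptions.

```python
from dataclasses import dataclass
from statistics import median

TOTAL_DELAY_MS = 1000              # total delay threshold from the text
NORMALIZED_NETWORK_DELAY_MS = 300  # normalized network delay baseline from the text
SPIKE_FACTOR = 2.0                 # assumption: a "spike" is 2x the class's baseline


@dataclass(frozen=True)
class Sample:
    minute: int
    app: str
    network_ms: float
    server_ms: float
    normalized_network_ms: float

    @property
    def total_ms(self):
        # Assumption: total delay = network delay + server delay.
        return self.network_ms + self.server_ms


def baselines(samples):
    """Median total delay per traffic class, used as 'normal' performance."""
    per_app = {}
    for s in samples:
        per_app.setdefault(s.app, []).append(s.total_ms)
    return {app: median(values) for app, values in per_app.items()}


def violations(sample):
    """Names of the thresholds a sample exceeds; an empty list means healthy."""
    broken = []
    if sample.total_ms > TOTAL_DELAY_MS:
        broken.append("total_delay")
    if sample.normalized_network_ms > NORMALIZED_NETWORK_DELAY_MS:
        broken.append("normalized_network_delay")
    return broken


def evaluate(samples):
    """Return (traps, spikes): traps fire when either threshold is violated;
    spikes are readings above SPIKE_FACTOR x baseline but under both limits."""
    base = baselines(samples)
    traps, spikes = [], []
    for s in samples:
        broken = violations(s)
        if broken:
            traps.append((s.minute, s.app, broken))
        elif s.total_ms > SPIKE_FACTOR * base[s.app]:
            spikes.append((s.minute, s.app))
    return traps, spikes


# Constructed readings (minute, class, network, server, normalized network), in ms.
SAMPLES = [
    Sample(0, "Salesforce.com", 120, 180, 90),
    Sample(1, "Salesforce.com", 130, 170, 95),
    Sample(2, "Salesforce.com", 125, 185, 92),
    Sample(3, "Salesforce.com", 115, 175, 88),
    Sample(4, "Salesforce.com", 400, 300, 210),
    Sample(5, "Salesforce.com", 700, 250, 340),
    Sample(6, "Salesforce.com", 900, 350, 420),
    Sample(0, "Workday", 100, 200, 80),
    Sample(1, "Workday", 110, 1100, 85),
    Sample(2, "Workday", 105, 210, 82),
]

if __name__ == "__main__":
    print(evaluate(SAMPLES))
```

The Workday reading at minute 1 breaks only the total delay threshold while its network figures stay normal, which points at the server side rather than the link.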

4. Leverage Asymmetric Acceleration to Speed Performance and Reduce Bandwidth of SaaS

WAN optimization technologies are used to reduce bandwidth and accelerate performance. Because they typically require something on each side of the transaction, they are mostly useless for SaaS apps, where vendors don't use that type of optimization. Asymmetric caching technologies (a single appliance or virtual appliance at the branch office and/or Internet ingress) can speed delivery significantly. You can intelligently cache entire video files, dashboard queries and business intelligence reports, accelerating performance 25X and multiplying bandwidth to 500X.

The impact of video and application downloads to mobile devices can be minimized by object-caching on the Blue Coat ProxySG/MACH5 appliance. The ProxySG/MACH5 caches the first download. Subsequent requests for that download will be served directly from the local appliance instead of the WAN and the Internet. When demand ceases, the video, download, or web-page screen build will age out and be removed from the cache.

It's critical that all popular video delivery methods be supported to mitigate the impact of video on business operations. ProxySG/MACH5 supports all popular video formats. It communicates with video-serving servers to pull down a single stream to a requesting location and split it into as many real-time streams as local branch users have requested. The same principle applies to on-demand video, but in that case the ProxySG/MACH5 caches the video for users who call up the video later (for example, when they receive an emailed URL from a coworker).

ProxySG (ProxyEdition or MACH5) accelerates and optimizes:

- SaaS app screen builds and applications: HTTP objects, screen builds, Java Applets, business intelligence dashboards, documents and more
- Video (news, YouTube, social networks, regional television): Adobe Flash, native and encrypted (RTMP, RTMPe); Microsoft Silverlight (HTTP/RTSP); HTML5; Apple QuickTime; HTTP/SSL
- BYOD: iOS and Android OS updates, app downloads and updates, photo and video uploads and downloads
- Social networks: webpage screen builds, online games, photo and video uploads and downloads

[Figure callouts: Entire videos, BI dashboards, files and web content cached on box. Distribute fresh content from cache multiple times to authorized users. Accelerate performance 25x. Reduce bandwidth 20-70%.]

5. Gain Visibility into Usage of Network Resources with a Real-Time, Granular View of Internet Traffic

To manage application traffic on your network you must have a granular view of it, granular enough to let you differentiate web-based applications and content. Knowing that traffic is coming via Port 80 or Port 443 doesn't help you to understand what's impacting internal applications. Your visibility into Internet traffic must be granular enough to let you identify it by flow (business vs. recreational) and in real time, so you can see traffic bursts, respond quickly, and see instant results.

[Chart: traffic by class. Email 10%; Online meetings 2%; Remote access 2%; SAP 4%; VoIP 2%; Information 10%; At-risk 5%; File Services 4%; Commerce 5%; Leisure 4%; Backup 4%; Facebook Video 8%; Facebook Games 7%; Facebook Wall 2%; IM 1%; YouTube 14%; BBC 5%; Other MM 5%; Health 3%; Society 2%; Banking 2%]

The problem is that the huge number of applications and websites makes it very difficult to get a clear understanding of traffic. That's why Blue Coat PacketShaper provides real-time traffic classification of hundreds of applications and millions of websites, measuring utilization and response times and recording a hundred stats for each class. PacketShaper technology gives you the ability to classify and differentiate:

- Hundreds of enterprise applications, with sub-classification of key applications like Microsoft, SAP and Oracle
- Internet applications that use multiple techniques to evade detection: P2P, IM, gaming, Skype, proxy avoidance
- Tens of millions of websites in 84 categories
- Applications within complex social media sites like Facebook, using detailed sub-classification for effective segmentation and control

This real-time visibility gives you a clear picture of what's happening on your network, and a path to traffic control.

Re-architect Your Network for Today's Applications

Cloud/SaaS, as well as video, BYOD and other recreational traffic, comes from outside the enterprise, from the Internet. Yet networks are architected for internal applications, with Internet access backhauled over the WAN. With new cloud security architectures, you can now safely connect branch offices to the Internet. You can maintain proper usage and protection from malware, while reducing networking costs 67 percent and improving cloud performance by removing that extra hop of latency through the data center.

- Branch appliance caches SaaS and recreational content, removes traffic from WAN backhaul.
- Same appliance forwards traffic to Cloud.
- Cloud prevents malware, enforces web usage policies, provides detailed logging.
- Overall network expense drops 67 percent due to reduction in backhaul traffic.
- Removal of extra hop of latency through the data center speeds performance of cloud applications and reduces contention over the WAN, improving internal application performance as well.

Blue Coat Provides a Complete Solution to Ensure SaaS Application Performance and Reliability

Blue Coat technology gives businesses complete visibility, control and optimization of SaaS application traffic. It minimizes the impact of recreational traffic on business operations while allowing employees to access Internet-based SaaS applications. Our unique combination of capabilities allows you to re-architect your network for tomorrow's applications. Contact Blue Coat for the complete story.

Blue Coat Systems Inc.
www.bluecoat.com
Corporate Headquarters: Sunnyvale, CA, +1.408.220.2200
EMEA Headquarters: Hampshire, UK, +44.1252.554600
APAC Headquarters: Singapore, +65.6826.7000

© 2013 Blue Coat Systems, Inc. All rights reserved.
v.wp-assuring-performance-cloud-based-apps-en-v2c-0813