Every company today is in the digital experience business. And, in the wake of COVID-19, because those experiences are now the primary way that people interact and transact with just about every organization, customer expectations are higher than ever.
Applications are at the core of digital experiences. Whenever you are interacting with a company online, whether through their website or their mobile app, the applications those organizations design, build, and operate are the face to their customers.
The digital experience enabled through these applications is not only critical, but can be fragile: According to AppDynamics’ App Attention Index, nearly 80 percent have sought discounts or refunds due to a poor digital experience. And 32 percent report that they’d abandon a brand they’ve previously been loyal to because of one bad experience—just one!
Clearly expectations surrounding today’s apps are incredibly high and are only getting higher. They are being driven higher by innovators—Amazon, Apple, Uber, to name a few—that continue to find new ways to disrupt and differentiate through digital experiences. But most companies struggle to keep pace with customers’ rising expectations.
Many companies have vast application portfolios that enable them to connect with customers, employees, and partners. Because of factors like cost, risk, and compliance, these apps are often a complicated mix of services and functionality stitched together with traditional and modern technologies. Think of a bank with a slick, modern mobile app that serves up account information or calls on business logic sourced from an archaic back-end system—which must be maintained to ensure reliability and continuity with complex systems that can’t all be changed at once.
Challenges around security are also daunting and appear to be getting worse. One reason is complexity. Our latest State of Application Services report, published in January 2020, highlighted the difficulty organizations have managing the security of their applications in today’s multi-cloud environments. Another reason is the rapidly evolving threat landscape, where the cost of sophisticated attacks keeps dropping, but the cost of defense keeps increasing. In particular, the huge number of data breaches in the last decade have made it possible for nearly any cybercriminal in the world to take over application accounts by checking to see where users have reused passwords across websites. F5 Labs research finds that eighty-six percent of cyberattacks target applications or identities associated with them. The number of attacks on apps increases every year and, amid the global pandemic, we’ve seen an unprecedented spike.
And then there’s the challenge of visibility. Part of delivering a compelling digital experience is being able to optimize the performance of each app. Gaining insight into how application traffic is flowing—and where and how to tune it—requires granular, end-to-end visibility. However, the infrastructure and services supporting these apps are complex and siloed, so very few organizations have developed this capability for even their most critical customer-facing apps.
All these issues are further compounded by sheer scale. In the age of microservices and distributed computing, it is not possible to stay on top of an expanding growing app portfolio without increasingly sophisticated automation.
F5 believes an important element of this more sophisticated automation is enabling applications to adapt. Much like a living organism, adaptive applications grow, shrink, defend, and heal themselves based on the environment they’re in and how they’re being used. This applies to born-in-the cloud, digital-native organizations as much as established companies with a complex mix of traditional and modern architectures.
Practically, what does this look like? I’ve written previously about something called the application data path—the pathway through which application traffic flows to reach an end user—and application services—the set of capabilities that sit along the application data path to provide end users secure and reliable access to the application business logic. Application services include capabilities that facilitate application delivery, such as app servers, web servers, ingress controllers, load balancers, DNS lookup, and CDNs. A different set of application services facilitate application security, including web application firewalls (WAFs), secure application access, anti-DDoS technologies, anti-bot technologies, and defenses against fraud and abuse. Essentially, these app services are the foundation for digital customer experiences. Over the past year, we’ve used the term “code to customer” to refer to this set of capabilities along the application data path.
Each of these application services generate valuable data about what's going on with the application traffic, such as latency, steering, and policy enforcement. Harvesting that telemetry creates the necessary granular visibility to then be able to change controls and configurations to optimize performance and security along the application data path.
Many of these capabilities are in place already, but to take the next big step toward adaptive applications, we need to layer a few more on top—a layer of analytics and automation that takes in the telemetry coming off the application services and passes configuration back down to them. Machine learning and other AI techniques can enable the system to learn from historical or similar traffic patterns and provide insight into exactly what's happening as well as the best path forward for optimization.
An adaptive application can act on this telemetry to grow, shrink, and adjust behavior on demand. Think about it this way: your favorite global coffee purveyor probably has a mobile app that you can use to find the closest store, order drinks from your phone, pay directly from an e-wallet, and acquire rewards points. All of those interactions need support to keep them performant and secure. Because coffee drinking spikes in the morning, you don’t need the same resources distributed evenly across the globe twenty-four hours a day—your resources are going to change based on business needs. With adaptive apps you can scale up performance, security and experiential resources to meet the morning rush in London and then redeploy them in data centers or points-of-presence (PoPs) on the US East Coast to support peak caffeination times in New York…and keep following the sun west.
And adaptive apps can defend and heal themselves. So if a bad actor tries to attack or defraud the application to steal data or money or rewards, through AI the app can learn and apply that knowledge across the network to block further attempts from that actor or similar activity from other actors. At the most basic level, this is how Shape Security works today. Using AI techniques, Shape distinguishes automated traffic (bots) from humans as well as malicious traffic from benign. Based on that, the organization can pre-define policies to allow Shape to automatically block the malicious traffic or facilitate access for human customers.
Building on Shape’s AI systems, F5 is able to analyze the telemetry coming from its vast portfolio of data path technologies—everything from BIG-IP load balancers and WAF solutions to NGINX web servers and API gateways to F5 Cloud Services and Silverline managed services. Leveraging the telemetry from those components, we can achieve granular visibility into how application traffic is flowing. Patterns can be inferred over time and thresholds established to detect anomalies and signal when an intervention is needed. In addition to flagging an app or a specific application service for intervention, we can also do some of the troubleshooting to suggest likely root causes for the issue.
Human operators can then set rules about how similar issues should be handled. In this way, the adaptive application is not just scaling and securing, it's actually learning and improving over time.
Right now, the general norm is that these things do not happen automatically in hybrid or multi-cloud environments. A great deal of manually implemented policies and scripting are required to establish what is effectively hardcoded adaptability. Most companies operate in a world today where if a customer experience is poor, they hear about it first through Twitter and then must scramble to track down enough specifics to narrow in on a resolution. This method of managing applications, this static process where the organization manages its resources in a manual way, does not scale to deliver against the sky-high customer experience expectations companies are faced with today.
In an adaptable app world, app services independently scale themselves depending on demand. They defend themselves and provide alerts to the overall system if they're suffering from any challenges. They coalesce into an end user experience that’s as adaptable as possible, with the ability to configure and orchestrate into different kinds of experiences. With the ultimate result being an extraordinary digital experience for the end user of the application.
Through F5’s existing investments, we are well on our way to delivering this vision for customers. We’re building an application services platform that will fundamentally change the way applications are delivered and secured—ultimately helping customers deliver the differentiated digital experiences that have become so important for every organization.