1. Field of the Invention
The present invention relates to network communications and provides methods, systems and related software components for communicating information between networked processors, and between applications running on those processors. In its preferred form, the invention is particularly, although not necessarily exclusively, applicable to communication between a user processor (e.g. within a corporate environment) and the processor of an Internet-level network processing service (e.g. a web-security service).
2. Description of the Related Art
Traditionally, corporate software has been installed on each individual workstation within the corporate network. This approach has the advantage of locating the software on the same physical machine as the data on which it operates; however, it also has several disadvantages, particularly with regard to maintenance. Installing a new version of the software involves creating a catalog of all machines on which the software is installed, and then sending staff to each individual machine in turn to upgrade it.
This maintenance cost, which is substantial, has led organizations to gradually remove software from the workstation and instead provide the software as a network data-processing service. Initially such services were focused on security concerns, with anti-virus software moved off the desktop and onto the network perimeter, scanning web, e-mail and instant messaging (IM) traffic as it passed through the corporate network to the workstation itself. However, such methods still present maintenance costs: notably the maintenance of server hardware and software and of the network infrastructure. Thus it has become common to outsource such services: the services are hosted on an external network and accessed by workstations (or client devices) via the Internet.
This mechanism for providing data services over a network has become known as “software-as-a-service” (SaaS) or “cloud computing” and has seen significant growth in recent years [Hayes 2008, Gartner 2008]. The advantage it provides is that the maintenance of the software and hardware is taken care of by a third party, which specializes in this service and handles all updates of hardware and software. Further, as the service is provided to several users, the service provider may have several servers providing the service, allowing it to freely route around hardware and software failures.
There are challenges associated with this method of providing data-processing services, however. One such issue is that, as the server devices providing the service are on a completely separate network from the client workstation, information available to the workstation may not be available to the service device. Typically this is due to necessary security measures implemented on the client network. Such information may, for example, include user-identifying information, necessary to provide different functionality to different users, or—in the case of a web-filtering service—to record users' web-surfing habits. However, it is not limited to such data: depending on the networked data-processing being provided, there are many types and volumes of data which may need to be transferred.
Previous work in the art [Edwards 2006] has sought to re-transmit this data with each network communication in an encrypted form. By re-transmitting the data with each network communication, it is possible for the service to be provided by several server devices on the service network, with each communication optionally being handled by a separate device according to some load-balancing strategy. This method has several disadvantages: firstly, by re-transmitting the data with every network communication, it increases the bandwidth required to provide the service; secondly, in order to ensure confidentiality, the data must be encrypted by the client device and decrypted by the service device on receipt, which increases the processing burden on both sides; lastly, the requirement to re-transmit and encrypt places significant limits on the data that can be transmitted (and therefore used) if the service is to be provided in a timely manner.
Thus there is a need, where a data service is provided on a service network consisting of several service devices which handle different requests from different client devices on a separate client network, for a method to securely and reliably provide data that is required by the service devices but available only on the client network. Such a method, to be practicable, must cause minimal disruption to the client devices and the client network.