Tuesday, July 19, 2005

What defines a highly available Web security architecture?

Everyone is saying that all the web security products have all the same bells and whistles. That's not true if you study the high-availability architectures of the products.

Most Web security agents (Policy Enforcement Points) call back to a central Policy Server (a combination of Policy Decision Point and Policy Management Point) to have any decision made. So what happens when you have remote sites with slow connections, or a high volume? Well, either the agent doesn't work, or the Policy Server dies from overload. Yes, you can scale the Policy Servers horizontally and vertically, but that only goes so far.

Therefore, one should look for a solution that puts the PEP and PDP together. Tivoli Access Manager is one product that took this course. TAM distributes the rules from the PMP to the PDP to be executed locally. This means each application protected by the Web security domain can scale independently, without also having to scale any shared infrastructure. This is very beneficial for organizations whose lines of business have their own budgets and don't like to pool their monies together. The other benefit is that the PEP/PDP pair (if given a small directory replica) can run fairly independently, even if disconnected from the PMP and master directory. Very useful for plants in Brazil, where the link is a 56K DS0 over satellite.
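To make the difference concrete, here is a small model of the two designs, added as an illustration and not taken from Tivoli Access Manager or any other product. All class, method and rule names are hypothetical; the rule format (path prefix mapped to allowed groups) is an assumption.

```python
# Constructed model; names are hypothetical and not Tivoli Access Manager APIs.
class LinkDown(Exception):
    pass

def evaluate(rules, groups, path):
    """PDP logic: longest matching path prefix wins; no match means deny."""
    matches = [p for p in rules if path.startswith(p)]
    return bool(matches) and bool(rules[max(matches, key=len)] & set(groups))

class PolicyServer:
    """Central PMP that can also act as a remote PDP."""
    def __init__(self, rules):
        self.rules, self.version, self.reachable, self.decisions = dict(rules), 1, True, 0
    def _check_link(self):
        if not self.reachable:
            raise LinkDown("policy server unreachable")
    def decide(self, groups, path):      # remote PDP call, one per request
        self._check_link()
        self.decisions += 1
        return evaluate(self.rules, groups, path)
    def publish(self, path, allowed):    # PMP rule change
        self.rules[path] = set(allowed)
        self.version += 1
    def snapshot(self):                  # rule distribution to local PDPs
        self._check_link()
        return self.version, dict(self.rules)

class CallbackAgent:
    """PEP only: every request needs a round trip; fails closed on error."""
    def __init__(self, server):
        self.server = server
    def authorize(self, groups, path):
        try:
            return self.server.decide(groups, path)
        except LinkDown:
            return False

class LocalAgent:
    """PEP + PDP together: decides from a local replica of the rules."""
    def __init__(self, server):
        self.server = server
        self.version, self.rules = server.snapshot()
    def sync(self):
        try:
            self.version, self.rules = self.server.snapshot()
        except LinkDown:
            return False                 # keep serving the last replica
        return True
    def authorize(self, groups, path):
        return evaluate(self.rules, groups, path)
```

In this model the local agent keeps authorizing from its last snapshot while the link is down, so a rule changed at the PMP takes effect at that site only after the next successful sync.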
