FIG. 1B shows a simplified block diagram for load balancing in a dynamic service chain, with organization network 102 with user interface 152 usable by security administrators to interact with the network security system and cloud-based services described relative to FIG. 1A. Data center 152 includes Netskope cloud access security broker (N-CASB) 155 with services 160. Many possible services can be selected by tenants for processing data flows of their users. The services selected for a tenant are referred to in the service chain for the tenant. A single tenant can have multiple service chains configured for different types of data packets and service chains can be reconfigured as the needs of a tenant evolve. One security service is a native service implemented by the security service provider. Another security service is Internet Protocol Security (IPsec) 161, a suite of protocols used in virtual private networks (VPNs) to authenticate and encrypt the packets of data sent over the Internet protocol network (IPN). Another security service is app firewall 162 that controls input, output, and access from, to, or by an application, by monitoring and potentially blocking the input, output, or system service calls that do not meet the configured security services policy. An example app firewall is web application firewall (WAF) for HTTP applications. Another security service is proxy analyzer 163 that examines and classifies data files as sensitive or not using content evaluation techniques described in U.S. Non Provisional application Ser. No. 15/368,246, entitled “MIDDLE WARE SECURITY LAYER FOR CLOUD COMPUTING SERVICES” which is incorporated in full herein. Proxy analyzer 163 can function as a firewall service in one implementation. Yet another security service is intrusion prevention system (IPS) 164 that monitors a tenant's network for malicious activity or policy violations, often using a security information and event management (SIEM) system to collect malicious activity and policy violations centrally. Services 160 also includes IP network address translation (NAT) 166, which can remap one IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device. User-by-user data and the file-by-file security data is stored in metadata store 178. In one implementation, the user-by-user data and the file-by-file data is stored in a semi-structured data format like JSON, BSON (Binary JSON), XML, Protobuf, Avro, or Thrift object, which comprises fields (or columns) and corresponding values of potentially different types like numbers, strings, arrays, and objects.