Secure Access Service Edge (SASE)
What is SASE?
Secure Access Service Edge, or SASE, is an enterprise networking and security category introduced by Gartner. SASE converges SD-WAN and Security Service Edge (SSE) functions, including FWaaS, CASB, DLP, SWG, and ZTNA, into a unified, cloud-native service.
With SASE, enterprises can eliminate the effort and costs required to maintain complex and fragmented infrastructure made of point solutions, reduce the risk of breach and data loss with optimal security posture, enable secure work from anywhere, and improve access to global applications on premises and in the cloud.
Why is SASE Necessary?
The transition to remote work and the emergence of a cloud-first culture are having a major impact on enterprise networks and information security. Networking patterns have changed, and organizations need to deploy new services and cater to new requirements faster than ever before.
A SASE architecture provides the agility and flexibility needed in this new environment. SASE makes it possible to deploy new branches remotely with low overhead. It also provides the security stack to ensure employees and contractors can access systems securely from anywhere.
As a result, Gartner predicts that 20% of organizations will soon use SWG, ZTNA, and FWaaS from the same vendor. By 2024, at least 40% of organizations will have an official SASE adoption strategy.
How Does SASE Work?
SASE provides a single cloud-based network that connects and secures any physical, cloud, or mobile enterprise resource, in any location. A SASE architecture has four main characteristics:
User and resource identities determine the level of access, networking experience, and quality of service for every network connection, based on a unified organizational policy.
SASE is elastic, self-healing, and self-maintaining. Its cloud-native nature allows it to rapidly adapt to business needs and make network services available from any location.
Support for All Edges
SASE can equally service any edge, including on-premises data centers, branch offices, cloud resources, and mobile users on the go.
SASE operates on a global scale to deliver all networking and security capabilities with a high-performance, low-latency experience for all edges.
What are the key components of SASE?
Software-Defined WAN (SD-WAN)
SD-WAN enables optimal WAN management. SASE leverages SD-WAN capabilities to provide optimized network routing, global connectivity, WAN and Internet security, cloud acceleration, and remote access.
Zero-Trust Network Access (ZTNA)
ZTNA offers a modern approach to securing application access for users. It embraces a zero-trust policy, where application access dynamically adjusts based on user identity, location, device type, and more.
Secure Web Gateway (SWG)
SWG solutions protect users against malware, phishing, and other web-borne threats. SASE offers SWG protection to all users, at all locations, and eliminates the need to maintain policies across multiple point solutions.
Firewall as a Service (FWaaS)
A firewall is the foundation of any network security stack. SASE includes FWaaS to provide the scalability and elasticity needed for the digital business and to extend a full network security stack wherever needed.
Cloud Access Security Broker (CASB)
CASB helps enterprises adapt to the new threats that come with cloud computing. When delivered as part of a SASE service, the complexity of integrating CASB with other point security solutions is eliminated.
SASE solves the complexity of managing multiple disparate products. A true SASE allows users to monitor and manage all network and security solutions from a single pane of glass.
What are the Benefits of SASE?
Performance and Security.
With SASE, it is easy to deploy new resources. All you need is to deploy an edge client and connect it to the SASE platform. There is no need to maintain on-premise infrastructure.
Security via Unified Policies
SASE provides a full security stack, protecting all resources with a unified security policy. It provides full visibility into WAN and Internet traffic with no blind spots.
Single Software Stack
SASE provides a simpler network and security stack by consolidating multiple point solutions. It reduces upfront costs and eliminates the need for in-house management.
The SASE architecture leverages key cloud capabilities, including elasticity and scalability. This provides a platform that instantly adapts to emerging business needs, such as connecting a remote workforce with just a click of a button or provisioning new resources easily for quick global expansion.
Single Pass Processing
True SASE implements a single-pass engine that processes each packet for multiple networking and security objectives in parallel. This delivers maximum flexibility with minimal latency and resource requirements.
Cato’s globally distributed PoPs ensure that all networking and security capabilities are available everywhere, delivering the best possible experience to all edges.
Managing an ever-growing pile of point solutions is becoming too complex and too slow. One of the benefits of SASE is that management becomes simple via a single pane of glass that provides control across an entire enterprise.
IT is relieved of maintenance tasks like patching and hardware replacements, and can focus efforts on responding quickly to evolving business challenges.
With SASE, IT has complete visibility into the network as all WAN and Internet traffic passes through the SASE Cloud. There are no blind spots and IT is able to easily maintain control of the entire network.
What are the Cost Benefits of SASE?
SASE enables augmenting or replacing MPLS altogether. This offers an immediate, significant cost-saving compared to the expensive MPLS links.
Optimized Cost Model
SASE eliminates the need for any CAPEX purchases and in-house management and maintenance. All costs are transformed to OPEX.
SASE minimizes both visible and hidden costs:
Visible costs – SASE includes all networking and security functions, eliminating the cost of purchasing point solutions.
Hidden costs – With legacy solutions, IT is busy agonizing over how to handle the network and unintentionally slowing down business. With SASE, the burden of sizing, deploying, configuring, patching, upgrading, and maintaining multiple point solutions is removed, turning IT into a business enabler.
Cato Networks is the World’s First SASE Platform
Cato SASE Cloud is a proven SASE platform you can deploy today. Cato’s cloud-native architecture converges SD-WAN, a global private backbone, a full network security stack, and seamless support for cloud resources and mobile devices.
Customers easily connect physical locations, cloud resources, and mobile users to Cato SASE Cloud, and IT teams immediately benefit from the agility of a unified network and security service managed through a single, self-service console.
“With Cato, we got the functionality of SD-WAN, a global backbone, and security service for our sites and mobile users integrated together and at a fraction of the cost.” Willem-Jan Herckenrath, Manager ICT, Alewijnse
What Isn’t SASE?
When Gartner published “The Future of Network Security Is in the Cloud” in 2019, they did two things. First, they accurately identified and described where enterprise network and security architectures were headed in the next decade. Second, to describe this new approach, they created one of the biggest IT buzzwords of the time: SASE, short for “Secure Access Service Edge”.
Because of all the buzz around SASE, many “SASE vendors” are marketing solutions that have features found in SASE. However, most of these solutions miss the mark when it comes to achieving SASE’s promise of a holistic and converged network security solution. Here, we’ll look at what is not SASE to help identify what value SASE vendors should deliver to enterprises.
SD-WAN Isn’t SASE
In some contexts, SASE is viewed as the next generation of SD-WAN. From the perspective of bringing agility and convergence to network infrastructure, it’s understandable why the comparison gets made. In fact, the ability to optimally route traffic and abstract away the underlying physical medium (which are core benefits of SD-WAN) is an important part of SASE.
However, SD-WAN alone is only a piece of a broader solution SASE vendors should provide. Further, not all SD-WAN implementations are created equal. For example, SASE aims to support all network edges (WAN, edge computing, cloud computing, and mobile), but with many SD-WAN appliances, mobile support is lacking or non-existent.
Cloud-Based Security Isn’t SASE
As with SD-WAN, there are many security features that are important parts of a SASE solution. Examples include IPS (intrusion prevention system), NGFW (next-generation firewall), and SWG (secure web gateway).
Since identity-driven security and cloud-native architecture are key characteristics of SASE, it may be easy to buy into the idea that a feature-rich cloud-based firewall can serve as a method to implement SASE. However, in practice, this doesn’t work out well. Security is only half of the SASE architecture, and a cloud-based firewall and IPS alone can’t help with routing and WAN optimization at a global scale.
Again, as with SD-WAN, the benefits of these technologies make them an important part of SASE, but even when bundled together, they are not in and of themselves SASE.
Multiple Appliances Patched Together Isn’t SASE
The SD-WAN functionality that enables agile and efficient routing is an important part of SASE. Similarly, security features such as IPS, SWG, and NGFW are an important part of SASE. However, simply deploying appliances and solutions from “SASE providers” that check all the boxes of the SASE feature set won’t deliver the promise of SASE.
This is because creating a patchwork of network and security appliances and cloud solutions simply can’t provide the agility, visibility, simplicity, and performance a single converged solution can. Sourcing, deploying, managing, and integrating multiple products not only drives up costs, but it also increases network complexity. As a result, a patchwork of solutions that looks good on paper often creates operational bottlenecks and security oversights at scale. While some may argue for shifting the complexity to a service provider, this doesn’t resolve the underlying issues and often leads to higher costs for sub-optimal performance.
Virtual Appliances on Edge Devices Isn’t SASE
Running virtual appliances on an edge device reduces the hardware footprint but does little for operational costs. Appliances still need to be deployed, integrated, upgraded, and maintained. The underlying silos and complexity don’t go away. True SASE platforms eliminate the appliance form factor. Functions are delivered as a multi-tenant, cloud-native platform. SASE providers manage and maintain the underlying platform for the benefit of all customers. Neither the enterprise nor the provider incurs the operational overhead of managing appliances.
Security Service Edge (SSE)
What is SSE?
In 2021, Gartner introduced a new category, the Security Service Edge (SSE), to describe the convergence of certain network security functions in the cloud. SSE converges SWG, CASB/DLP, and ZTNA into a single cloud service. SSE is a subset of the security layer of SASE that can be deployed as a standalone capability or as a step in a full SASE transformation journey.
Security Service Edge provides secure access to internet- and cloud-based applications without directly addressing global application access optimization and east-west WAN traffic security. Extended visibility and control to all traffic is a key feature in competing SSE architectures.
What is Driving Adoption of SSE?
Legacy Networks Built Around Physical Data Centers
The move to the cloud forces a re-architecture of networking and security to support users’ access to internal applications in physical and cloud datacenters, and to public cloud applications, anytime and anywhere.
Backhauled Internet Traffic Slows Secure Cloud Access
As the volume of Internet and cloud-bound traffic increases, it doesn’t make sense to send all traffic through the datacenter firewalls. Direct secure internet access must be enabled at every location and down to every remote user to enforce full visibility and control in a way that doesn’t impact the user experience.
Enterprise IT Goes Hybrid
With the shift to a hybrid work model, enterprise IT security must also adapt. Work from anywhere requires a platform with the agility and scalability to ensure full security and policy enforcement across all edges (users, locations, applications, clouds), wherever they are located.
Legacy Security Applications Can’t Scale
Legacy security appliances are incompatible with today’s enterprise requirements: they’re location-bound, require constant maintenance, and cannot scale with increased load. Supporting a hybrid workforce requires a flexible and scalable security architecture that can secure the entire workforce at any location: in the office, at home, or on the road.
Disjointed Solutions Introduce Complex Management
Point solutions increase the manual work IT needs to perform in patching and upgrading, and the potential for errors and oversights. An as-a-service delivery model can eliminate the need to update security infrastructure and maintain security posture.
Benefits of Security Service Edge?
Consistent Policy Enforcement
SSE establishes a global fabric that connects all edges into a common security platform. All traffic between any two edges is inspected, and corporate policies are enforced for threat prevention and data protection.
Reduced Attack Surface
SSE implements zero trust access, ensuring users only have access to authorized applications via least privilege access. Application traffic is continuously monitored for anomalies, threats, attacks, and sensitive data loss.
High-Performance Security Inspection
SSE is a cloud-native solution, delivered through a global backbone of PoPs. Security Service Edge seamlessly inspects all traffic, scales vertically and horizontally with traffic growth, and minimizes latency with each PoP residing within 25 ms of every user and location.
Improved Security Posture
SSE offloads IT of the burden of manually deploying mitigations for emerging threats. The expertise of the Security Service Edge provider’s SOC ensures that end-users are always protected, and the enterprise attack surface is minimized.
Reduced IT Workload
The SSE provider continuously enhances all cloud-delivered capabilities as part of a self-maintaining service. This reduces IT workload and shifts focus to business-critical activities, rather than having to focus on “keeping the lights on.”
Introducing Cato SSE 360
Total visibility and control for all WAN, Cloud and Internet.
Cato SSE 360 goes beyond the convergence scope of SSE to provide total visibility, optimization, and security for all traffic, users, devices, and applications everywhere.
Most traditional Security Service Edge solutions provide secure access to the internet and cloud applications, as well as selected internal applications. But enterprises need to optimize and secure all traffic, to all WAN, cloud and internet applications and resources, and across all ports and protocols. This requires additional point solutions like firewalls and global backbones to fill these security gaps.
And, when combined with Cato Edge SD-WAN, Cato SSE 360 offers a clear path to SASE convergence.
“Security at the core of the infrastructure helps us meet our audit and business requirements and maintain standards without having to maintain and manage a lot of security appliances. We can gather information about circuit quality at each branch and get security alerts for quick remediation of attacks or malware infection.” Dave Oliver, IT Manager, Grant and Stone
How Does Cato SSE 360 Work?
Total Visibility, Optimization, and Control for All Traffic
SSE 360 sees traffic from all edges, across all ports and protocols, and in all directions: WAN, Internet, and Cloud. SSE 360 uniformly applies all security inspections and optimizations to all traffic across users, devices, applications, and locations.
High-Performance Security, Everywhere
SSE 360 is deployed across 75+ cloud PoPs (Points of Presence) that are built for multi-gig traffic processing, to ensure low latency (<25 ms from every user and location) and high performance over the “middle-mile” to both cloud and WAN destinations.
Converged Management Console
All SSE 360 policies, events and analytics are accessed through a single pane of glass and allow for granular policy management. All events across users, threats, data, and application access are available in a single, unified, analytics dashboard.
Future-Proof, Resilient SSE Service
A converged, single-pass architecture easily allows for new security capabilities to be seamlessly added via the SSE 360 cloud service. The SSE 360 cloud is designed with high availability to ensure continued security inspection in case of a PoP or network failure.
Seamless Path to SASE
Cato SSE 360 offers a seamless path to full Cato SASE deployment by expanding the deployment to Cato’s converged SD-WAN and WAN optimization, further streamlining the customer’s IT infrastructure.
What Are the Components of Cato SSE 360?
Cloud-Native Security Service Edge
Cato’s Single-Pass Cloud Engine (SPACE) is the foundation of Cato’s global, converged, cloud-native service that delivers multi-gig packet processing and real time policy enforcement. Current SPACE capabilities powering Cato SSE 360 include: SWG, ZTNA, CASB/DLP, FWaaS and Advanced Threat Prevention (IPS, Next Generation Anti-Malware).
Cato Global Private Backbone
Cato’s global, geographically distributed, SLA-backed network of 75+ PoPs interconnects multiple Tier 1 carriers. Each PoP runs the full set of SSE capabilities across multiple compute nodes and SPACEs to ensure minimal latency, deliver global routing optimization, and provide a fully automated, self-healing service.
Cato ZTNA/SDP Clients for Users
Users connect to Cato via lightweight clients. They can optimally and securely access the internet, internal applications in on-premises and cloud datacenters, and global public cloud apps. Clientless access through an application portal is available for 3rd parties.
IPsec-Enabled Devices and Cato Socket SD-WAN for Locations
Physical and cloud locations connect with IPsec-enabled third-party devices or Cato Socket SD-WAN edges. Customers can opt to use current firewalls or SD-WAN edges that reside on their networks and benefit from Cato’s deep security capabilities. The Cato Sockets provide last-mile resiliency and QoS, and overcome blackouts and brownouts with application-based dynamic path selection and packet loss mitigation.
Comprehensive Management Application
Our comprehensive management application provides clear security and network analytics, with full, granular policy configuration. Managed services include site deployment, intelligent last-mile monitoring, network configuration, security policy change, and MDR.
- What is Security Service Edge (SSE)?
- In 2021, Gartner introduced the Security Service Edge (SSE). SSE converges secure application access functions, including SWG, ZTNA and CASB/DLP, into a single cloud service. SSE enables enterprises to move away from rigid, disjointed IT architecture to a converged security platform delivered as a cloud-native service. With SSE, enterprise IT can rapidly address new business and security requirements such as cloud migration, adoption of public cloud applications, and work from anywhere. SSE’s converged architecture reduces cost and complexity with simple management through a single pane of glass, self-healing infrastructure, and automatically evolving defenses that seamlessly mitigate emerging threats.
- What is the difference between security point solutions and SSE?
- Traditionally, enterprise IT built a security stack featuring multiple point solutions and legacy appliances. Enterprises are increasingly slow to adapt to ever-changing business and technical requirements and the evolving threat landscape. This is compounded by scarcity of cybersecurity skills, limited resources and budgets, and the high cost of outsourced support.
- Why is Security Service Edge important?
- SSE is a first step in achieving security-driven transformation, by converging secure, consistent access to all applications for all users. SSE that is part of a single-vendor SASE platform keeps the path open for a full SASE transformation at a later stage, with converged SD-WAN and WAN optimization. The deeper the IT convergence, the more an enterprise enjoys the benefits of increased visibility, lower cost, greater operations savings and added business agility.
- What is the relationship between SSE and SASE?
- Two years after introducing SASE (Secure Access Service Edge), Gartner introduced SSE (Security Service Edge). SASE converges SD-WAN and cloud-native security (FWaaS, CASB, SWG and ZTNA) into a single cloud service. SSE defines a more limited scope of converged network security functions, consisting of SWG, CASB/DLP and ZTNA. SSE is focused on providing secure access to applications, without addressing end-to-end optimized network connectivity and east-west WAN security.
- What is the difference between traditional SSE providers and Cato SSE 360?
- Traditional SSE solutions are based on a web proxy architecture that supports access to web sites and SaaS applications. To enable ZTNA for all applications, traditional SSE vendors had to introduce yet another architecture of application connectors. Even with that extension, traffic generated by enterprise edges like IoT, app-to-app traffic, and most WAN traffic remains outside the scope of SSE.
Cato SSE 360 is built on the Cato Single Pass Cloud Engine architecture to provide total visibility, optimization, and control of all traffic (WAN, Internet, and Cloud) and across all edges (users, locations, applications, and clouds). Cato SSE 360 optimizes global access using a global private backbone with built-in traffic acceleration that outperforms the unpredictable public Internet. Lastly, Cato offers a seamless path to full SASE transformation by expanding the deployment to include Cato Socket Edge SD-WAN devices.
Software-Defined Wide-Area-Network (SD-WAN)
SD-WAN: What is Software-Defined WAN?
Software-Defined Wide-Area-Network (SD-WAN) is defined as a virtual WAN architecture that allows enterprises to securely and efficiently connect users to applications. This technology solution brings unparalleled agility and cost savings to networking. With SD-WAN, organizations can deliver more responsive, more predictable applications at lower cost in less time than the managed MPLS services traditionally used by the enterprise. IT becomes far more agile, deploying sites in minutes; leveraging any available data service such as MPLS, dedicated Internet access (DIA), broadband or wireless; being able to reconfigure sites instantly; and more easily supporting migration to hybrid cloud.
SD-WAN does this by separating applications from the underlying network services with a policy-based, virtual overlay. This overlay monitors the real-time performance characteristics of the underlying networks and selects the optimum network for each application based on configuration policies.
Firewall as a Service (FWaaS)
What is FWaaS?
Firewall as a Service (FWaaS) is a new and revolutionary way of delivering firewall and other network security capabilities as a cloud service. Enterprises have always deployed next generation firewalls as appliances. While form factor varies between physical and virtual appliances, deployed on-premises or in the cloud, customers need to support the full appliance life cycle. Distributed locations need dedicated appliances that have to be sized and upgraded to accommodate business growth. Appliance software has to be patched and upgraded, and policy management must be done on an appliance basis.
FWaaS is a new type of next-generation firewall. It doesn’t merely hide physical firewall appliances behind a “cloud duct tape”, but truly eliminates the appliance form factor, making network security (URL filtering, IPS, malware prevention, analytics) available everywhere. In essence, the entire organization is connected to a single, logical global firewall with a unified application-aware security policy. Gartner has highlighted FWaaS as an emerging infrastructure protection technology with a high impact benefit rating.