Modern enterprise complexity is challenging cybersecurity programs. With the widespread adoption of cloud services and remote work, and the broadening distribution of applications and employees...
SSE Is a Proven Path for Getting To SASE Modern enterprise complexity is challenging cybersecurity programs. With the widespread adoption of cloud services and remote work, and the broadening distribution of applications and employees away from traditional corporate locations, organizations require a more flexible and scalable approach to network security. SASE technology can help address these issues, making SASE adoption a goal for many organizations worldwide. But adoption paths can vary widely.
To get an understanding of those adoption paths, and the challenges along the way, the Enterprise Strategy Group surveyed nearly 400 IT and cybersecurity professionals to learn of their experiences. Each survey respondent is in some way responsible for evaluating, purchasing, or managing network security technology products and services.
One popular strategy is to ease into SASE by starting with security service edge (SSE), a building block of SASE which integrates security capabilities directly into the network edge, close to where users or devices connect. Starting with SSE necessitates having an SSE provider with a smooth migration path to SASE. Relying on multiple vendors leads to integration challenges and deployment issues.
The survey report, SSE Leads the Way to SASE, outlines the experiences of these security adopters of SSE/SASE. The full report is available free for download. Meanwhile, we’ll summarize the highlights here.
Modernization Is Driving SASE Adoption
At its core, SASE is about the convergence of network and security technology. But even more so, it’s about modernizing technologies to better meet the needs of today’s distributed enterprise environment.
Asked what’s driving their interest in SASE, respondents’ most common response given is supporting network edge transformation (30%). This makes sense, considering the network edge is no longer contained to branch offices. Other leading drivers include improving security effectiveness (29%), reducing security risk (28%), and supporting hybrid work models (27%).
There are numerous use cases for SASE
The respondents list a wide variety of initial use cases for SASE adoption—everything from modernizing secure application access to supporting zero-trust initiatives. One-quarter of all respondents cite aligning network and security policies for applications and services as their top use case. Nearly as many also cite reducing/eliminating internet-facing attack surface for network and application resources and improving remote user security.
The report groups the wide variety of use cases into higher level themes such as improving operational efficiency, supporting flexible work models, and enabling more consistent security.
[boxlink link="https://www.catonetworks.com/resources/enterprise-strategy-group-report-sse-leads-the-way-to-sase/"] Enterprise Strategy Group Report: SSE Leads the Way to SASE | Get the Report [/boxlink]
Security Teams Face Numerous Challenges
One-third of respondents say that an increase in the threat landscape has the biggest impact on their work. This is certainly true as organizations’ attack surfaces now extend from the user device to the cloud.
The Internet of Things and users’ unmanaged devices pose significant challenges, as 31% of respondents say that securely connecting IoT devices in our environment is a big issue, while 29% say it’s tough to securely enable the use of unmanaged devices in our environment.
31% of respondents are challenged by having the right level of security knowledge, skills, and expertise to fight the good fight.
Overall, 98% of respondents cite a challenge of some sort in terms of securing remote user access to corporate applications and resources. More than one-third of respondents say their top remote access issue is providing secure access for BYOD devices. Others are vexed by the cost, poor security, and limited scalability of VPN infrastructure. What’s more, security professionals must deal with poor or unsatisfactory user experiences when having to connect remotely.
Companies Ease into SASE with SSE
To tame the security issues, respondents want a modern approach that provides consistent, distributed enforcement for users wherever they are, as well as a zero-trust approach to application access, and centralized policy management. These are all characteristics of SSE, the security component of SASE. Nearly three-quarters of respondents are taking the path of deploying SSE first before further delving into SASE.
SSE is not without its challenges, for example, supporting multiple architectures for different types of traffic, and ensuring that user experience is not impacted. Ensuring that traffic is properly inspected via proxy, firewall, or content analysis and in locations as close to the user as possible is critical to a successful implementation.
ESG’s report outlines the important attributes security professionals consider when selecting an SSE solution. Top of mind is having hybrid options to connect on-premises and cloud solutions to help transition to fully cloud-delivered over time.
Respondents Outline Their Core Security Functions of SSE
While organizations intend to eventually have a comprehensive security stack in their SSE, the top functions they are starting with are: secure web gateway (SWG), cloud access security broker (CASB), zero-trust network access (ZTNA), virtual private network (VPN), SSL decryption, firewall-as-a-service (FWaaS), data loss prevention (DLP), digital experience management (DEM), and next-generation firewall (NGFW).
Turning SSE into SASE is the Goal
While SSE gets companies their security stack, SASE provides the full convergence of security and networking. And although enterprise IT buyers like the idea of multi-sourcing, the reality is that those who have gone the route of multi-vendor SASE have not necessarily done so by choice. A significant number of respondents say they simply feel stuck with being multi-vendor due to lock-in from recent technology purchases, or because of established relationships.
Despite the multi-vendor approach some companies will take, many of the specific reasons respondents cite for their interest in SSE would be best addressed by a single-vendor approach. Among them are: improving integration of security controls for more efficient management, ensuring consistent enforcement and protection across distributed environments, and improving integration with data protection for more efficient management and operations—all of which can come about more easily by working with just one SSE/SASE vendor. It eliminates the time and cost of integration among vendor offerings and the “finger pointing” when something goes wrong.
Even Companies in Early Stages are Realizing Benefits
Most respondents remain in the early stages of their SSE journey. However, early adopters are experiencing success that should help others see the benefits of the architecture. For example, 60% say that cybersecurity has become somewhat or much easier than it was two years ago.
Those who have started the SASE journey have realized benefits, too. Nearly two-thirds report reduced costs across either security solutions, network solutions, security operations, or network operations. Similarly, 62% cite efficiency benefits of some kind, such as faster problem resolution, ease of management, faster onboarding, or reduction in complexity. Proof points like these should pique the interest of any organization thinking about SASE and SSE. View the full survey report, SSE Leads the Way to SASE, here.
Converging networking with security is fundamental to creating a robust and resilient IT infrastructure that can withstand the evolving cyber threat landscape. It not only...
Networking and Security Teams Are Converging, Says SASE Adoption Survey Converging networking with security is fundamental to creating a robust and resilient IT infrastructure that can withstand the evolving cyber threat landscape. It not only protects sensitive data and resources but also contributes to the overall success and trustworthiness of an organization.
And just as technologies are converging, networking and security teams are increasingly working together. In our new 2023 SASE Adoption Survey, nearly a quarter (24%) of respondents indicate security and networking are being handled by one team.
For those with separate teams, management is focusing on improving collaboration between networking and security teams. In some cases (8% of respondents), this takes the form of creating one networking and security group. In most cases, (74% of respondents) indicate management has an explicit strategy that teams must either work together or have shared processes.
The Advantages of Converging the Networking and Security Teams
When network engineers and security professionals work together, they share knowledge and insights, leading to improved efficiency and effectiveness in addressing network security challenges.
By integrating networking and security functions, companies can gain better visibility into network traffic and security events. Networking teams possess in-depth knowledge of network infrastructure, which security researchers often lack. By providing security teams with network information, organizations can hunt and remediate threats more effectively.
[boxlink link="https://www.catonetworks.com/resources/unveiling-insights-2023-sase-adoption-survey/"] Unveiling Insights: 2023 SASE Adoption Survey | Get the Report [/boxlink]
Closer collaboration enables quicker and more effective incident resolution, reducing the impact of cyber threats on business operations. Furthermore, by working together, the organization can optimize the performance of network resources while maintaining robust security measures, providing a seamless user experience without compromising protection.
There are other benefits, too, like streamlined operations, faster incident response, a holistic approach to risk management, and cost savings. All these advantages of a converged team help organizations attain a stronger security posture.
There’s a Preference for One Team, One Platform
Bringing teams together also enables the organization to implement security measures during network design and configuration, ensuring that security is an inherent part of the network architecture from the beginning.
Many organizations today (68%) use different platforms for security and networking management and operations. However, most (76%) believe that using just one platform for both purposes would improve collaboration between the networking and security teams. More than half also want a single data repository for networking and security events.
The preference for security and networking to work together extends to SASE selection. Which team leads on selecting a SASE solution—the networking or the security team? In most cases, it’s both.
When it comes to forming a SASE selection committee, about half (47% of respondents) say it’s a security team project with the networking team involved as necessary. Another 39% flip that script, with the networking team leading the project and involving the security team to vet the vendors.
As the teams come together, it makes great sense they would prefer to use a single, unified platform for their respective roles. Most respondents (62%) say having a single pane of glass for managing security and networking is an important SASE purchasing factor. More than half (54%) also want a single data repository for networking and security events.
Security and Networking Team Convergence Calls for Platform Convergence
Regardless, an effective SASE platform needs to accommodate the needs of all organizational structures whether teams are distinct or together. Essential in that role is rich role-based access control (RBAC) that allows granular access to various aspects of the SASE platform. In this way, IT organizations can create roles that reflect their unique structure – whether teams are converged or distinct. (Cato recently introduced RBAC+ for this reason. You can learn more here.)
As for SASE adoption, a single vendor approach was the most popular (63% of respondents). Post deployment would those who deployed SASE stay with the technology? The vast major (79% of respondents) say, “Yes.”
Additional finding from the survey shed light on
Future plans for remote and hybrid work
Current rate of SASE adoption
How to ensure security and performance for ALL applications
..and more. To learn more, download the report results here.
The enterprise networking and security market has seen no end to terms and acronyms. SASE, of course, is chief among them, but let us not...
The New Network Dictionary: AvidThink Explains SASE, SD-WAN, SSE, ZTNA, MCN, and NaaS The enterprise networking and security market has seen no end to terms and acronyms. SASE, of course, is chief among them, but let us not forget SD-WAN, SSE, ZTNA, and Multi-Cloud Networking (MCN). Then we get into specific capabilities like CASB, DLP, SWG, RBI, FWaaS, and micro-segmentation. This alphabet soup of jargon can confuse even the most diligent and capable CISOs and CIOs, especially when vendors continually redefine and reclassify each category to fit their needs.
AvidThink, an independent research and analysis firm, set out to fix that problem. The firm produced the “Enterprise Edge and Cloud Network” report that defines and contextualizes these concepts and terms. AvidThink founder and report author, Roy Chua, lays out the universal network fabric (UNF) -- the grand theoretical architectural model for how enterprises can seamlessly integrate disparate enterprise networking resources while providing a consistent and secure connectivity experience across all endpoints.
He correctly understands that no longer can networking and security stand apart:
“Traditional security measures are proving inadequate in the face of sophisticated threats, forcing organizations to seek security-centric network solutions. Integrating advanced security features directly into network architectures is now a critical requirement. Strong CISO interest in SASE, SSE, and ZTNA is evidence of this sentiment.”
And he correctly identifies that to address this need SD-WAN vendor are trying to remake themselves into SASE vendor:
“...all leading SD-WAN vendors are upgrading to becoming SASE solutions” or partnering with SSE vendors to deliver SASE as a response “...to customer demands for protection from an increasing number of cyberattacks, and to further simplify the messy collection of point products across customer remote and campus sites.”
AvidThink Sees Cato as the SASE Pioneer
But while numerous vendor market themselves as SASE vendors, Cato stands out: “...To be fair to Cato Networks, they were already espousing elements of the SASE architecture years before the SASE umbrella term was coined.”
With that four-year head start (SASE was defined in 2019), Cato’s been able to do SASE right. We didn’t cobble together products and slap on marketing labels to capitalize on a new market opportunity. We build a fully converged, cloud-native, single-pass SASE architecture that today spans 80+ Cato -owned and -operated PoP locations servicing 140+ countries and interconnected by our global private backbone.
[boxlink link="https://www.catonetworks.com/resources/enterprise-strategy-group-report-sse-leads-the-way-to-sase/"] Enterprise Strategy Group Report: SSE Leads the Way to SASE | Get the Report [/boxlink]
It’s this fully single–vendor, converged approach that’s so critical. As Chua reports hearing from one of our customers, “We believe in Cato’s single-vendor clean-slate architecture because it brings increased efficiency and we’re not bouncing between multiple vendors.”
SASE Is About Convergence Not Features
Cato did help sponsor the report, but it doesn’t mean we agree entirely with the author. If there's a weakness in the report, and every report has to stop somewhere, it’s in this area – the centrality of convergence to SASE. As we’ve mentioned many times in this blog, the individual components of SASE -- SD-WAN, NGFW, SWG, ZTNA, and more – have been around for ages. What hasn’t been around is the convergence of these capabilities into a global cloud-native platform.
Converging SASE capabilities enables better insight where networking information can be used to improve security analytics. Convergence also improves usability as enterprises finally gain a true single-pane-of-glass for a management console where objects are created once, and policies are unified, not the kind of “converged” console where when you dig a level deeper you find a new management console needs to be launched with all its own objects and policies.
And its convergence into a single-pass, cloud-native platform, which means optimum performance everywhere and deploying more infrastructure nowhere. All security processing can now be done in parallel at line rate. There are no sudden upgrades to branch or datacenters appliances when traffic levels surge or more capabilities are enabled. And since all the heavy “lifting” runs in the clouds, little or no additional infrastructure is needed to connect users, sites, or cloud resources.
It’s this convergence that’s allowed Cato customers to instantly respond to new requirements, like Juki ramping up its 2742 mobile users or Geosyntec adding 1200+ remote users worldwide in about 30 minutes both in response to COVID. It’s convergence that allows one person to efficiently manage the security and networking needs of companies on the scale of a Fortune 500 company. Convergence IS the story of SASE.
To read the report, download it from here.
Today, we announced that Carlsberg, the world-famous brewer, has selected Cato SASE Cloud for its global deployment. It’s a massive SASE deployment spanning 200+ locations...
Carlsberg Selects Cato, the “Apple of Networking,” for Global SASE Deployment Today, we announced that Carlsberg, the world-famous brewer, has selected Cato SASE Cloud for its global deployment. It’s a massive SASE deployment spanning 200+ locations and 25,000 remote users worldwide, replacing a combination of MPLS services, VPN services, SD-WAN devices, remote access VPNs, and security appliances.
The mix of technologies meant that Carlsberg faced the operational problems associated with building and maintaining different service packages. “Some users would receive higher availability and others better capabilities, but we couldn't bring it all together to create an à la carte set of services that could apply to any office anywhere and facilitate our global IT development," says Laurent Gaertner, Global Director of Networks at the Carlsberg Group.
With Cato, Carlsberg expects to do just that -- deliver a standard set of network and security services everywhere. Carlsberg will be replacing MPLS, VPN, and SD-WAN services with Cato SASE Cloud and Cato’s global private backbone. Remote VPN services will be replaced with Cato ZTNA. And the mix of security appliances will be replaced with the security capabilities built into Cato SASE Cloud.
All of this is possible because every Cato capability is available everywhere in the world. While our competitors talk about certain PoPs holding some capabilities but not others, Cato delivers the full scope of Cato SASE Cloud capabilities from all 80+ PoP locations worldwide, servicing 150+ countries. Chances are that wherever your users are located, Cato SASE Cloud can connect and secure them.
The Apple of Networking Makes Deployment Easy
Normally, the complexity of such a project would be daunting. Large budgets and many months would be spent assessing, deploying, and then integrating various point products and solutions.
Not so with Cato.
With Cato SASE Cloud, there’s one product to select, deploy, and manage – the Cato SASE Cloud. “Owning all of the hardware makes Cato so much simpler to deploy and use than competing solutions," says Tal Arad, Vice President of Global Security & Technology at Carlsberg. "We started referring to them as the Apple of networking.” With rapid deployment possible, Cato helps Carlsberg get value out SASE faster.
Nor is Carlsberg alone in that view. In February 2023, Häfele, a German family enterprise based in Nagold, Germany, suffered a severe ransomware attack forcing the company to shut down its computer systems and disconnect them from the internet. At the time, Häfele was in an RFP process to select a SASE vendor with Cato being one of the candidates.
[boxlink link="https://www.catonetworks.com/resources/cato-sase-cloud-identified-as-a-leader-download-the-report/"] Cato SASE Identified as a “Leader” in GigaOm Radar report | Get the Report [/boxlink]
Instead of paying the ransom, the Häfele team turned to Cato. Over the next four weeks, Häfele worked with Cato and restored its IT systems, installing Cato Sockets at 180+ sites across 50+ widely dispersed countries such as Argentina, Finland, Myanmar (Burma), and South Africa. “The deployment speed with Cato SASE Cloud was a game changer,” said Daniel Feinler, CISO, Häfele. “It was so fast that a competing SASE vendor didn’t believe us. Cato made it possible.”
The strategic benefits of being able to rapidly deliver a consistent set of services worldwide can’t be overemphasized. IT leaders have long realized the value of a single service catalog to offer the departments and business units they service. In theory, this would streamline service delivery and simplify management. Solutions could be fully tested and approved and then rolled out across the enterprise as necessary. Operational costs would be reduced by standardization.
Practically, though, worldwide service catalogs are frustrated by regional differences. MPLS services aren’t available everywhere so they can’t be applied to all offices. Even where MPLS services are available, their high costs may be difficult to justify for smaller offices and certainly for today’s home offices. Delivering security appliances also isn’t always possible, particularly when we’re speaking about securing remote users not sites. The end result? What IT thought was to be a standardized set of services and capabilities accumulates so many differences that the exception becomes the new standard.
With Cato’s ubiquity and ability to connect any edge, anywhere enables true service standardization. No matter the type of site or location of remote user, a standard set of security and networking services can be provided. With one set of proven services, IT can immediately reduce its operational overhead from having to kludge together custom solutions for every region – and worse – every site.
To learn more about the Carlsberg deployment, read the press release here.
SD-WAN has enabled new technology opportunities for businesses. But not all organizations have adopted SD-WAN in the same manner or are having the same SD-WAN...
Key Findings From “WAN Transformation with SD-WAN: Establishing a Mature Foundation for SASE Success” SD-WAN has enabled new technology opportunities for businesses. But not all organizations have adopted SD-WAN in the same manner or are having the same SD-WAN experience. As the market gravitates away from SD-WAN towards SASE, research and consulting firm EMA analyzed how businesses are managing this transition to SASE.
In this blog post, we present the key findings from their report, titled “WAN Transformation with SD-WAN: Establishing a Mature Foundation for SASE Success”. You can download the entire report from here.
Research Methodology
For this research, EMA surveyed 313 senior IT professionals from North America on their company’s SD-WAN strategy.
Most Enterprises Prefer SD-WAN as a Managed Service
66% of enterprises surveyed prefer procuring, implementing and consuming SD-WAN solutions as a managed service. Only 21% prefer a DIY approach, and the rest are still determining their preference.
EMA found that SD-WAN as a managed service provides organizations with network assurance, integration with other managed services, cost savings and the ability to avoid deployment complexity, among other benefits. The organizations that prefer the DIY approach, on the other hand, wish to maintain control to customize as they see fit. They also view the DIY approach as more cost-effective and as an opportunity to leverage the strengths of their internal engineering team.
Less Than Half of Enterprises Prefer a Single-Vendor SD-WAN
49% of enterprises surveyed used or planned to use only one SD-WAN vendor, nearly 44% preferred a multi-vendor approach, while the rest were undecided. According to the surveyed personnel, a multi-vendor approach was chosen due to functionality requirements, the nature and requirements of their sites, and the independent technology strategies of different business units, among other reasons.
Critical SD-WAN Features
Not all SD-WAN features were created equal. The most critical SD-WAN features are hybrid connectivity, i.e the ability to forward traffic over multiple network connections simultaneously (33.9%), integrated network security (30%), native network and application performance monitoring (28.8%), automated, secure site to-site connectivity (27.5%), application quality of service (24.3%), and centralized management and control, either cloud-based or on-premises (23.3%).
[boxlink link="https://www.catonetworks.com/resources/new-ema-report-wan-transformation-with-sd-wan-establishing-a-mature-foundation-for-sase-success/"] NEW EMA Report: Establishing a Mature Foundation for SASE Success | Download the Report [/boxlink]
SD-WAN Replaces MPLS
The internet has become a primary means of WAN connectivity for 63% of organizations. Almost all the other surveyed organizations actively embracing this trend. This shift impacts the use of MPLS, with the internet is being leveraged more often to boost overall bandwidth.
However, security remains a top concern, with 34.5% of surveyed enterprises viewing security as the biggest challenge for using the internet as their primary WAN connectivity. This is followed by the complexity of managing multiple ISP relationships (25.9%), and lack of effective monitoring/visibility (19.2%).
Operations and Observability
88.5% of surveyed enterprises are either satisfied or somewhat satisfied with their SD-WAN solutions’ native monitoring features. The main challenges revolve around granularity of data collection (32.3%), lack of data retention (30%), lack of relevant security information (28.4%), no drill downs (25.6%) and data formatting problems (25.6%). Perhaps this is why 72.5% of surveyed enterprises use, or plan to use, third-party monitoring tools.
WAN Application Performance Issues
Organizations are struggling with the performance on their WANs. The most common problems were:
Bandwidth limitations (38.7%)
Latency (38.3%)
Cloud outages (38.3%)
ISP congestion (32.9%)
Packet loss (25.9%)
Policy misconfiguration (25.6%)
Jitter (13.4%)
EMA found that cybersecurity teams were more likely to perceive bandwidth limits as a problem than network engineering teams. In addition, IT governance and network operations teams were more likely to mention cloud outages as a problem and the largest companies reported latency issues as their biggest problem.
Only 38% of Enterprises Believe They’ve Been Successful with SD-WAN
How do enterprises perceive their success with SD-WAN? Only 38% believe they’ve been successful and nearly 50% report being somewhat successful. Perhaps this could be the result of the SD-WAN business and technology challenges they are facing - a skills gap (40.9%), lack of defined processes and best practices (40.9%), vendor issues (36.7%), implementation complexity (26.2%) and integrating with the existing security architecture and policies (24%).
Integrating SD-WAN with SSE
There are a few paths an organization can take on their way to SASE. 54% of surveyed enterprises prefer adding SSE to their SD-WAN solution. Nearly 31% prefer expanding SD-WAN capabilities to achieve SASE and the rest prefer adapting SASE all at once or are still evaluating. In addition, EMA found that a mature SD-WAN foundation helped make the transition to SASE a smoother experience.
Transitioning to SASE
EMA views SD-WAN as “the foundation of SASE, which appears to be the future of networking and security.” Yet, enterprises are still unsure about their path to SASE and how to achieve it. Per EMA, a firm SD-WAN foundation is key for a successful SASE transition, and organizations should strive to deploy a strong SASE solution.
To read the complete report, click here.
In the original Top Gun movie, Tom Cruise famously declared the words, “I feel the need! The need for speed!”. At Cato Networks, we also...
Cato’s 5 Gbps SASE Speed Record is Good News for Multicloud and Hybrid Cloud Deployments In the original Top Gun movie, Tom Cruise famously declared the words, “I feel the need! The need for speed!”. At Cato Networks, we also feel the need for speed, and while we’re not breaking the sound barrier at 30,000 feet, we did just break the SASE speed barrier (again!). (We’re also getting our taste for speed through our partnership with the TAG Heuer Porsche Formula E Team, where Cato’s services ensure that Porsche has a fast, reliable, and secure network that’s imperative for its on-track success.)
Earlier last month, we announced that Cato reached a new SASE throughput record, achieving 5 Gbps on a single encrypted tunnel with all security inspections fully enabled. This tops our previous milestone of up to 3 Gbps per tunnel.
The need for 5 Gbps is happening on the most intensive, heavily used network connections within the enterprise, such as connections to data centers, between clouds in multi-cloud deployments, or to clouds housing shared applications, databases, and data stores in hybrid clouds. Not all companies have the need for 5 Gbps connections, but for large organizations that do have that need, it can make a significant difference in performance.
Only a Cloud-Delivered SASE Solution Can Offer Such Performance
The improved throughput underscores the benefits of Cato’s single-vendor, cloud-native SASE architecture. We were able to nearly double the performance of the Cato Socket, Cato’s edge SD-WAN device, without requiring any hardware changes – or anything at all, for that matter – on the customer’s side.
This big leap in performance was made possible through significant improvements to the Cato Single Pass Processing Engine (SPACE) running across the global network of Cato PoPs. The Cato SPACE handles all routing, optimization, acceleration, decryption, and deep packet inspection processing and decisions. Putting this in “traditional” product category terms, a Cato SPACE includes the capabilities of global route optimization, WAN and cloud access acceleration, and security as a service with next-generation firewall, secure web gateway, next-gen anti-malware, and IPS.
[boxlink link="https://www.catonetworks.com/resources/single-pass-cloud-engine-the-key-to-unlocking-the-true-value-of-sase/"] Single Pass Cloud Engine: The Key to Unlocking the True Value of SASE | Download the White Paper [/boxlink]
These capabilities are the compute-intensive operations that normally degrade edge appliance performance—but Cato performs them in the cloud instead. All the security inspections and the bulk of the packet processing are conducted in parallel in the Cato PoP by the SPACE technology and not at the edge, like in appliance-based architectures. Cato Sockets are relatively simple with just enough intelligence to move traffic to the Cato PoP where the real magic happens.
The improvements enhanced Cato SPACE scalability, enabling the cloud architecture to take advantage of additional processing cores. By processing more traffic more efficiently, Cato SPACE can inspect and receive more traffic from the Cato Sockets. What’s more, all Cato PoPs run the exact same version of SPACE. Any existing customer using our X1700 Sockets – the version meant for data centers – will now automatically benefit from this performance update.
By contrast, competitors’ SASE solutions implemented as virtual machines in the cloud or modified web proxies remain limited to under 1 Gbps of throughput for a single encrypted tunnel, particularly when inspections are enabled. It’s just an added layer of complexity and risk that doesn’t exist in Cato’s solution.
New Cross-Connect Capabilities Enable High-Speed Cloud Networking Worldwide
Cato is also better supporting multicloud and hybrid cloud deployments by delivering 5 Gbps connections to other cloud providers. The new Cato cross-connect capability in our PoPs enables private, high-speed layer-2 connections between Cato and any other cloud provider connecting to the Equinix Cloud Exchange (ECX) or to Digital Reality. This is done by mapping a VLAN circuit from the customer’s Cato account to the customer’s tenant in the other cloud provider.
The new cross-connect enables a reliable and fast connection between our customers’ cloud instances and our PoPs that is entirely software-defined and doesn’t require any routers, IPsec configuration, or virtual sockets.
The high-speed cross-connect will be a real enabler for those enterprises with a multicloud or hybrid cloud environment, which, according to the Flexera 2023 State of the Cloud Report, is 87% of organizations. Companies need encrypted, secure high throughput between their clouds or to the central data centers in their hybrid deployments.
In addition, this new service provides legacy environments the ability to use the leading-edge network security measures of the Cato SASE platform. Enterprises with MPLS or third-party SD-WAN infrastructure can now leverage Cato’s SSE capabilities without changing their underlying networks.
Cato Engineers Put Innovation to Work
The new SASE throughput speed record and the cross-connect capabilities show that innovation never rests at Cato. (In fact, GigaOm did recognize Cato as an Outperformer “based on the speed of innovation compared to the industry in general.”) We’ll continue to look for ways to apply our innovative minds to further enhance our industry-leading single-vendor, cloud-native SASE solution.
Today Cato Networks announced the addition of the Cato RBI to our Cato SASE Cloud platform. It is an exciting day for us and for...
Q&A Chat with Eyal Webber-Zvik on Cato RBI Today Cato Networks announced the addition of the Cato RBI to our Cato SASE Cloud platform. It is an exciting day for us and for our customers. Why? Because Cato’s cloud-native, security stack just got better, and without any added complexity.
I sat down with Eyal Webber-Zvik, Vice President of Product Marketing and Strategic Alliances at Cato Networks, and asked him to provide his perspective on what is Cato RBI and what this means for Cato’s customers.
Why should enterprises care about RBI?
Enterprises need to care because with new websites popping up every day, they face a dilemma between the security risk of allowing employees to access uncategorized sites and the productivity and frustration impact of preventing this. With Cato RBI now integrated into our Cato SASE Cloud platform, we are giving enterprise IT teams the best of both worlds: productivity and security.
What is Cato RBI and why do enterprises need it?
Cato RBI is a security function that protects against malicious websites by running browser activity remotely from the user’s device, separating it from the web content. Cato RBI sends a safe version of the page to the device so that malicious code cannot reach it, without affecting the user experience.
Enterprises need Cato RBI to protect employees from malicious websites that are not yet blacklisted as such. When employees do reach unknown and malicious sites, Cato RBI protects the business by preventing code from running in their browsers. Cato RBI protects from human error while also saving users from the frustration of being blocked from unknown websites.
How does Cato RBI work?
An isolated browser session is set up, remote from the user’s device, which connects to the website and loads the content. Safe-rendered content is then streamed to the users’ browsers. Malicious code does not run on the user’s device and user interaction can be limited, for example, to prevent downloads.
Some solutions require that every browsing session uses RBI, but it is better invoked, when necessary, for example by a policy that is triggered when a user tries to visit an uncategorized website.
Cato RBI gives IT administrators a new option for uncategorized websites. Alongside “Block” and “Prompt,” they can now choose “Isolate.” Configuration of Cato RBI can be done in less than one minute by a customer’s IT administrator.
What if an enterprise already uses SWG, CASB, Firewall, IPS and/or anti-malware? Why do they need Cato RBI?
These solutions protect against a wide range of threats, but Cato RBI adds another important layer of protection specifically against web- and browser-based threats, such as phishing, cookie stealing, and drive-by downloads. Since Cato RBI prevents code from reaching devices, it will help protect a business against:
New attacks that are not documented.
New malicious sites that are not categorized.
User error, such as clicking on the link in a phishing email.
Cato RBI gives enterprises more peace of mind. It may allow organizations to operate a more relaxed policy on access to unknown websites, which is less intrusive and frustrating for users, who in turn will raise fewer tickets with their IT team.
What types of cyber threats does Cato RBI protect against?
Cato RBI provides protection against a wide range of browser-based attacks such as unintended downloads of malware and ransomware, malicious ads, cross-site scripting or XSS, browser vulnerabilities, malicious and exploited plug-ins, and phishing attacks.
What are the benefits of Cato RBI for enterprises and users?
There are five immediate benefits when using Cato RBI. They are:
To make web access safer by isolating malicious content from user devices.
To prevent your data from being stolen by making it more difficult for attackers to compromise user devices.
To protect against phishing email, ransomware, and malware attacks, by neutralizing the content in the target websites.
To defend against zero-day threats by isolating users from malicious websites that are new and not yet categorized.
To make users more productive by allowing them to visit websites even though they are not yet known to be safe.
Does Cato collaborate with other companies to offer Cato RBI?
Yes. We partner with Authentic8, a world leader in the field of RBI. Authentic8 is chosen by hundreds of government agencies and commercial enterprises and offers products that meet the needs of the most regulated organizations in the world. Authentic8’s RBI engine is cloud-native and globally available, and the integration into our Cato SASE Cloud is seamless and completely transparent.
Follow the links to learn more about Cato RBI, and about our SASE solution.
Windstream Enterprise recently announced the arrival of North America’s first and only comprehensive managed Security Service Edge (SSE) solution, powered by Cato Networks—offering sophisticated and...
A sit down with Windstream Enterprise CTO on Security Service Edge Windstream Enterprise recently announced the arrival of North America's first and only comprehensive managed Security Service Edge (SSE) solution, powered by Cato Networks—offering sophisticated and cloud-native security capabilities that can be rapidly implemented on almost any network for near-immediate ironclad protection. In the spirit of partnership, we sat down with Art Nichols, CTO of Windstream, to share insights into this SSE announcement and what this partnership brings to light.
Why did you decide to roll out SSE?
We are excited to expand upon our single-vendor security offerings with the launch of this single-vendor cloud-native SSE solution, powered by Cato Networks. This SSE architecture delivers near immediate and cost-effective ways for clients to protect their network, and the users and resources attached to it. It also supports the expanded remote access to cloud-based applications that customers and employees alike must utilize.
By rolling out SSE to our customers, our ultimate goal is to provide them with a seamless journey towards improving their organization's security posture. Most IT leaders are aware that in this era of constant digital change, businesses must make room for greater cloud migration, rising remote work demands and new security threats. SSE will help futureproof their network security by migrating away from outdated and disjointed security solutions that are limited in their ability to support customer and employee needs for greater use of cloud resources.
[boxlink link="https://www.catonetworks.com/resources/cato-sse-360-finally-sse-with-total-visibility-and-control/"] Cato SSE 360: Finally, SSE with Total Visibility and Control | Download the White Paper [/boxlink]
Why did you choose Cato's SSE platform?
Partnering with Cato Networks was no doubt the right decision for Windstream Enterprise. While we considered multiple technology partners, Cato's solution was the only fully unified cloud-native solution. This architecture enables businesses to eliminate point solutions and on-premises devices by integrating the best available security components into their existing network environments without disruption. This partnership allowed us to enter the Secure Access Service Edge (SASE) and SSE market fast and be a key part of it as security needs continue to rapidly evolve.
Cato Networks is different from the competition because it was built to be a cloud-native SASE solution. As such, Cato's technology offers a better customer experience with greater visibility across the platform, as well as artificial intelligence that can swiftly evaluate all security layers and provide a faster resolution to security breaches and vulnerabilities.
Partnering with Cato has given us quite a competitive edge—and it's not just about the technology (although it's a big part of it); we feel that we get the unique opportunity to partner with the inventor of a true 360-degree SASE platform. Cato's SSE solution pairs perfectly with our professional services and market-leading service portfolio—backed by our industry-first service guarantees and our dedicated team of cybersecurity experts. We could not be more pleased with this partnership and look forward to what the future will bring.
You're already offering SASE, powered by Cato Networks. How will this be different?
SSE is a subset to SASE, which is meant to describe the convergence of cloud security functions. SASE takes a broader and more holistic approach to secure and optimized access by addressing both optimization of the user experience and securing all access and traffic against threats, attacks, and data loss.
What we've announced has similarities with a SASE solution in almost every way, but unlike SASE, an SSE solution can by overlayed onto any existing network, such as a SD-WAN, allowing it to be deployed near-immediately to secure all endpoints, users and applications. Because of this, SSE brings an added level of simplicity in that no network changes are required to implement this security framework.
What is driving the demand for solutions like SSE and SASE?
Gartner has predicted that "By 2025, 80% of organizations seeking to procure SSE-related security services will purchase a consolidated SSE solution, rather than stand-alone cloud access security broker, secure web gateway and ZTNA offerings, up from 15% in 2021." These means there are many enterprises that are, or soon will be, searching for a comprehensive SSE solution. And since security for networks, applications and data continues to be a top concern for most C-level and IT executives, there are several reasons backing the strong demand for SSE and SASE:
Cybercriminals are becoming incredibly sophisticated in the ever-expanding threat landscape, and data breaches come with high price tags that can damage brand reputations and wallets.
Legacy networks were built around physical locations that don't scale easily. because they are premises based. Premises-based disjointed point solutions from multiple vendors often require manual maintenance.
With more applications moving to the cloud, SSE is a cloud-native framework specifically built for modern work environments (hybrid and remote). It delivers a self-maintaining service that continuously enhances all its components, resulting in reduced IT overhead and allowing enterprises to shift focus to business-critical activities. It also no longer makes sense for businesses to backhaul internet traffic though data center firewalls.
What can customers gain from a managed SSE solution?
SSE is a proven way to improve an organization's security posture by establishing a global fabric that connects all edges into a unified security platform and enables consistent policy enforcement. By choosing a managed SSE solution, you get near-instant protection on any network—integrating the best available cloud-native security components from Cato Networks into your existing network environment without any disruption. Customers gain this ironclad security architecture that seamlessly implements zero trust access, ensuring that all users only have access to company-authorized applications and relentlessly defends against anomalies, cyberthreats and sensitive data loss. And with Windstream Enterprise as your managed service provider for Cato's SSE technology, you get complete visibility via our WE Connect portal, along with the opportunity to integrate this view with additional Windstream solutions, such as OfficeSuite UC® for voice and collaboration and SD-WAN for network connectivity and access management. That means one single interface to control all your IT managed services—backed by industry-first service guarantees—to create real help you succeed in your businesses, on your terms.
Not to mention, we will act as an extension of your security team—so, not only do you seamlessly integrate these security components into one comprehensive offering, but you can rely on one trusted partner to deliver it all, with white glove support from our dedicated team of Cybersecurity Operations Center (CSOC) experts. This goes along way for organizations who are looking to increase their cybersecurity investments, while also adhering to the limitations posed by the ongoing IT skills gap that is leading to shrinking IT and Security teams.
To learn more about SSE from Windstream Enterprise, powered by Cato Networks technology, visit windstreamenterprise.com/sse
Unsolved Remote Access Challenges Continue to Propel SASE in 2023, Finds New Cato Survey By all accounts, 2023 is expected to see strong growth in...
Unsolved Remote Access Challenges Continue to Propel SASE in 2023, Finds New Cato Survey Unsolved Remote Access Challenges Continue to Propel SASE in 2023, Finds New Cato Survey
By all accounts, 2023 is expected to see strong growth in the SASE market. Gartner has already predicted in The Top 5 Trends in Enterprise Networking and Why They Matter: A Gartner Trend Insight Report (subscription required) that by 2025, 50% of SD-WAN purchases will be part of a single vendor SASE offering, up from less than 10% in 2021. And in a recent audience poll at Gartner’s I&O Cloud conference, audience members were asked which of the five technologies were they most likely to invest in, 31% indicated SASE, making number two overall just behind Universal ZTNA (at 34%).
And Gartner isn’t the only one expecting SASE to perform well this year. Dell’Oro expects the SASE market to reach $8 billion in 2023. The drivers for this activity? The need for security everywhere particularly driven by hybrid work. “The internet is now a logical extension of the corporate network, and the need for security is as great as ever,” Dell’Oro Research Director Mauricio Sanchez told SDxCentral.
We couldn’t agree more. We just finished surveying more than 1661 IT leaders around 2023 SASE drivers for adoption. The survey gathered insight into their experiences with SASE and, for those who have not yet deployed SASE, the IT challenges confronting them moving forward.
What’s so striking when you look the data is the role remote access plays. More than half (51%) of respondents who have not yet adopted any kind SASE point to enabling remote access from anywhere as their number one challenge. The same is true for “Adopt zero trust security posture for all access.”
Why Remote Access VPNs Are Not the Answer for Hybrid Work
There are any number of reasons for why enterprises are looking at replacing legacy remote access solutions. “Traditional approaches anchored only to on-premises solutions at the corporate internet gateway no longer work in the new ‘anywhere, anytime, with any device’ environment that the pandemic accelerated, SDxCentral quoted Sanchez.”
[boxlink link="https://www.catonetworks.com/resources/have-it-the-old-way-or-enjoy-the-sase-way/"] Have it the Old Way or Enjoy the SASE Way | Download the White Paper [/boxlink]
More specifically, legacy VPNs suffer from five key problems:
Scaling and capacity Issues. VPN servers have a limited amount of capacity, as more users connect, performance degrades, and the user experience suffers. To increase VPN server capacity, IT must deploy new appliances or upgrade existing ones. Security and performance optimization challenges requires additional appliances to be purchased, deployed, and integrated, which only increases network complexity.
Lack of granular security controls. Generally, point solutions restrict access at the network-level. Once a user authenticates, they have network access to everything on the same subnet. This lack of granular security and visibility creates a significant risk and leaves gaps in network visibility.
Poor performance. All too often, remote users complain about their sluggishness of corporate application when access remotely. Part of that is an architecture issue, particularly when traffic needs to brought back to an inspection point, adding latency to the session. VPN traffic is also susceptible to the unpredictability and latency of Internet routing.
Rotten user experience. Remote users struggle with connecting using legacy VPN software. Too many parameters have to be configured to connect properly. Where once this might have been tolerated by a small subset of remote users, it becomes a very different story when the entire workforce operates remotely.
Growing security risk. VPN infrastructure itself has all too frequently been the target of attack. A brief search in the MITRE CVE database for “VPN Server” shows 622 CVE records. VPN servers showed so many security vulnerabilities that CERT warned that many VPN devices were storing session cookies improperly.
It shouldn’t be surprising to learn, then, that when we asked IT leaders further down the SASE adoption curve as to what triggered their SASE transformation project, “remote access VPN refresh” was the most common response (46%)
SASE: The Answer to the Hybrid Work Challenge
SASE answers those challenges by enabling work to occur anywhere, securely and efficiently. As part of a SASE platform, remote access benefits from the scaling of a cloud-native architecture. There’s no need to add server resources to accommodate of users who suddenly need remote access. “Deployment was quick. In a matter of 30 minutes, we configured the Cato mobile solution with single-sign-on (SSO) based on our Azure AD,” says Edo Nakdimon, senior IT manager at Geosyntec Consultants, who had more than 1200 users configured for remote access in less than an hour with the Cato SASE Cloud.
Zero-trust is just part of the SSE pillar of a single-vendor SASE platform, giving IT granular control over remote user resource access. Security is improved by eliminating the VPN servers so frequently and object of attack. And remote user performance improves by inspecting traffic in the PoP right near the user’s location and then sending traffic out to other location across the SASE platform’s global optimized backbone not the unpredictable Internet.
No wonder those IT leaders who did adopt SASE, indicated they were able to address the remote access challenge. When asked, “As a SASE user what are the key benefits you got from SASE?” “Enable Remote Access from Anywhere” as the highest ranked benefit (57% of respondents) followed by “Adopt zero trust security posture for all access” at 47% of respondents.
All of which makes remote access a “quick win” for anyone looking to deploy SASE.
Today we announced that Cato Networks was named a “Leader” and “Outperformer” by GigaOm in the analyst firm’s Radar for SD-WAN Report. This is our...
Cato SASE Cloud’s “Innovation” and “Platform Play” Earn “Leader” and “Outperformer” Status in GigaOm SD-WAN Radar Report Today we announced that Cato Networks was named a “Leader” and “Outperformer” by GigaOm in the analyst firm’s Radar for SD-WAN Report. This is our first year to be included in the report and already we shot to the top of the leader’s circle, underscoring the strength and maturity of Cato SD-WAN and showing the importance of considering SD-WAN as part of a broader SASE offering.
The report evaluates 20 notable SD-WAN vendors, including Cisco, Fortinet, Versa Networks, Juniper, Palo Alto, VMware, and others. Of all these SD-WAN providers, Cato Networks is the only one rated as Exceptional in all the key criteria considered to be differentiators among the providers as well as the primary features for customers to consider as they compare solutions.
Figure 2: Only Cato scored “Exceptional” across every one of GigaOm’s Key Criteria
GigaOm: Cato’s SD-WAN Is “Easier to Maintain and Scale”
The report highlights Cato’s unique cloud-based approach to delivering SD-WAN as a real differentiator that makes a software-defined wide area network easier to maintain and scale for business needs.
“Cato SASE Cloud is a converged cloud-native, single-pass platform connecting end-to-end enterprise network resources within a secure global service managed via a single pane of glass,” says the report. “By moving processing into the cloud using thin edge Cato Sockets, Cato SASE Cloud is easier to maintain and scale than competitive solutions, with new capabilities instantly available. Leveraging an expanding global SLA-backed network of over 75 PoPs, Cato is the only SD-WAN vendor currently bundling a global private backbone with its SD-WAN. Moreover, Cato offers both a standalone SD-WAN solution and a security service edge solution – Cato SSE 360 – for securing third-party SD-WAN devices.”
[boxlink link="https://www.catonetworks.com/resources/gigaoms-evaluation-guide-for-technology-decision-makers/?utm_source=blog&utm_medium=top_cta&utm_campaign=gigaom_report"] GigaOm’s Evaluation Guide for Technology Decision Makers | Report [/boxlink]
Cato Is a Strong “Platform Play” with “Innovation”
The report places Cato as the only vendor with a strong “Platform Play” and “Innovation” in features. According to the report, “Positioning in the Platform Play quadrant indicates that the vendor has a fully integrated solution – usually built from the ground up – at the functional level.” The report additionally recognizes Cato as an Outperformer “based on the speed of innovation compared to the industry in general.” GigaOm calls Cato “a vendor to watch” for its innovation.
Read the GigaOm report for yourself to see why Cato SASE Cloud is the leader of the SD-WAN pack.
Ever since Secure Access Service Edge (SASE) was adopted by every significant networking provider and network security vendor, IT leaders have been waiting for a...
Gartner’s Market Guide to Single-Vendor SASE Offerings: The Closest Thing You’ll Get to a SASE Magic Quadrant Ever since Secure Access Service Edge (SASE) was adopted by every significant networking provider and network security vendor, IT leaders have been waiting for a Gartner SASE Magic Quadrant.
And for good reason.
The industry has seen widely different approaches to what’s being marketed as SASE. Some companies partnered with each other to offer a joint solution with slightly integrated products. For example, Zscaler and any number of SD-WAN partners. Others simply rebranded their existing solutions as SASE. Think VMware SD-WAN (previously VeloCloud) turning into VMware SASE.
Market consolidation has brought together still other companies with disparate services requiring years’ worth of integration. As an example, consider HPE, Aruba and Silver Peak and the integration work ahead of them to make a cohesive SASE product. Meanwhile, we at Cato Networks chose a different path: to build a fully converged, global networking and security solution from the ground up. Gartner calls this “single-vendor SASE.”
A SASE Magic Quadrant would clear up the confusion in the industry and separate the leaders from losers. But while Gartner may not yet be ready to issue a SASE Magic Quadrant, the firm has issued the next best thing -- Market Guide for Single-Vendor SASE. The report takes a close look at the SASE market and specifically at single-vendor SASE.
The Single-Vendor SASE Market is Projected to Grow Substantially
Gartner defines a single-vendor SASE offering as one that delivers converged network and security as-a-service capabilities using a cloud-centric architecture. Cato is the prototypical single-vendor SASE leader. Example services that are part of a single-vendor SASE offering are SD-WAN, SWG, FWaaS, ZTNA, and CASB. All of those service, and this is key, are fully converged together in the underlying architecture, service delivery, and management interface. They truly are one cloud service, which is what separate single-vendor SASE from other approaches.
These converged services might also be the full roster of capabilities for the newest single-vendor SASE entries but they are only the starting point for Cato. In addition to those services, Cato also offers a global private backbone, data loss prevention (DLP), rapid CVE mitigation, managed threat detection and response, SaaS optimization, UC and UCaaS optimization, and a range of other capabilities.
According to Gartner, there should be rapid growth in single-vendor SASE implementation in the next few years. While only 10% of deployments were single-vendor SASE solution last year, Gartner expects a third of all new SASE deployments by 2025 to be single-vendor. By the same timeframe, half the new SD-WAN purchases will be part of a single-vendor SASE offering.
The market’s growth is largely being driven by the desire for simplicity by reducing the number of deployed solutions and vendors. Of course, reducing complexity while still offering enterprise-class capabilities is something Cato has been delivering for years.
[boxlink link="https://www.catonetworks.com/resources/gartner-market-guide-for-single-vendor-sase/?utm_medium=blog_top_cta&utm_campaign=gartner_single_vendor_sase"] Gartner® Market Guide for Single-Vendor SASE | Report [/boxlink]
Cato Was Ahead of Its Time in This “Adolescent” Market
“A single-vendor SASE must own or directly control (OEM, not service chain with a partner) each of the capabilities in the core category,” according to the report authors. A “well-architected” solution must have all services fully integrated, a single unified management plane and a single security policy, a unified and scalable software-based architecture, and flexibility and ease of use. The report lists core functional requirements in each of the areas of secure web gateway, cloud access security broker, zero trust network access, and software-defined WAN.
Gartner points out that there are several vendors in the “adolescent” industry that meet the analyst firm’s minimum requirements. There are more, still, that come close but aren’t quite there with their offerings.
Because single-vendor SASE brings together networking and security into one solution with many functions, Gartner recommends that a joint team of network professionals and security experts be appointed to evaluate the solutions based on the organization’s foremost needs.
Single-Vendor SASE Has Lots of Benefits
The benefits of single-vendor SASE are many. Gartner cites the following as reasons to go this route for a SASE solution:
An improved security posture for the organization – This is based on reduced complexity of the various security functions, a single policy enforced everywhere, and a smaller attack surface.
Better use of network and security staff – Deployment times are reduced, fewer skills and resources are needed to manage a unified platform, a single policy is applied throughout the various security functions, and redundant activities go away.
Improved experiences for users and system administrators – Performance issues such as latency and jitter are easier to tame or eliminate, it’s easier to diagnose issues end-to-end, and there is a single repository for logs and other event data.
Of course, implementing such a solution can have its challenges as well—like how to deal with organizational siloes, and what to do about existing IT investments. Global coverage can be an issue for the early-stage vendors. Fortunately, Cato has extensive coverage with 75+ PoPs around the world today. Gartner says solution maturity can be an issue, but that’s mainly a problem for the neophyte vendors. With more than 8 years in the single-vendor SASE business behind us, Cato is one of – if not the – most mature vendor in the market.
Gartner Offers Recommendations
As with all Gartner guides, the research firm has recommendations pertaining to strategy and planning, evaluation, and deployment:
Establish a cross-functional team including people from both networking and security to increase the potential for a successful implementation.
Evaluate single-vendor SASE against the backdrop of multi-vendor and managed offerings to determine which method would provide the most flexibility.
“Choose single-vendor SASE offerings that provide single-pass scanning, single unified console and data lake covering all functions to improve user experience and staff efficacy.” (Spoiler alert: Cato provides all of these things.)
Do a Proof of Concept project with real locations and real users to see how well an offering can meet your needs. (Cato is happy to set you up with a PoC today.)
If you are looking for the most mature and feature-rich single-vendor SASE offering with the largest number of worldwide PoPs, look no further than Cato Networks. Request a demo at https://www.catonetworks.com/contact-us/.
December 13, 2022
8m read
If you're a Security professional looking to become a CISO, then you've come to the right place. This five-step guide is your plan of action...
December 13, 2022
8m read
The 5-Step Action Plan to Becoming CISO The Path to Becoming CISO Isn't Always Linear
There isn’t one definitive path to becoming a CISO.
Don’t be discouraged if your career path isn’t listed above or isn’t “typical.” If your end goal is to become a CISO, then you’ve come to the right place. Keep reading for a comprehensive action plan which will guide you from your current role in IT, IS or Cybersecurity and on the path to becoming a world-class CISO.
Step 1:
Becoming a CISO is About Changing Your Focus
The Difference Between IS, IT or Cybersecurity Roles and a CISO Role: Tactical vs. Strategic
Making The Shift from Security Engineer to Future CISO
The most common mistake that security engineers make when looking to become CISO is focus. To be successful as a security engineer the focus is on problem hunting. As a top-tier security professional, you must be the best at identifying and fixing vulnerabilities others can’t see.
How to Think and Act Like a Future CISO
While security engineers identify problems, CISOs translate the problems that security engineers find into solutions for C-suite, the CEO and the board. To be successful in the CISO role, you must be able to transition from problem-solver to a solution-oriented mindset.
A common mistake when transitioning to CISO is by leading with what’s most familiar – and selling your technical competency. While understanding the tech is crucial when interfacing with the security team, it’s not the skillset you must leverage when speaking with C-suite and boards. C-suite and boards care about solutions – not problems. They must feel confident that you understand the business with complete clarity, can identify cyber solutions, and translate them in terms of business risks, profit and loss. To be successful in securing your new role, focus on leveraging cyber as a business enabler to help the business reach its targeted growth projections.
The Skillset Necessary to Become a CISO
Translate technical requirements into business requirements
Brief executives, VPS, C-level, investors and the board
Understand the business you’re in on a granular level(The company, its goals, competitors, yearly revenue generated, revenue projections, threats competitors are facing, etc.)
Excellent communication: Send effective emails and give impactful presentations
Balance the risk between functionality and security by running risk assessments
Focus on increasing revenue and profitability in the organization
Focus on a solution-oriented mindset, not an identification mindset
[boxlink link="https://www.catonetworks.com/resources/cato-sse-360-finally-sse-with-total-visibility-and-control/?utm_source=blog&utm_medium=top_cta&utm_campaign_sse360"] Cato SSE 360: Finally, SSE with Total Visibility and Control | Whitepaper [/boxlink]
Step 2:
Getting Clear on the CISO Role: So, What Does a CISO Actually Do?
Learn The CISO’s Role and Responsibilities (R&R)
The CISO is essentially a translator between the security engineering team and C-suite.
Step 3:
Set Yourself Up for Success in the Role: Measure What Matters
What you measure in your role will ultimately determine your career success. Too often CISOs set themselves up for failure by playing a zero-sum security game.
This means any security incident = CISO gets fired = No one wins
But successful CISOs know that cybersecurity is a delicate balancing act between ensuring security and functionality.
100% security means 0 functionality, and vice versa
Strategic CISOs understand this and set themselves up for success by working with the CEO and board to minimize exposure and establish realistic KPIs of success.
Establishing Your Metrics of Success in the CISO Role
What makes CIOs so successful in their role?
A single metric of success: 5 9s.
This allows CIOs to focus on the R&R necessary to achieve this goal.
Suggested CISO KPI & KPI Setting Process
Run an analysis to see how many attempted attacks take place weekly at the organization, to establish a benchmark.
Provide an executive report with weekly attack attempt metrics (i.e., 300.)
Create a proposed benchmark of success: i.e., preventing 98% of attacks.
Get management signoff on your proposed KPIs.
Provide weekly reports to executives with defined attack metrics: attempted weekly attacks + prevented.(Ensuring security incidents are promptly reported to C-suite and board.)
Adjust KPIs as necessary and receive management signoff.
Step 4
Mind the Gap: Bridge Your Current Technical and Business Gaps
Recommended Technical Education
GIAC / GSEC Security Essentials
CISSP (Certified Information Systems Security Professionals)
OR CISM (Certified Information Security Manager) CertificationOR CISA (Certified Information System Auditor) Certification
SASE (Secure Access Service Edge) Certification
SSE (Security Service Edge) Certification
Recommended Technical Experience
At least 3-5 years in IS, Cybersecurity, Networking or IT with a strong security focus
Recommended Business Education
An MBA or equivalent business degree, or relevant business experience
CPA or accounting courses
Recommended Business Experience
Approximately 3-5 years of business experience
Business Operations, Business Management, SOC Manager, or roles that demonstrate your business, management and leadership acumen
Recommended Understanding Of:
Industry security standards including NIST, ISO, SANS, COBIT, CERT, HIPAA.
Current data privacy regulations, e.g., GDPR, CCPA and any regional standards.
Step 5:
How to Get a CISO Job with Limited or No Previous Experience
It’s the age-old dilemma – how do I get a job without relevant experience? And how to I get relevant experience without a job?
Take On a Virtual CISO Role at a Friend or Family Member’s Small Business
Offer 3 hours of virtual CISO service a week.
In exchange, ask for 3 recommendations a month and to service as a positive reference.
Can you receive mentorship from an existing CISO?
Do friends, family or former colleagues know any CISOs you can connect with? Start there.
Reach out on LinkedIn to CISOs and invite them to coffee or dinner.Ask them if you can meet up and receive mentorship over dinner once a month (they pick the location, and you pay.)
Remember: It’s a numbers game. Don’t get discouraged after a few “no's” or a lack of responses.
Getting Your First CISO Job: Your Action Plan for Career Success
Applying For Jobs
Your resume has one and only one goal – to get you the interview.Week 1:
Send out 20 resumes for CISO jobs with your existing resume
How many respond and request interviews (within 2 weeks)?
If you get under a 50-70% success rate, you need to revise your resume.
Your goal is to repeat this process until you get a minimum of 10 positive responses for every batch of 20 resumes you send out (giving recruiters 1.5 - 2 weeks to respond.) Be ready to adapt and adjust your resume as many times as necessary (using the defined process above,) until you hit your benchmarks of success.
Revising your Resume for Success
If you’re not hitting a 50-70% interview rate on your resume, it’s time to revise your resume.But what do you change?
The Most Common Mistakes Found on CISO Resumes (Don’t Fall into a Trap)Your resume should not only highlight your technical abilities but your business acumen.Review the strategic skills highlighted earlier and emphasize those (in addition to any other relevant educational, professional, or career achievements.)
Have you briefed executives and boards?
Have you given effective presentations?
Have you created risk management programs and aligned the entire organization?
Do you lead an online forum on Cybersecurity best practices?
Think of ways to highlight your business and leadership savvy, not just your de facto technical abilities.
The Interview Rounds
The CISO interview process is generally between 5-7 interview rounds.
Remember:The goal of your first interview is only to receive a second interview. The goal of your second interview is to receive a third interview, and so on. Be prepared for interviews with legal, finance, the CEO, CIO, HR, and more.
You’ve Got This: The Road to Landing Your First CISO Role
Abraham Lincoln once said, “the best way to predict the future is to create it.” And we hope this guide gives you a running start towards your new and exciting future as a CISO. We believe in you and your future success. Good luck! And feel free to forward this guide to a friend or colleague who’s hunting for a new CISO role, if you feel it’s been helpful.
Life After Landing the Coveted CISO Role
Congrats! You’ve Been Hired as a CISO
You did it. You’ve landed your first CISO role. We couldn’t be prouder of the hard work and dedication that it took to get you to this point. Before you begin in your new role, here are a few best practices to guide you on your way to career success.
Ensuring Your Success in the CISO Role: Things to Keep in Mind
After speaking with 1000s of CISOs since 2016, it’s important to keep the following in mind:
Your Network Security Architecture Will Determine Your Focus and Impact
No matter the organization or the scope, your CISO role is dependent on meeting if not exceeding your promised KPIs. So, you’ll need to decide, do you want a reactive or a proactive security team? Do you want your team to spend their time hunting and patching security vulnerabilities and mitigating disparate security policies? Or devoted to achieving your larger, revenue-generating missions through cybersecurity? Accordingly, you’ll need to ensure that your network security architecture minimizes your enterprise’s attack surface, so you and your team can devote your attention accordingly.
To achieve this, your team must have full visibility and control of all WAN, cloud, and internet traffic so they can work on fulfilling your business objectives through cybersecurity. Otherwise, your function will revert to tactical, instead of focusing on serving as a business enabler through cybersecurity.
Cato SSE 360 = SSE + Total Visibility and Control
Disjointed security point solutions overload resource constrained security teams, impacting security posture, and increasing overall risk due to configuration errors. Traditional SSE (Security Service Edge) convergence mitigates these challenges but offers limited visibility and control that only extends to the Internet, public cloud applications, and select internal applications. Thus, leaving WAN traffic uninspected and unoptimized. And an SSE platform that isn’t part of single-vendor SASE can’t extend convergence to SD-WAN to complete the SASE transformation journey.
Cato Networks’ SSE 360 service will allow you to solve this. SSE 360 optimizes and secures all traffic, to all WAN, cloud, and internet application resources, and across all ports and protocols. For more information about Cato’s entire suite of converged, network security, please be sure to read our SSE 360 Whitepaper. Complete with configurable security policies that meet the needs of any enterprise IS team, see why Cato SSE 360 is different from traditional SSE vendors.
The new high severity vulnerabilities in OpenSSL — CVE-2022-3602 (Remote Code Execution) and CVE-2022-3786 (Denial of Service) – were disclosed this week. What is OpenSSL?...
The OpenSSL Vulnerability: A Cato Networks Labs Update The new high severity vulnerabilities in OpenSSL -- CVE-2022-3602 (Remote Code Execution) and CVE-2022-3786 (Denial of Service) – were disclosed this week.
What is OpenSSL?
OpenSSL is a popular open-source cryptography library that enables secured communications over the Internet in part through the generation of public/private keys and use of SSL and TLS protocols.
What Are the Vulnerabilities?
The vulnerabilities were found in OpenSSL versions 3.0.0. to 3.0.6. They occur after certificate verification and then only after unlikely conditions are met either signing of a malicious certificate by a certificate authority (CA) or after an application continues verifying a certificate despite failing to identify a trusted issuer.
[boxlink link="https://www.catonetworks.com/sase-quarterly-threat-research-reports/?utm_source=blog&utm_medium=top_cta&utm_campaign=q_reports"] SASE Quarterly Threat Research Reports | Go to Reports [/boxlink]
With CVE-2022-3602, a buffer overrun can be triggered in X.509 certificate verification, enabling an attacker to craft a malicious email address to overflow four attacker-controlled bytes on the stack, which could result in a crash, causing a Denial of Service (DoS), or remote code execution (RCE). With CVE-2022-3786, a buffer overrun can also be triggered in X.509 certificate verification, but specifically in name constraint checking. Again, the attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the “.” Character (decimal 46) on the stack, resulting in a crash causing a DoS. (Read the OpenSSL Security Advisory here for detailed information about the attacks.)
What’s the Impact on Cato SASE Cloud? None.
While Cato does use OpenSSL neither vulnerability impacts our infrastructure. Neither our cloud assets, the Cato Socket or the Cato Client use a vulnerable version of OpenSSL.
What Actions is Cato Taking?
Cato Networks Research Labs is investigating the unlikely case of exploitation attempts and considering adding new IPS signatures to block them. Currently, we have not seen incidents or published reports of exploitation attempts in the wild.
What Actions Should I Expect from Other Tech Vendors?
The attack is severe enough that all vendors should upgrade affected appliances and software. You can see a list of affected software here. While patching and protecting users at Cato can happen instantly, such as with Log4j, that’s not the case with all solutions. Expect exploits of the OpenSSL vulnerabilities to linger as we saw with Log4j.
Cato Networks Research Labs will continue to monitor the situation and update accordingly.
Last week, once again the industry saw the importance of building your enterprise network on a global private backbone not just the public Internet. On...
Inside a Network Outage: How Cato SASE Cloud Overcame Last Week’s Fiber Optic Cable Cut Last week, once again the industry saw the importance of building your enterprise network on a global private backbone not just the public Internet. On Monday night, a major fiber optic cable was severed in the Bouches-du-Rhône region of France. The cut impacted the Internet worldwide. Instantly, packet loss surged to 100 percent on select carriers connecting to our Marseilles, Dubai, and Hong Kong PoPs.
And, yet, despite this major outage, Cato users were unaffected. No tickets were opened; no complaints filed. Why? Because the Cato SPACE architecture detected the packet loss spike on the carrier’s network and moved user traffic to one of the other tier-1 providers connecting the Cato PoP.
All of this was done automatically and in seconds. Just look at the below report from our Marseilles PoP. Notice how at 02:21 UTC Cato isolated the two affected carriers (aqua and orange lines) and traffic was picked up by the other carriers at the PoP.
Uplink Traffic Report from Cato’s Marseilles PoP
Click here to enlarge the image
It’s not the first time we’ve seen the resiliency of the Cato Global Private backbone. Whether it’s a network failure or a crash at a top-tier datacenter housing a Cato PoP Cato has proven its ability to automatically recover quickly with little or no impact on the user experience.
The network engineering involved in delivering that kind of availability and performance goes to the very DNA of Cato. From the very beginning, we built our company to address both networking and security. Our founders didn’t just help build the first commercial firewall (Shlomo Kramer) they also built one of the global cloud networks (Gur Shatz). The teams they lead and have built the tools and processes to lead in both domains, which is what’s required in this world of SASE.
When building the Cato Global Private Backbone, we wanted to provide enterprises with the optimum network experience regardless of a site’s location, route taken, or network condition. As such, we built many tiers of redundancy into Cato, such as users automatically connecting to the optimum PoP, instant failover between SPACE instances within a server, servers within a PoP, and between PoPs. (Follow the link for a detailed look at the resiliency built into the Cato Global Private Backbone.)
[boxlink link="https://www.catonetworks.com/resources/single-pass-cloud-engine-the-key-to-unlocking-the-true-value-of-sase/?utm_medium=blog_top_cta&utm_campaign=space_wp"] Single Pass Cloud Engine: The Key to Unlocking the True Value of SASE | EBOOK [/boxlink]
Building our backbone from third-party networks, such as those offered by Amazon, Azure or Google, would certainly have been easier, but that would also compromise our control over the underlying network. The network between two PoPs on an Azure or Amazon network in the same region or zone might be reliable enough, but what happens when those PoPs exist across the globe, in different hyperscaler regions/zones, or on separate hyperscaler networks altogether?
As both networking and security professionals, we at Cato didn’t want to leave those and other scenarios to chance. We wanted to own the problem from end-to-end and ensure enterprise customers that they would receive the optimum performance all the time from anywhere to anywhere even during failover conditions.
By building PoPs on our own infrastructure and curating PoP-to-PoP connectivity, we can control the routing, carrier selection, and PoP placement. Carriers connecting our PoPs have been carefully selected for zero packet loss and low latency to other PoPs and for optimal global and regional routes. Cato SPACE architecture monitors those carrier networks, automatically selecting the optimum path for every packet. This way no matter the scenario, users receive the optimum performance.
And by owning the infrastructure, we can deliver PoPs where enterprises require them not where hyperscalers want to place them. With 75+ PoPs all running Cato’s cloud-native SPACE architecture, Cato has more real time deep packet processing capacity than any hyperscaler worldwide. It’s why enterprises with users in 150+ countries trust Cato every day to help them slash telecom costs, boost performance by 20x, and increase availability to five nines by replacing their legacy MPLS networks with the Cato Global Private Backbone.
For many so-called SASE players, one or the other side gets missed. Players coming from the security world need to outsource PoP placement to third-parties who understand networking. Networking vendors coming to SASE need to partner for security expertise. Both approaches compromise the SASE solution. Cato is the only vendor in the world built from the ground up to be single-vendor SASE platform. This is why we can deliver the world’s most robust single-vendor cloud-native SASE platform – today.
Gartner has long been clear about the core capabilities that comprise a SASE solution. And as a Representative Vendor in the 2022 Gartner® Market Guide...
New Gartner Report Identifies Four Missed Tips When Evaluating SASE Platform Capabilities Gartner has long been clear about the core capabilities that comprise a SASE solution. And as a Representative Vendor in the 2022 Gartner® Market Guide for Single-Vendor SASE, Cato meets those capabilities delivering SWG, CASB, ZTNA, SD-WAN, FWaaS, and Malware inspection all at line-rate operation even when decrypting traffic.
While a single platform providing those capabilities is certainly impressive, we at Cato have never thought those features alone make for a single-vendor SASE platform. To radically simplify and improve their security and network operations, IT teams require a fully converged platform. Platforms where capabilities remain discrete and fail to share context and insight forces IT operation to continue juggling multiple consoles that leads to the difficulties IT has long faced when troubleshooting and securing legacy networks.
Gartner would seem to agree. In the 2022 Gartner Market Guide for Single-Vendor SASE (available here for download), Gartner explains how the core capabilities of a well-architected single-vendor SASE offering should be integrated together, unified in management and policy, built on a unified and scalable architecture and designed in a way that makes them flexible and easy to use.
You Say Integrated, We Say Converged
What Gartner describes as integrated we prefer to call converged. But whether it’s converged or integrated we both agree on the same point -- all capabilities must be delivered as from one engine where event data is stored in one common repository and surfaced through a common analytics engine.
[boxlink link="https://www.catonetworks.com/news/cato-has-been-recognized-as-representative-vendor-in-2022-gartner-market-guide-for-single-vendor-sase/?utm_medium=blog_top_cta&utm_campaign=gartner_market_guide_news"] Cato Networks Has Been Recognized as a Representative Vendor in the 2022 Gartner® Market Guide for Single-Vendor SASE | Read now [/boxlink]
Unified Management and Policy: Essential for Visibility and Enforcement
Arguably the biggest operational challenge for legacy networks post-deployment is with data distributed across appliances and, by extension, data repositories. How do operational teams quickly identify and address and diagnose potentially malicious or problematic activity and then enforce consistent security policies across the enterprise? And, as a cloud service, how is that done in a way that gives enterprise customers complete control over their own networks while running on a shared platform?
At Cato, we’ve developed the Cato SASE Cloud so that a single management console gives enterprises control over all Cato capabilities – networking and security. A single policy stack uses common data objects enabling enterprises to set common security policies for users and resources in and out of the office. And the Cato architecture is a fully multitenant, distributed architecture giving users complete control over and visibility into their own networks.
The Cloud Provides Unified and Scalable Architecture
With legacy networks, IT teams must invest considerable time and resources on maintaining their branch infrastructure. Appliances need to be upgraded as new capabilities are enabled or traffic volumes grow. And with each new security feature enabled, there’s a performance hit that further degrades the user experience.
All of which is why Cato built the Cato SASE Cloud platform on a global network of PoPs. Every Cato PoP consists of multiple compute nodes with multiple processing cores, with each core running a copy of the Cato Single Pass Cloud Engine (SPACE), Cato’s converged networking and security software stack. Cato SPACE handles all routing, optimization, acceleration, decryption, and deep packet inspection processing and decisions. SPACE is a single-pass architecture, performing all security inspections in parallel, which allows Cato to maintain wire-speed inspection regardless of traffic volumes and enabled capabilities.
Make it Flexible, Make it Easy
With legacy networks, IT leaders had a tough choice: backhaul traffic to a central inspection point simplifying operations, but add latency and undermine performance, or inspect traffic on-site for better performance but far more complicated operations and deployment.
At Cato, we found a different approach: bring processing as close to the user as possible by building out a global network of PoPs. With the Cato SASE Cloud spanning so many PoPs worldwide, enterprise locations are typically within 25ms RTT of a Cato PoP. In fact, today, Cato serves 1,500 enterprises customers with sites and users in 150+ countries. With PoPs so nearby, enterprises gain the reduced latency experience of local inspection without burdening IT. All with the simplicity of a cloud service.
Single-Vendor SASE: It’s Not Just About the Features
SASE didn’t introduce new capabilities per se. Firewalling, SWG, CASB, ZTNA, SD-WAN, and malware inspection -- all of SASE's core capabilities receded SASE. What SASE introduced was a new way of delivering those capabilities: a singular cloud service where the capabilities are truly one -- fully converged (or integrated) together -- managed from one console and delivered globally from one platform, everywhere. Yes, evaluating features must be part of any SASE platform assessment, but to focus on features is to miss the point. It is the SASE values of convergence, simplicity, ubiquity, and flexibility -- not features -- that ultimately differentiate SASE platforms.
September 20, 2022
6m read
What is the ROI on SD-WAN projects? Most enterprises look at SD-WAN as an MPLS alternative, hoping to reduce their MPLS connectivity costs. But the...
September 20, 2022
6m read
The Return On Investment of SD-WAN What is the ROI on SD-WAN projects? Most enterprises look at SD-WAN as an MPLS alternative, hoping to reduce their MPLS connectivity costs. But the actual SD-WAN ROI is a mix of hard and soft savings from increasing overall network capacity and availability to a reduced operational load of managing and securing the network. Let's look at the various areas of savings SD-WAN can offer and the resulting ROI.
SD-WAN ROI Driver #1: Reducing MPLS Connectivity Costs
Enterprises have long invested in managed MPLS services to connect locations. The bandwidth is expensive (relative to Internet capacity) and often limited or unavailable on some routes, forcing companies to either pay exorbitant fees to connect locations or, more likely, resort to Internet-based VPNs, complicating network design.
SD-WAN promises to break that paradigm, replacing MPLS entirely or partly with affordable last-mile Internet connectivity. The magnitude of SD-WAN savings is often related to how much MPLS can be replaced and the type of Internet-based connectivity.
Here there's a balance of considerations. Symmetrical Internet connections (also known as Dedicated Internet Access or DIA) offer guaranteed capacity, providing small savings relative to MPLS. Asymmetrical connections with best-effort capacity, such as xDSL or cable, can be aggregated together to match and exceed MPLS last mile uptime at a substantial discount compared to MPLS.
[boxlink link="https://www.catonetworks.com/resources/5-things-sase-covers-that-sd-wan-doesnt/?utm_medium=blog_top_cta&utm_campaign=things_sase_covers_sd-wan_doesnt"] 5 Things SASE Covers that SD-WAN Doesn’t | EBOOK [/boxlink]
Often, the ROI argument for SD-WAN is less about hard cost savings and more about optimizing network spending. Enterprises receive far more capacity and functionality for the same amount spent on MPLS. The cost per bit drops dramatically, enabling IT to equip locations with 5x to 10x more capacity. With SD-WAN able to aggregate and failover between multiple last-mile lines, uptime increases significantly
One example was Fischer & Co, an automotive company that reduced its connectivity costs by 70% by replacing MPLS with Internet last-mile and Cato SASE Cloud while relying on Cato SSE 360 for network security protection. Along with the cost savings, Fischer & Co gained the agility to respond to new business challenges instantly, adding new security services or opening new locations, all without the operational overhead of upgrading and scaling of branch security appliances.
SD-WAN ROI Driver #2: Reducing the Costs of Branch Security
SD-WAN also allows organizations to avoid the branch security costs of legacy networks. With legacy architectures, enterprises backhaul branch Internet traffic to a regional datacenter for security inspection and policy enforcement. This approach consumed precious MPLS capacity, increasing costs while adding latency that undermined the user experience. With SD-WAN, companies avoid consuming expensive MPLS capacity on Internet traffic. Instead, MPLS only carries critical application traffic, offloading bandwidth hungry and less critical applications to Internet connections.
However, this now requires branch security to inspect and enforce policies on the Internet flows. SD-WAN appliances include basic firewalls, but those firewalls lack the threat protection needed by today's enterprises. Branch firewalls offer more capabilities, but their capacity constraints limit inspection capabilities for CPU-intensive operations, such as SSL decryption, anti-malware, and IPS. As traffic grows or new capabilities are enabled, companies are often forced to upgrade their appliances. Cloud-based SSE solutions are more scalable but incur the operational cost of integrating and managing another point solution.
Network and network security convergence through a single-vendor SASE platform offers a way to tackle this tradeoff. Alewijnse, a Dutch manufacturing company, eliminated its MPLS network and applied enterprise-grade security to all traffic by switching to the Cato SASE Cloud, taking advantage of Cato’s full SSE 360 protection. "With Cato, we got the functionality of SD-WAN, a global backbone, and security service for our sites and mobile users, integrated together and at a fraction of the cost," said Willem-Jan Herckenrath, ICT Manager at Alewijnse.
UMHS, a healthcare company, eliminated its MPLS network and branch security firewalls by moving to Cato's converged, cloud-native and global SASE service. "UMHS is so satisfied with the decision to switch its firewalls to Cato that it plans to migrate all locations using MPLS as soon as their contracts expire. A cost analysis done by the organization shows that this change will save thousands of dollars by having all of its 13 locations connected to the Cato Cloud," said Leslie W. Cothren, IT director at UMHS.
SD-WAN ROI Driver #3: Network Automation and Co-managed Services
One of the costliest components of enterprise networking is the network management model. Legacy network management comes in two flavors: Do It Yourself (DIY) and a managed service. With DIY, network managers often use crude tools like Command Line Interfaces (CLIs) to manage router configurations. Since any network outage costs the business, networking teams focus on availability, evolving the network very slowly. Maintaining dynamic traffic routing or failover becomes very complex. To reduce this complexity, IT outsources network management to service providers, increasing costs and longer resolution times depending on the provider.
SD-WAN promises an improvement in network agility. DIY enterprises can automate network changes and increase network resiliency. However, SD-WAN does add "one more box to manage." For enterprises that prefer a managed service, a new co-managed model enables IT to make quick network changes through a self-service model while the service provider maintains the SD-WAN service. In a co-managed model, the customer doesn't have to maintain the underlying infrastructure and can focus instead on business-specific outcomes.
A case in point is Sun Rich, a food supplier with a North American network comprised of multiple MPLS providers, SD-WAN appliances, WAN optimization solutions, and network security devices – all managed by a small IT team. Every appliance came with its management platform, complicating troubleshooting. By switching to the Cato SASE Cloud, Sun Rich reduced costs and gained control over network and security changes through Cato's single, converged management application. "Based on our size, our annual renewals on our appliances alone were nearly Cato's price," says Adam Laing, Systems Administrator at Sun Rich. "Simplification also translates into better uptime. You can troubleshoot faster with one provider than five providers," he says.
But Is SD-WAN Enough? Comparing SD-WAN to SASE
SD-WAN offers significant opportunities to reduce costs and gain more "bang for the buck" compared to MPLS, but SD-WAN alone will be insufficient to address the needs of today's workforce. As such, an SD-WAN ROI evaluation must consider the myriad of additional point solutions needed to meet enterprise networking and security requirements.
The most obvious example, perhaps, is the hybrid workforce. SD-WAN only connects locations. Remote users will require additional services. Security requirements demand protection against malware, ransomware, and other network-based threats not provided by the rudimentary firewalls included in SD-WAN devices, forcing the deployment of third-party security solutions. Cloud-connectivity solutions are also required. Additionally, SD-WAN performance over the long haul is undermined by the unpredictability of the Internet core, requiring the subscription and integration of yet another solution – a global private backbone.
Separately, these individual solutions may be manageable, but together they significantly complicate troubleshooting and deployment. Deployment takes longer as each point solution must be deployed. Problems take longer to resolve as operations teams must jump between management interfaces to solve issues. In short, organizational agility is reduced at a time when agility is often the very reason for adopting SD-WAN.
How Does SASE Solve SD-WAN's Limitations: Read the eBook
SASE solves these challenges while reducing overall spending compared to MPLS alternatives, like SD-WAN. Cato SASE Cloud overcomes SD-WAN's limitations with built-in SSE 360, zero trust, cloud-native architecture with a complete range of security protections, including Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Data Loss Prevention (DLP), Zero Trust Network Access (ZTNA), and Firewall as a Service (FWaaS) with Advanced Threat Prevention (IPS and Next Generation Anti-Malware). Those capabilities operate from Cato's global platform, making them available anywhere while providing location and remote users with MPLS-like performance at a fraction of global MPLS costs. And with all components managed through a single interface, troubleshooting happens far faster than when juggling multiple interfaces. In short, SASE provides the promises of SD-WAN without its limitations, delivering considerable cost savings without comprising security, simplicity, or performance. For a more in-depth comparison of SASE vs SD-WAN, download our complimentary eBook, 5 Things That SASE covers that SD-WAN Does Not.
September 6, 2022
4m read
Cato has received much praise and many industry awards from analysts over the years, but it’s our customers who know us the best. So, it’s...
September 6, 2022
4m read
The Gnutti Carlo Group Names Cato Networks 2021 Best Supplier in the Innovation Category Cato has received much praise and many industry awards from analysts over the years, but it's our customers who know us the best. So, it's especially gratifying to receive an award from a customer -- the 2021 Best Supplier award in the Innovation Category from global manufacturer Gnutti Carlo Group. The award recognizes the high value of the WAN connectivity and security the Cato SASE Cloud delivers in support of the Gnutti Carlo Group's digital transformation initiative.
"Thanks to the Cato platform and together with strategic services, the Gnutti Carlo Group has benefitted from a more structured, controlled, and secure ICT landscape across the entire company," says Omar Moser, Group Chief Information Officer for the Gnutti Carlo Group. (You can read more about the award here and the Gnutti Carlo Group's story here.)
Too Much Complexity!
Based in Brescia, Italy, the Gnutti Carlo Group is a leading global auto component manufacturer and partner to several OEMs active in the auto, truck, earthmoving, motorcycle, marine, generator sets, and e-mobility sectors. With annual revenues of 700 million euros and nearly 4,000 employees, the company has 16 plants in nine countries in Europe, America, and Asia.
The Group came to Cato to reign in the complexity of its network and security infrastructure built over the years from numerous mergers and acquisitions. "“Since 2000, we have started with an intensive program of internationalization, performing various acquisitions of companies of our sector and even competitors, each with different network and security architectures and policy engines,” says Moser. "It was difficult to keep policies aligned and prevent back doors and other threats."
The company had several datacenters across its locations for local services and took advantage of Microsoft Office 365, Microsoft Azure, and hosted SAP cloud services. "We had it all: public cloud, private cloud, and on-premises applications," says Moser.
Most locations were connected with IPsec VPNs, except for China, which was reached from Frankfort via a shared MPLS.
Moser realized that the only way to serve the business effectively was to centralize security and interconnection control among all locations and between plants, suppliers, and the cloud.
[boxlink link="https://www.catonetworks.com/customers/the-gnutti-carlo-group-centralizes-wan-and-security-boosts-digital-transformation-with-cato/?utm_medium=top_cta&utm_campaign=gnutti_case_study"] The Gnutti Carlo Group Centralizes WAN and Security, Boosts Digital Transformation with Cato | Customer Success Story [/boxlink]
Cato Does it All
He looked at several SD-WAN and SASE solutions, but Cato SASE was the only one that could deliver on all his requirements. "The other solutions couldn't give us a single package with integrated security, networking, and remote access," says Moser. He liked other things about the Cato solution, including its large number of globally dispersed points of presence, SASE architecture, single network and security dashboard, and forward-looking roadmap. Less tangible pluses were his great relationship with Cato and its excellent response time whenever he had any questions.
Moser entered into a three-month conditional purchase contract with Cato, after which he could close the contract if it didn't meet expectations. He connected ten plants, two service providers, 650 remote access VPN users, and Microsoft Azure via Cato and deployed Cato's SSE 360 security services across them.
A Platform for Digital Transformation
The results were so positive that he nominated Cato for the Best Supplier award. Network performance was excellent, even in China, where Moser saw a noticeable latency improvement over MPLS. Security was much improved thanks to firewall policy centralization and optimization and the ability to monitor traffic and block risky services that were previously open. "Standardizing firewall policies and knowing I can prevent intrusions and malware has allowed me to sleep a lot better," says Moser.
Best of all, Cato has enhanced the group's business agility for its digital transformation. "It is my job to be proactive and efficient," says Moser. "If we need to open a new office we can do it easily. With Cato, we have standardization, an innovative approach, and a single partner we can grow with as we transform digitally,"
Satisfying and empowering our customers are Cato's ultimate goals, which is why awards like this one from the Gnutti Carlo Group are music to our ears.
Since the inception of SASE, there’s been a remarkable amount of breast-beating over the number of features offered by SASE solutions. That is a mistake....
Inside SASE: GigaOm Review of 20 Vendors Finds Platforms Are Far and Few Since the inception of SASE, there’s been a remarkable amount of breast-beating over the number of features offered by SASE solutions.
That is a mistake.
SASE innovation has always been about the convergence of security and networking capabilities into a cloud service. The core capabilities of SASE are not new. Their convergence in appliances isn’t new either; that’s what we call UTMs. It’s the delivery as a secure networking global cloud service that is so revolutionary. Only with one cloud service connecting and securing the entire enterprise – remote users sites, and cloud resources – worldwide can enterprises realize the cost savings, increased agility, operational simplicity, deeper security insight and more promised by SASE.
Too often, though, media and analyst communities miss the essential importance of a converged cloud platform. You’ll read about vendor market share without consideration if the vendor is delivering a converged solution or if it’s just their old appliances marketed under the SASE brand. You’ll see extensive features tables but very little about whether those capabilities exist in one software stack, managed through one interface – the hallmarks of a platform.
GigaOm’s Radar Report Accurately Captures State of SASE Platform Convergence
Which is why I found GigaOm’s recent Radar Report on the Secure Service Access (SSA) market so significant. It is one of the few reports to accurately measure the “platform-ness” of SASE/SSA/SSE solutions. SSA is GigaOm’s terms for the security models being promoted as SSE, SASE, ZTNA, and XDR along with networking capabilities, such as optimized routing and SD-WAN. The report assesses more than 20 vendor solutions, providing detailed writeups and recommendations for each. (Click here to download and read the report.)
[boxlink link="https://www.catonetworks.com/resources/gigaoms-evaluation-guide-for-technology-decision-makers/?utm_source=blog&utm_medium=top_cta&utm_campaign=gigaom_report"] GigaOm’s Evaluation Guide for Technology Decision Makers | Report [/boxlink]
Those hundreds of data points are then collapsed into the GigaOm Radar that provides a forward-looking perspective of the vendor offerings. GigaOm plots vendor solutions across a series of concentric rings, with those set closer to the center judged to be of higher overall value. Vendors are characterized based on their degree of convergence into a platform (feature vs. platform play) and their robustness (maturity vs. innovation). The length of the arrow indicates the predicted evolution over the coming 12-18 month:
The GigaOm Radar for SSA found Cato and Zscaler to be the only Leaders who were outperforming the market.
The Findings: Platform Convergence is Not a Given in the SASE Market
The report found Cato SASE Cloud to be one of the few SSA platforms capable of addressing the networking and security needs for large enterprises, MSPs, and SMEs.
The Cato SASE Cloud provides outstanding enterprise-grade network performance and predictability worldwide by connecting sites, remote users, and cloud resources across the optimized Cato Global Private Backbone. Once connected, the Cato SSE 360 pillar of Cato SASE Cloud enforces granular corporate access policies on all applications -- on-premises and in the cloud – and across all ports and protocols, protecting users against threats, and preventing sensitive data loss.
Of GigaOm’s key SSA Criteria, the Cato SASE Cloud was the only Leader to be ranked “Exceptional” in seven of eight categories:
Defense in Depth
Identity-Based Access
Dynamic Segmentation
Unified Threat Management
ML-Powered Security
Autonomous Network Security
Integrated Solution
And the company found a similarly near-perfect score when it came to the core networking and network-based security capabilities comprising SSA solutions: SD-WAN, FWaaS, SWG, CASB, ZTNA, and NDR.
“Founded in 2015, Cato Networks was one of the first vendors to launch a global cloud-native service converging SD-WAN and security as a service,” says the report. “Developed in-house from the ground up, Cato SASE Cloud connects all enterprise network resources—including branch locations, cloud and physical data centers, and the hybrid workforce—within a secure, cloud-native service. Delivering low latency and predictable performance via a global private backbone”
To learn more, download the report.
Technology is fast-paced and constantly changing, but it seems like the past few years have broken every record. Covid-19 and the transition to remote work,...
15 Networking Experts To Follow on LinkedIn Technology is fast-paced and constantly changing, but it seems like the past few years have broken every record. Covid-19 and the transition to remote work, high-profile cyber security attacks and massive geo-political shifts have enhanced and intensified the need for new networking solutions, and vendors are quick to respond with new networking point solutions which address the problems de jour.
But how can IT teams and network architects make heads or tails of these rapid shifts? Such intense global and industry-wide changes require the advice of experts who are familiar with both the technical and business landscape, and can speak to the newest technology trends.
Below, we’ve listed 15 of the top experts in enterprise networking and SD-WAN that we recommend following on Linkedin. They are masters in their domain, and industry leaders who can help you stay up-to-date with the latest developments in the world of enterprise networking. They have many years of hands-on and consulting experience, so when they speak about enterprise networks, it’s always worth hearing what they have to say.
1. Greg Ferro
https://www.linkedin.com/in/etherealmind/
@etherealmind
Greg is a co-founder of Packet Pushers, an online media outlet that has covered data, networking and infrastructure for over 12 years. Packet Pushers provides valuable information that can help nearly any professional in the networking field including insights on: public cloud usage, SD-WAN, five minute vendor news, IPv6, and more. Home to a series of podcasts, blog posts, articles, a Spotify channel, and even a newsletter - it’s a multi-media experience. Besides Packet Pushers, Greg runs another well-known industry blog, EtherealMind.com.
2. Ivan Pepelnjak
https://www.linkedin.com/in/ivanpepelnjak/
@ioshints
Ivan is a blogger at ipSpace.net, an author, a webinar presenter and a network architect. His writings and webinars focus mainly on network automation, software-defined networking, large-scale data center tech, network virtualization technologies and advanced IP-based networks. By following him and/or ipSpace.net, you will have access to a plethora of network technology resources, including online courses, webinars, podcasts and blogs.
3. Orhan Ergun
https://www.linkedin.com/in/orhanergun/
@OrhanErgunCCDE
Orhan is an IT trainer, an author and a network architect. On Linkedin, Orhan shares his ideas and thoughts, as well as updates about his recent webinars, blog posts and training courses, to his ~40,000 followers. He also spices up his updates by sprinkling in funny memes with inside IT humor. Orhan’s courses can be found on his website at orhanergun.net, where he focuses on network design, routing, the cloud, security and large-scale networks.
4. Jeff Tantsura
https://www.linkedin.com/in/jeff-tantsura/
Jeff is a Sr. Principal Network Architect at Azure Networking, as well as a writer, editor, podcaster, patent inventor and advisor to startups in networking and security areas. His podcast, “Between 0x2 Nerds”, is bi-monthly and discusses networking topics including: network complexity, scalability, up-and-coming technologies and more. The podcast hosts industry experts, software engineers, academia researchers and decision-makers - so when listening to it, you can expect to hear from professionals with a wide variety of opinions, points of view and areas of expertise!
5. Daniel Dib
https://www.linkedin.com/in/danieldib/
@danieldibswe
Daniel Dib is a Senior Network Architect experienced in routing, switching and security. He is also a prolific content creator, writing blog posts for his own networking-focused blog “Lost in Transit”, as well as additional publications, like “Network Computing”. It’s a great choice if you’re interested in learning more about CCNA, CCNP, CCDP, CCIE, CCDE and all of our various certification courses. His social media posts cover both professional and personal matters, for those of you who like to get to know the person behind the professional.
[boxlink link="https://www.catonetworks.com/resources/4-considerations-to-take-before-renewing-your-sd-wan-product-or-contract/?utm_source=blog&utm_medium=top_cta&utm_campaign="4_considerations_before_sd-wan"] 4 Considerations to Take Before Renewing Your SD-WAN Product or Contract | EBOOK [/boxlink]
6. David Bombal
https://www.linkedin.com/in/davidbombal/
@davidbombal
David Bombal is an author, instructor and YouTuber, creating content for networking professionals across multiple channels. Focusing on topics like network automation, Python programming, ethical hacking and Cisco exams, his videos, podcasts and courses provide a wide range of resources for beginners and advanced learners. David’s online Discord community is also worth visiting, as an online venue for ongoing IT support and communication.
7. John Chambers
https://www.linkedin.com/in/johnchambersjc/
@JohnTChambers
John is the CEO of JC2 Ventures and was previously at Cisco for 26 years, serving as CEO, Chairman and President, among other positions. With more than 263,000 followers on Linkedin and more than 22,000 on Twitter, John is an important source of information for networking professionals interested in a broader, more strategic view of the technological market.
8. Tom Hollingsworth
https://www.linkedin.com/in/networkingnerd/
@networkingnerd
Tom is a networking analyst at Foskett Services and the creator of networkingnerd.net, an online media outlet where he offers a tongue-in-cheek take on networking news and trends. In his latest post he compares Apple Air Tags and lost luggage at airports to SD-WAN. If blog posts aren’t your thing, you can also hear what Tom has to say on his “Tomversations” YouTube playlist or by attending the “Tech Field Day” events he organizes.
9. Matt Conran
https://www.linkedin.com/in/matthewconranjnr/
Matt is a cloud and network architecture specialist with more than 20 years of networking experience in support, engineering, network design, security and architecture. Matt juggles consultancy as an independent contractor with publishing technical content on his website “Network Insight” and with creating training courses on Pluralsight. On his website, you can find helpful explainer videos and posts on a variety of networking topics including cloud security, observability, SD-WAN and more.
10. Russ White
https://www.linkedin.com/in/riw777/
@rtggeek
Russ White is an infrastructure architect, co-host of “The Hedge”, a computer network podcast, and blogger. He has also published a number of books on network architecture. His Linkedin posts are a bulletin board of his latest blog and podcast updates, so by following him you can stay on track of his latest publications, ranking from hands-on network advice to info on how technology will be shaped by global events.
11. Ben Hendrick
www.linkedin.com/in/bhendrick/
Ben is the Chief Architect in the Office of the CTO of the Global Secure Infrastructure Domain at Microsoft. His Linkedin posts focus mainly on recent cybersecurity updates, covering specific events as well as industry trends. With nearly 35 years of network and security experience, you can be sure his daily updates are based on broad insights and a deep familiarity with the networking and security space.
12. Ashish Nadkarni
https://www.linkedin.com/in/ashishnadkarni/
@ashish_nadkarni
Ashish leads two research groups at analyst firm IDC. Both of them - Infrastructure Systems, Platforms and Technologies (ISPTG) and BuyerView Research - are part of IDC's Worldwide Enterprise Infrastructure practice. Ashish delivers reports, blog posts and webinars, and his Linkedin feed to keep up with the latest trends and technologies in networking. Examples of his previous posts include preparing for IT infrastructure supply shortages, storage for AI workloads, and takeaways from networking industry events.
13. Erik Fritzler
https://www.linkedin.com/in/erikfritzler/
@FritzlerErik
Erik has nearly 25 years of experience in network architecture and regularly posts blogs on “Network World”. He specializes in SD-WAN, Network Design, and Engineering and IT Security. In his recent blog post “Why WAN metrics are not enough in SD-WAN policy enforcement”, he discusses how SD-WAN captures metrics that go far beyond the typical WAN measurements including application response time, network transfer time, and server response time.
14. Matt Simmons
https://www.linkedin.com/in/mattsimmonssysadmin/
@standaloneSA
Matt is an SRE at SpaceX, where he is responsible for the infrastructure around the ground control plane. His team owns the OS installation on bare metal, up through the Kubernetes orchestration layer, as well as monitoring, CI/CD and more. If you’re interested in learning about technological “How To’s” and the science of space, Matt’s Linkedin is the place for you. Matt also has a Github repository where he hosts projects and experiments that may be helpful to networking professionals.
15. Cato Networks
https://www.linkedin.com/company/cato-networks/
https://twitter.com/CatoNetworks
Did you know that Cato Networks is also on social? Our social channels are a great way to keep on top of SASE and Security Service Edge (SSE) updates, read original research and even get access to “member only” exclusive events. We run surveys, host giveaways and include updates from industry experts, like our CEO and COO, Shlomo Kramer (co-founder of Check Point,) and Gur Shatz (co-founder of Imperva).
Who Do You Follow?
As business needs and technologies evolve, it can be difficult to constantly keep up with the changes. Experts like the 15 listed above can help, by passing on their know-how, insights and experience through their Linkedin, blogs, Youtube channels, or whatever way you prefer to consume content.
So, who do you follow? Share with us on Linkedin.
Happy To Announce the Birth of a New Technology – SD-WAN It wasn’t that long ago that we oohed and ahhed over the brand-new technology...
Is SD-WAN Really Dead? Happy To Announce the Birth of a New Technology - SD-WAN
It wasn’t that long ago that we oohed and ahhed over the brand-new technology called SD-WAN. The new darling of the networking industry would free us from the shackles of legacy MPLS services. But just as we’re getting used to the toddling SD-WAN, along came yet another even more exciting newborn, the Secure Access Service Edge (SASE). It would give us even more – more security, better remote access, and faster deployment. SD-WAN? That’s so yesteryear – or is it? Is SD-WAN another networking technology to be cast off and forgotten in this SASE world, or does SD-WAN continue to play an important role? Let’s find out.
SD-WAN: The Toddler Years
When SD-WAN was born, there was much to love. It was cute, shiny, and taught enterprises how to walk -- walk away, that is, from MPLS – to a network designed for the new world. MPLS came of age when users worked in offices, resources resided in the datacenter, and the Internet was an afterthought. It was hopelessly out of step with a world that needed to move fast and one obsessed with the Internet.
SD-WAN addressed those problems, creating an intelligent overlay that allowed companies to tap commodity Internet connections to overcome the limitations of MPLS. More specifically this meant:
More capacity to improve application performance
Reduced network costs by using affordable Internet access, not high-priced MPLS capacity.
More bandwidth flexibility by aggregating Internet last mile connections
Improved last-mile availability by connecting sites through active/active connections
Faster deployments allowing sites to be connected in days not months
[boxlink link="https://www.catonetworks.com/resources/5-things-sase-covers-that-sd-wan-doesnt/?utm_source=blog&utm_medium=top_cta&utm_campaign=5_sd-wan_gaps_answered_by_sase"] 5 Things SASE Covers that SD-WAN Doesn’t | EBOOK [/boxlink]
SD-WAN: The Teenager That Disappoints
But then the world changed – again. Resources moved into the cloud and the pandemic sent everyone home. Suddenly the office was no longer the focus of work. Solving the site-to-site communications challenge was no longer sufficient. Now companies needed a way to bring advanced security to wherever resources resided, in the cloud or the private data center, and wherever users worked, in the office, at home, or on the road, and do all of that without compromising performance. None of that was in SD-WAN's job description, making the following use cases particularly challenging:
Remote Workforce
SD-WAN lacks support for remote access -- period. There was no mobile client to join an SD-WAN. But today secure remote access is an essential pillar for guaranteeing business continuity.
Cloud Readiness
SD-WAN is limited in its cloud readiness. As an appliance-based architecture, SD-WAN requires the management and integration of proprietary appliances to connect with the cloud. Expensive premium cloud connectivity solutions, like AWS Direct Connect or Azure ExpressRoute for optimized cloud connectivity.
Global Performance
SD-WAN might perform well enough within a region, but the global Internet is too unpredictable for the enterprise. It’s why all SD-WAN players encourage the use of third-party backbones for global connectivity. Such an approach, though, increases the complexity and costs of a deployment, and fails to deliver the benefits of optimized performance.
Advanced Security
SD-WAN lacks the necessary security to protect branch offices. Next-generation firewall (NGFW), Intrusion Prevention Systems (IPS), Secure Web Gateway (SWG), anti-malware – all necessary components for protecting the enterprise and none of which are provided by SD-WAN. Factoring in the necessary appliances and services for delivering these capabilities significantly increases the cost and complexity of SD-WAN deployments.
SD-WAN: The Senior Years
So, SD-WAN isn’t perfect, but you might be wondering, why not let it coexist with the rest of the security and networking infrastructure? Just deploy a SWG or a Security Service Edge (SSE) solution. Doing so, though, leads to a network that’s at best managed with separate brains – one for your SD-WAN and another for your security infrastructure – and more likely additional “brains” for handling the rest of your security infrastructure and the global backbone.
And with multiple brains, everything becomes more complicated:
Forget zero-touch:SD-WAN made noise about claiming to offer zero-touch configuration, but the reality is far different. Without the necessary security capabilities, SD-WANs become far more complicated to deploy, requiring the additional security appliances to be assessed, purchased, delivered to the locations, installed, and integrated.
High Availability (HA) becomes a headache:With SD-WAN relying on Internet connections, HA is all but required. But with multiple brains, HA becomes far more challenging. There’s no automated provisioning of resilient connections between devices or services. There’s also no associated dynamic failover, requiring companies to install backup appliances and additional operational time testing failover scenarios.
Visibility is limited:Fragmenting data across multiple networking and security systems means you never have a complete view of your network. You can’t spot the network indicators of new threats. Outages become more difficult to troubleshoot with data hiding within multiple appliance logs.
Relying on SSE offerings or security services in the cloud won’t fully address the problem. Deployment is still a problem as there’s no automated traffic routing and tunnel creation between SD-WAN devices and cloud security PoPs. Security infrastructure is also unable to consume and share security policies (such as segmentation) between SD-WAN and cloud security vendors. Operationally, SD-WAN devices and cloud services remain distinct, making troubleshooting more challenging and depriving security teams of networking information that could be valuable in hunting for threats.
And in the end, reducing to two brains better than four, still leaves you with well, two brains on one network.
SD-WAN: It’s Not Dead Just Part of a Bigger Family
So, is SD-WAN dead? Hardly. It remains what it always was – an important tool for building the enterprise network. But like the crazy uncle who might great for laughs but not be terribly reliable, SD-WAN has limitations that need to be addressed.
What’s needed is an approach that uses SD-WAN to connect locations but addresses its security and deployment limitations. SASE secures and connects the complete enterprise – headquarters, branches in distant locations, users at home or on the road, and resources in the cloud, private datacenters, or on the Internet. With one network securing and connecting the complete enterprise, deployments become easier, visibility improves, and security becomes more consistent.
To make that happen, SASE calls for moving the bulk of security and networking processing into a global network of PoPs. SD-WAN devices connect locations to the nearest PoPs; VPNs clients or clientless access connect remote and mobile users. Native cloud connectivity within the PoPs connects IaaS and SaaS resources.
Cato is the World’s First and Most Robust Global SASE Platform
Cato is the world’s first SASE platform, converging SD-WAN and network security into a global, cloud-native service. Cato optimizes and secures application access for all users and locations, including branch offices, mobile users, and cloud datacenters, and allows enterprises to manage all of them with a single management console with comprehensive network visibility. Cato’s SASE platform has all the advantages of cloud-native architectures, including infinite scalability, elasticity, global reach and low total cost of ownership.
Connecting locations to the Cato SASE Cloud is as simple as plugging in a preconfigured Cato Socket appliance, which connect to the nearest of Cato’s 70+ globally dispersed points of presence (PoPs). Mobile users connect to the same PoPs from any device by running the Cato Client. With Cato, new locations or users can be up and running in hours or even minutes, not days or weeks. Security capabilities include Zero Trust Network Access (ZTNA), Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Data Loss Prevention (DLP), and Firewall as a Service (FWaaS).
With Cato, customers can easily migrate from MPLS to SD-WAN, optimize global connectivity to on-premises and cloud applications, enable secure branch office Internet access everywhere, and seamlessly integrate cloud datacenters and mobile users into a high-speed network with a zero-trust architecture. So whether it's mergers and acquisitions, global expansion, rapid deployments, or cloud migration, with Cato, the network and your business are ready for whatever is next in your digital transformation journey.
Learn more about the differences between traditional WAN and SD-WAN.
It’s no secret that many enterprises are reevaluating their WAN. In some cases, it might be an MPLS network, which is no longer suitable (or...
Not All Backbones are Created Equal It’s no secret that many enterprises are reevaluating their WAN. In some cases, it might be an MPLS network, which is no longer suitable (or affordable) for the modern digital business. In other cases, it might be a global SD-WAN deployment, which relied too much on the unpredictable Internet.
Regardless of why the company needs to transform its enterprise network, the challenge remains the same: How do you get secure connections with the same service level of predictability and consistency as MPLS at an Internet-like price point? This calls for a SASE service built on a global private backbone.
Why a Global SASE Service?
Even enterprises who previously thought of themselves as regional operations find they need global reach today. Why? Because users and data are everywhere. They can (and probably do) sit in homes (or cafés) far from any place an office might be situated, accessing cloud apps across the globe. Pulling traffic back to some site for security inspection and enforcement adds latency, killing the application experience. Far better is to put security inspection wherever users and data sit. This way they receive the best possible experience no matter where that executive might be sitting in the world.
Why Private?
Once inspected, moving traffic to a private datacenter or other sites across the global Internet is asking for trouble. The Internet might be fine as an access layer, but it’s just too unpredictable as a backbone. One moment a path might be direct and simple; the next your traffic could be sent for a 40-stop visit the wrong way around the globe. With a private backbone, optimized routing and engineering for zero packet loss makes latency far lower and more predictable than across the global Internet.
Why Not Private Networks from Hyperscalers?
All major public cloud providers – AWS, Azure, and GCP -- realize the benefits of global private networks and offer backbone services today. So why not rely on them? Because while a hyperscaler backbone might be able to connect SD-WAN devices, it lacks the coverage to bring security inspection close to the users across the globe. Only a fraction of the many hyperscaler PoPs can run the necessary security inspections and only a smaller fraction can act as SD-WAN on-ramps. At last check, for example, only 39 of Azure's 65 PoPs supported Azure Virtual WAN. And then there's the question of availability. The uptime SLAs offered by cloud providers are too limited, only running 99.95% uptime, while traditional telco service availability typically runs at four nines, 99.99% uptime.
[boxlink link="https://www.catonetworks.com/resources/global-backbone-demo/?utm_source=blog&utm_medium=top_cta&utm_campaign=global_backbone_demo"] Global Backbone | Watch Cato Demo [/boxlink]
Why Cato’s Global Private Backbone?
For those reasons and more, enterprises are replacing their legacy network with Cato’s global private backbone. Today, it’s the largest private SASE network spanning 70+ PoPs worldwide.
Built as a cloud-native network with a global private backbone, Cato SASE Cloud has revolutionized global connectivity. Using software, commodity hardware, and excess capacity within global carrier backbones, we provide affordable SLA-backed connectivity at global scale.
And every one of our PoPs runs the Cato Single Pass Cloud Engine (SPACE), the converged software stack that optimizes and secures all traffic according to customer policy.
Our simple edge devices combine last mile transports, such as fiber, cable, xDSL, and 4G/5G/LTE. Encrypted tunnels across these last-mile transport carry traffic to nearest PoP. The same goes for our mobile clients (and clientless access). From the PoP, traffic is routed globally to the PoP closest to the destination using tier-1 and SLA-backed global carriers.
This model extends to cloud services as well. Traffic to cloud applications or cloud data centers exit at the PoP closest to these services, and in many cases within the same data center hosting both PoP and cloud service instance.
Key Benefit #1 – Optimized Performance
With built-in WAN optimization, Cato increases data throughput by as much as 40x. Advanced TCP congestion control enables Cato edges to send and receive more data, as well as better utilize available bandwidth. Other specific optimization improvements include:
Real-time network condition tracking to optimize packet routing between PoPs. We don’t rely on inaccurate metrics like BGP hops, but rather on network latency, packet loss, and jitter in the specific route.
Controlling the routing and achieving MPLS-like consistency and predictability anywhere in the world. For example, the path from Singapore to New York may work better through Frankfurt than going direct, and Cato SASE Cloud adapts to the best route in real time.
Applying dynamic path selection both at the edge and at the core – creating end-to-end optimization.
Accelerating bandwidth intensive operations like file upload and download through TCP window manipulation.
Key Benefit #2 – Self-Healing and Resiliency
To ensure maximum availability, Cato SASE Cloud delivers a fully self-healing architecture. Each PoP has multiple compute nodes each with multiple processing cores. Each core runs a copy of Cato SPACE, which manages all aspects of failure detection. Failover and fail back are automated, eliminating the need for dedicated planning or pre-orchestration. More specifically, resiliency capabilities include:
Automatically working around backbone providers in case of outage or degradation to ensure service availability.
Ensuring that if a compute node fails, tunnels seamlessly move to another compute node in the same PoP or to another nearby PoP. And in the unlikely event that a tier-1 provider fails or degrades, PoPs automatically switch to one of the alternate tier-1 providers.
Specialized support for challenging locations like China. Cato PoPs are connected by private and encrypted links through a government-approved provider to Cato's Hong Kong PoP.
A great example of Cato resiliency at work was the recent Interxion datacenter outage in London housing Cato’s London PoP. The outage disrupted trading on the London Metal Exchange for nearly five hours. And for Cato? A few seconds. Read this first-hand account from Cato’s vice president of operations, Aviram Katzenstein.
Key Benefit #3 – Secure and Protected
Cato’s global private backbone has all security services deployed in each of the Cato PoPs. This means that wherever you connect from, your traffic is protected by a full security stack at the PoP nearest to you. From there, Cato’s backbone carries your traffic directly to its destination, wherever it may be. This enables full security for all endpoints without any backhauling or additional stops along the way.
Extensive measures are taken to ensure the security of Cato SASE Cloud. All communications – between PoPs, with Cato Sockets, or Cato Clients – are secured by AES-256 encrypted tunnels. To minimize the attack surface, only authorized sites and remote users can connect and send traffic to the backbone. The external IP addresses of the PoPs are protected with specific anti-DDoS measures. Our service is ISO 27001 certified.
Key Benefit #4 – Internet-like Costs
We reduce the cost of enterprise-grade global connectivity by leveraging the massive build-out in IP capacity. All Cato PoPs are connected by SLA-backed transit capacity across multiple tier-1 networks. The Cato software monitors the underlying, capacity selecting the optimum path for every packet. The result: a network with far better performance than the public Internet at a far lower cost than global MPLS.
A Proven Solution for Global Connectivity
Cato’s backbone delivers better performance, availability, and coverage than any single carrier. A single tier-1 carrier can’t reach all parts of the globe, and a single tier-1 carrier can’t provide the predictability of MPLS. Just as enterprises use SD-WAN to aggregate Internet services and overcome the limitations of any one service, SASE leverages SD-WAN to aggregate tier-1 carriers to overcome the limitations of any one network.
“Opening new stores now goes smoothly, pricing is affordable, the cloud firewall and private backbone provide a great experience, and services are easy to set up.”
Steve Waibel, Director of IT, Brake Masters
“We no longer had to have a separate IDS/IPS, on-premises firewalls, or five different tools to report on each of those services. We could bring our cloud-based services directly into Cato’s backbone with our existing sites and treat them all the same.”
Joel Jacobson, Global WAN Manager, Vitesco Technologies
“The fast backbone connection most of the way to its ACD cloud service was a big plus. QOS was always a struggle before Cato. It’s pretty awesome to hit that Cato network and see that traffic prioritized all the way through to the cloud, rather than just close to our site.”
Bill Wiser, Vice President of IT, Focus Services
Thanks to the low cost of the Cato solution, Boyd CAT more than doubled branch bandwidth, by moving from 10 to 25 Mbits/s - to dramatically improve application performance together with Cato's optimization and global private backbone.
“The branches were just loving it. They started fighting over who would transition to Cato next. We were able to discontinue all our MPLS connections.”
Matt Bays, Communications Analyst, Boyd CAT
With Cato SASE, office and remote and home workers connect to the same high-speed backbone. Mobile and home users benefit from the same network optimizations and security inspections as office workers.
“This year, the entire WAN and Internet connectivity will be running on Cato.”
Eiichi Kobasako, Chief of Integrated Systems, Lion Corporation
As you might have heard, Cato introduced network-based ransomware protection today. Using machine learning algorithms and the deep network insight of the Cato SASE Cloud,...
Cato’s Ransomware Lab Births Network-based Ransomware Prevention As you might have heard, Cato introduced network-based ransomware protection today. Using machine learning algorithms and the deep network insight of the Cato SASE Cloud, we’re able to detect and prevent the spread of ransomware across networks without having to deploy endpoint agents. Infected machines are identified and immediately isolated for remediation.
Of course, this isn’t our first foray into malware protection. Cato has a rich multilayered malware mitigation strategy of disrupting attacks across the MITRE ATT&CK framework. Cato’s antimalware engine prevents the distribution of malware in general. Cato IPS detects anomalous behaviors used throughout the cyber kill chain. Cato also uses IPS and AM to detect and prevent MITRE techniques used by common ransomware groups, which spot the attack before the impact phase. And, as part of this strategy, Cato security researchers follow the techniques used by ransomware groups, updating Cato’s defenses, and protecting enterprises against exploitation of known vulnerabilities in record time.
[boxlink link="https://www.catonetworks.com/cybersecurity-masterclass/?utm_source=blog&utm_medium=top_cta&utm_campaign=masterclass"] Join one of our Cyber Security Masterclasses | Go now [/boxlink]
What’s being introduced today are heuristic algorithms specifically designed to detect and interrupt ransomware. The machine-learning heuristic algorithms inspect live SMB traffic flows for a combination of network attributes including:
File properties such as specific file names, file extensions, creation dates, and modification dates,Shared volumes access data such as metrics on users accessing remote folders,Network behavior such as creating certain files and moving across the network in particular ways, andTime intervals such as encrypting whole directories in seconds.
Once found, Cato automatically blocks SMB traffic from the source device, preventing lateral movement or file encryption, and notifies the customer.
The work comes out of our ransomware lab project that we started several months ago. The lab uses a standalone network within Cato where we reproduce ransomware infections in real-life organizations. “We execute them in the lab to understand how they do their encryptions, what file properties they change, and other parts of their operations and then we figure out how to optimize our heuristics to detect and prevent them,” says Tal Darsan, manager of managed security services at Cato. So far, the team has dug into more than dozen ransomware families, including Black Basta, Conti, and Avos Locker.
To get a better sense of what our ransomware protections bring, check out the video below:
As critical applications migrate into Microsoft Azure, enterprises are challenged with building a WAN that can deliver the necessary cloud performance without dramatically increasing costs...
Azure SD-WAN: Cloud Datacenter Integration with Cato Networks As critical applications migrate into Microsoft Azure, enterprises are challenged with building a WAN that can deliver the necessary cloud performance without dramatically increasing costs and complexity. There’s been no good approach to building an Azure SD-WAN — until now. Cato’s approach to Azure SD-WAN improves performance AND simplifies security, affordably. Let’s see how.
Azure SD-WAN’s MPLS and SD-WAN Problem
When organizations start relying on Azure, two problems become increasingly apparent. First, how do you secure your Azure instance? Running virtual firewalls in Azure adds complexity and considerable expense, necessitating purchase of additional cloud compute resources and third-party licenses. What’s more, virtual firewalls are limited in capacity, requiring upgrades as traffic grows. Cloud performance may suddenly decline because the firewall is choking the network. Adding other cloud instances requires additional tools, complicating operations.
You can continue to rely on your centralized security gateway, backhauling traffic from branch office inspection by the gateway before sending the traffic across the Internet to Azure. You can even improve the connection between the gateway and Azure with a premium connectivity service, such as Azure ExpressRoute. But, and here’s the second issue, how do you deal with the connectivity problem?
Branch offices that might otherwise be a short hop away from an Azure entrance point must now send traffic back to the centralized gateway for inspection before reaching Azure. The approach does nothing for mobile users who sit off the MPLS network regardless.
And what happens as your cloud strategy evolves and you add other cloud datacenter services, such as Amazon AWS or Google Cloud? Now you need a whole new set of security and connectivity solutions adding even more cost and complexity.
Nor does edge SD-WAN help. There’s no security built into edge SD-WAN, so you haven’t addressed that problem. There’s also no private global network so you’re still reliant on MPLS for predicable connectivity. Edge SD-WAN solutions also require the cost and complexity of deploying additional edge SD-WAN appliances to connect to the Azure cloud. And, again, none of this helps with mobile users, which are also out of scope for edge SD-WAN.
[boxlink link="https://www.catonetworks.com/resources/migrating-your-datacenter-firewall-to-the-cloud/?utm_source=blog&utm_medium=top_cta&utm_campaign=cloud_datacenter"] Migrating your Datacenter Firewall to the Cloud | Download eBook [/boxlink]
How Azure SD-WAN Works to Connect Cato and Azure
Cato addresses all of the connectivity and security challenges of Azure SD-WAN. Cato’s global private backbone spans more than 75+ points of presence (PoPs) across the globe, providing affordable premium connectivity worldwide. Many of those Cato PoPs collocate within the same physical datacenters as entrance points to Azure. Connecting from Azure to Cato is only matter of crossing a fast, LAN connection, giving Cato customers ExpressRoute-like performance at no additional charge.
To take advantage of Cato’s unique approach, Cato customers do two things. First, to connect Cato and Azure, enterprises take advantage of our agentless configuration, establishing IPsec tunnels between the two services, establishing the PoP as the egress point for Azure traffic. There’s no need to deploy additional agents or virtual appliances. Cato’s will then optimize and route Azure traffic from any Cato PoP along the shortest and fastest path across Cato Cloud to destination PoP.
Second, sites and mobile users send their Azure traffic to Cato by establishing encrypted tunnels across any Internet connection to the nearest Cato PoP. Sites will run a Cato Socket, Cato’s SD-WAN appliance or establish IPsec tunnels from an existing third-party security device, and mobile users run the Cato mobile client on their devices.
Alternatively, if you’d like to leverage all of Cato’s SD-WAN capabilities in Azure, you can easily deploy Cato’s virtual socket instead of IPsec tunnels, which includes automatic PoP selection, high availability, and automatic failover. The beauty of Cato’s virtual socket is that you can easily deploy it in minutes instead of hours. To get started with Cato virtual socket, search for Cato Networks in the Azure marketplace. Then, click Get It Now, and follow the outlined configuration guidelines.
How Azure SD-WAN Secures Azure Resources
In addition to connectivity, Cato’s Azure SD-WAN solution secures cloud resources against network-based threats. Every Cato PoP provides Cato’s complete suite of security services, eliminating the need for backhauling.
Cato Security as a Service is a fully managed suite of enterprise-grade and agile network security capabilities, that currently includes application-aware next-generation firewall-as-a-Service (FWaaS), secure web gateway with URL filtering (SWG), standard and next-generation anti-malware (NGAM), IPS-as-a-Service (IPS), and Cloud Access Security Broker (CASB). Cato can further secure your network with a comprehensive Managed Threat Detection and Response (MDR) service to detect compromised endpoints.
Azure instances and all resources connected to Cato, including site, mobile users and other cloud resources, are protected through a common set of security policies, avoiding the complexity that comes with purchasing security tools unique to Azure or other cloud environments.
Azure SD-WAN Benefits
The bottom line is that Azure SD-WAN delivers connectivity and security with minimal complexity and cost:
Superior Microsoft Azure performance
The combination of global Cato PoPs, a global private backbone and Microsoft Azure colocation accelerates Microsoft Azure application performance by up to 20X vs. a typical corporate Internet-based connection. Not only is latency minimized but Cato’s built-in network optimizations further improve data transfer throughput. And all of that is done for branch offices as well as mobile users. The result is a superior user experience without the need for premium cloud provider transport services.
Security and deployment simplicity
With Cato, organizations don’t have to size, procure and manage scores of branch security solutions normally needed for the direct Internet access critical to delivering low latency cloud connectivity. Security is built into Cato Cloud; cloud resources are protected by the same security policy set as any other resource or user on the enterprise backbone. Cato’s agentless configuration also means customers don’t have to install additional SD-WAN appliances in the Azure cloud. These benefits are particularly significant for multi-cloud enabled organizations which normally would require separate connectivity solutions for each private datacenter service. (However, if you’d like to leverage additional capabilities in Azure, you can deploy the integration in minutes with Cato’s virtual Socket.)
Networking and security agility
Cato’s SD-WAN’s simplicity, Azure integration, and built-in security stack enable branch offices and mobile users to get connected to Microsoft Azure in minutes or hours vs. weeks or months for branch office appliance-based SD-WAN.
Affordable and fast ROI
Enterprises get superior cloud performance without paying for the high-cost cost of branch office SD-WAN hardware, carrier SD-WAN services, or Microsoft Azure ExpressRoute transport. Nor do companies need to invest in additional security services to protect cloud resources with Cato.
For more information on how Cato integrates with the cloud, contact Cato Networks or check out this eBook on Migrating your Datacenter Firewall to the Cloud.
Why do you need a SASE RFP? Shopping for a SASE solution isn’t as easy as it sounds… SASE is an enterprise networking and security...
The Only SASE RFP Template You’ll Ever Need Why do you need a SASE RFP?
Shopping for a SASE solution isn’t as easy as it sounds... SASE is an enterprise networking and security framework that is relatively new to the enterprise IT market (introduced by Gartner in 2019.) And less than 3 years young, SASE is often prone to misunderstanding and vendor “marketecture.” Meaning: If you don’t ask the right questions during your sales and vendor evaluation process, you may be locked into a solution that doesn’t align with your current and future business and technology needs.
A Quick Note about Cato’s RFP Template
Do a quick Google search and you’ll find millions of general RFP templates. That being said, Cato’s RFP template only covers the functional requirements of a future SASE deployment. There are no generic RFP requirements in our template, like getting the vendor details of your vendor companies.
So, What Must a SASE RFP Template Include?
Cato Networks has created a comprehensive, 13-page SASE RFP template, which contains all business and functional requirements for a full SASE deployment. Just download the template, fill in the relevant sections to your enterprise, and allow your short-listed vendors to fill in the remainder. While you may see some sections that are not relevant to your particular organization or use case, that's all right. It’s available for your reference, and to help you plan any future projects.
A Sneak Peek at Cato’s RFP Template
If you’d like a preview of Cato Networks’ SASE RFP template, we’re providing you with a high-level outline. Take a look at this "quick-guide", and then download the full SASE RFP template to put it into practice.
[boxlink link="https://www.catonetworks.com/resources/sase-rfi-rfp-template/?utm_source=blog&utm_medium=top_cta&utm_campaign=sase_rfp_template"] SASE RFI/RFP Made Easy | Get the Template [/boxlink]
1. Business and IT overview
You’ll describe your business and IT. Make sure to include enough details for vendors to understand your environment so they can tailor their answers to your specific needs and answer why their solution is valuable to your use case.
2. Solution Architecture
Understand your proposed vendors architecture, what the architecture includes, what it does and where it is placed (branch, device, cloud.) Comprehending vendor architecture will allow you to better determine how a vendor scales, how they address failures, deliver resiliency, etc.
3. Solution Capabilities
Deep dive into your proposed vendor functionalities. The idea is to select all selections relevant to your proposed SASE deployment, and have the vendor fill them out.
SD-WAN
Receive a thorough exploration of a proposed vendor’s SD-WAN offering, covering link management, traffic routing and QoS, voice and latency-sensitive traffic, throughput and edge devices, monitoring and reporting, site provisioning, gradual deployment / co-existence with legacy MPLS networks.
Security
Understand traffic encryption, threat prevention, threat detection, branch, cloud and mobile security, identity and user awareness, policy management and enforcement, as well as security management analytics and reporting.
Cloud
Determine vendor components needed to connect a cloud datacenter to the network, amongst other areas.
Mobile (SDP / ZTNA)
Understand how vendors connect a mobile user to the network, their available mobile solutions for connecting mobile users to WAN and cloud, and other key areas.
Global
Explore your vendor’s global traffic optimization, describe how they optime network support to mobile users, and more.
4. Support and Services
Evaluate service offering and managed services. This is the perfect time to ask and understand whether your proposed vendor uses “follow-the-sun" support models and decide whether you want a self-managed, fully managed, or co-managed service.
Support and Professional services
Understand if vendors abide by “follow-the-sun,” support, their hours of support and more.
Managed Services
Get a sense of vendor managed services in several key areas.
Next Steps: Get the Full SASE RFP / RFI Template
Whether you’re new to SASE or a seasoned expert, successful SASE vendor selection starts with asking the right questions. When you know the correct questions to ask, it’s easy to understand if a SASE offering can meet the needs of your organization both now and in the future. Download Cato Network’s full SASE RFP / RFI Made Easy Template, to begin your SASE success story.
Cato just announced the opening of our new PoP in Marseilles, France. Marseilles is our second PoP in France (Paris being the first) and our...
Cato Expands to Marseilles and Improves Resiliency Within France Cato just announced the opening of our new PoP in Marseilles, France. Marseilles is our second PoP in France (Paris being the first) and our 20th in EMEA. Overall, Cato SASE Cloud is comprised of 70+ PoPs worldwide, bringing Cato’s capabilities to more than 150 countries.
As with all our PoPs, Marseilles isn’t just a “gateway” that secures traffic to and from the Internet. Cato PoPs are far more powerful. Like the rest of our PoPs, Marseilles will run Cato's Single Pass Cloud Engine (SPACE), Cato's converged cloud-native software. Cato SPACE provides enterprise-grade threat prevention, data protection, and global traffic optimization for East-West traffic to other Cato PoPs and North-South traffic to the Internet or the cloud.
Cato SPACE sets speed records in the SASE world by processing up to 3 Gbps of traffic per site with full decryption and all security engines active at line rate. Cato SPACE is so effective and reliable, that enterprises can replace legacy MPLS networks and security appliances.
The Marseilles PoP, like all of our PoPs, is equipped with multiple compute nodes running many SPACE engines. When a site’s traffic hits the Marseilles PoP, the traffic flow is immediately assigned to the most available SPACE engine.
Should a SPACE engine fail within a PoP, flows are automatically processed by another SPACE instance. Should the datacenter hosting a Cato PoP fail, users and resources automatically reconnect to the next available PoP as all PoPs are equipped with enough surplus capacity to accommodate the additional load.
[boxlink link="https://www.catonetworks.com/news/cato-networks-strengthens-sase-presence-in-france-with-new-point-of-presence-pop-in-marseilles/?utm_source=blog&utm_medium=top_cta&utm_campaign=marseilles_pop_pr"] Cato Networks Strengthens SASE Presence in France with New Point of Presence (PoP) in Marseilles | News Release [/boxlink]
A case in point was the recent Interxion datacenter outage. The datacenter housed the London Metal Exchange and Cato's London PoP. The outage disrupted the Exchange for nearly five hours. Cato customers were also impacted – for 30 seconds – as London-connected sites, and users automatically and transparently moved over to Cato's Manchester and Dublin PoPs. In the case of Marseilles, Cato's self-healing architecture automatically and transparently moves sites and users to the next best PoP, likely the one in Paris.
"Before Cato, there were outages, complaints, and negative feedback from several internal teams about the service from our major international MPLS provider," said Thomas Chejfec, Group CIO of Haulotte, a global manufacturer of materials and people lifting equipment. Haulotte moved to Cato after facing three years of delays and cost overruns, rolling out MPLS to its more than 30 offices across Western Europe, North America, South America, Africa, and Asia Pacific. "Since deploying Cato, the network is no longer a topic of discussion with users," says Chejfec. "We never hear about it anymore."
Of course, delivering a great cloud platform means having great partners. Cato's complete range of networking and security capabilities are available today from numerous partners across France, including Ava6, ADVENS, Anetys, Hexanet, IMS Networks, OCD, NEOVAD, Nomios, Rampar, Sasety, and Selceon.
Cato continues to work hard to deliver and grow our global network. Marseilles is our latest launch, but hardly our last. Expect us to continue adding PoPs and growing our global footprint so you can connect and secure your offices and users wherever they may be located.
Last December, Network World published a thoughtful guide outlining the questions IT organizations should be asking when evaluating SASE platforms. It was an essential list...
How to Buy SASE: Cato Answers Network World’s 18 Essential Questions Last December, Network World published a thoughtful guide outlining the questions IT organizations should be asking when evaluating SASE platforms. It was an essential list that should be included in any SASE evaluation.
Too often, SASE is a marketing term applied to legacy point solutions, which is why we suspect these questions are even needed. By contrast, The Cato SASE Cloud is the world's first cloud-native SASE platform, converging SD-WAN and network security in the cloud. Cato Cloud connects all enterprise network resources including branch locations, the mobile workforce, and physical and cloud data centers, into a global and secure, cloud-native network service. With all WAN and Internet traffic consolidated in the cloud, Cato applies a suite of security services to protect all traffic at all times. In short, Cato provides all of the core SASE capabilities identified by NWW.
We are pleased to respond point-by-point to every issue raised. You should also check out our SASE RFP template to help with the valuation.
1. Does the vendor offer all of the capabilities that are included in the definition of SASE? If not, where are the gaps? If the vendor does claim to offer all of the features, what are the strengths and weaknesses? How does the maturity of the vendor offerings mesh or clash with your own strengths, weaknesses, and priorities? In other words, if your biggest need is Zero Trust, and the vendor's strength is SD-WAN, then the fit might not be right.
Yes, Cato provides all of the core capabilities NWW defines for SASE – and more. On the networking side, the Cato Global Private backbone connects 70+ PoPs worldwide. Locations automatically connect to the nearest PoP with our edge SD-WAN device, the Cato Socket. Cloud datacenters are connected via an agentless configuration, and cloud applications are connected through our cloud-optimized routing. Remote users connect in by using the Cato Mobile Client or clientless browser access.On the security side, Cato Security as a Service is a fully managed suite of enterprise-grade and agile network security capabilities, directly built into the Cato Global Private Backbone. Current security services include firewall-as-a-Service (FWaaS), secure web gateway with URL filtering (SWG), standard and next-generation anti-malware (NGAM), IPS-as-a-Service (IPS), and Cloud Access Security Broker (CASB), and a Managed Threat Detection and Response (MDR) service.
2. How well integrated are the multiple components that make up the SASE? Is the integration seamless?
The Cato SASE Cloud is completely converged. The Cato SPACE architecture is a single software stack running in our PoPs. Enterprises manage and monitor networking, security, and access through a single application. All capabilities are available in context via a shared user interface. Objects created in one domain (such as security) are available in other domains (such as networking or remote access). (To see what we mean by seamless, check out this detailed walkthrough of the Cato Management Application.)
[boxlink link="https://www.catonetworks.com/resources/5-questions-to-ask-your-sase-provider/?utm_source=blog&utm_medium=top_cta&utm_campaign=5_questions_for_sase_provider"] 5 Questions to Ask Your SASE Provider | eBook [/boxlink]
3. Assuming the vendor is still building out its SASE, what does the vendor roadmap look like? What is the vendor's approach in terms of building capabilities internally or through acquisition? What is the vendor's track record integrating past acquisitions? If building internally, what is the vendor's track record of hitting its product release deadlines?
Cato has demonstrated its ability to develop and bring capabilities to market. Since its founding in 2015, Cato has successfully developed and delivered the global SASE cloud, which is used today by more than 1000 enterprises. We regularly add new services and capabilities to our platform, such as December's announcement of more than 103 frontend improvements and updates to our backend event architecture. (Other additions included a Cloud Application catalog, a Threats dashboard, an Application Analytics dashboard, CASB launch, and updates to our managed detection and response (MDR) service that automated security assessments.)
4. Whose cloud is it anyway? Does the vendor have its own global cloud, or are they partnering with someone? If so, how does that relationship work in terms of accountability, management, SLAs, troubleshooting?
Cato owns and maintains the Cato SASE Cloud. The PoPs are on our hardware hosted in tier-3 datacenters, running Cato's cloud-native software stack. Every PoP is connected by at least two and many by four tier-1 carriers, who provide SLA-backed capacity. Cato's custom routing software constantly evaluates these paths identifying the shortest path for each packet.
Question for MSPs
Network World also included a series of questions specific to managed service providers (MSPs) that we'd like to address as well. Cato in addition to building a SASE platform is also a service provider so we took the liberty of responding to these questions as well.
1. How many PoPs do they have and where are they located? Does the vendor cloud footprint align with the location of your branch offices?
The Cato Global Private backbone currently serves 140 countries worldwide from more than 70 PoPs that we continue to expand each quarter.
2. Does the vendor have the scale, bandwidth, and technical know-how to deliver line-rate traffic inspection?
Thanks to our highly scalable cloud-native architectures, the Cato Cloud delivers line-rate performance regardless of whether traffic is encrypted or unencrypted or the number of security operations performed. PoPs have enough spare capacity to accommodate traffic surges. Case in point was how our Manchester PoP accommodated additional traffic during the Interxion outage.
3. For the cloud-native vendors: How can you demonstrate that your homegrown SASE tools stack up against, say, the firewall functionality from a name-brand firewall vendor?
Cato can fully replace branch office firewalls and, usually, datacenter firewalls. Moreover, the convergence of capabilities allows us to deliver security capabilities and visibility impossible with legacy point solutions. For example, we can use data science and machine learning algorithms on networking data to spot security threats before they can exfiltrate data. The company was founded by security luminary Shlomo Kramer, co-founder of Checkpoint Software. It taps some of the brightest minds in cybersecurity that Israel has to offer. You're welcome to try out our platform and see for yourself.
4. Is there a risk that the vendor might be an acquisition target? As the market continues to heat up, further acquisitions seem likely, with the bigger players possibly gobbling up the cloud-native newcomers.
Cato is a well-established company with well over 1,100 enterprise customers committed to serving the needs of those customers for the long term. We've raised over $500 million in venture capital resulting in a private $2.5 billion valuation.
5. For the traditional managed services powerhouses like AT&T and Verizon, do they have all the SASE capabilities, where did they get them, and how well are they integrated? What is the process for troubleshooting, SLAs, and support? Is there a single management dashboard?
Cato just like any cloud service provider enables organizations to co-manage their own Cato implementation while Cato maintains the underlying infrastructure. IT teams can opt to manage infrastructure themselves, outsource a subset of responsibilities to a Cato partner, or have a Cato partner fully manage the infrastructure. There's always 24x7 support available.
6. Is there flexibility in terms of policy enforcement? In other words, can a consistent SASE security policy be applied across the entire global enterprise, and can that policy also be enforced locally depending on business policy and compliance requirements?
Yes, customers apply a consistent security policy across the enterprise. In fact, enterprises have full control over their security policies. We instantiate the most commonly used security policies at startup, so most customers require little or no changes. The policy set is instantly applied across the global enterprise or to a specific site or user depending on requirements. Enterprises can, of course, add/change policies as necessary.
7. Even if enforcement nodes are localized, is there a SASE management control plane that enables centralized administration? This administrative interface should allow security and network policy to be managed from a single console and applied regardless of the location of the user, the application, or the data.
Cato provides centralized administration via our management application. Both security and network policies are managed from the same interface for all Cato-connected users and resources, whether they exist in the office, on the road, at home, or in the cloud.
8. How is sensitive data handled? What are the capabilities in terms of visibility, control and extra protection?
Cato encrypts and protects all data in transit and at rest within the Cato network. Designated applications or data flows that contain sensitive information can also remain encrypted if required in a way that bypasses Cato inspection engines.
9. Is policy enforced consistently across all types of remote access to enterprise resources, whether those resources live in the public internet, in a SaaS application, or in an enterprise app that lives on-premises or in an IaaS setting?
Part of what makes Cato unique is that all inspection engines and network capabilities operate on both northbound traffic to the Internet or east-west traffic to other Cato-connected resources. Our CASB, for example, inspects all Internet and cloud-based traffic. Security capabilities continue to perform well on East-West traffic regardless of the user's location due to the Cato global private backbone and our distributed cloud architecture.
10. Is policy enforced consistently for all possible access scenarios--individual end users accessing resources from a home office or a remote location, groups of users at a branch office, as well as edge devices, both managed and unmanaged?
Cato uses a single policy set for all access scenarios.
11. Is the network able to conduct single-pass inspection of encrypted traffic at line rate? Since the promise of SASE is that it combines multiple security and policy enforcement processes, including special treatment of sensitive data, all of that traffic inspection has to be conducted at line speed in a single pass in order to provide the user experience that customers demand.
Cato uses a single-pass inspection engine that can operate at line rate even on encrypted traffic. Thousands of Cato SPACEs enable the Cato SASE Cloud to deliver the full set of networking and security capabilities to any user or application, anywhere in the world at cloud scale using a service that is both self-healing and self-maintaining.
12. Is the SASE service scalable, elastic, resilient, and available across multiple PoPs? Be sure to pin the service provider down on contractually enforced SLAs.
The Cato SASE Cloud is a fully distributed, self-healing service, that includes many tiers of redundancies. If the core processing a flow fails, the flow will be handled by one of the other cores in the compute node. Should a compute node fail, other compute nodes in the Cato PoP assume the operation. Should the PoP become inaccessible, Cato has 70+ other PoPs available that enable users to automatically reconnect to the next best available PoP. Enterprises do not need to do any high availability (HA) planning that is typically required when relying on virtual appliances to deliver SASE services.
We have 99.999% uptime SLAs with our carriers. Should one of the tier-1 carriers connecting our PoPs experience an outage or slowdown, Cato's routing software detects the change and automatically selects the next best path from one of two other carriers connecting our PoPs. Should the entire Cato backbone -- that's right all 70+ PoPs somehow disappear, one day -- Cato Sockets will automatically bring up a peer-to-peer network.
13. One of the key concepts of zero trust is that end-user behavior should be monitored throughout the session and actions taken to limit or deny access if the end user engages in behavior that violates policy. Can the SASE enforce those types of actions in real time?
Cato inspects device posture first upon connecting to the network, ensuring the device meets predefined policy requirements and then continues to monitor the device once connected.
Should a key variable change, such as an anti-malware engine expire, the device can be blocked from the network or provided limited access depending on corporate requirements. As users connect to cloud application resources, Cato inspects traffic flows. Dozens of actions within applications can be blocked, enabled, or otherwise monitored and reported, such as uploading files or giving write access to key applications.
14. Will the SASE deliver a transparent and simplified end user experience that is the same regardless of location, device, OS, browser, etc.?
The Cato experience remains consistent regardless of operating system. Mobile users can be given clientless access or client-based access with the Cato Mobile Client. The Cato Mobile Client is available for all major enterprise platforms including Windows, macOS, Android (also supported for ChromeOS), iOS, and Linux. Users within the locations connected by Cato Sockets, Cato's edge SD-WAN device, log into their network as usual with no change.
Once connected to the Cato SASE Cloud, all security inspection is done locally at the connected PoP, eliminating the traffic backhaul that so often degrades the performance of mobile users situated far from their offices. The Cato Global Private Backbone uses optimized routing to minimize latency and WAN optimization to maximize throughput. The result is a remote user experience that's as close as possible to being inside the office.
Other Questions to Explore
We applaud Network World for raising these issues. Some other questions we might encourage IT teams to ask MSPs include:
High Availability (HA): Take a close look at how HA is delivered by the vendor. What's the additional cost involved with deploying the secondary appliance? How are the SD-WAN devices configured and deployed? With most enteprises, HA has become the defacto edge configuration to ensure the high uptime they're looking for particularly when replacing MPLS.
What happens when there is a lockup rather than just an outage, will the system failover properly?
What about the underlying memory, storage, and server system underpinning what are often virtual appliances?
What happens if the PoP itself becomes inaccessible?
The list goes on. The secure Cato SASE platform is based on a fully distributed self-healing network built for the cloud era that we manage 24/7 on behalf of our customers. Anything less than that from our perspective simply isn't SASE.
Maybe you’re an IT manager or a network engineer. It’s about a year before your MPLS contract expires, and you’ve been told to cut costs...
IT Managers: Read This Before Leaving Your MPLS Provider Maybe you’re an IT manager or a network engineer. It’s about a year before your MPLS contract expires, and you’ve been told to cut costs by your CFO.
“That MPLS – too expensive. Find an alternative.”
This couldn’t have come at a better time...
Employees have been blowing up the helpdesk, complaining about slow internet, laggy Zoom calls and demos that disconnect with prospects. Naturally, it’s your job to find a solution...
There actually could be several reasons why it’s time to pull the plug on your MPLS, or at least, consider MPLS alternatives.
1. Get crystal clear on your WAN challenges:
Do any of these challenges sound familiar?
A. You’ve been told to cut costs
It’s no secret that MPLS circuits cost a fortune – often 3-4x the price of MPLS alternatives (like SD-WAN,) for only a fraction of the bandwidth. But the bottom line isn’t the only factor to take into consideration. Lengthy lead-times for site installations (weeks to months,) upgrades, and never-ending rounds of support tickets must all factor into the TCO of your MPLS. In short, MPLS is no longer competitively priced for today’s enterprise that needs to move at the speed of business.
B. Employees constantly complain about performance
While traditional hub-and-spoke networking topology comes with its advantages, when users backhaul to the data center they clog the network with bandwidth-heavy applications like VOIP and file transfer. Multiplied by hundreds or thousands of simultaneous users and you choke your network, creating performance problems which IT is tasked to solve. Wouldn’t it be nice if IT was free to solve business-critical issues instead of recurring network performance issues?
[boxlink link="https://www.catonetworks.com/resources/what-telcos-wont-tell-you-about-mpls/?utm_source=blog&utm_medium=top_cta&utm_campaign=wont_tell_you_about_mpls"] What Others Won’t Tell You About MPLS | EBOOK [/boxlink]
C. You’re “going cloud” and migrating from on-prem to cloud DCs and apps
Migrating from on-prem legacy applications to cloud isn’t generally an “if” but a “when” statement. And the traditional hub-and-spoke networking architecture creates too much latency on cloud applications when the goal is ultimately improved network performance. Additionally, optimizing and securing branch-to-cloud and user-to-cloud access can’t be done efficiently with physical infrastructure, instead of requiring advanced cloud-delivered cybersecurity solutions like SWG, FWaaS and CASB.
D. IT now needs to support work from anywhere, with no downtime
Prior to COVID, work from anywhere was more the exception, rather than a rule. In the “new normal,” enterprises need to the infrastructure to support work from the branch, home, and everywhere else. Traditional remote-access VPNs weren’t designed to support hundreds, or thousands of users simultaneously connecting to the network, while supporting an optimum security posture, like ZTNA can.
So, should you stay with MPLS or should you go?
Ultimately, it’s time to decide whether to stick with your incumbent MPLS provider or consider the alternatives to MPLS...
Whether it’s cost, digitization, performance or secure remote access - is your MPLS “good enough” to support today’s hassles and headaches (not to mention tomorrows?)
2. You’ve decided to look for MPLS alternatives: Do all roads lead to SD-WAN?
You’ve decided that your MPLS isn’t all it's cracked up to be. Now what?
While an SD-WAN solution seems like the natural choice, SD-WAN only addresses some of the challenges that you’ll inevitably face at a growing enterprise.
True, SD-WAN will lower the bill and optimize spend by leveraging internet circuits’ massive capacity and availability everywhere.
However, SD-WAN was designed to optimize performance for site-to-site connectivity, with architecture that isn’t designed to support remote users and clouds.
Additionally, SD-WAN's security is basic at best, lacking the advanced control and prevention capabilities that enterprises need to secure all clouds, datacenters, branches, users and, appliances.
Not to mention, adding SD-WAN to existing appliance sprawl is only going to further complicate your network management, adding more products to administrate, and more hassle surrounding appliance sizing, scaling, distribution, patching and upkeep.
And who needs that headache?
So, how do you solve all the above four challenges, while upgrading your networks and achieving an optimal security posture that allows your enterprise to grow, scale, adjust and stay prepared for “whatever’s next”?
3. Ever Heard of SASE?
No, SASE isn’t just a buzzword or industry hype. It’s the next era of networking and security architecture which doesn’t focus on adding more features to the complicated pile of point solutions, but targets “operational simplicity, automation, reliability and flexible business models,” (Gartner, Strategic roadmap for networking, 2019.)
According to Gartner, for a solution to be SASE, it must “converge a number of disparate network and network security services including SD-WAN, secure web gateway, CASB, SDP, DNS protection and FWaaS,” (Gartner, Hype Cycle for Enterprise Networking 2019.) Gartner is extremely clear that these requirements aren’t just “nice-to-have,” but non-negotiables; the solution must be converged, cloud-native, global, support all edges, and offer unified management.
SASE actually combines SD-WAN and security-as-a-service, managed via a single cloud service, which is globally distributed, automatically scaled, and always updated.
So, instead of opting for more network complexity with SD-WAN, plus all the setup, management, sizing, and scaling challenges that come with it – why not consider SASE?
It’s time to think strategically: Move beyond the limitations of SD-WAN
No matter if you need to solve one, two, three or all four of the above WAN challenges, SD-WAN is a short-sighted point solution to any long-term organizational challenge.
This means that only a SASE solution with an integrated SD-WAN which includes a global-private backbone (over costly long-haul MPLS,) ZTNA (to serve remote access users and replace legacy VPN) and secure cloud access (which allows you to migrate to the cloud,) allows you to successfully grow the business while maintaining your sanity.
If you’re interested in replacing your MPLS beyond the limits of short-sighted solutions like SD-WAN, then you’ll love Cato SASE Cloud.
Check out this Cato SASE E-book to understand:
Why point products like SD-WAN won’t solve long-term architectural problems
What you need to look for in a SASE solution
Why Cato is the only true SASE solution in enterprise networking and security
We’ve been touting the real-world benefits of Cato SASE on our Web site and in seminars, case studies, and solution briefs since the company was...
Eye-Opening Results from Forrester’s Cato SASE Total Economic Impact Report We’ve been touting the real-world benefits of Cato SASE on our Web site and in seminars, case studies, and solution briefs since the company was founded, but how do those benefits translate into hard numbers? We decided it was time to quantify Cato SASE’s real-world financial benefit with a recognized, well-structured methodology, so we commissioned a Total Economic Impact (TEI) study with the consulting arm of the leading analyst firm Forrester.
Forrester interviewed several Cato customers in-depth and used its proprietary TEI methodology to come up with numbers for investment impact, benefits, costs, flexibility, and risks. More on this later.
The results were impressive. According to Forrester, Cato’s ROI came out to 246% over three years with total savings of $4.33 million net present value (NPV) and a payback of the initial investment in under six months. Those numbers don’t include additional savings from less tangible benefits such as risk reduction.
The $4.33 million NPV savings break down this way:
$3.8 million savings in reduced operations and maintenance
$44,000 savings in reduced time to configure Cato at new sites
$2.2 million savings from retiring all the systems replaced by Cato Networks
Investment of $1.76 million over three years
$6.09 million – $1.76 million = $4.33 million NPV.
Numbers Are Only Half the Story
The numbers are certainly impressive, but some of the unquantified benefits the report picked up were perhaps even more enlightening:
Improved employee morale: Team members reported that the activities they were able to shift to after switching to Cato—optimizing systems, for example--were considerably more rewarding than the more mundane activities of setting up, updating, and managing a lot of equipment before Cato.
Consistent security rules: Deploying Cato revealed a lot of inconsistencies in organizations’ governing and securing of network traffic across different sites. The Cato SASE Cloud was able to quickly consolidate all that mess into a single global set of rules, with an obvious positive impact on both security and management.
Reduced time and transit costs: Cato equipment moves through customs without delay or assessments of value-added tax (VAT). This is because Cato Sockets are very simple devices that simply direct traffic to our cloud, where most of the complex encryption and other technologies lie.
Better application performance: We expected this result, which comes from improved network performance.
Overall, respondents describe a transformative, before/after experience.
[boxlink link="https://www.catonetworks.com/resources/the-total-economic-impact-of-cato-networks/?utm_source=blog&utm_medium=top_cta&utm_campaign=tei_report"] The Total Economic Impact™ of Cato Networks | Report [/boxlink]
Before Cato, the organizations had to dedicate separate teams to the costly, time-consuming complexities of managing VPNs, Internet, WAN, and other functions, including spending a lot of time and resources deploying updates at each individual site. Adding new sites was a complex time-consuming process. All that mundane work made it difficult to execute the corporate digital transformation strategy.
As one technology director said about why he turned to Cato, “My goal was, I don’t want my team worrying about how to get a packet from A to B. I’m interested in Layer 7 of the network stack. I want to know: Are applications behaving the way they should? Are people getting the performance they should? Are we secure? You don’t have time to answer that if you’re worried about getting it from A to B.”
After Cato, all of the updates and most of the management were simply delegated to the Cato SASE Cloud. All the remaining network and security oversight required by the customer could be accomplished through a single Cato dashboard. This allowed organizations to redirect all those “before” resources to value-added activities such as system optimization, onboarding new acquisitions, and fast deployment of new sites.
The resulting employee satisfaction benefits were substantial. As a technology director said, “What I heard from my team is, ‘I love that the problems I’m solving on a day-to-day basis are on a completely different order than what I used to have to deal with before.’ They think about complex traffic problems and application troubleshooting and performance.”
Setting up new sites was also vastly easier with Cato, as one IT manager said. “Honestly I was shocked to see how easy it was to set up and maintain an SD-WAN solution based on the whole Cato dashboard. Now there’s a saying that with [unnamed previous solution] you need 10 engineers to set it up and 20 engineers to keep it running. With Cato this all went away.”
How Forrester Got The Numbers
Forrester’s findings were the result of in-depth interviews with five decision-makers whose organizations are Cato customers. Forrester compared data based on their experiences prior to deploying Cato with a composite organizational model of a “vanilla” customer. The description of the five decision-makers is in the table below.
The report describes the composite organization that is representative of the five decision-makers that Forrester interviewed and is used to present the aggregate financial analysis in the next section. The global company is headquartered in the U.S. with 40 sites across the U.S., Europe, and the Asia Pacific region growing to 61 by year three. It also has two on-premises and two cloud datacenters in the U.S, one on-premises and two cloud-based datacenters in Europe, and two cloud-based datacenters in Asia Pacific. Year one remote users total 1,500 growing to 2,100 by year three.
Forrester then used its proprietary TEI methodology to construct a financial model with risk-adjusted numbers. The TEI modeling fundamentals included investment impact, benefits, costs, flexibility, and risks.
Some of the more dramatic savings numbers came in operations and maintenance: The organization was able to redirect 10 full-time employees (FTEs) from operations and maintenance to more value-adding activities in year one. By year three it avoided having to hire 12 more FTEs that would have had to manage the previous solution. The average fully loaded annual compensation for a single full-time data engineer is $148,500.
Lots of savings also came from retired systems, including the traditional edge router, perimeter next-generation firewall appliances, intrusion detection and prevention systems, and SD-WAN.
And then there were benefits from Cato’s remote access flexibility. As one IT team manager said, “When COVID hit we were able to add the entire company to the VPN and provide them the ability to work from home in a matter of days. That was amazing.” (Follow the link to read more about Cato’s approach to secure remote access).
I could go on but take a look for yourself. There’s a lot more juicy data in the report and it’s pretty surprising at times and not a difficult read. You can access The Total Economic Impact™ of Cato Networks report following the link.
One of the more frustrating aspects of more users working from home, and remote connectivity in general, is that troubleshooting often requires user involvement at...
Making Site Support a Bit Easier. Meet the Diagnostic Toolbox in Your Cato Socket One of the more frustrating aspects of more users working from home, and remote connectivity in general, is that troubleshooting often requires user involvement at a really bad time. Users are complaining about connection issues, and just when they're frustrated, you need them to be patient enough to walk through them the troubleshooting steps needed to diagnose the problem. Wouldn’t it have been better if you had tools already in place before a problem occurs? Then you could run your testing without involving the user.
Well, now you do. We’ve added an IT toolbox to our Cato Socket, Cato’s SD-WAN device. Embedded in the Socket Web UI is a single interface through which network administrators can test and troubleshoot remote connectivity without involving the end-user. Ping, Traceroute, Speedtest, and iPerf are already available, instantly, through a common interface and without any user involvement.
[caption id="attachment_23495" align="alignnone" width="1699"] The IT toolbox within the Cato Socket UI provides a range of tools for IT to diagnose last-mile connections from a single web interface[/caption]
[boxlink link="https://www.catonetworks.com/resources/socket-short-demo/?utm_source=blog&utm_medium=top_cta&utm_campaign=short_socket_demo"] Cato Demo: From Legacy to SASE in Under 2 Minutes With Cato Sockets [/boxlink]
Of course, those are not the only troubleshooting tools provided in Cato SASE Cloud. Cato was built from the philosophy that network troubleshooting is a team sport. While Cato Networks engineers maintain the Cato private backbone for 99.999% uptime, Cato users can manage and run the network themselves. They don’t have to open support tickets for changes they can just as easily address independently. Cato provides the tools for doing just that.
Numerous dashboards report on packet loss, latency, jitter, and real-time status help IT diagnose problems once users are connected to Cato.
[caption id="attachment_23497" align="alignnone" width="2113"] Cato includes dynamic dashboards reports on last-mile packet loss, latency, jitter, throughput and more for upstream and downstream connections.[/caption]
Our event discovery capability provides any IT team with advanced research and analytics tools to query a data warehouse that we curate and maintain. It organizes more than 100 types of security, connectivity, system, routing, and Socket management events into a single timeline that can be easily queried. Complex queries can be easily built by selecting from the types and sub-types of events to compare the test data being collected via tool access using Socket Web UI against what has previously occurred on that network connection.
[caption id="attachment_23499" align="alignnone" width="1920"] With Events, Cato converges networking and security events into a single timeline, simplifying the troubleshooting process.[/caption]
Remote troubleshooting has always been a challenge for IT. With remote offices and more users working from home that challenge will only grow. Having the diagnostic tools in place before problems occur goes a long way to improving IT satisfaction.
The COVID-19 pandemic drove rapid, widespread adoption of remote work. Just a few years ago, many organizations considered remote work inefficient or completely impossible for...
Moving Beyond Remote Access VPNs The COVID-19 pandemic drove rapid, widespread adoption of remote work. Just a few years ago, many organizations considered remote work inefficient or completely impossible for their industry and business. With the pandemic, remote work was proven to not only work but work well. However, this rapid shift to remote work left little time to redesign and invest in remote work infrastructure and raised serious information security concerns. As a result, many companies attempted to meet the needs of their remote workforce via remote access VPNs with varying levels of success.
This is part of a guide series about Access Management.
What is a Remote Access VPN and How Does it Work?
A remote access virtual private network (VPN) is a solution designed to securely connect a remote user to the enterprise network. A remote access VPN creates an encrypted tunnel between a remote worker and the enterprise network. This allows traffic to be sent securely between these parties over untrusted public networks.
VPNs in general are designed to create an encrypted tunnel between two points. Before sending any data over the connection, the two VPN endpoints perform a handshake that allows them to securely generate a shared secret key. Each endpoint of the VPN connection will use this shared encryption key to encrypt the traffic sent to the other endpoint and decrypt traffic sent to them. This creates the VPN tunnel that allows traffic to be sent over a public network without the risk of eavesdropping.
In the case of a remote access VPN, one end of the VPN connection is a VPN appliance or concentrator on the enterprise network and the other is a remote worker’s computer. Both sides will perform the handshake and handle the encryption and decryption of all data on the VPN connection, and a user will have access to resources similar to if they were in the office.
Why Companies Need to Move Beyond Remote Access VPNs
The reason why Remote access VPNs were widely adopted in the wake of COVID-19 was because companies had existing VPN infrastructure and were simply comfortable with the technology. However, these VPN solutions have numerous limitations, including:
Continuous Usage: Corporate VPN infrastructure was originally designed to occasionally connect a small percentage of the workforce to the enterprise network and resources. With the need to support continuous remote work for most or all of the organization’s employees, remote access VPNs no longer meet business requirements.
Limited Scalability of VPNs: Existing VPN infrastructure was not built to support the entire workforce, making it necessary to scale to meet demand. Attempting to solve this issue using additional VPN appliances or concentrators increases the complexity of the enterprise network and requires additional investment in security appliances as well.
Lack of Integrated Security: A remote access VPN is designed to provide an encrypted connection between a remote worker and enterprise systems. It does not include the enterprise-grade security inspection and monitoring that is necessary to protect against modern cyber threats. Relying on remote access VPNs forces companies to invest in additional, standalone security solutions to secure their VPN infrastructure.
Security Granularity: A remote access VPN provides access similar to a direct connection to the enterprise network. These VPNs provide unrestricted access to enterprise resources in violation of the principles of least privilege and zero-trust security. As a result, a compromised account can provide an attacker with far-reaching access and enables the unrestricted spread of malware.
Performance and Availability: VPN traffic travels over the public Internet, meaning that its performance and availability depend on that of the underlying Internet. Packet loss and jitter are common on the Internet, and latency and availability issues can have a significant impact on the productivity of a remote workforce reliant on remote VPNs for connectivity.
Geographic Limitations: VPNs are designed to provide point-to-point connectivity between two locations. As companies become more distributed and reliant on cloud-based infrastructure, using VPNs for remote access creates complex VPN infrastructure or inefficient traffic routing.
Remote access VPNs were a workable secure remote access solution when a small number of employees required occasional remote connectivity to the enterprise network. As telework becomes widespread and corporate networks become more complex, remote access VPNs no longer meet enterprise needs.
Enterprise Solutions for Secure Remote Access
VPNs are the oldest and best-known solution for secure remote access, but this certainly doesn’t mean that they are the best available solution. The numerous limitations and disadvantages of VPNs make them ill-suited to the modern, distributed enterprise that needs to support a mostly or wholly remote workforce.
Today, VPNs are not the only option for enterprise secure remote access. Gartner has coined the term Secure Access Service Edge (SASE) to describe cloud-native solutions that integrate SD-WAN functionality with a full security stack.
Zero trust network access (ZTNA) is one of the security solutions integrated into SASE and serves as a superior alternative to the remote access VPN. Some of the advantages of replacing remote access VPNs with SASE include:
Scalability and Flexibility: SASE is built using a network of geographically distributed, cloud-based Points of Presence (PoPs). This enables the SASE network to seamlessly scale to meet demand without the need to deploy additional VPN and security appliances.
Availability and Redundancy: SASE nodes are built to be redundant and to identify the best available path to traffic’s destination. This offers much higher availability and resiliency and eliminates the single points of failure of VPN-based remote access infrastructure.
Private Backbone: SASE PoPs are connected via a secure private backbone. This enables it to provide performance and availability guarantees that are not possible for Internet-based VPNs.
Integrated Security: In addition to ZTNA, which enforces zero-trust access controls, SASE PoPs integrate a full stack of network security solutions. This enables them to provide enterprise-grade security without the need for additional standalone security solutions, inefficient routing, or security chokepoints.
If you’re looking to deploy or upgrade your organization’s secure remote access infrastructure, a remote access VPN is likely not the right answer. Cato’s SASE-based remote access service provides all of the benefits of a VPN with none of the downsides. To learn more about SASE and how it can work for your business, contact us here.
See Additional Guides on Key Access Management Topics
Together with our content partners, we have authored in-depth guides on several other topics that can also be useful as you explore the world of access management.
Network Topology MappingNetwork Topology Mapping 101: The Categories, Types, and TechniquesWhat is Microsegmentation? How Network Microsegmentation Can Protect Data CentersABACABAC (Attribute-Based Access Control): A Complete Guide RBAC vs ABAC. Or maybe NGAC? AWS ABAC: ExplainedRBACWhat Is Role-Based Access Control (RBAC)? A Complete Guide Role Based Access Control Best Practices You Must Know RBAC in Azure: A Practical Guide
The networking industry loves a good buzzword as much as any other IT sector. Network-as-a-Service (NaaS) certainly fits that billing. The term has been around...
What is Network-as-a-Service and Why WAN Transformation Needs NaaS and SASE The networking industry loves a good buzzword as much as any other IT sector. Network-as-a-Service (NaaS) certainly fits that billing. The term has been around for at least a decade has come back in vogue to describe networking purchased on a subscription basis.
But what’s particularly interesting for anyone moving away from a global MPLS network or otherwise looking at WAN transformation is the impact NaaS will have on evolving the enterprise backbone. For all of its talk, SASE as understood by much of the industry, will not completely replace a global MPLS network; the Internet is simply too unpredictable for that. Only by converging SASE with NaaS can companies eliminate costly, legacy MPLS services.
What is NaaS (Network-as-a-Service)
Exactly what constitutes a NaaS is open to some debate. All agree that NaaS offerings allow enterprises to consume networking on a subscription basis without having to deploy any hardware. According to a recent Network World article, IDC’s senior research analyst Brandon Butler wrote in a recent whitepaper "NaaS models are inclusive of integrated hardware, software, licenses and support services delivered in a flexible consumption or subscription-based offering.”
Cisco in its recent report flushed that out a bit further defining NaaS as “a cloud-enabled, usage-based consumption model that allows users to acquire and orchestrate network capabilities without owning, building, or maintaining their own infrastructure,” writes industry analyst, Tom Nolle.
Gartner identifies the specific attributes of a cloud service. According to Gartner’s Andrew Lerner, “NaaS is a delivery model for networking products. NaaS offerings deliver network functionality as a service, which include the following capabilities:
elf-service capability
on-demand usage,
Ability to scale up and down.
billed on an opex model
consumption-based, via a metered metric (such as ports, bandwidth or users), (not based on network devices/appliances).
NaaS offerings may include elements such as network switches, routers, gateways and firewalls.”
For those running datacenter networks, Network World reports NaaS offerings will allow them to purchase compute, networking, and storage components configured through an API and controlled by a common management package. (Personally, I find the focus on the appliance form factor a reflection of legacy thinking. Gartner’s view of a consumption-based model based on bandwidth or users, not appliances, I think to be more accurate but let’s leave that aside for the comment.)
But for those involved in the WAN, NaaS is also increasingly coming to describe a new kind of backbone, one that’s programmable, sold on a subscription basis, and designed for the cloud. “I see NaaS as a way to describe agile, programmable backbones and interconnections in a hybrid, multi-cloud architecture,” wrote Shamus McGillicuddy, vice president of network management research at Enterprise Management Associates in an email.
[boxlink link="https://www.catonetworks.com/resources/terminate-your-mpls-contract-early-heres-how/?utm_source=blog&utm_medium=top_cta&utm_campaign=terminate_mpls_ebook"] Terminate Your MPLS Contract Early | Here’s How [/boxlink]
NaaS Must Meet SASE
But here’s the thing, with the proliferation of threats any networking service cannot be divorced from security policy enforcement and threat prevention. It’s why SASE has emerged to be such a dominant force. The convergence of SD-WAN with four areas of security -- NGFW, SWG, CASB, and ZTNA – enables enterprises to extend security policies everywhere will also being more effective and more efficient. (Just check out what our customers say if you want first-hand proof.)
But SASE alone can’t replace MPLS. Converging SD-WAN and security still doesn’t address the need for a predictable, efficient global backbone. And the public Internet is far too unpredictable, too inefficient to support the global enterprise. What’s needed is to converge SASE with a backbone NaaS – a global private backbone delivered on subscription basis.
Cato: The Global SASE Platform That Includes NaaS
The Cato SASE Cloud is the only SASE platform that operates across its own global private backbone, providing SASE and backbone NaaS in one. With the Cato SASE platform, enterprises not only converge security with SD-WAN, but they also get predictable, optimized global connectivity.
“Cato Networks operates its own security network as a service (NaaS) providing a range of
security services including SWG, FWaaS, VPN, and MDR from its own cloud-based network,” writes Futuriom in its “Cloud Secure Edge and SASE Trends Report.” (Click on the link to download the report for free)
The Cato private backbone is a global, geographically distributed, SLA-backed network of 65+ PoPs, interconnected by multiple tier-1 carriers. Each PoP run Cato’s cloud-native software stack that along with security convergence provides global routing optimization and WAN optimization for maximum end-to-end throughput.
Our software continuously monitors network services for latency, packet loss, and jitter to determine, in real-time, the best route for sending every network packet. In fact, according to independent testing, is the only backbone NaaS in the world to include WAN optimization and, as a result, increases iPerf throughput 10x-20x over what you’d expect to see with MPLS or Internet. The backbone is fully encrypted for maximum security and self-healing for maximum uptime.
The Cato Socket, Cato’s edge SD-WAN device, automatically connects to the nearest Cato PoP. All outbound site traffic is sent to the PoP. Policies then direct Internet traffic out to the Internet and the rest across the Cato backbone.
SASE and NaaS Better Together
Converging SASE and backbone NaaS together also offers unique advantages compared to keeping the two separate. Deployment becomes incredibly quick. Customers can often bring up new locations on Cato -- complete with SD-WAN, routing policies, access policies, malware protection rules, and global backbone connections – in under two hours and without expert IT assistance.
Convergence also allows for deeper insights. Cato captures and stores the metadata of every traffic flow from every user across its global private backbone in a massive data lake. This incredible resource enables Cato engineers to do all sorts of “what if” analysis, which would otherwise be impossible. One practical example – the Cato Event screen, which displayed all connectivity, routing, security, system, and Socket management events on one queryable timeline for the past year. Suddenly it becomes very simple to see why users might be having a problem. Was it a last-mile issue? A permissions issue caused by a reconfigured firewall rule? Something else? Identifying root cause becomes much quicker and simpler when you have a single, holistic view of your infrastructure.
[caption id="attachment_21441" align="alignnone" width="1920"] Converging the backbone, SD-WAN, and security into one service enables all events to be presented in a single screen for easy troubleshooting. [/caption]
WAN Transformation That Makes Sense
In short, converging NaaS and SASE together results in better WAN transformation, one that reduces cost, simplifies security, and improves performance all without compromising on the predictability and reliability enterprises expect from their networks.
Hard to believe? Yeah, we get that. It’s why we’ve been called the “Apple of networking.” But don’t take our word for it. Take us for test drive and see for yourself. We can usually get a POC set up in minutes and hours not days. But that shouldn’t be a surprise. We’re an “as a service” after all.
December 14, 2021
4m read
If a picture tells a thousand words, then a new user interface tells a million. The new Cato Management Application that we announced today certainly...
December 14, 2021
4m read
Independent Compliance and Security Assessment – Two Additions to the All-New Cato Management Application If a picture tells a thousand words, then a new user interface tells a million. The new Cato Management Application that we announced today certainly brings a scalable, powerful interface. But it’s far more than just another pretty face. It’s a complete restructuring of the backend event architecture and a new frontend with more than 103 improvements.
New dashboards and capabilities can be found throughout the platform. We improved cloud insight with a new advanced cloud catalog. New independent conformance testing for regulatory compliance and security capabilities is, I think, a first in the industry. We enhanced security reporting with an all-new threats dashboard and opened up application performance with another new dashboard. Let’s take a closer look at some of these changes.
New Topology View and a New Backend
The top-level topology view has been redesigned to accommodate deployments of thousands of sites and tens of thousands of users. But in the new Management Application, we’ve enabled customization of the top-level view, enabling you to decide how much detail to show across all edges — sites, remote users, and cloud assets — connected to and are secured by Cato SASE Cloud (see Figure 1).
[caption id="attachment_20988" align="alignnone" width="1024"] Figure 1 Cato’s new Management Application lets enterprises continue to manage their network, security, and access infrastructure from a common interface (1). The new front-end is completely customizable and can surface the providers (2) connecting sites and remote users. You can easily identify problematic sites (3) and drill down into a user or location’s stats at a click (4). [/caption]
Behind the Cato Management Application is a completely rearchitected backend. Improved query analytics for site metrics and events makes the process more efficient and the interface more responsive even with customer environments generating over 2 billion events per day. A new event pipeline increases the event retrieval volume while allowing NetOps and NetSecOps to be more specific and export just the necessary events.
[boxlink link="https://www.catonetworks.com/resources/management-application-walkthrough/"] Cato Management Application
[30 min Walkthrough] | Take the Tour [/boxlink]
Independent Compliance Rating Revolutionizes Compliance and Security Verification
A new cloud application catalog has been introduced with 5000 of the most common enterprise applications. For each application, the catalog includes a detailed description of the target app automatically generated by a proprietary data mining service and an independently verified risk score (see Figure 2).
[caption id="attachment_20990" align="alignnone" width="1920"] Figure 2: The new Cloud Apps Catalog contains more than 5000 applications with an overall risk score[/caption]
The risk score is based on Cato’s automated and independent assessment of the cloud application’s compliance levels and security capabilities. Using the massive data lake we maintain of the metadata from every flow crossing Cato’s Global Private Backbone, machine learning algorithms automatically check an application’s claimed regulatory compliance and security features. Currently, Cato regulatory compliance verification includes HIPAA, PCI, and SOC 1-3. Security feature verification includes MFA, encryption of data at rest, and SSO (see Figure 3).
[caption id="attachment_20992" align="alignnone" width="1660"] Figure 3: Cato independently verifies the application’s conformance with regulations and security features[/caption]
New Threat Dashboard Identifies Key Threats Across the Enterprise
[caption id="attachment_21022" align="alignnone" width="1919"] Figure 4: The new Threat Dashboard provides a snapshot of threats across enterprise security infrastructure for assessing the company’s Shadow IT position[/caption]
The new Threat Dashboard summarizes the insights drawn from Cato’s Managed IPS, FWaaS, SWG, and Anti-Malware services. Through a single dashboard, security teams can see the top threats across the enterprise. A dynamic, drill-down timeline allows security teams to gather more insight. Top hosts and users identify the impacted individuals and endpoints (Figure 4).
New Application Dashboard Provides Snapshot of Usage Analytics
With the new Application Dashboard, you gain an overall view of your enterprise application analytics. Administrators can easily understand current and historical bandwidth consumption and flow generation by combinations of sites, users, applications, domains, and categories (Figure 5).
[caption id="attachment_20996" align="alignnone" width="1442"] Figure 5: The new Application Analytics dashboard provides an overview of an application usage that can be easily segmented by combinations of multiple dimensions. In this case, application consumption is shown for each user at a particular site.[/caption]
The Cato Management Application is currently available at no additional charge. To learn more about the management platform, click here or check out this 30 min walkthrough video. You can also contact us for a personal demo.
In the recent Emerging Technologies and Trends Impact Radar: Communications,1 Gartner expanded our understanding of what it means to be a SASE platform. The Gartner...
New Insight Into SASE from the Recent Gartner® Report on Impact Radar: Communications In the recent Emerging Technologies and Trends Impact Radar: Communications,1 Gartner expanded our understanding of what it means to be a SASE platform.
The Gartner report states, “While the list of individual capabilities continues to evolve and differ between vendors, serving those capabilities from the cloud edge is non-negotiable and fundamental to SASE. There are components of SASE, such as some of the networking features with SD-WAN, that reside on-premises, but everything that can be served from cloud edge should be. A solution with all of the SASE functions integrated into a single on-premises appliance is not a SASE solution.”
To learn more, check out this excerpt of the SASE text from the report:
Secure Access Service Edge (SASE)
Analysis by: Nat Smith
Description:
Secure access service edge (SASE, pronounced “sassy”) delivers multiple converged network and security as a service capabilities, such as SD-WAN, secure web gateway (SWG), cloud access security broker (CASB), firewall, and zero trust network access (ZTNA). SASE supports branch office, remote worker and on-premises general internet security use cases. SASE is primarily delivered as a service and enables dynamic zero trust access based on the identity of the device or entity, combined with real-time context and security and compliance policies.
SASE is evolving from five contributing security and network segments: software-defined wide-area network (SD-WAN), firewall, SWG, CASB and ZTNA. The consolidation of offerings into a single SASE market continues to increase buyer interest and demand. Several vendors offer completely integrated solutions already, and many vendors offer intermediary steps, usually consolidating five products into two. Consolidation and integration of capabilities is one of the main drivers for buyers moving to SASE. This is more important than best-of-breed capabilities for the moment, but that will change as consolidated, single-vendor solutions become more mature.
While the list of individual capabilities continues to evolve and differ between vendors, serving those capabilities from the cloud edge is non-negotiable and fundamental to SASE. There are components of SASE, such as some of the networking features with SDWAN, that reside on-premises, but everything that can be served from cloud edge should be. A solution with all of the SASE functions integrated into a single on-premises appliance is not a SASE solution.
[boxlink link="https://catonetworks.easywebinar.live/registration-77?utm_source=blog&utm_medium=top_cta&utm_campaign=strategic_roadmap_webinar"] Strategic Roadmap for SASE | Watch Now [/boxlink]
Range: 1 to 3 Years
Even though some vendors are not implementing all portions of SASE on their own today, Gartner estimates SASE is about one to three years away from early majority adoption. There are several factors or use cases that we predict will drive the speed of adoption. Consolidation of administration and security enforcement of cloud services, network edge transport, and content protection features drives higher efficiency and scale for remote workers and cloud services. There are three key market segments that we expect to consolidate and serve as components of SASE: these are SWG, CASB and ZTNA. The majority of end users have already transitioned to cloud-based services or are actively doing so now. Second, instead of five components loosely from separate vendors, a single SASE offering with all five components converged into a single offering is the other activity to watch. Several vendors offer complete SASE solutions today and those solutions are maturing quickly. Because of the availability of these two factors, or use cases, buyer adoption is picking up.
Mass: High
Mass is high because SASE has a direct impact on the future of its five contributing market segments — SD-WAN, firewall, SWG, CASB and ZTNA — predicting that they will largely go away, eventually to be engulfed by SASE. Client interest, Google searches, and analyst opinion further validate the likelihood of SASE. Further adding to mass, SASE is also appropriate across all industries and multiple business functions. The changes required for offerings in the contributing segments to evolve to a SASE cloud edge-based solution are significant for some of these contributing markets. The density of this change is high — not only because this affects five segments, but some of these segments are quite large. Appliance-based products will need to transform into cloud native services, not merely cloud-hosted virtual machines (VMs). However, a cloud-native service alone is not sufficient — vendors will also need points of presence (POPs) or cloud edge presence as well, which may require substantial investment or partnerships.
Recommended Actions:
Create a migration path that gives buyers the flexibility to easily adopt SASE capabilities when ready while still being able to use and manage their existing network and security investments. Most buyers will need to work in a hybrid environment of part SASE and part traditional elements for an extended period of time.
Fill out your portfolio or aggressively partner through deep integration to cover any gaps in the SASE offering. Products in the five contributing segments will increasingly become undesirable to buyers if they do not have a convergence path to SASE.
Develop cloud-native components as scalable microservices that can all process packets in a single pass. In a highly competitive SASE market, agility and cost will increasingly become important, and microservices provide both of these benefits. Build a network of distributed points of presence (POPs) through colocation facilities, service provider POPs or infrastructure as a service (IaaS) to reduce latency and improve performance for network security services. The evolution to SASE also requires an evolution of product delivery vehicles.
Gartner Disclaimer: GARTNER is registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
1Gartner, “Emerging Technologies and Trends Impact Radar: Communications”, Christian Canales, Bill Ray, Kosei Takiishi, Andrew Lerner, Tim Zimmerman, Simon Richard, 13 October 2021
If you’re like many of the IT leaders we encounter, you’re likely facing a refresh on your firewall appliances or will face one soon enough....
The Future of the Enterprise Firewall is in The Cloud If you're like many of the IT leaders we encounter, you're likely facing a refresh on your firewall appliances or will face one soon enough. And while the standard practice was to exchange one firewall appliance for another, increasingly, enterprises seem to be replacing firewall appliances with firewall-as-a-service (FWaaS).
Yes, that's probably not news coming from Cato. After all, we've seen more than 1,000 enterprises adopt Cato's FWaaS to secure more than 300,000 mobile users and 15,000 branch offices. And in every one of those deployments, FWaaS displaced firewall appliances.
But it's not just Cato who's seeing this change. Last year, Gartner® projected that by 2025, 30% of new distributed branch office firewall deployments would switch to FWaaS, up from less than 5% in 2020.1
And just this week, for the first time, Gartner included Cato in its "Magic QuadrantTM for Network Firewalls” for the FWaaS implementation of a cloud-native SASE architecture, the Cato SASE Cloud.2"
What's Changing for FWaaS
What's behind this change? FWaaS, and Cato's FWaaS in particular, eliminates the cost and complexity of buying, evaluating, and upgrading firewall appliances. It also makes keeping security infrastructure up-to-date much easier. Rather than stopping everything and racing to apply new IPS signatures and software patches whenever a zero-day threat is found, Cato's FWaaS is kept updated automatically by Cato’s engineers.
Most of all, FWaaS is a better fit for the macro trends shaping your enterprise. No matter where users work or resources reside, FWaaS can deliver secure access, easily. By contrast, physical appliances are poorly suited for securing cloud resources, and virtual appliances consume significant cloud resources while requiring the same upkeep as their physical equivalents. And with users working from home, investing in appliances makes little sense. Delivering secure remote access with an office firewall requires backhauling the user’s traffic, increasing latency, and degrading the remote user experience.
[boxlink link="https://www.catonetworks.com/resources/migrating-your-datacenter-firewall-to-the-cloud/?utm_source=blog&utm_medium=top_cta&utm_campaign=datacenter_firewall"] Migrating your Datacenter Firewall to the Cloud | Download eBook [/boxlink]
Not Just FWaaS, Cloud-Native FWaaS
But to realize those benefits, it's not enough that a provider delivers FWaaS. The FWaaS must run on a global cloud-native architecture.
FWaaS offerings running on physical or virtual appliances hosted in the cloud mean resource utilization is still locked into the granularity of appliances, increasing their costs to the providers — and ultimately to their customers. Appliances also force IT leaders to think through and pay for high-availability (HA) and failover scenarios. It's not just about running redundant appliances in the cloud. What happens if the PoPs hosting those appliances fails? How do connecting locations and users failover to alternative PoPs? Does the FWaaS even have sufficient PoP density to support that failover?
By contrast, with a cloud-native FWaaS, the Cato SASE Cloud shares virtual infrastructure in a way that abstracts resource utilization from the underlying technology. The platform is stateless and fully distributed, assigning tunnels to optimum Cato's Single Pass Cloud Engine (SPACE). The Cato SPACE is the core element of the Cato SASE architecture and was built from the ground up to power a global, scalable, and resilient SASE cloud service. Thousands of Cato SPACEs enable the Cato SASE Cloud to deliver the complete set of networking and security capabilities to any user or application, anywhere in the world, at cloud scale, and as a service that is self-healing and self-maintaining.
What are the five attributes of a "cloud-native" platform? Check out this blog post, "The Cloud-Native Network: What It Means and Why It Matters," for a detailed explanation.
Key to delivering a self-healing and self-maintaining architecture without compromising performance is the geographic footprint of the FWaaS network. Without sufficient PoPs, latency grows as user traffic must first be delivered to a distant PoP and then be carried across the unpredictable Internet. By, contrast the Cato Global Private Backbone underlying Cato's FWaaS is engineered for zero packet loss, minimal latency, and maximum throughput by including WAN optimization. The backbone interconnects Cato's more than 65 PoPs worldwide. With so many PoPs, users always have a low-latency path to Cato, even if one PoP should fail.
How much better is the Cato global private backbone? An independent consultant recently tested iPerf performance across Cato, MPLS, and the Internet. Across Cato, iPerf improved by more than 1,300%. Check out the results for yourself here: https://www.sd-wan-experts.com/blog/cato-networks-hits-2-5b-and-breaks-speed-barrier/
Cato SASE Cloud: FWaaS on Steroids and a Whole Lot More
Of course, as a SASE platform, FWaaS is only one of the many services delivered by the Cato SASE Cloud. In addition to a global private backbone that can replace any global MPLS service at a fraction of the cost, Cato's networking capabilities includes edge SD-WAN, optimized secure remote access, and accelerated cloud datacenter integration.
FWaaS is only one of Cato's many security services. Other security services include a secure web gateway with URL filtering (SWG), standard and next-generation anti-malware (NGAM), managed IPS-as-a-Service (IPS), and comprehensive Managed Threat Detection and Response (MDR) service to detect compromised endpoints.
And, all services are seamlessly and continuously updated by Cato's dedicated networking and security experts to ensure maximum availability, optimal network performance, and the highest level of protection against emerging threats.
FWaaS: A Better Way to Protect the Enterprise
In our opinion, Gartner expert’s inclusion of Cato SASE Cloud in the Magic Quadrant is recognition of the unique benefits cloud-native FWaaS brings to the enterprise. FWaaS build on appliances simply cannot meet enterprise requirements, not for performance nor uptime. Cato’s cloud-native approach not only made FWaaS possible, but we proved that it can meet the needs of the vast majority of sites and users. Over time, cloud-native FWaaS will become the dominant deployment model for enterprise security.
And Cato isn’t stopping there. Every quarter we expand our backbone, adding more PoPs. All of those PoPs run our complete SASE stack; they don’t just serve as network ingress points where traffic must be sent to yet another PoP for processing. We will also be adding new security services next year not by putting a marketing wrapper around acquired or third-party solutions, but by building them ourselves, directly into the rest of the Cato Cloud. As for EPP and EDR, neither are currently in scope for SASE but both are viable targets for convergence.
Comparing cloud services and boxes is always challenging. Ultimately, enterprises face a trade-off between DIY or consuming the technology as a service. Moving to the cloud alters the cost of ownership, bringing the same agility and power that’s changed how we consume applications, servers, and storage to security.
To better understand how Cato can improve your enterprise, contact us to run a quick proof-of-concept. You won't be disappointed.
1 Gartner, Critical Capabilities for Network Firewalls, Magic Quadrant for Network Firewalls, Rajpreet Kaur, Adam Hils, Jeremy D'Hoinne, 10 November 2020
2 Gartner, Magic Quadrant for Network Firewalls, Rajpreet Kaur, Jeremy D'Hoinne, Nat Smith, and Adam Hils, 1 November 2021
GARTNER and MAGIC QUADRANT are registered trademarks and service marks of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Good descriptive logs are an essential part of every code that makes it to production. But once the deliverable leaves your laptop, how much do...
Personalized alerts straight from production environments Good descriptive logs are an essential part of every code that makes it to production. But once the deliverable leaves your laptop, how much do you really look at them?
Sure, when catastrophe hits, they provide a lot of the required context of the problem, but if everything just works (or so you think) do you look at them? Monitoring tools do (hopefully), but even they are configured to only look for specific signs of disaster, not your everyday anomalies. And when will these be added? Yup, soon after a failure, as we all know any root cause analysis doesn’t come complete with a list of additional monitoring tasks.
One of our security researchers developed a solution. Here’s what he had to say:
What I’ve implemented is a touch-free and personalized notification system that takes you and your fellow developers a couple of steps closer to the production runtime. Those warning and error logs? Delivered to you in near real time, or a (daily) digest shedding light on what really goes on in that ant farm you’ve just built. Moreover, by using simple code annotations log messages can be sent to a slack channel enabling group notifications and collaborations. Your production environment starts talking to ya.
The system enables developers to gain visibility into the production runtime, resulting in quicker bug resolution times, fine tuning runtime behavior and better understanding of the service behavior.
Oh, and I named it Dice - Dice Is Cato’s Envoy. It was a fun project to code and is a valuable tool we use.
[boxlink link="https://www.catonetworks.com/resources/eliminate-threat-intelligence-false-positives-with-sase?utm_source=blog&utm_medium=top_cta&utm_campaign=Eliminate_Threat_Intelligence"] Eliminate Threat Intelligence False Positives with SASE [/boxlink]
How does it work then?
The first step is building a list of log messages extracted from the source code and a matching list of interested parties. These can be explicitly stated on a comment following the log line in the code, or automatically deduced by looking in the source control history for the last author of the line (i.e. git blame). Yes, I can hear you shouting that the last one on the blame list isn’t necessarily the right developer and you’d be right. However, in practice this isn’t a major problem, and can be addressed by explicit code annotations.
Equipped with this list of messages and authors the system now scans the logs, looking for messages. We decided to focus on Warning and Error messages as they are usually used to signal anomalies or plain faults. However, when an explicit annotation is present in the code we process the message regardless of its log level.
Code examples
Code line
Alerting effect
INFO_LOG("hello cruel world"); // #hello-worlders
Channel to which messages should be sent
WARN_LOG("the sky is crying"); // @elmore@mssp.delta
Explicit mentioning of the developer (Elmore)
ERROR_LOG("it hurts me too");
No annotation here, so blame information will be used (e.g. pig@pen.mssn)
Alerting
Real time messages
Channel messages (as in the example above) are delivered as soon as they are detected, which we used to communicate issues in real time to developers and support engineers. This proved to be very valuable as it enabled us to do a system inspection during runtime, while the investigated issue was still occurring, dramatically lowering the time to resolution.
For example, we used channel messages to debug a particularly nasty IPsec configuration mismatch. The IPsec connection configuration is controlled by our client, and hence we could not debug issues in a sterile environment where we have full control over both ends of the configuration. With the immediate notifications, we were able to get the relevant information out of the running system.
Digests
Digests are also of great value, informing a developer of unexpected or even erroneous behavior. My code (and I guess yours also) has these “this can’t really happen” branches, where you just log the occurrence and get the hell out of the function. With Dice’s messages, I was able to know that these unimaginable acts of the Internet are actually more frequent than I imagined and should get special treatment rather than being disregarded as anomalies. Alerts are usually sent to users in the form of a daily digest, grouping all the same messages together with the number of occurrences, on which servers and the overall time frame.
Slack usage
Using Slack as the communication platform, enables the system to make some judgment regarding the notifications delivery - developers asked for digests to be sent only when they are online and, in any case, not during the weekend, which is easy to accommodate. Furthermore, the ability to add interactive components into the messages opens the door for future enhancements described below.
Aftermath
Useful as Dice is, it can be made even greater. Interactivity should be improved - many times notifications should be snoozed temporarily, till they are addressed in the code, or indefinitely as they are just redundant. The right (or some definition of right) solution is usually to change the log level or remove the message entirely. However, the turnaround for this can be weeks, we deploy new versions every two weeks, so this is too cumbersome. A better way is to allow snoozing/disabling a particular message directly in Slack, via actions.
"It wasn’t me" claim many Sing Sing inmates and blamed developers - the automatically generated blame database may point to the wrong author, and the system should allow for an easy, interactive way of directing a particular message to its actual author. It can be achieved via code annotations, but again this is too slow. Slack actions and a list of blame overrides is a better approach.
Wrapping up
Logs are essentially a read-only API of a system, yet they are mostly written in free form with no structural or longevity guarantees. At any point a developer can change the text and add or remove variable outputs from the messages. It is therefore hard to build robust systems that rely on message analysis. Dice, elegantly if I may say, avoids this induced complexity by shifting the attention to personalized and prompt delivery of messages directly to relevant parties, rather than feeding them into a database of some sort and relying on the monitoring team to notify developers of issues.
As IT leaders look to address the needs of the digital enterprise, significant changes are being pushed onto legacy networking and security teams. When those...
SSE: It’s SASE without the “A” As IT leaders look to address the needs of the digital enterprise, significant changes are being pushed onto legacy networking and security teams. When those teams are in lockstep and ready to change, SASE adoption is the logical evolution. But what happens when security teams want to modernize their tools and services but networking teams remain committed to legacy SD-WAN or carrier technologies? For security teams, Gartner has defined a new category, the Security Service Edge (SSE).
What is SSE?
The SSE category was first introduced by Gartner in the “2021 Roadmap for SASE Convergence” report in March of 2021 (where it was named “Security Services Edge” with service in the plural) and later developed in several Hype Cycle reports issued in the summer. SSE is the half of secure access service edge (SASE) focusing on the convergence of security services; networking convergence forms the other half of SASE.
The Components of SSE
Like SASE, SSE offerings converge cloud-centric security capabilities to facilitate secure access to the web, cloud services, and private applications. SSE capabilities include access control, threat protection, data security, and security monitoring. To put that another way, SSE blends
- Zero Trust Network Access (ZTNA)
- Secure web gateway (SWG)
- Cloud access security broker (CASB)
- Firewall-as-a-service (FWaaS)
and more into a single-vendor, cloud-centric, converged service.
[boxlink link="https://www.catonetworks.com/resources/sase-vs-sd-wan-whats-beyond-security?utm_source=blog&utm_medium=top_cta&utm_campaign=sase_vs_sdwan"] SASE vs SD-WAN What’s Beyond Security | Download eBook [/boxlink]
Why Is SSE Important?
The argument of SSE is much of the same as for SASE. Legacy network security architectures were designed with the datacenter as the focal point for access needs. The cloud and shift to work-from-anywhere have inverted access requirements, putting more users, devices, and resources outside the enterprise network. Connecting and protecting those remote users and cloud resources require a wide range of security and networking capabilities. SSE offerings consolidate the security capabilities, allowing enterprises to enforce security policy with one cloud service. Like SASE, SSE will enable enterprises to reduce complexity, costs, and the number of vendors.
SSE Need To Be Cloud Services Not Just Hosted Appliances
The SSE vision brings core enterprise security technologies into a single cloud service; today’s reality will likely be very different. As we’ve seen with SASE, SSE is still in its early days, with few, if any, delivering a single, global cloud service seamlessly converging together ZTNA, SWG, RBI, CASB, and FWaaS.
And as with SASE it’s important to determine which SSE vendors are cloud-native and which are simply hosting virtual machines in the cloud. Running virtual appliances in the cloud is far different from an “as-a-service.” With cloud-hosted virtual appliances, enterprises need to think through and pay for redundancy and failover scenarios. That’s not the case with a cloud service. Costs also grow with hosted appliances in part because companies must pay for the underlying cloud resource. With a cloud service, no such costs get passed onto the user.
How Are SSE and SASE Similar?
Beyond an “A” in their names, what separates SSE from SASE? As we noted, SSE technologies form the security component of SASE, which means the security arguments for SSE are much the same as for SASE. With users and enterprise resources existing, well, everywhere, legacy datacenter-centric security architectures are inadequate. At the same time, the many security tools needed to protect the enterprise add complexity, cost, and complicate root-cause analysis.
SSE and SASE address these issues. Both are expected to converge security technologies into a single cloud service, simplifying security and reducing cost and complexity. With the primary enterprise security technologies together, security policies around resources access, data inspection, and malware inspection can be consistent for all types of access and users and at better performance than doing this separately. Both SSE and SASE should also allow enterprises to add flexible, cloud-based network security to protect users out of the office. And both are identity-driven, relying on a zero-trust model to restrict user access to permitted resources.
The most significant difference between SSE and SASE comes down to the infrastructure. With Gartner SSE, enterprises unable or unwilling to evolve their networking infrastructure have a product category describing a converged cloud security service. By contrast, SASE brings the same security benefits while converging security with networking.
SASE: Networking and SASE Better Together
But bringing networking and security together is more than a nice-to-have. It’s critical for a platform to secure office, remote users, and cloud resources without comprising the user experience.
Too often, FWaaS offerings have been hampered by poor performance. One reason for this is the limited number of PoPs running the FWaaS software, but the other issue was the underlying network. Their reliance on the global Internet, not a private backbone, to connect PoPs leaves site-to-site communications susceptible to the unpredictability and high latency of the global Internet. SSE solutions will face the same challenge If they’re to enforce site-to-site security.
Converging networking and security together also brings other operational benefits. Deployment times become much shorter as there’s only one solution to set up. Root cause analysis becomes easier as IT teams can use a single, queryable timeline to interrogate and analyze all networking and security events.
Cato is SASE
Cato pioneered the convergence of networking and security into the cloud, delivering the Cato SASE Cloud two years before Gartner defined SASE. Today, over 1,000 enterprises rely on Cato to connect their 300,000 remote users and 15,000 branches and cloud instances.
Cato SASE Cloud connects all enterprise network resources, including branch locations, the mobile workforce, and physical and cloud datacenters, into a global and secure, cloud-native network service. Cato SASE Cloud runs on a private global backbone of 65+ PoPs connected via multiple SLA-backed network providers. The backbone’s cloud-native software provides global routing optimization, self-healing capabilities, WAN optimization for maximum end-to-end throughput, and full encryption. With all WAN and Internet traffic consolidated in the cloud, Cato applies a suite of security services to protect all traffic at all times. Current security services include FWaaS, SWG, standard and next-generation anti-malware (NGAV), managed IPS-as-a-Service (IPS), and Managed Threat Detection and Response (MDR).
Deploy Cato SASE for Security, Networking, or Both – Today
Cato can be gradually deployed to replace or augment legacy network services and security point solutions:
Transform Security Only: Companies can continue with their MPLS services, connecting the Cato Socket, Cato’s edge SD-WAN device, both to the MPLS network and the Internet. All Internet traffic is sent to the Cato Cloud for inspection and policy enforcement.
Transform Networking Only: Companies replace their MPLS with the Cato SASE Cloud, a private global backbone of 65+ PoPs connected via multiple SLA-backed network providers. The PoPs software continuously monitors the providers for latency, packet loss, and jitter to determine, in real-time, the best route for every packet. Security enforcement can be done in the Cato SASE Cloud or existing edge firewall appliances.
And, of course, when ready, enterprises can migrate networking and security to the Cato SASE Cloud, enjoying the full benefits of network transformation. To learn more about Cato can help your organization on its SASE journey, contact us here.
Every year, Gartner issues its annual take on the networking industry, and this year is no different. The just-released Hype Cycle for Enterprise Networking, 2021...
Horizon for SASE Adoption Shortens, Fewer Sample Vendors Identified in SASE Category of Gartner Hype Cycle for Networking, 2021 Every year, Gartner issues its annual take on the networking industry, and this year is no different. The just-released Hype Cycle for Enterprise Networking, 2021 and Hype Cycle for Network Security, 2021 provide snapshots of which networking and security technologies are on the rise — and which aren’t.
And when it comes to secure access service edge (SASE), the two reports provide an optimistic picture. The SASE market continues to mature, as evidenced by the horizon for widespread adoption. The horizon reduced significantly this year, dropping from 5-10 years in last year’s “Hype Cycle for Enterprise Networking 2020” to just 2-5 years in this year’s report.
At Cato Networks, we’ve certainly seen that change. Today, more than 900 customers, 11,000 sites and cloud instances, and well over a quarter of a million remote users rely on Cato every day. And we’ve seen large deployments, like Sixt Rent A Car, rely on the global Cato SASE platform to connect its more than 1,000 sites.
“Over the past year, we’ve seen larger enterprises adopt SASE,” says Yishay Yovel, CMO at Cato Network. “Converging networking and security into the global Cato SASE Cloud enables these enterprises to become more efficient and agile in addressing critical business initiatives for cloud migration, widespread remote access, and business restructuring and transformation.”
[boxlink link="https://go.catonetworks.com/2021-Gartners-Hype-Cycle-for-Enterprise-Networking.html?utm_source=blog&utm_medium=upper_cta&utm_campaign=hypecycle_report"] Gartner® Hype Cycle™ for Enterprise Networking 2021 - Get the Report [/boxlink]
Cato Identified as a Sample Vendor for SASE
The reports also identify Cato as a Sample Vendor for the SASE category for the third year in a row. In addition, the number of sample vendors identified in the SASE category narrowed from 10 vendors to 6 vendors with the emergence of challenges delivering a cloud-native global SASE service.
In addition, Cato is only one of two vendors to be identified as a Sample Vendor in the SASE, ZTNA, and FWaaS categories, arguably the three most important sections for a SASE vendor. Zscaler is the second vendor, but, in our opinion, Zscaler is an SWG and lacks the NGFW enforcement and inspection of branch-to-datacenter traffic critical to enterprise deployments.
“We believe our recognition as a Sample Vendor across SASE, ZTNA, and FWaaS categories attest to Cato’s proven capabilities in delivering a complete networking and security platform for the enterprise,” says Shlomo Kramer, CEO and co-founder of Cato Networks. “Through our Cato SPACE architecture, we provide the only global, cloud-native SASE solution that can be deployed, simply and easily, by organizations of all sizes to enable optimal and secure access to anyone, anywhere, and to any application.”
To learn more about the Hype Cycle for Networking, download your copy today.
Gartner Disclaimer
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
A good portion of my day is spent speaking with the news media about Cato and the SASE market. There’s a routine to these conversations. Many will groan over an acronym that’s pronounced “sassy.” They’ll listen but often dismiss the area as “just more Gartner hype.” For many, SASE seems like...
Gartner’s Nat Smith Explains What Is and Is Not SASE A good portion of my day is spent speaking with the news media about Cato and the SASE market. There’s a routine to these conversations. Many will groan over an acronym that’s pronounced “sassy.” They’ll listen but often dismiss the area as “just more Gartner hype.” For many, SASE seems like another marketing exercise like Big Data or Cloud Computing.
And I get that. For 20+ years, I too was an IT journalist. As a feature journalist, I was lucky. I could specialize and dive deep into the nuances of technologies. News journalists aren’t so fortunate. They must move between many technology areas, making it incredibly difficult to uncover the differences between slideware and reality.
So, I understand skepticism around SASE, particularly when every little networking and security vendor claims to be a SASE company. And if every security device, virtual appliance, or managed service is SASE, what have we accomplished? Nothing.
Which is why a recent session by Nat Smith, Senior Director in the Technology and Service Provider (TSP) division of Gartner, was so interesting. Smith pierced the confusion around the SASE market, explaining what is and what is not SASE in a very plain spoken kind of way.
[boxlink link="https://catonetworks.easywebinar.live/registration-77?utm_source=blog&utm_medium=top_link&utm_campaign=gartner_webinar"] Join Our Webinar –Strategic Roadmap for SASE [/boxlink]
SASE connects people and devices to services
Smith’s explanation was very straight forward: SASE is taking the networking service and those kinds of capabilities and also the security service and those capabilities and putting them into a single offering. Some people will simplify it a little bit and say SASE is connecting people and devices to services.
His simple definition alludes to two innovations. The first is convergence, the bringing of all networking and security functionality together. For too long, enterprises have had to grapple with the complexity of managing and integrating network security appliances. The assortment of appliances dotting enterprise networks extracted a significant operational burden on IT teams. They had to patch and maintain appliances. As encrypted traffic levels grew and CPU demands soared, branch appliances had to be upgraded. Gaps were created for attackers to exploit, required significant investment to integrate solutions. Visibility grew limited as critical data was locked behind silos requiring additional management tools to overcome those issues.
Convergence solves these issues, pulling networking and network security functions into one seamless solution. Packets come into the SASE platform, get decrypted, and functions applied in a single pass before sending the packet onto its destination. Performing operations in parallel rather than moving them through a service chain of devices reduces latency and allows the SASE platform to scale more efficiently.
While Gartner documents point to a wide range of functions converged by SASE, Smith broke them down into five main areas: SD-WAN, FWaaS, SWG, CASB, and ZTNA.
In truth, security and networking convergence preceded SASE. UTMs are probably the best example, and even some SD-WAN appliances have added security capabilities (Figure 1). Which brings us to the next innovation —cloud-native services.
[caption id="attachment_17138" align="alignnone" width="1546"] Figure 1: Network security appliances are “thick,” performing all functions themselves.[/caption]
SASE: It’s not an appliance
SASE is a true cloud service. It’s not a single-tenant appliance stuck in the Cloud. It’s a multitenant platform designed as a cloud service. I think of it as the difference between O365 and Word. Microsoft, and all cloud providers, push out new features and new capabilities all the time. There’s no need to download, test, and deploy a new version worrying all the while the repercussions for my laptop. And while desktop software only works for that computer, the Cloud is available to me wherever I go, from whatever device I’m using. I don’t have to worry about running out of storage or patching software. The provider handles all of that.
SASE brings those same cloud benefits to networking and security. SASE breaks functionality into two, keeping the bare minimum at the edge while moving core functioning into the Cloud (Figure 2). There are no patches or updates to test and deploy; they just “appear” in the service. Storage and scaling are things the provider has to worry about, not IT.
[caption id="attachment_17147" align="alignnone" width="1567"] Figure 2: SASE creates a “light” appliance at the edge, providing just enough processing to move traffic into the Cloud where compute-intensive security and networking services can benefit from the scalability and elasticity of the Cloud.[/caption]
Shifting processing to the Cloud leverages the Cloud’s scalability and elasticity. Compute-intensive services, like content inspection, normally force branch appliance upgrades to accommodate traffic growth. But within the Cloud, they can run at line-rate regardless of traffic volumes. And by being in the Cloud, SASE services can be made available to users anywhere without a perceptible difference.
SASE: It’s not just in the Cloud; it is the Cloud
And this point, SASE services being made available to the user efficiently; that’s critical. Smith pointed to the below example where security processing happens in Shanghai PoP that services three locations — Shanghai, Singapore, and San Francisco (Figure 3). He posed the question, “Is this SASE or not?”
[caption id="attachment_17152" align="alignnone" width="1577"] Figure 3: SASE is not a single PoP converging networking and security services, as users located far away (in San Francisco, in this case) will not experience local performance.[/caption]
Shanghai users will experience pretty good response time. Singapore less so, but San Francisco? With a thousand kilometers to the Shanghai PoP, San Francisco users will experience significant latency as traffic is brought back to Shanghai for inspection. Users probably won’t call it that. They’ll likely talk about “the network being slow” or applications taking forever to load.” But the culprit will remain the same: the latency needed to get back to PoP for processing. A single PoP does not make SASE.
SASE is meant to give local performance to all users regardless of location. As such, Smith points out that SASE must be distributed, delivering a cloud edge service that brings security processing near the source. A global network of PoPs is needed, where PoPs are close to the company locations and mobile users using that service (see Figure 4).
[caption id="attachment_17155" align="alignnone" width="1571"] Figure 4: With SASE, security processing is distributed across a global fabric of PoPs. Users experience local performance regardless of location.[/caption]
Convergence and Cloud-Native Define SASE
SASE is the convergence of networking and security, but it’s also about moving from the edge to the Cloud. Smith sees both of those elements — convergence and cloud-native — as essential for realizing SASE’s promise.
Failure to deliver on both of those elements isn’t SASE. It’s just hype.
Nobody likes to wait for results, and that’s certainly the case when it comes to managed detection and response (MDR) services. MDR services are meant...
Update to Cato MDR Shortens Time-to-Value, Automates 70 Security Checks Nobody likes to wait for results, and that's certainly the case when it comes to managed detection and response (MDR) services. MDR services are meant to eliminate threats faster by outsourcing threat hunting to third-party specialists. But to accomplish their goal, MDR services require up to 90 days to baseline typical network operation.
Which is odd if you think about it. Malware dwell time already exceeds 200 days. Why invest in an MDR service if it'll be another three months before your organization realizes any results?
Cato has a better way. The new release of Cato MDR announced this week eliminates the startup window by tapping cross-organizational baselines developed using the Cato system. Let's take a closer look.
What's Behind the Cato MDR Service
As part of the broader Cato service, Cato MDR has deep visibility into enterprise traffic patterns. We've developed a simply massive data warehouse storing the metadata for every IP address, session, and flow crossing the Cato global backbone. We do that over time, so we can see the historical and current traffic patterns across thousands of enterprises and hundreds of thousands of remote users worldwide.
[boxlink link="https://www.catonetworks.com/resources/5-things-sase-covers-that-sd-wan-doesnt?utm_source=blog&utm_medium=upper_cta&utm_campaign=5_things_ebook"] Download eBook – 5 things SASE covers that SD-WAN doesn't [/boxlink]
This incredible data repository gives us the basis for our Cato Threat Hunting System (CTHS), a set of multidimensional machine learning algorithms and procedures developed by Cato Research Labs that continuously analyze customer traffic for the network attributes indicative of threats. More specifically, CTHS has the following capabilities:
Full Visibility, No Sensors: Cato sees all WAN and Internet traffic normally segmented by network firewalls and Network Address Translation (NAT). CTHS has full access to real-time network traffic for every IP, session, and flow initiated from any endpoint to any WAN or Internet resource. Optional SSL decryption further expands available data for threat mining. CTHS uses its deep visibility to determine the client application communicating on the network and identify unknown clients. The raw data needed for this analysis is often unavailable to security analytics platforms, such as SIEMs, and is impossible to correlate for real-time systems, such as legacy IPS.
Deep Threat Mining: Data aggregation and machine learning algorithms mine the full network context over time and across multiple enterprise networks. Threat mining identifies suspicious applications and domains using a unique "popularity" indicator modeled on access patterns observed throughout the customer base. Combining client and target contexts yields a minimal number of suspicious events for investigation.
Human Threat Verification: Cato's world-class Security Operations Center (SOC) validates the events generated by CTHS to ensure customers receive accurate notifications of live threats and affected devices. CTHS output is also used to harden Cato's prevention layers to detect and stop malicious activities on the network.
Rapid Threat Containment: For any endpoint, specific enterprise network, or the entire Cato customers base, the SOC can deploy policies to contain any exposed endpoint, both fixed and mobile, in a matter of minutes.
CTHS creates a deep, threat-hunting foundation that powers all Cato security services without requiring customers to deploy data collection infrastructure or analyze mountains of raw data. At the same time, CTHS adheres to privacy regulatory frameworks such as GDPR. With CTHS and Cato Cloud, enterprises of all sizes continue their journey to streamline and simplify network and security.
Cato MDR 2.0 Gains Automated 70-Point Checklist
Beyond faster time-to-value, Cato has also introduced automatic security assessment to the MDR service. Instantly, customers learn how their network security compares against the checks and best practices implemented by enterprises worldwide. Items inspected include proper network segmentation, firewall rules, and security controls, like IPS and anti-malware. The 70-point checklist is derived from the practices of the "best" enterprises across Cato — and avoids the biggest mistakes of the worst enterprises.
"Much of what we're highlighting in our 70-point checklist is probably common sense to any security-minded professional. But all too often, those practices have not been found in one actionable resource," says Elad Menahem, director of security at Cato Networks.
And to further enhance the support given to Cato MDR customers, we've designated security engineers for each customer. The DSEC becomes the customer's single point of contact and security advisor. The DSEC can also tweak threat hunting queries to enhance detection specific to the customer environment, such as gathering specific network information to protect specific valuable assets.
The DSEC is part of the large SOC team, sitting between the Security Analysts and the Security Research. Coupled with CTHS and Cato's unique data warehouse, Cato MDR brings the best of human intelligence and machine intelligence for the highest degree of protection.
Overall, Cato underscores yet another aspect of the value of a global, cloud-native SASE platform. To learn more about Cato MDR, visit https://www.catonetworks.com/services#managed-threat-detection-and-response.
[caption id="attachment_16724" align="alignleft" width="654"] The Cato automatic assessment identifies misconfiguration against 70 security best practices, returning a security posture score and a detailed report for easy action.[/caption]
During the third and fourth quarters of 2019, Amazon spent a total of $3B on its one-day delivery program. At issue for the retail giant...
5G: A Step Beyond the Last Mile? During the third and fourth quarters of 2019, Amazon spent a total of $3B on its one-day delivery program. At issue for the retail giant was solving the last mile, a challenge that has vexed organizations for decades. The telecom industry, which coined the last mile phrase decades ago, claims to be on the verge of solving the last mile for its customers, with the promise of 5G.
Having spent years waiting for fiber rollouts to make it to their office building, news of multigigabit connectivity without wiring is welcome indeed. As exciting as this news is for CIOs, though, the question they should be asking is whether their legacy enterprise networks can take advantage of 5G’s goodness. And the answer to that question is far from certain.
Powerful Benefits for Enterprises
A fully operational 5G is a gamechanger for enterprises. The delays and limited data transfer capacity that plague today’s connectivity will quickly become a thing of the past. Businesses will be inoculated against outages, and experience full, continuous high-speed availability.
If promises can be believed, enterprises will no longer have to wait months for fiber installations or be limited due to line availability. Rural offices, construction sites, and even offshore oil rigs won’t be limited by a carrier’s unwillingness to invest in high-cost infrastructure expenses that only serve a small number of businesses and fails to deliver a high ROI.
[boxlink link="https://www.catonetworks.com/resources/cato-sase-cloud-the-future-sase-today-and-tomorrow/?utm_source=blog&utm_medium=top_cta&utm_campaign=Cato_SASE_Cloud"] Download eBook: The Future SASE – Today and Tomorrow [/boxlink]
In addition to easier provisioning, data rates on 5G are lightning-fast. Designed to deliver peak data rates of up to 20Gbps, it is 20 times faster than 4G. For enterprises involved with the Internet of Things (IoT), 5G will be able to provide more than 100Mbps average data transmission to over a million IoT devices within a square kilometer radius.
Behaving like the Infinite Middle
The high speeds and elimination of last-mile slowdowns are what enterprises need today. 5G will address surges in capacity driven by the growing demand for video conferencing, increased data storage, and businesses operating from multiple locations. Removing last-mile bottlenecks means there is no need to step down capacity as data approaches the end user.
Multi-gig connections can carry high-speed data across the globe and down to the end-user at great speed and lower latency than current solutions. This combination opens the door to greater innovation in many areas. Automation will grow in manufacturing plants through the use of IoT-enabled connected devices. Supply chains will able to share data more efficiently, enabling smoother operation. And expect to see improvements in logistics and deliveries as commercial vehicles take advantage of smart traffic efficiencies created by 5G. Improved traffic flow, decreased journey times, and car-to-car communication will improve the business’s bottom line.
Virtual reality (VR) and augmented reality (AR) become possible, opening new opportunities, particularly for retailers. Personalized digital signage, real-time messaging, and promotions based on real-time consumer behavior become possible with 5G. Innovative tools like smart mirrors could advise consumers on fashion choices or recommend cuts of clothes based on their unique body size and shape.
AI systems will also use the increased real-time data to get even better at analyzing situations and making recommendations. They’ll be more effective, leading to increased adoption of AI technology.
5G and the elimination of last-mile slowdowns are expected to open the door to anything enterprise IT can imagine. It sounds all too perfect — and it is.
The Challenge of Eliminating Last-Mile Slowdowns
There’s no doubt that 5G has the potential to transform business. However, transformation comes with security risks that enterprises can’t afford to ignore. A growing number of entry points, a greater reliance on online data streams, and visibility issues increase an enterprises’ exposure to cyberattacks.
Early 5G adopters will also be exposed to security risks stemming from misconfigurations and security integrations between 5G and 4G networks. Deploying patchwork security solutions that weren’t designed for 5G networks will not only be ineffective as a security tool, but they may create more problems for IT teams by creating more exploitable network entry points.
And enterprises that don’t update their network architectures may find they’re unable to fully benefit from 5G’s performance. That’s because legacy networks backhaul traffic to a central security gateway for inspection and policy enforcement. The latency of that connection, not the last-mile performance, has always been the determinant factor in long-distance connections.
Defending Networks with SASE
A secure access service edge (SASE) addresses enterprise needs for a more secure, better performing 5G network. SASE distribution security inspection and policy enforcement out to points of presence (PoPs) across the globe.
By connecting to the local PoP, all users — whether in the office, on the road, or at home — are protected against network-based threats. And by avoiding traffic backhaul, SASE allows enterprises to take full advantage of 5G’s faster connections without compromising security. Partners can also easily be connected to a company’s SASE network, allowing for secure, high-performance supply chains.
5G is a transformative access technology. SASE is a transformative architectural approach. Together they allow IT to transform the way enterprises operate. To learn more about 5G and how the Cato SASE platform can help your enterprise, contact us here.
Due to the surge in remote work inspired by COVID-19, VPN infrastructure designed to support 10-20% of the workforce has failed to keep up. This...
Poor VPN Scalability Hurts Productivity and Security Due to the surge in remote work inspired by COVID-19, VPN infrastructure designed to support 10-20% of the workforce has failed to keep up. This has inspired companies to invest in scaling their VPN infrastructure, but this is not as easy as it sounds. VPNs are difficult to scale for a few different reasons, and this forces companies to make tradeoffs between network performance and security.
With growing support for remote work, having an unscalable and unsustainable secure remote access solution is not an option. So how can organizations scalably and securely support their remote workforces? We’ll answer that here.
Why VPNs scale poorly
VPNs are designed to provide privacy, not security. They lack built-in access controls and the ability to inspect traffic for malicious content. As a result, companies commonly use VPNs to backhaul remote workers’ traffic through the corporate LAN for security inspection before sending it on to its destination.
This design means that the organization’s VPN solutions, corporate network infrastructure, and perimeter-based security stack are all potential bottlenecks for a VPN-based secure remote access solution. As a result, effectively scaling VPN infrastructure requires investment in a number of areas, including:
VPN Infrastructure: As VPN utilization increases, a company’s VPN terminus needs to be able to support more parallel connections. Accomplishing this often requires deploying additional VPN infrastructure to meet current demands.
Last Mile Network Links: Network links on the corporate LAN must be capable of supporting the load caused by backhauling all network traffic for security inspection. For all traffic with destinations outside of the corporate LAN, traffic will traverse the network twice - both entering and leaving after security inspection - and network links must have the bandwidth to support this.
Security Systems: The use of VPN infrastructure to backhaul business traffic is designed to allow it to undergo security inspection and policy enforcement. Perimeter-based security solutions must have the capacity to process all traffic at line speeds.
System Redundancy: With a remote workforce, secure remote access solutions become “critical infrastructure” with high availability requirements. All systems (VPN, networking, security, etc.) must be designed with adequate redundancy and resiliency.
Acquiring, deploying, and maintaining adequate infrastructure to meet companies’ remote access needs is expensive. The limited feature set and poor scalability of VPNs contribute to a number of problems that are holding businesses back.
An unsustainable and insecure approach
The disadvantages of VPNs for businesses contribute to a number of factors that impair the usability and security of these systems, such as:
Degraded Performance: Because VPNs have no built-in security functionality, sending traffic through a standalone security stack is essential. This means that many organizations backhaul traffic through corporate LANs for inspection, which creates significant network latency.
Appliance Sprawl: The poor scalability and high availability requirements of VPN infrastructure means that organizations need to deploy multiple appliances to meet the needs of a remote workforce. This is expensive and adds complexity to the process of deploying, configuring, and maintaining these appliances.
Security Workarounds: The poor scalability of VPNs drives many organizations to make tradeoffs between network performance and security. A common example is backhauling traffic to the corporate network for security inspection, which incurs significant latency.
Network-Level Access: VPNs provide authorized users with unlimited access to the corporate network. This enables legitimate users to misuse their access and dramatically increases the risks associated with a compromised user account.
The use of enterprise VPN solutions is an unsustainable and insecure approach to implementing secure remote access. As companies plan extended or permanent support for remote work, a better solution is needed.
SASE is a scalable alternative for secure remote access
With the growth of remote work and cloud computing, companies need a secure remote access solution that is designed for the modern enterprise network. While VPNs cannot effectively scale to meet demand, the same is not true of secure access service edge (SASE).
Many of VPNs’ issues arise from two main factors: location and security. VPNs are designed to provide a secure connection to a single terminus, and they lack built-in security so that location needs to host a standalone security stack.
SASE eliminates both of these considerations. Instead of a single VPN terminus, SASE is implemented as a worldwide network of points of presence (PoPs). With so many PoPs, business traffic can enter and leave the corporate WAN at convenient locations.
SASE also incorporates a full security stack, enabling any SASE PoP to perform security inspection and policy enforcement for the traffic passing through it. This eliminates the need to deploy standalone security stacks at each terminus or backhaul to a central location for inspection, simplifying security and eliminating unnecessary latency.
This security stack includes zero trust network access (ZTNA) - also known as software-defined perimeter (SDP) - for secure remote access. Unlike VPNs, ZTNA/SDP implements zero trust security principles, providing access to resources on a case-by-case basis. This minimizes the risk posed by a compromised user account or malicious user.
These two features make SASE a much more scalable secure remote access solution than VPNs. The decentralized nature of the SASE network means that no one location needs to carry the full load of the remote workforce’s network traffic. The network also has built-in redundancy and the ability to easily scale or expand simply by deploying a new virtualized appliance at the desired location.
Cato offers secure, scalable remote access for the distributed enterprise
Modern businesses need secure remote access solutions that protect their remote workforces without compromising security. Cato Cloud makes it easy for employees to connect securely from anywhere to anywhere. To learn more about how to deploy high-performance secure remote access, download our free Work from Anywhere for Everyone eBook.
If you have questions about the benefits of SASE over VPNs or how Cato Cloud can work with your environment, feel free to contact us. Also, don’t hesitate to request a free demo to see Cato Cloud’s secure remote access capabilities for yourself.
Cracks are forming at the base of the cloud firewall. Those virtualized instances of the security perimeter vital to protecting cloud assets against unauthorized attempts...
What is a Cloud Firewall? Cracks are forming at the base of the cloud firewall. Those virtualized instances of the security perimeter vital to protecting cloud assets against unauthorized attempts to access an organization’s cloud resources have begun showing their age.
The shift to multicloud strategies and the rapid evolution of network-based threats are uncovering weaknesses in cloud firewalls. Instead, many companies are adopting Firewall-as-a-Service (FWaaS) solutions. But will FWaaS go far enough? Let’s find out.
What is a Cloud Firewall Used For?
Physical firewalls, aka firewall appliances, have been a fixture in the network stack populating datacenters and branch offices everywhere. But as enterprises shifted data and applications to the cloud, they needed to secure them as well. Deploying a physical firewall in the cloud was impractical at best and frequently impossible.
Enter cloud firewalls. These offerings bring the protective ability of firewall appliances to the cloud. Cloud firewalls run as virtual instances within the cloud provider network. As such, cloud firewalls bring several significant advantages over firewall appliances.
We’ve already discussed one; they’re easy to deploy. Cloud firewalls are also easier to scale than physical firewalls. Need more memory or compute? Just add as you would to any workload in the cloud. Cloud firewalls are also often easier to make highly available. Yes, you’ll need to configure redundant instances appropriately. But the datacenters are already equipped with redundant power sources, HVAC systems, automated backup systems, and more needed to support an HA implementation.
The Limitations of Cloud Firewalls
At the same time, cloud firewalls come with key limitations. With each cloud environment requiring its cloud firewall for protection, security becomes more complex in a multicloud strategy, which is increasingly common among enterprises. What’s more, where cloud firewall instances exist out-of-region, traffic must be backhauled, adding latency to application sessions.
And while cloud firewalls might be easier to maintain than physical appliances, they still need plenty of care. IT teams still need to configure, deploy, and manage the cloud firewall. They still need to apply patches and deploy the latest signatures to protect against zero-day threats. Finally, resource sharing among cloud firewalls becomes challenging at scale. Cloud firewalls function as virtual appliances, requiring their memory and compute. They can’t pool them easily with other cloud firewall instances.
For many IT teams, the question “What is a cloud firewall” is being replaced by “What security tool can we use instead of a cloud firewall.”
Why FWaaS is Replacing Virtual Firewalls
And the answer to that question is quickly becoming FWaaS. FWaaS offerings are independent cloud services that provide companies with their own firewall instances to manage and run. Unlike firewalls, FWaaS provide customers their own logical firewall instances running on the provider’s multitenant firewall platform.
FWaaS platforms are genuine cloud services. They’re multitenant, elastic, and highly scalable, allowing the individual firewalls to consume compute resources more efficiently than individual cloud firewalls. FWaaS providers also assume the burden of ensuring firewall performance doesn’t suffer as traffic loads grow. And since compute resources and operating costs are spread across all customers, FWaaS platforms are often more cost-effective than cloud firewalls.
In short, by using FWaaS, organizations retain the scalability, availability, and extensibility of a cloud deployment. At the same time, they enjoy the low-cost cloud option and improved line-rate network performance.
Does FWaaS Go Far Enough?
FWaaS might seem to answer the security problems facing enterprises, but what they miss is the global network. Most enterprises have at least some resources in private datacenters. Users require optimized access to those resources and the cloud. FWaaS offerings, though, rely on the unpredictable global Internet for transport. Performance to corporate datacenters is far too unpredictable and sluggish for enterprises used to the MPLS and private backbones.
FWaaS offerings also often target HTTP-based applications. Other applications based around legacy protocols may not be supported or require purchasing additional products.
Since FWaaS offerings can’t cover the complete enterprise, they must be integrated with existing networking and security tools. This creates greater operational complexity for IT and leads to fragmented network visibility, complicating the detection of the network traffic patterns indicating malware infections.
In short, FWaaS steps in the right direction but without the underlying network remains a partial solution. For most enterprises, FWaaS doesn’t go far enough.
Moving from Cloud Firewall to SASE
Secure Access Service Edge (SASE) expands on FWaaS, converging security with a global, optimized network. The Cato SASE platform, for example, includes the Cato Global Private Backbone, a global, geographically distributed, SLA-backed network of 60+ PoPs interconnected by multiple tier-1 carriers. Within those PoPs, a complete suite of security services — NGFW, IPS, URLF, anti-malware, and more — operate on all traffic. The traffic is then sent onto the Internet or across the Cato global private backbone to other edges — branch offices, datatcenters, remote users, and cloud resources — connected to Cato PoPs.
The Cato network includes built-in WAN optimization, route optimization, dynamic carrier selection, and cloud optimization to deliver far better performance than the global Internet or legacy infrastructure. During customer testing, for example, file transfer performance improved by 20x with Cato when compared against MPLS. Other customers have seen similar, if not better results, when comparing Cato against the global Internet.
The convergence of security and networking also provides Cato with unprecedented visibility into enterprise traffic flows. Using this unique insight, a team of dedicated networking and security experts seamlessly and continuously update Cato defenses. They offload the burden from enterprises of ensuring maximum service availability, optimal network performance, and the highest level of protection against emerging threats.
It’s Time to Upgrade your Cloud Firewall with SASE
Cato is the world’s first SASE platform. It enables customers to easily connect physical locations, cloud resources, and mobile users to Cato and provides IT teams with a single, self-service console to manage security services.
Learn more on our blogs, contact our team of security experts, or schedule a demo to see how SASE can protect your network environment.
Millions of people worldwide are still working remotely to support shelter-in-place requirements brought on by the pandemic. For many workers, a remote workstyle is a preference that will likely become...
Remote Access Security: The Dangers of VPN Millions of people worldwide are still working remotely to support shelter-in-place requirements brought on by the pandemic. For many workers, a remote workstyle is a preference that will likely become a more permanent arrangement. Enterprises have responded by expanding their use of VPNs to provide remote access to the masses, but is this the right choice for long-term access?
Aside from enabling easy connectivity, enterprises also must consider the security of VPNs and whether their extensive use poses risks to the organization. (Spoiler alert: they do.) Long-term use alternatives must be considered due to VPNs’ failures where remote access security is concerned. One prominent alternative is Secure Access Service Edge (SASE) platforms with embedded Zero Trust Network Access (ZTNA) that alleviate the security dangers and other disadvantages of VPN.
VPNs Put Remote Access Security at High Risk
In general, VPNs provide minimal security with traffic encryption and simple user authentication. Without inherent strong security measures, they present numerous risk areas:
VPN users have excessive permissions –
VPNs do not provide granular user access to specific resources. When working remotely via VPN, users access the network via a common pool of VPN-assigned IP addresses. This leads to users being able to “see” unauthorized resources on the network, putting them only a password away from being able to access them.
Simple authentication isn’t enough–
VPNs do provide simple user authentication, but stronger authentication of users and their devices is essential. Without extra authentication safeguards – for example, multi-factor authentication, or verification against an enterprise directory system or a RADIUS authentication server – an attacker can use stolen credentials and gain broad access to the network.
Insecure endpoints can spread malware to the network –
There is no scrutiny of the security posture of the connecting device, which could allow malware to enter the network.
The full security stack doesn’t reach users’ homes–
Enterprises have built a full stack of security solutions in their central and branch offices. This security doesn’t extend into workers’ homes. Thus, to maintain proper security, traffic must be routed through a security stack at the VPN’s terminus on the network. In addition to inefficient routing and increased network latency, this can result in having to purchase, deploy, monitor, and maintain security stacks at multiple sites to decentralize the security load.
VPN appliances are a single point of failure –
For enterprises that support a large remote workforce connecting via VPN, there is high risk of business interruption if a VPN fails or is incapacitated, such as through a DoS attack. No appliance means no access for anyone who would connect to it.
Some VPNs have known vulnerabilities –
Enterprises are responsible for monitoring for vulnerabilities and updating and patching devices as needed. Serious flaws that go unpatched can put organizations at risk. For example, in March 2020, it was reported that Iranian hackers were leveraging VPN vulnerabilities to install backdoors in corporate and government networks. The attack campaign targeted several high-profile brands of VPNs.
VPNs add to overall network complexity –
Adding one or more VPNs to the data center to manage and configure adds to the overall complexity of network management, which could ultimately lead to greater security vulnerabilities.
Network managers have limited visibility into VPN connections –
The IT department has no visibility into what is happening over these appliances. The user experience suffers when problems occur, and no one knows the root cause.
Split tunneling provides opportunity for attack –
To alleviate VPN capacity constraints, organizations sometimes utilize split tunneling. This is a network architecture configuration where traffic is directed from a VPN client to the corporate network and also through a gateway to link with the Internet. The Internet and corporate network can be accessed at the same time. This provides an opportunity for attackers on the shared public network to compromise the remote computer and use it to gain network access to the internal network.
VPNs Have Other Drawbacks
In addition to the security issues, VPNs have other drawbacks that make them unsuitable for long-term remote access connectivity. For example, an appliance has capacity to support a limited number of simultaneous users. Ordinarily this isn’t a problem when companies have 10% or less of their employees working remotely, but when a much higher percentage of workers need simultaneous and continuous access, VPN capacity can be quickly exceeded. This requires the deployment of more and/or larger appliances, driving costs and management requirements up considerably. Companies use workarounds like split tunneling to address lack of scalability, which can degrade traffic visibility and security.
A Better Long-term Solution for Secure Remote Access
VPNs are no longer the only (or best) choice for enterprise remote access. Gartner’s Market Guide for Zero Trust Network Access (ZTNA) projected that by 2023, 60% of enterprises will phase out VPN and use ZTNA instead. The main driver of ZTNA adoption is the changing shape of enterprise network perimeters. Cloud workloads, work from home, mobile, and on-premises network assets must be accounted for, and point solutions, such as VPN appliances, aren’t the right tool for the job.
The main advantage of ZTNA is its granular control over who gains and maintains network access, to which specific resources, and from which end user devices. Access is granted on a least-privilege basis according to security policies.
But Zero Trust is only one part of a remote access solution. There are performance and ongoing security issues that aren't addressed by ZTNA standalone offerings. For example, all traffic still needs to undergo security inspection before proceeding to its destination. This is where having ZTNA fully integrated into a Secure Access Service Edge (SASE) solution is most beneficial.
SASE converges ZTNA, NextGen firewall (NGFW), and other security services along with network services such as SD-WAN, WAN optimization, and bandwidth aggregation into a cloud-native platform. Enterprises that leverage a SASE networking architecture receive the benefits of ZTNA, plus a full suite of converged network and security solutions that is both simple to manage and highly scalable. The Cato SASE solution provides all this in a cloud-native platform.
Cato’s SASE solution enables remote users, through a client or clientless browser access, to access all business applications, via secure and optimized connection. The Cato Cloud, a global cloud-native service, can scale to accommodate any number of users without deploying a dedicated VPN infrastructure. Remote workers connect to the nearest Cato PoP – there are more than 60 PoPs worldwide – and their traffic is optimally routed across the Cato global private backbone to on-premises or cloud applications. Cato’s security services protect remote users against threats and enforces application access control.
In short, the Cato SASE platform makes it quick and easy to give optimized and highly secure access to any and all remote workers. For more information on how to support your remote workforce, get the free Cato eBook Work From Anywhere for Everyone.
In theory, Universal Threat Management (UTM) platforms should have long ago promoted efficiency: collapsing many security features into a single appliance. In reality, though, UTMs often became headaches in the...
What is a UTM Firewall and What Is Beyond It? In theory, Universal Threat Management (UTM) platforms should have long ago promoted efficiency: collapsing many security features into a single appliance. In reality, though, UTMs often became headaches in the making, putting IT on a vicious and costly lifecycle of appliance upgrades.
How can you take the UTM’s benefits and avoid the scalability problem? Let’s take a look to find out what’s beyond the UTM and the future of network security.
Firewalls Evolve Over the Years
Before the UTM, there was the basic firewall. It was a physical appliance installed at a location such as a datacenter or a branch office. All traffic passed through the firewall for basic inspection of security policies based on network information such as the type of protocol or the source/destination addresses.
Traditionally, port 80 of the firewall bore extra scrutiny because this is where web traffic came in. But as applications and networking evolved, firewalls needed to look beyond port 80 to make a determination whether or not a packet flow was malicious.
As the industry started to adopt applications and services that shared common TCP ports, simply looking at the source or destination address and the TCP information wasn’t sufficient to detect malicious traffic. This led to the development of next generation firewalls (NGFWs) that look into the application layer to determine whether or not a flow is malicious.
UTMs Converge Security into One Appliance
While firewalls are essential, companies need more than just a firewall in their security quiver. They also want malware inspection, intrusion detection and prevention, content filtering, and other security measures. These functions could all be separate appliances, or they could all be brought together into a single converged appliance. This new all-in-one security device is what became known as the UTM.
The concept of UTM is good—the execution, not so much. As enterprises enable more security functions and as traffic levels grow, the appliances require more processing power. Ultimately, this forces an appliance upgrade with all of the additional costs and complexity involved. Failing to do that leads to a trade-off between implementing the necessary security functions and reducing processing load to improve performance.
What’s more, placing NGFWs and UTMs in the headquarters or branch doesn’t reflect the needs of today’s business. Users operate anywhere and everywhere but they still must send all of their traffic back to these appliances for inspection, which is inefficient. The same can be said on the application side. With more users accessing resources in the cloud, first sending traffic back to a private datacenter for security inspection by the NGFW makes little sense and can damage the usability of SaaS applications.
The Future of Enterprise Security is in the Cloud
There is a new and revolutionary way of delivering NGFW and other network security capabilities as a cloud service. Firewall-as-a-Service (FWaaS) truly eliminates the appliance form factor, making a full stack of network security (URL Filtering, IPS, AM, NG-AM, Analytics, MDR) available everywhere. A single, logical global firewall with a unified application-aware security policy connects the entire enterprise — all sites, remote users, and cloud resources. Gartner has highlighted FWaaS as an emerging infrastructure protection technology with a high impact benefit rating.
FWAS is an integral component of a Secure Access Service Edge (SASE) networking platform. SASE converges the functions of network and security point solutions into a unified, global cloud-native service.
Cato Has a Full Security Stack in Every PoP
Cato’s cloud-native SASE architecture converges SD-WAN, a global private backbone, a full network security stack, and seamless support for cloud resources and mobile devices. Customers easily connect physical locations, cloud resources, and mobile and remote users to Cato Cloud.
Cato uses a full enterprise-grade network security stack natively built into the Cato SASE Cloud to inspect all WAN and Internet traffic. Security layers include an application-aware FWaaS, secure web gateway with URL filtering (SWG), standard and next-generation anti-malware (NGAV), and a managed IPS-as-a-Service (IPS). Cato can further secure your network with a comprehensive Managed Threat Detection and Response (MDR) service to detect compromised endpoints. Zero Trust Network Access (ZTNA) is an integral part of the platform, tying security access policy back to user identity in and out of the office.
All security layers scale to decrypt and inspect all customer traffic without the need for sizing, patching, or upgrading of appliances and other point solutions. Security policies and events are managed centrally using the self-service Cato Management Application.
The Cato SASE platform spans more than 60 global Points of Presence (PoPs) located in nearly every region of the world. Each PoP has a full security stack, ensuring that security is conveniently applied to all traffic at the PoP before going to its final destination.
The future of security is in the cloud, and it goes well beyond UTM. Cato’s SASE platform delivers that future now.
Related content: Read our guide What Is a Network Firewall?
If you’re looking for more incisive perspective on the trend towards merging WAN and security in the cloud, check out Forrester’s January 21 report, Introducing...
New Forrester Report: Merging Network and Security in the Age of Covid If you’re looking for more incisive perspective on the trend towards merging WAN and security in the cloud, check out Forrester’s January 21 report, Introducing the Zero Trust Model for Security and Network Services by analysts David Holmes and Andre Kindness.
Even if you’ve already digested Gartner’s SASE reports (and our numerous blogs), this one is worth a read. Forrester analysts tackle the impact of the post Covid-19 enterprise where some 50 percent of employees are expected to work from home. The report also includes some keen insights on a new network and security model for the Internet of Things (IoT), in addition to mobile and cloud computing.
Forrester has coined its own acronym for the future of the enterprise, the Zero Trust Edge (ZTE). The opener doesn’t pull any punches, stating that enterprise need to “Merge Security and Networking or Sunset Your Business.” The report goes on to outline the challenges on the way to ZTE.
According to Forrester, the Zero Trust Edge model aspires to be a cloud- or edge-hosted full security stack and network solution. Says Forrester, “A Zero Trust edge solution securely connects and transports traffic, using Zero Trust access principles, in and out of remote sites leveraging mostly cloud-based security and networking services.” ZTE solutions must merge all those disparate security appliances and functions formerly in data centers and branch offices into the cloud where configurations can be altered, added, and deleted based on a single configuration management solution and benefit from cloud-based monitoring and analysis. A single security and network solution reduces both configuration errors and operating inefficiencies compared to multiple on-premises security appliances.
Cato is mentioned prominently as the only example in the report of a cloud-delivered ZTE service. The report notes that the Cato approach “offers all the value that organizations can get from software-as-a-service solutions,” and will “fit the needs of many organizations.” It helps that Cato not only brings its unique network and security solution to branch offices, cloud services, IoT, and datacenters but to mobile and home users as well, as Forrester predicts that securing remote workers is the most compelling initial use case for ZTE.
Download a free copy of the new Forrester report here.
Earlier this week, Cato announced that the 600th graduate has completed the SASE Expert certification program. Business and technical professionals from around the world have...
Cato Offers a Free Certification Program to Help Customers and Channel Partners Learn the Fundamentals of SASE Earlier this week, Cato announced that the 600th graduate has completed the SASE Expert certification program. Business and technical professionals from around the world have sought out high-quality education to attain a baseline level of knowledge of this new approach to networking and security…and for good reason.
Since SASE's introduction, Gartner has cautioned about the misinformation surrounding the architecture. As Gartner noted in its Hype Cycle for Network Security, 2020 report: "There will be a great deal of slideware and marketecture, especially from incumbents that are ill-prepared for the cloud-based delivery as a service model and the investments required for distributed PoPs. This is a case where software architecture and implementation matters."
As more vendors announce their service offerings in the SASE arena, enterprise IT professionals and channel partners have grown confused over what constitutes a true SASE platform and how it compares to legacy technologies. Some traditional network vendors have added a security element to their hardware appliances, put them in the cloud, and call it “SASE”—but is it really SASE?
Answering those questions isn’t merely an academic exercise. Understanding if the product fulfills the vision of SASE goes a long way to understanding if the product brings the benefits of SASE.
SASE eliminates the legacy appliances that have made IT so complex. Instead, SASE converges networking and security processing into a global cloud-native platform. As cloud services, SASE architectures are easier to operate, save money, reduce risk, and improve IT agility.
Cato Certification Addresses Market Confusion, Advances Professionals’ Knowledge of SASE
The certification course content explores those architectural differences and provides enterprises and channel partners with a solid basis for understanding the SASE revolution. Curriculum highlights include:
A detailed explanation of why enterprises need SASE today
A close look at how Gartner explains the SASE architecture
How SASE compares with legacy technologies
Benefits and drawbacks of SASE for channel partners and enterprises
What constitutes a true SASE platform
Cato's certification program is for IT leaders of all levels. Recent graduates include enterprise network engineers, C-level executives, and channel partners looking to grasp SASE fundamentals. Participants learn sufficient baseline information to understand the advantages and rationale for SASE for their own company or their clients.
The certification is available online for free. Participants take the courses at their own pace from anywhere in the world. To learn more about the SASE Expert certification program, visit https://www.catonetworks.com/sase/sase-expert-level-1/
The global pandemic spurred a massive work-from-home (WFH) wave quite literally overnight. Hundreds of millions of people worldwide were told to stay home to stay...
Remote Access Network Architecture and Security Considerations The global pandemic spurred a massive work-from-home (WFH) wave quite literally overnight. Hundreds of millions of people worldwide were told to stay home to stay safe, but they needed to keep working as best as possible. Enterprises responded to this sudden need for extensive remote network access by focusing on getting people connected—but connectivity often came at the expense of security.
As WFH (or telework) becomes a long-term model for many organizations, it’s time to rethink the remote access network architecture with security as a priority, not just a “nice to have” consideration. Zero Trust Network Access (ZTNA) must be part of the long-term solution, and Secure Access Service Edge (SASE) can deliver ZTNA with ease.
Long-term Telework Is Becoming the Norm
The pandemic forced people out of their office and onto the dining room table with barely any notice to the IT teams who had to enable and support remote access. The immediate priority was to give people access to their work environment by any means available so they could maintain productivity. VPNs were the connectivity solution of choice for most harried IT teams.
A year into the pandemic, many workers are still connecting to corporate resources from remote locations. What’s more, several large organizations have announced that WFH will be a permanent option for employees at least some of the time. Capital One, Facebook, Amazon, Gartner, Mastercard, Microsoft, Salesforce, PayPal, Siemens—these are just some of the companies that have adopted long-term remote work as the norm.
VPNs are Giving Way to Zero Trust Security
While VPNs provide traffic encryption and user authentication, they still present a security risk because they grant access to the entire network without the option of controlling granular user access to specific resources. There is no scrutiny of the security posture of the connecting device, which could allow malware to enter the network. To maintain proper security, traffic must be routed through a security stack at the VPN’s terminus on the network. In addition to inefficient routing and increased network latency, this can result in having to purchase, deploy, monitor, and maintain security stacks at multiple sites to decentralize the security load. Simply put, VPNs are a challenge – an expensive one at that – when it comes to remote access security.
Enterprises are turning to a much more secure user access model known as Zero Trust Network Access (ZTNA). The premise of ZTNA is simple: deny everyone and everything access to a resource unless it is explicitly allowed. This approach enables tighter overall network security and micro-segmentation that can limit lateral movement in the event a breach occurs.
The main advantage of ZTNA is its granular control over who gains and maintains network access, to which specific resources, and from which end user devices. Access is granted on a least-privilege basis according to security policies.
But Zero Trust is only one part of a remote access solution. There are performance and ongoing security issues that aren't addressed by ZTNA standalone offerings. For example, all traffic still needs to undergo security inspection en route to its destination. This is where having ZTNA fully integrated into a SASE solution is most beneficial.
SASE is a Secure Remote Access Solution Designed for the Modern Enterprise
SASE converges Zero Trust Network Access, NextGen firewall (NGFW), and other security services along with network services such as SD-WAN, WAN optimization, and bandwidth aggregation into a cloud-native platform. Enterprises that leverage a SASE networking architecture receive the benefits of ZTNA, plus a full suite of converged network and security solutions that is both simple to manage and highly-scalable. The Cato SASE solution provides all this in a cloud-native platform.
A key component of the Cato SASE platform is a series of more than 50 global Points of Presence (PoPs) located in virtually every region of the world. These PoPs house integrated security stacks comprised of Next-generation firewalls, secure web gateways, anti-malware, intrusion prevention systems, and of course, the ZTNA technologies.
The PoPs are where all traffic from an organization’s corporate offices, branch offices, and remote and mobile users connect to their network. Thus, security is conveniently applied to all traffic at the PoP before going to its final destination—whether it’s to another branch, remote user, SaaS application, cloud platform, or the Internet.
The PoPs themselves are interconnected by a private, high performance network. This network utilizes routing algorithms that factor in latency, packet loss, and jitter to get traffic to and from its destination optimally, favoring performance over the cost of transmission. To further enhance security, the connections between PoPs are completely encrypted.
Cato’s SASE Platform Simplifies Secure Remote Access for WFH
What does this mean for the remote access worker? The Cato SASE platform makes it very quick and easy to give optimized and highly secure access to any and all workers. For users in the office, access can be limited only to designated resources, complying with zero-trust principles.
For remote and mobile users, Cato provides the flexibility to choose how best to securely connect them to resources and applications. Cato Client is a lightweight application that can be set up in minutes and which automatically connects the remote user to the Cato SASE Cloud. Clientless access allows optimized and secure access to select applications through a browser. Users simply navigate to an application portal, which is globally available from all of Cato’s 60+ PoPs, authenticates with the configured SSO, and are instantly presented with a portal of their approved applications. Both client-based and clientless approaches also use comply ZTNA to secure access to specific network resources.
A zero-trust approach is essential for a secure remote workforce, and Cato’s solution allows an easy and effective implementation of ZTNA.
For more information on how to secure your remote workforce, get the free Cato eBook Work From Anywhere for Everyone.
Attack surface – noun: The attack surface of an enterprise network environment is the sum of the different points (the attack vectors) where an unauthorized...
Network Security Solutions to Support Remote Workers and Digital Transformation Attack surface – noun: The attack surface of an enterprise network environment is the sum of the different points (the attack vectors) where an unauthorized user can try to enter the network to execute a malicious intent, such as stealing data or disrupting operations.
A basic security measure is to keep the attack surface as small as possible. That’s a tall order as organizations undertake the simultaneous processes of digital transformation and network evolution. In addition to legacy data centers, enterprises now have extensive assets in the cloud as well as in branch and remote offices and, increasingly, in workers’ own homes. Such expansions have grown the attack surface exponentially.
The way to shrink it back to a manageable size is with effective network security solutions, which in their own right require an evolution from legacy security appliances to a secure access service edge (SASE) architecture. By converging networking and security in the cloud, SASE provides enterprises with the means to monitor all traffic in real-time and apply strong defense mechanisms at every point of the attack surface, thus minimizing an attacker’s ability to succeed in his nefarious mission.
SASE Solutions Converge Network and Security While Working with Legacy Architectures
Digital transformation is high on every executive’s to-do list, and it’s founded on the principles of innovation, business agility, and speed of delivery of products and services. For most organizations, the cloud is a critical piece of their transformation. This has necessitated a rethink of the WAN architecture. The legacy hub-and-spoke architecture is pure kryptonite to cloud application performance. This has led enterprises to adopt SD-WAN technology, which enables them to eschew bringing all traffic back to a central data center and route traffic directly to branches or the cloud, as needed. Direct Internet access (DIA) is enabled as well.
While SD-WAN can enhance application performance through traffic prioritization and steering, it fails to satisfy enterprise needs for strong security. What’s more, since SD-WAN appliances sit atop the underlying network infrastructure, the need for a high-performance and reliable network backbone is left unaddressed as well. Organizations require a WAN that is capable of optimizing traffic flow between any two points – not just to/from the enterprise LAN – without compromising security.
The Cato Cloud, the world’s first SASE platform, enables an organization to achieve this. Cato converges SD-WAN, a global private backbone, a full network security stack, and seamless support for cloud resources and remote workers and their mobile devices. It is an architectural transformation that will working with existing legacy technologies also allows enterprise IT teams to advance networking and security to provide a holistic, agile, and adaptable service for the entire digital business.
The Cato SASE solution is built on a cloud-native and cloud-based architecture that is distributed globally across 60+ Points of Presence (PoPs). All of the PoPs are interconnected with each other in a full mesh by multiple tier-1 carriers with SLAs on loss and latency, forming a high-performance private core network called the Cato Cloud. The global network connects and secures all edges—all locations, all users regardless of where they are, all clouds, and all applications.
The PoPs also are where security is deployed, making it available to all traffic entering the Cato Cloud network. This is far more practical and cost effective than deploying security appliances at the various branch and home office locations.
Native Security is a Core Component of the Cato Cloud
Security has never been an add-on feature for Cato; rather, it’s a core component that has been built-in from the ground up. The networking component and the security component are part of the same code base. As traffic passes through the network, it is evaluated simultaneously for security issues and network routing—and then it is routed over Cato’s private backbone.
Having network and security all on one platform, in a single-pass solution, has the advantage of deep visibility at wire-speed even if the traffic is encrypted. The security inspection tools see everything on the network, not just logs. This provides deep and broad context – in Cato’s case, the context of all customers, not just one – to understand everything that is happening on the network and catch threats earlier in the kill chain. And it’s all delivered as a service, so that customers don’t need to maintain anything.
Among the full stack of security detection tools provided by Cato are:
Next Generation Firewall (NGFW)
The Cato NGFW inspects both WAN and Internet traffic. It can enforce granular rules based on network entities, time restrictions, and type of traffic. The Deep Packet Inspection (DPI) engine classifies the relevant context, such as application or services, as early as the first packet and without having to decrypt the payload. Cato provides a full list of signatures and parsers to identify common applications. In addition, custom application definitions identify account-specific applications by port, IP address or domain.
Secure Web Gateway (SWG)
The SWG provides granular control over Internet-bound traffic, enabling enforcement of corporate policies and preventing downloads of unwanted or malicious software. There are predefined policies for dozens of different URL categories and support custom rules, enhancing the granularity of web access control. The SWG is easily managed through Cato’s management portal and covered by a full audit trail.
Next Generation Anti-Malware (NGAV)
Cato’s Malware Detection and Prevention leverages multi-layered and tightly-integrated anti-malware engines. First, a signature and heuristics-based inspection engine, which is kept up-to-date at all times based on global threat intelligence databases, scans files in transit to ensure effective protection against known malware. Second, Cato has partnered with SentinalOne to leverage machine learning and artificial intelligence to identify and block unknown malware. Unknown malware can come as either zero-day attacks or, more frequently, as polymorphic variants of known threats that are designed to evade signature-based inspection engines. With both signature and machine learning-based protections, customer data remains private and confidential, as Cato does not share anything with cloud-based repositories.
Intrusion Prevention System (IPS)
Cato delivers a fully managed and adaptive cloud-based IPS service. Cato Research Labs updates, tunes and maintains context-aware heuristics, both those developed in house (based on big-data collection and analysis of customers’ traffic) and those originating from external security feeds. This dramatically reduces the risk of false positives compared to other IPSs that lack an experienced SOC behind them. Cato Cloud scales to support the compute requirements of IPS rules, so customers don’t have to balance protection and performance to avoid unplanned upgrades as processing load exceeds available capacity.
Software Defined Perimeter (SDP)
Also known as Zero Trust Network Access, or ZTNA, a cloud-native software defined perimeter delivers secure remote access as an integral part of a company’s global network and security infrastructure. A global, cloud-scale platform supports any number of remote users within their geographical regions. Performance improves with end-to-end optimized access to any application using a global private backbone. Risk is minimized before and after users access the network through strong authentication and continuous traffic inspection for threat prevention. Cloud-native SDP makes mobile access easy — easy to deploy, easy to use, and easy to secure.
All the tools listed above are essential to enterprise security.
Cato also has a service offering of Managed Threat Detection and Response (MDR). Cato’s MDR enables enterprises to offload the resource-intensive and skill-dependent process of detecting compromised endpoints to the Cato SOC team. Cato automatically collects and analyzes all network flows, verifies suspicious activity, and notifies customers of compromised endpoints. This is the power of networking and security convergence to simplify network protection for enterprises of all sizes.
Full Network Security Couldn’t Be Easier
All of these network security solutions are delivered as a service, from the cloud, so there is never anything for the customer to install, update or maintain. The software and all its capabilities are fully integrated and always up to date. It is the best approach to keeping the attack surface of an enterprise network as small as possible, all while fully supporting an organization’s digital transformation needs.
For more information, contact Cato and ask for a demo today.
February 23, 2021
5m read
Today, Cato reported its 2020 financial results. On the surface, the results might seem to simply mark the strong financial growth that’s come to define...
February 23, 2021
5m read
Why Large Enterprises Moved to Cato in 2020 Today, Cato reported its 2020 financial results. On the surface, the results might seem to simply mark the strong financial growth that’s come to define Cato: over 200 percent bookings growth for the fourth consecutive year, a more than $1B valuation, and an additional $130 million funding round.
But just as significant as the financial facts and figures were the causes propelling that growth. Cato saw significant increases in customer scale and complexity. Multiple, 1000+ site deployments and several Fortune 500 and Global 200 enterprises abandoned telco- and MSP-managed networks for Cato’s cloud-native service.
All of which begs the question, what drove larger enterprises to Cato in 2020?
Platform Agility Allows Large Enterprises to Address Many Challenges, Easily
Large enterprises — and enterprises of all sizes — come to Cato for many reasons. In some cases, they come looking for MPLS migration to SD-WAN or Secure Branch Internet Access, in other cases it’s for Cloud Acceleration and Control and Remote Access Security and Optimization. But regardless of why they came to Cato, the overwhelming majority of Cato customers end up using Cato for networking and security. They may replace MPLS with Cato’s affordable backbone but they also use Cato to secure the branch. They come to Cato for SD-WAN but they also connect and secure branch offices and mobile users.
This ability to address a wide range of networking and security use cases with a single, coherent platform has long drawn midsize enterprises but in 2020 has shown to be equally attractive to large deployments. And why not? Simplifying the network leads to cost savings, greater agility, better uptime, reduced attacked surface that attackers can exploit and more. Every IT leader wants those benefits.
During 2020, one Fortune 500 grocery chain came to Cato to replace MPLS connecting its 500+ stores. Today, the company also relies on Cato to protect users with Cato IPS and NextGen anti-malware security services, while leveraging Cato’s Hands-Free Management service for easy administration.
Similarly, avoiding MPLS costs motivated a major car rental company to shift to Cato. The company connected 1,000+ locations across Cato’s global private backbone and protected them with Cato security services.
A leading construction company had 1200+ locations connected by legacy networking services. It replaced those services with Cato while also securing all sites with Cato IPS, NextGen Anti-Malware, and relying on Cato’s Hands-Free Management service for easy administration.
To be clear, enterprises don’t have to use Cato security services. Companies typically migrate gracefully to Cato, often deploying Cato alongside legacy technologies. But it’s this technical agility, the ability to easily and cost-effectively meet a broad range of requirements that allows large enterprises to meet the scope of their challenges.
Service Agility Allows Cato To Accommodate Enterprise Needs
The second part of agility is in the service. With Cato having written the code for its SASE platform, features can be introduced far faster than if the service had been dependent on third-party appliances.
When a global automotive parts manufacturer with 40,000 employees had that rare opportunity to start from a clean slate and build a modern network from scratch, the enterprise rigorously evaluated many networking and security architectures, eventually choosing Cato to connect and secure its 76 locations and 15,000 remote users.
Part of why they selected Cato was the agility to meet their unique requirements. “I don’t know of another company I have worked with, in a very long time that can make the changes you have as quickly as you have,” remarked the network engineer at the enterprise.
Partners had a similar reaction. Last fall, Cato announced the Cato Cloud API for automating provisioning and monitoring from SIEMs and other third-party platforms. The team at CDW, an early adopter of the Cato Cloud API, was also impressed by Cato’s agility. “What struck us most was how fast Cato was able to produce the API. There wasn't even any back-and-forth. It was usable as soon as we got it,” says Mark Hurley, Product Manager of Enterprise Networking Services Research and Design at CDW. During 2020, Cato saw channel-led customer bookings grow by 240%.
Overall, Cato added 136 new features and 2725 enhancements in 2020. Along with Cato Cloud API, other new capabilities included support for:
2 Gbps secure tunnels, exceeding all competing SASE offerings for locations and end-users.
Remote user connectivity without end-point software using Clientless Remote Access extending Cato’s SDP offering.
Near perfect threat detection by eliminating IPS false positives using Cato’s new built-to-purpose reputation assessment system that combines threat intelligence feeds and real-time network information.
During 2020, Cato expanded Cato’s geographic footprint, adding eight new points of presence (PoPs). With more than 60 PoPs worldwide, Cato can connect enterprises offices, remote/mobile users, and cloud resources whether they’re located near Casablanca, Morrocco; Dubai, UAE; Lima, Peru or near dozens of other locations.
Cato SASE Platform: The Agile Solution for Today’s Digital Enterprise
It’s this combination — an agile technology platform with an agile service culture — that’s so appealing to so many of our customers. It gives them the confidence that they’ll be able to address the challenges of today and be prepared for those of tomorrow. Large enterprises might have “discovered” Cato in 2020 but wait till you see what’s in store for 2021.
To find out more about SASE adoption in your enterprise with Cato, contact us here.
For several years now, the network evolution spotlight has been on SD-WAN, and rightfully so. SD-WAN provides big advancements in connecting branch locations into central...
SASE vs. SD-WAN: Achieving Cloud-Native WAN Security For several years now, the network evolution spotlight has been on SD-WAN, and rightfully so. SD-WAN provides big advancements in connecting branch locations into central data centers in a cost-effective manner. It is the networking equivalent of a killer application that allows companies to use a variety of transport mechanisms besides MPLS and to steer traffic according to business priorities.
Now the spotlight is shifting to the next evolution of networking: the secure access service edge (SASE). Like SD-WAN, SASE is a technology designed to connect geographically dispersed branches and other endpoints to an enterprise’s data and application resources. While there is some overlap in what the two technologies offer – in fact, SD-WAN is a component of SASE – there are significant differences in capabilities, not the least of which is network security. If SD-WAN gained traction for its flexible connectivity options, then SASE will be defined by its ability to seamlessly deliver full security to every edge on the network.
Enterprises Need a Distributed Network Architecture
Every enterprise, regardless of industry or geography, has a need for secure, high-performance, and reliable networking. In a bygone era, a hub-and-spoke networking architecture centered around an on-premise data center would have met that need—but not so today. A distributed network architecture is critical to support the increasing use of cloud platforms, SaaS applications, and especially remote and mobile workers.
This last requirement is ever more important in a world still experiencing a global pandemic. And even as we eventually move to a post-Covid-19 era, there will be a significant need to support people who continue to work from home, either permanently or occasionally, as well as those who return to the office.
SD-WAN Is a Step in the Right Direction
SD-WAN is a software-based approach to building and managing networks that connect geographically dispersed offices. It uses a virtualized network overlay to connect and remotely manage branch offices, typically connecting them back to a central private network, though it also can connect users directly to the cloud. SD-WAN provides optimal traffic routing over multiple transport media, including MPLS, broadband Ethernet, 4G LTE, DSL, or a combination thereof. However, SD-WAN appliances sit atop the underlying network infrastructure. This means the need for a reliable, well performing network backbone is left unaddressed by SD-WAN appliances alone.
In general, SD-WAN appliances are not security appliances. For example, to achieve the functionality of a Next-Generation Firewall (NGFW), you need to add a discrete appliance at the network edge. This only leads to complexity and higher costs as more security services are added as discrete appliances or virtual functions. Another option is known as Secure SD-WAN, a solution which integrates a full security stack into an SD-WAN appliance. In this case, the solution’s effectiveness is limited by the deployment locations of the SD-WAN appliances, which are typically installed at each branch. Security is only applied for the traffic at the branch. What’s more, in deployments covering multiple branches, each appliance needs to be maintained separately, which provides the potential for out-of-sync policies and out-of-date software.
Another shortcoming of SD-WAN is that by design, networking appliances are built for site-to-site connectivity. Securely connecting work-from-home or mobile users is left unaddressed by SD-WAN appliances. While SD-WAN delivers some important benefits, networking appliances alone are not a holistic solution. That’s where SASE comes in.
SASE Is the Future of Secure Enterprise Networking
SASE takes all the capabilities of Secure SD-WAN and moves them to a cloud-based solution, which effectively eliminates geographic limitations. But more than that, the SASE approach converges SD-WAN, a global private backbone, a full network security stack, and seamless support for cloud resources and mobile devices. It is an architectural transformation of enterprise networking and security that enables IT to provide a holistic, agile, and adaptable service to the digital business.
The Cato SASE solution is built on a cloud-native and cloud-based architecture that is distributed globally across 60+ Points of Presence (PoPs). All the PoPs are interconnected with each other in a full mesh by multiple tier-1 carriers with SLAs on loss and latency, forming a high-performance private core network called the Cato Cloud. The global network connects and secures all edges—all locations, all users regardless of where they are, all clouds, and all applications.
Cato uses a full enterprise-grade network security stack natively built into the Cato Cloud to inspect all WAN and Internet traffic. Security layers include application-aware next-generation firewall-as-a-Service (FWaaS), secure web gateway with URL filtering (SWG), standard and next-generation anti-malware (NGAV), and managed IPS-as-a-Service (IPS). Cato can further secure a customer’s network with a comprehensive Managed Threat Detection and Response (MDR) service to detect compromised endpoints. All security layers scale to decrypt and inspect all customer traffic without the need for sizing, patching, or upgrading of appliances and other point solutions. And because Cato runs a distributed, cloud-native architecture, all security functions are performed locally at every PoP, eliminating the latency legacy networks introduced by backhauling traffic for security inspection.
Importantly, in this age of work-from-home, Cato’s SASE solution easily supports mobile and remote users. Giving end users remote access is as simple as installing a client agent on the user’s device, or by providing clientless access to specific applications via a secure browser. All security and network optimization policies that applied to users in the office instantly apply to them as remote users. Moreover, the platform can scale quickly to any number of remote users without worry.
For SASE, It Has to Be Cloud-Native Security
It wasn’t long ago that networking and enterprise security were different disciplines. Silos, if you will. But today, with users working everywhere, security and networking must always go together. The only way to protect users everywhere at scale without compromising performance is the cloud. Converging security and networking together into a genuine cloud service with a single-pass, cloud-native architecture is the only way to deliver high performance security and networking everywhere. That’s the power of SASE.
For more information, contact us or ask for a demo. Get the free e-book Secure Access Service Edge for Dummies.
Last week, we announced the results of our fifth annual IT survey, The Future of Enterprise Networking and Security: Are You Ready for the Next...
Why Remote Workforce and Legacy Security Architectures Don’t Mix Last week, we announced the results of our fifth annual IT survey, The Future of Enterprise Networking and Security: Are You Ready for the Next Leap. It was a massive undertaking that saw 2,376 participants from across the globe provide detailed insights into how their organizations responded to the COVID-19 crisis, their plans for next year, and what they think about secure access service edge (SASE).
When the dust settled and the results tallied, we found an optimistic group of IT leaders, confident in their networks but concerned about securing and managing their remote workforce.
Make no mistake about it, work-from-home (WFH) and the remote workforce aren’t going away any time soon. Only 7%of respondents indicated that everyone will move back to the office. More than half (80%) indicated their companies will continue with a remote workforce in whole or in part.
With users working remotely, IT organizations still need the same level of security controls and visibility. But delivering those capabilities can’t be done by compromising application performance. And that’s a problem for legacy security architectures as they add latency, crippling application performance, and lack the optimization techniques for improving the remote experience.
It’s no surprise then that boosting remote access performance was the most popular primary focus for IT leaders over the next 12 months (47% of respondents). At the same time, when asked to cite the primary security challenges facing their IT organizations, 58% of respondents pointed to “enforcing corporate security policies on remote users” making it second to only “Defending against emerging threats like malware/ransomware” (66% of respondents).
But the problems of securing the remote workforce don’t stand on their own. They’re compounded by all of the legacy security challenges facing IT teams. More than half (57% of respondents) indicated that they lacked sufficient time and resources to implement security best practices. And those best practices can be as mundane as patching software and systems shortly after vendors release patches (32% of respondents).
Astounding. In the 21st century with networks that have seen throughput jump ten thousand-fold over the past 30 years and we still have patching problems?
IT managers shouldn’t blame themselves, though. It’s clear where the problem lies — in the architecture. As Cato security engineer, Peter Lee, noted in this blog when documenting the vulnerability and subsequent patches issued for VPN servers:
“Patching has become so common that we just assume that’s the way it has to be. “Patch Tuesday” has us expecting fixes to problems every week. In reality, patching is an artifact of the way all appliances are built. If we eliminate the appliance architecture, we can eliminate the overhead and risk of patches.”
Eliminating appliances will not only eliminate patching problems, it will also eliminate the performance and visibility challenges introduced by legacy security architectures. Of course, this assumes enterprises can replace legacy security architectures with an approach that will:
Simplify today’s security stack
Eliminate the patching headaches
Deliver secure access everywhere, at scale, without compromising performance
Give visibility and control into all traffics flows
What architecture will do that? According to respondents — SASE.
More than 91% of respondents expect SASE to simplify management and security. Of those who’ve already adopted SASE, 86% of respondents experienced increased security, 70% indicated time savings in management and maintenance, 55% indicated overall cost saving and greater agility, 36% saw fewer complaints from remote users, and 36% realized all these benefits. No wonder that more than half of the respondents indicated that SASE would be very or extremely important to their business post COVID-19.
Isn’t it time you considered SASE? To learn more about Cato’s SASE platform, contact us here.
As enterprises set out to modernize their networks, SD-WAN has become a key networking technology for connecting offices. But with COVID-19, users transitioned to work...
SD-WAN or SASE: The Power is in the Platform As enterprises set out to modernize their networks, SD-WAN has become a key networking technology for connecting offices. But with COVID-19, users transitioned to work at home, not in the office.
What’s the alternative? Buy more VPN servers? That’s short-term thinking, and only effective until enterprises need to change again, and users move back to the office. Then IT’s left with an infrastructure investment sitting underutilized.
No, to support the new requirements of the post-pandemic era, enterprises need a new strategy, one that addresses the needs of an uncertain working environment.
A Platform Rather than a Product
The biggest challenge for this new strategy is that it’s not clear as to what those needs will be. Yes, we need to have large scale, high performance remote access today but that was a problem for IT back in January and March. What are tomorrow’s challenges? That’s harder to foresee. And since you don’t yet know what problems will arise, you can’t possibly buy a product to prepare for tomorrow – unless, of course, you’re prepared to gamble with your budget.
What you can do, though, is put in place a solution that has ALL the capabilities you’ll need but only activate those needed today. When new work conditions present themselves, the right platform can adapt quickly. Such a platform should be agnostic of the last-mile technologies. It should be lean enough to run anywhere on any device, connecting any kind of location – a branch, datacenter, or cloud resource. And it should have the geographical footprint, security capabilities, and optimization technologies to securely connect users across the globe without comprising the user experience.
A decade ago, such a comprehensive, global platform wasn’t possible. Today, though, the necessary networking and security technologies have matured to the point that they can be converged together. The Internet is everywhere. Processing resources are ubiquitous in the cloud. And 90 percent of the capabilities of routers, firewalls, and now, SD-WAN are common across vendors. The real value then comes not in any one product but in the convergence of those capabilities together.
Yes, SD-WAN is one of the capabilities in such a platform, but SD-WAN alone is not the answer. SD-WAN appliances are products aimed at addressing a very particular problem – the limitations of MPLS and legacy networks. They won’t connect your mobile users or solve your long-term remote access challenges because SD-WAN solutions are built for the branch. They also don’t secure users or sites against malware. SD-WAN solutions also fail to provide the backbone for predictable, global performance. To address these and other gaps, you’ll need yet more hardware or software limiting IT agility, fragmenting visibility, and increasing costs.
Comprehensive Visibility and Management Remain Critical
As we tackle new challenges with point solutions, we risk creating greater management problems for ourselves. Add a new security solution – new type of firewall, a SWG, or IPS – and you have yet another product to manage and maintain. Your visibility into the network becomes fragmented if you have one console for SD-WAN and another for the firewall, or global backbone provider. And once your view is fragmented, troubleshooting becomes dramatically more complex.
Having all technologies in one platform allows for a single-pane-of-glass. IT managers can see networking and security events in one interface for all users – at home or in the office – accessing any resource – in the cloud or in a private datacenter. Such holistic insight improves all facets of network and security operations from planning to provisioning new resources to troubleshooting.
And management delivery should be flexible enough to meet enterprise requirements. With self-service, enterprises configure and troubleshoot the networks themselves, doing in seconds what otherwise required hours or days with legacy telcos. For additional assistance, co-management should be available allowing customers to rely on ongoing support from the provider or its partners without relinquishing control for overall management. Fully managed offloads responsibility for moves, adds, and changes onto provider.
Support Well, Run Fast
A company’s network is critical infrastructure. It is the lifeblood of the organization’s communications and, quite often, its operations. Therefore, the customer/provider relationship should be viewed by both sides as a true partnership where each one can only succeed with full support from the other.
Such a partnership can be hard to establish when a vendor just wants to sell a product and move on to the next opportunity. It requires companies to not only support customers well but also innovate fast. By owning the platform, providers can deliver new features independent of any supplier. It’s the kind of innovation we’ve seen in cloud services but not telcos and legacy carriers. It’s up to you, though, to find providers that live up to this vision.
Making the Technology Transition to SASE
SD-WAN is a sophisticated technology, but it’s meant for meeting the challenges of yesterday not to tomorrow. The Secure Access Service Edge (SASE) is a comprehensive platform that blends SD-WAN with security and remote access many other capabilities to meet whatever challenges you face today and, tomorrow. For more information about selecting SASE and the right partner for WAN transformation, watch the on-demand webinar -- The Dark side of SD-WAN.
Long before the global pandemic made its way around the world, enterprises were already providing at least some of their workers the ability to work...
Types of Remote Access Technologies for Enterprises Long before the global pandemic made its way around the world, enterprises were already providing at least some of their workers the ability to work remotely. Whether it was salespeople on the road, or telecommuters working from home a few days per week, some small percentage of employees needed access to their corporate resources from some remote location.
Then it seemed that overnight, millions of workers worldwide were told to isolate and work from home as best as they could. Businesses were suddenly forced to enable remote access for hundreds or thousands of users, all at once, from anywhere across the globe. Many companies that already offered VPN services to a small group of remote workers scurried to extend those capabilities to the much larger workforce sequestering at home. It was a decision made in haste out of necessity, but now it’s time to consider, is VPN the best remote access technology for the enterprise, or can other technologies provide a better long-term solution?
Long-term Remote Access Could Be the Norm for Some Time
Some knowledge workers are trickling back to their actual offices, but many more are still at home and will be for some time. Global Workplace Analytics estimates that 25-30% of the workforce will still be working from home multiple days a week by the end of 2021. Others may never return to an official office, opting to remain a work-from-home (WFH) employee for good.
Consequently, enterprises need to find a remote access solution that gives home-based workers a similar experience as they would have in the office, including ease of use, good performance, and a fully secure network access experience. What’s more, the solution must be cost effective and easy to administer without the need to add more technical staff members.
VPNs are certainly one option, but not the only one. Other choices include appliance-based SD-WAN and SASE. Let’s have a look at each approach.
VPNs Weren’t Designed to Support an Entire Workforce
While VPNs are a useful remote access solution for a small portion of the workforce, they are an inefficient technology for giving remote access to a very large number of workers. VPNs are designed for point-to-point connectivity, so each secure connection between two points – presumably a remote worker and a network access server (NAS) in a datacenter – requires its own VPN link. Each NAS has a finite capacity for simultaneous users, so for a large remote user base, some serious infrastructure may be needed in the datacenter.
Performance can be an issue. With a VPN, all communication between the user and the VPN is encrypted. The encryption process takes time, and depending on the type of encryption used, this may add noticeable latency to Internet communications. More important, however, is the latency added when a remote user needs access to IaaS and SaaS applications and services. The traffic path is convoluted because it must travel between the end user and the NAS before then going out to the cloud, and vice versa on the way back.
An important issue with VPNs is that they provide overly broad access to the entire network without the option of controlling granular user access to specific resources. Stolen VPN credentials have been implicated in several high-profile data breaches. By using legitimate credentials and connecting through a VPN, attackers were able to infiltrate and move freely through targeted company networks. What’s more, there is no scrutiny of the security posture of the connecting device, which could allow malware to enter the network via insecure user devices.
SD-WAN Brings Intelligence into Routing Remote Users’ Traffic
Another option for providing remote access for home-based workers is appliance-based SD-WAN. It brings a level of intelligence to the connectivity that VPNs don’t have. Lee Doyle, principal analyst with Doyle Research, outlines the benefits of using SD-WAN to connect home office users to their enterprise network:
Prioritization for mission-critical and latency-sensitive applications
Accelerated access to cloud-based services
Enhanced security via encryption, VPNs, firewalls and integration with cloud-based security
Centralized management tools for IT administrators
One thing to consider about appliance-based SD-WAN is that it’s primarily designed for branch office connectivity—though it can accommodate individual users at home as well. However, if a company isn’t already using SD-WAN, this isn’t a technology that is easy to implement and setup for hundreds or thousands of home-based users. What’s more, a significant investment must be made in the various communication and security appliances.
SASE Provides a Simpler, More Secure, Easily Scalable Solution
Cato’s Secure Access Service Edge (or SASE) platform provides a great alternative to VPN for remote access by many simultaneous workers. The platform offers scalable access, optimized connectivity, and integrated threat prevention that are needed to support continuous large-scale remote access.
Companies that enable WFH using Cato’s platform can scale quickly to any number of remote users with ease. There is no need to set up regional hubs or VPN concentrators. The SASE service is built on top of dozens of globally distributed Points of Presence (PoPs) maintained by Cato to deliver a wide range of security and networking services close to all locations and users. The complexity of scaling is all hidden in the Cato-provided PoPs, so there is no infrastructure for the organization to purchase, configure or deploy. Giving end users remote access is as simple as installing a client agent on the user’s device, or by providing clientless access to specific applications via a secure browser.
Cato’s SASE platform employs Zero Trust Network Access in granting users access to the specific resources and applications they need to use. This granular-level security is part of the identity-driven approach to network access that SASE demands. Since all traffic passes through a full network security stack built into the SASE service, multi-factor authentication, full access control, and threat prevention are applied to traffic from remote users. All processing is done within the PoP closest to the users while enforcing all corporate network and security policies. This eliminates the “trombone effect” associated with forcing traffic to specific security choke points on a network. Further, admins have consistent visibility and control of all traffic throughout the enterprise WAN.
SASE Supports WFH in the Short-term and Long-term
While some workers are venturing back to their offices, many more are still working from home—and may work from home permanently. The Cato SASE platform is the ideal way to give them access to their usual network environment without forcing them to go through insecure and inconvenient VPNs.
At Cato, we pride ourselves not only on the performance and airtight security of the Cato platform but the power and ease of use of...
Cato Engineers Review Favorite SASE Features At Cato, we pride ourselves not only on the performance and airtight security of the Cato platform but the power and ease of use of its management tools. Cato’s cloud-based interface puts a lot of granular configuration power in the hands of the customers, rather than forcing them to wait hours or days for the provider to make each configuration change. Cato also provides unparalleled visibility into WAN traffic and security.
In Cato’s Sales Engineers Demo and Interview Video Series, our sales engineers show you their Cato favorites. Dive in with them as they demonstrate how to set bidirectional quality of service, utilize Cato’s Zero Trust Network Access (ZTNA) capabilities, and deep dive into bandwidth management and analytics.
How to Configure and Monitor ZTNA with Cato in Minutes - by Jerry Young:
In 10 minutes, learn how to configure Cato’s Zero Trust Network Access (ZTNA) and then track and monitor access events. Jerry shows how easy it is when you use the right DNS settings, making sure that access is enforced correctly, unaffected by IP address changes. Watch as he defines ZTNA to specific hosts, applications, and users and demonstrates how access events are recorded and audited.
How a SASE with a Private Backbone Optimizes Access to Cloud Applications - by Nick Gagliardi:
Nick shows how to optimize WAN traffic to specific cloud applications by keeping it on Cato’s global private backbone rather than public Internet. He demonstrates how simple it is to set an egress rule that keeps a specific cloud application’s network traffic on the Cato global private backbone, where it benefits from all the optimization and security of Cato’s SASE platform and performs as well as private applications hosted on private datacenters. Keep watching until the end to see what’s #1 on Netflix in Germany….even if you’re in the US.
What Modern, SASE-based Network Monitoring Should Look Like - by Mark Bayne:
Cato’s Senior Director of Worldwide Sales Engineering, Mark Bayne, takes you through the many layers of Cato’s SASE monitoring tools. He starts with the basic connectivity metrics, then proceeds into configuring individual application usage leveraging Cato’s application awareness technology and demonstrates Cato’s unique real-time views of live application prioritization, routing, and user access.
Bi-directional QoS, Advanced Bandwidth Management, and Real-Time Application Analytics - by Jack Dolan:
Experience the power of Cato’s bi-directional QoS, advanced bandwidth management, and real-time application analytics. Jack explains Cato’s Cloud SASE architecture in detail, including how network traffic is routed, managed, and optimized. Moving through the management console, he demonstrates how to set network rules to control traffic priorities, and how Cato’s advanced and real-time analytics give IT leaders an unprecedented view into their WAN.
How to Configure VoIP and ERP Optimization for 3,000 Global Employees Across the World in Minutes - by Sylvain Chareyre:
Experience Cato agility with Sylvan as he shows how an IT manager can make enterprise-wide network changes instantly. In less than 10 minutes, Sylvain demonstrates how to deploy worldwide unified communications as a service (UCaaS) for 3,000 users, optimize access to an on-premises ERP system, and prepare the network for cloud migration.
December 28, 2020
2m read
Throughout the year, Catoians gather and share memes internally about a host of topics. This year, we developed a very unscientific algorithm for ranking those...
December 28, 2020
2m read
The Best Networking Memes of 2020 Throughout the year, Catoians gather and share memes internally about a host of topics. This year, we developed a very unscientific algorithm for ranking those memes and sharing the very best. Big thanks to Cato’s Daniel Avron, Jerry Young, Oded Engel, and Oren David for their scouring the Internet efforts. And without further ado…
#10 The Best Quote of 2020
#9 The Biggest Threat of the Year
#8 The Best Depiction of Work Life Under Covid-19
#7 The Best Label for a LAN cable
#6 The Best Depiction of Dual Factor Authentication
#5 The Best Example of Worthwhile Remote Work
#4 The Best Example of COVID-19’s Impact on Networking
#3 The Best Explanation of an Always On/Never Off Feature
#2 The Best Explanation of Application Developers vs. Application Testers
#1 The Best Consequence of Privacy Laws
And just in case you haven’t had enough...….
Best Contribution COVID-19 Has Made to Society
Best Usability Lesson
December 21, 2020
4m read
It’s likely been the most sophisticated publicized attack in the past decade. For more than nine months, Sunburst, the trojan designed for SolarWinds Orion, lurked...
December 21, 2020
4m read
Stopping Sunburst: The Second-Best Argument for a SASE Platform It's likely been the most sophisticated publicized attack in the past decade. For more than nine months, Sunburst, the trojan designed for SolarWinds Orion, lurked undetected in enterprise networks. Some 18,000 SolarWinds customers may have downloaded the trojanized Orion software, and not one reported the threat. (To better understand why this threat went undetected, check out this blog from Shay Siksik, Cato's Security Analyst Manager. )
And these weren't small, unprofessional organizations. More than 425 of the US Fortune 500 companies use SolarWinds products. These are enterprises who likely invested in all manners of preventive security measures. They've made heavy investments in NGFW appliances, antimalware, endpoint detection and response (EDR), and more. And still, it didn't matter. If you ever needed a lesson that security prevention isn't enough, Sunburst was it.
But there was a second, equally important lesson to consider from this outbreak: What do you do post-infection? For appliance-studded enterprises, post-infection looks like a race against time. They need to update infrastructure against the trojan, and hunt for the trojan on their networks before any further damage can be done.
In this, the real-world, security appliance vendors priding themselves on how quickly they released a Sunburst signature is only half the story. Enterprises must still download, test, and deploy those signatures across all appliances for all vendors — an enormous headache. They must then hunt for Sunburst lurking in their organization — an impossible task without months of traffic already logged for analysis. No security appliance vendor is going to help on that score.
Contrast that with the experience of Cato SASE customers. Within a few minutes of identifying Sunburst's IoCs, our security team updated all Cato detection and prevention engines. Instantly, all Cato customers were protected against the trojan. No patches needed to be downloaded; no updates applied. Customers or partners —no further action was needed. Period.
But that was only a start. Cato's security team mined months of data stored in our massive data warehouse built from all customers' traffic flows. Through this process, the security team could identify network flows from those enterprises exhibiting Sunburst IoCs. The team alerted the relevant customers and helped them with remediation. The team will continue monitoring all Cato customer traffic for Sunburst moving forward.
And how long did this entire process take the Cato team? Few hours. In just a few hours, Cato was able to protect all customers against this threat, and identify and alert those already infected by Sunburst.
Let's be clear. There's no substitute for stopping threats before they penetrate defenses. We all know that. But the reality is that given the complexity of today's networks, the first-mover advantage of attackers, and the enormous resources available to threat actors, perfect prevention is impossible. Enterprises must prepare themselves for what happens after learning about a threat.
How do you discover and hunt for threats in your organizations? In legacy enterprises, such an effort would have required enormous expenditures. Aggregation tools deployed to gather the data and storage purchased and maintained to store months of traffic. Data mining and analysis tools are needed to investigate the data. And, most of all, hiring of specialized talent for hunting threats.
More likely, companies would rely on an MSSP. Even then, the MSSP would still have to race against time, manually updating appliances and struggling to look for threats. But for customers of a true SASE platform, like Cato Cloud, automatic updates to all components and threat hunting are already part of the service.
Sunburst: Yet Another Argument for SASE
2020 has been an auspicious year for security and networking teams. We began by learning about the fundamental shift in networking and network security called secure access service edge (SASE).
Quickly, we saw the biggest argument for SASE — the need to shift to large-scale, work-from-home. Whereas legacy enterprise spent weeks and months deploying large scale, work-from-home solutions, Cato SASE customers converted to remote access in minutes and hours. How appropriate then that we should close the year with another case for SASE — quick and instant response to Sunburst.
To learn more about how Cato's SASE platform can help you ready your network for whatever comes next, contact us here.
December 13, 2020
5m read
If you are about to renew your MPLS contract, or if you need to upgrade your capacity—STOP! Don’t commit to another year of MPLS until...
December 13, 2020
5m read
MPLS Upgrade for the Modern Enterprise If you are about to renew your MPLS contract, or if you need to upgrade your capacity—STOP! Don’t commit to another year of MPLS until you’ve had time to consider if it’s the right technology to carry your business forward. Modern enterprises now have alternatives to MPLS that are more flexible and just as reliable for building a WAN.
Not only is MPLS expensive and inflexible but it’s also poorly suited for meeting the needs of organizations that embrace cloud computing, SaaS applications, and a mobile/remote workforce. If it’s been a while since you’ve shopped around for network connectivity, you need to know that you can switch your dedicated and expensive MPLS network to a cloud-based network and still sustain the service levels your business needs, maintain security, cut costs, and improve overall agility and flexibility.
MPLS Can’t Adapt to Changing Traffic Patterns, and Other Drawbacks
Every enterprise has a need for secure, high-performance, and reliable networking. For decades now, organizations have built their WANs using MPLS circuits to connect branch offices back to the corporate home office. Until recently, MPLS circuits were not only the logical choice but the only choice for high-performance branch connectivity.
The advent of cloud computing and high adoption rates for SaaS applications are real disruptors for WANs built on an MPLS-based hub-and-spoke architecture. MPLS is optimized for point-to-point connectivity only. Workers in branch offices have no direct means of reaching the Internet for cloud or SaaS applications. Their traffic can only be backhauled to headquarters over the MPLS lines and then sent out to the cloud.
This “hair pinning” of traffic just adds latency and creates performance issues. It certainly fails to meet today’s needs when a large percentage of traffic is cloud bound. Consider that Microsoft 365 is the world’s most widely used cloud service – 56% of organizations around the world use it – but 365 isn’t designed to work over a legacy MPLS WAN.
There are other shortcomings of MPLS for modern enterprises. For example, security can be an issue. An MPLS network doesn’t offer built-in data protection, and if incorrectly implemented, it can open the network to vulnerabilities. Cost can be an issue too, especially when compared to alternatives that use the Internet as a transport mechanism. In that comparison, MPLS has a much higher per-megabit price. What’s more, MPLS offers no mechanism to support individual users who work remotely or who must be highly mobile.
For enterprises with a global or multi-national footprint, it can take a long time – perhaps as long as half a year – to deploy MPLS in different countries. There is no single global provider of MPLS, and so an enterprise must work through a broker or accept that it must manage numerous service providers. But perhaps the biggest drawback is a lack of control over the network. The service provider(s) has an outsized role in managing the network.
Is SD-WAN the Alternative to an MPLS Upgrade?
For several years now, pundits have touted SD-WAN as an alternative – or at least a complement – to MPLS. Certainly, SD-WAN has been looking to address the challenges of MPLS, like cost, capacity, rigidity, and manageability.
An SD-WAN edge can dynamically route traffic over multiple data services (cable, xDSL, 4G/LTE, and even MPLS) based on the type of traffic and the quality of the underlying service. An enterprise can easily increase capacity available for production by adding inexpensive data services to an existing MPLS-based network. Zero-touch provisioning allows the edge to configure its connection to the WAN using the available mix of services at each location. This means that new sites can be brought on quickly with a single or dual Internet service or 4G/LTE.
SD-WAN offers many desirable features, but on its own, it’s not a full-fledged replacement for MPLS. In many cases, and especially for branch offices, an MPLS circuit is still needed to carry latency-sensitive traffic. Also, SD-WAN routers don’t address security needs. Enterprises need to extend their security architectures using edge firewalls or cloud security services, which adds to the cost and complexity of an SD-WAN deployment.
Moreover, SD-WAN solutions weren’t designed with cloud resources and mobile users in mind. Vendors have since come up with ways – albeit inelegant – to route traffic to the cloud, but mobile users are left in the lurch with SD-WAN.
SASE Extends SD-WAN as a Real Alternative to MPLS
Cato Networks’ SASE solution addresses the shortcomings of pure SD-WAN to offer a genuine alternative to MPLS-based networking. SD-WAN is actually just one part of Cato’s network offering. SD-WAN appliances deliver important networking functionality while SASE goes further by converging SD-WAN with other network and security services to create a holistic WAN connectivity and security fabric.
The Cato Cloud provides an SLA-backed global backbone of points of presence (PoPs) that form an affordable alternative to MPLS-based networking. This single, global network connects and secures all enterprise edges – sites, cloud resources, and mobile/remote users – without compromising on the cost savings, agility, or reach of the Internet or the predictability, reliability, and performance of MPLS. This SASE solution also builds security into the underlying cloud-native architecture to eliminate the need for a patchwork of security appliances.
SASE is a truly transformational approach to the WAN. By combining SD-WAN and other networking functionality with advanced security features, SASE can legitimately address most WAN network and security requirements at scale, and certainly, be a legitimate replacement for an MPLS-based network.
Learn More
Cato purpose-built the world’s first true SASE platform and has been recognized as a leader in the space. If you’d like to learn more about what SASE can do for your enterprise, please contact us today, sign up for a demo, or download our “How to Migrate from MPLS to SD-WAN” eBook.
Last week (25 November 2020) reminded us once again of the importance and challenge of that real-world problem — patching. it was reported `that a...
50,000 Fortinet VPNs Breached Via Vulnerability Fixed 18 Months Ago. Here’s What You Can Do. Last week (25 November 2020) reminded us once again of the importance and challenge of that real-world problem — patching. it was reported `that a hacker had leaked the credentials for 50,000 Fortinet VPNs. The victims include high street banks, telecoms, and government organizations from around the world. The stolen data includes usernames, passwords, access level (such as 'full access'), and the original unmasked IP address of the user connected to the VPN. The data is spreading across the Dark Web.
The vulnerability exploited to obtain the data is CVE-2018-13379, a path traversal vulnerability in the FortiOS SSL VPN web portal that can allow an unauthenticated attacker to download files through specially crafted HTTP resource requests.
This is not its first known exploitation. Back in July 2020, the UK's National Cyber Security Center (NCSC) and Canada's Communications Establishment (CSE) published information on the use of this vulnerability by APT29 -- also known as 'Cozy Bear', and believed to be a Russian state-backed group involved in hacking the DNC prior to the 2016 U.S. elections. In this instance, the target via the Fortinet VPNs was thought to be information about COVID-19 vaccines.
In October 2020 the U.S. Cybersecurity and Infrastructure Security Agency (CISA) also warned that the Russian state-backed hacking group often known as Energetic Bear used the same vulnerability in attacks against the networks of various U.S. state, local, territorial, and tribal (SLTT) government networks, as well as aviation networks -- ahead of the 2020 elections.
None of this should have been possible. Fortinet patched the vulnerability back in Spring 2019 -- well over a year before these incidents. After the latest incidents, Fortinet told Bleeping Computer, "In May 2019 Fortinet issued a PSIRT advisory regarding an SSL vulnerability that was resolved, and have also communicated directly with customers and again via corporate blog posts in August 2019 and July 2020 strongly recommending an upgrade."
Patching. That’s the Real Problem
So, the real problem here is a patch problem. Fortinet VPN users -- thousands of major corporations and government entities -- simply failed to patch a critical vulnerability despite repeated warnings.
The need for a robust patching regime has been known and urged for decades. But still companies fail to patch their systems efficiently or sufficiently. The result can be disastrous. The infamous Equifax breach of 2017 was ultimately a failure in patching. The ultimate cost to Equifax could be several billion dollars, combining settlements to affected users (potentially up to $2 billion) and a further $1 billion for agreed security upgrades. There are many other examples of costly breaches caused by a failure to patch.
The basic problem remains -- organizations find patching very difficult, and this same issue of unpatched systems being compromised will continue. According to a Ponemon/ServiceNow report in October 2019,
60% of breach victims were breached due to an unpatched known vulnerability where the patch was not applied
62% were unaware that their organizations were vulnerable prior to the data breach
52% of respondents say their organizations are at a disadvantage in responding to vulnerabilities because they use manual processes.
There are many reasons for companies' failure to patch. Not enough staff. Insufficient resources to adequately test the possible downstream effect of patches. And connections to operational technology, where the inbred philosophy is not to touch something that is currently working. Indeed, Dark Reading has stated that nearly three-fourths of organizations worry that software updates and patches could 'break' their systems when applied. Then there are the usual challenges of any downtime, legacy system patching, and compatibilities with existing applications and operating systems.
Patching Doesn’t Have to Be A Problem
But there is a solution to the patch problem that is simple and effective and not dependent on in-house resources -- the use of firewall as a service (FWaaS), such as what’s provided into Cato’s SASE platform. Without the cloud, security must be installed appliance by appliance in location by location. It is incumbent on the overworked and under resourced security or IT team to update and manage those appliances; this is where patching fails.
Cloud services, however, do not rely on their users' own staff resources. Whenever Cato becomes aware of a new fix or patch, we automatically pushed it out to all our customers. Cloud service users receive a robust patch regime without having to worry about patching and a repeat of the Fortinet VPN incidents and the Equifax patch failure.
Just a day before Thanksgiving, an AWS cloud outage struck down large parts of the Internet for multiple hours, impacting major apps, websites, and services...
How Cato Cloud Resiliency Overcomes Regional and National Outages Just a day before Thanksgiving, an AWS cloud outage struck down large parts of the Internet for multiple hours, impacting major apps, websites, and services worldwide like Autodesk, Roku, and Shipt. Although only 1 of 23 AWS geographic regions (US-East-1) experienced issues at the time, the global echo was significant for any company dependent on AWS cloud services.
It’s incredibly important to look “under the covers” of all cloud-based offerings, especially those claiming to be SASE services. Simply spinning up a virtual appliance in the cloud or hosting physical appliances and calling it a “cloud-based service” is a far cry from providing an enterprise-grade service that’s designed to work 24x7x365. What happens when the appliance fails? How does the cloud-hosted appliance deal with failures in the cloud provider’s infrastructure? If SASE is to become the networking and security solution, it must be enterprise-grade. This is very much a case where architecture matters.
Cato Cloud: A Self-Healing Architecture
Cato has spent years developing a cloud-native, self-healing platform that can recover from failures at all levels of its architecture. Today, Cato runs a stateless, single-pass cloud-native engine that handles the routing, optimizing, and securing of all WAN and Internet traffic.
Processing is distributed across a cloud-scale, global network of points of presence (PoPs). The controller functionality is a smart, distributed data plane at the processing engine level, not a single controller, eliminating a potential single point of failure. With most processing in the cloud, edge devices and clients accessing Cato are radically simplified, further reducing the likelihood of edge outages.
Every Cato Cloud tunnel and resource has automated failover capabilities inside the PoP, across PoPs, and the entire cloud for a fully self-healing architecture.
Self-Healing of the Cloud Network
Rather than the unpredictable global Internet, Cato Cloud is built on our global private backbone. It’s a global, geographically distributed, SLA-backed network of 60+ PoPs, interconnected by multiple tier-1 carriers. This cloud network is engineered to deliver predictable transport with zero packet loss, minimum latency, and global optimization for maximum performance.
Self-Healing Between PoPs
Upon a failure or degradation in a tier-1 carrier connecting to a Cato PoP, any PoP can automatically switch to an alternate tier-1 carrier in the global backbone to maintain Internet access. If needed, PoPs will connect to the nearest Internet Exchange (IX) for enhanced redundancy.
If any global POP becomes unreachable or disrupted due to maintenance, all tunnels connected to the PoP automatically move to the nearest available PoP. Special rules for failover, regulations, and more are included in the automatic decision-making for tradeoffs. IP ranges associated with failed PoPs are also moved to ensure service continuity.
Self-Healing Within PoPs
All Cato’s PoPs contain redundant servers, each running identical copies of Cato’s software. These compute nodes are available as needed to serve any edge tunnel connected to that PoP. Each
compute node can serve any edge tunnel connected to the PoP. If a compute node fails, the disconnected tunnels will reconnect to an available compute node inside the PoP, as it remains the closest PoP to the disconnected edges. In most cases, user sessions will not be affected.
Overall Self-Healing
And in the unlikely event of total Cato Cloud loss, Cato Sockets can establish direct connectivity to enable branch and Internet connectivity using the public Internet without security or backbone.
Self-Healing at the Edge
Locations
Cato edge appliances are thin edge SD-WAN devices with sufficient logic to move traffic into Cato Cloud for networking and security processing. The thin-edge design makes redundant devices affordable. Cato also provides Sockets with redundant components.
Several high availability branch (HA) design options are available:
Affordable cold spares with automatic provisioning in the cloud,
Warm standby for automatic take over as part of self-healing architecture, and
Transport overlay across multiple last-mile transports in either active/passive or active/active configurations.
Sites automatically reconnect to the optimum PoP upon any outage or degradation. In addition, if the Cato Cloud is temporarily unreachable for any reason, branches communicate directly with one another, automatically reconnecting back to the Cato cloud upon availability.
Remote Users
The same seamless HA is available for remote users. If a remote user’s device loses tunnel connectivity or the user roams, Cato Clients automatically reconnect to the nearest PoP with dynamic tunnel failover inside a PoP or dynamic tunnel failover across PoPs to continue all services.
Built-in Self-Healing for Peace of Mind
As the recent AWS outage reminds us, the public cloud, for all its uptime, alone does not guarantee uptime. In today’s cloud-first digital world, fragmented networking point solutions add HA complexity and cost.
With Cato’s self-healing architecture, all failure detection, failover, and fallback are automatic, with no need to manually update networking, security, or optimization policies. Cato’s cloud-native, SASE platform enables global enterprises to meet or even surpass uptime requirements with the best mix of cost, resilience, and enterprise-grade redundancy superior to the unpredictable public Internet and more affordable than global MPLS and other legacy backbones.
Read more about how Cato helps global and regional enterprises in digital transformation
November 16, 2020
5m read
Network security covers many different areas, including access control, cloud security, malware protection, BYOD security, remote workforce, and web security. The modern digital business of...
November 16, 2020
5m read
Top 15 Network Security Websites Network security covers many different areas, including access control, cloud security, malware protection, BYOD security, remote workforce, and web security. The modern digital business of any size, industry, or location needs to keep up with all these responsibilities to maintain a strong security posture. So we gathered a list of 15 websites (listed alphabetically) to help you stay informed with the latest trends and innovations in the network security arena.
1. CIS
CIS is a forward-thinking nonprofit with a mission “to make the connected world a safer place by developing, validating, and promoting timely best practice solutions that help people, businesses, and governments protect themselves against pervasive cyber threats.” The resources section offers a wide range of materials including whitepapers, blogs, and webinars. A recent blog post provides cyber defense tips for staying secure both in the office and at home.
2. Dark Reading
Dark Reading is one of the most respected online magazines for security professionals, offering both news and in-depth opinion pieces on the latest developments within the industry. It has some excellent articles, offering the latest information in cybersecurity management to keep you in-the-know.
3. Data Breach Today
Data Breach Today offers a wealth of information on security, from training and compliance guides to industry events and latest news. There’s an extensive section on network and perimeter security issues, including webinars and whitepapers. One interesting webinar looks at how enterprises are investing in bug bounty competitions to find network vulnerabilities.
4. Hackaday
Not a network security blog per se, Hackaday nonetheless deserves a special mention. This cheeky website is all about the community built around the idea of hacking, which is defined as “an art form that uses something in a way in which it was not originally intended”. The website gathers hacking stories that are primarily intended for entertainment.
[boxlink link="https://go.catonetworks.com/First-100-Days-as-CIO-5-Steps-to-Success.html?utm_source=blog&utm_medium=blog_top_cta&utm_campaign=cio_ebook"] Download eBook – First 100 Days as CIO [/boxlink]
5. Help Net Security
Help Net Security covers technical security challenges and management concerns. Contributors include an impressive roster of industry leaders, who discuss everything from cultivating a sustainable workforce during COVID-19 to tech trends and risks shaping organizations’ data protection strategy. Make sure to check out the whitepaper archives for more in-depth content.
6. IDG
IDG is a worldwide leading tech media company with a community of the most influential technology and security executives. Some of IDG’s premium brands include CIO®, Computerworld®, CSO®, and Network World®. A great visual summary of IT response, six months into the pandemic, is available here.
7. Infosec
Infosec has been fighting cybercrime since 2004, offering the most advanced and comprehensive education and training platforms. Infosec is recognized as a security awareness and training leader by both Gartner and Forrester. Some of their helpful resources include topics like General Security, Wireless Security, and Threat Hunting.
8. Infosecurity Magazine
Infosecurity Magazine is the go-to resource for the latest news on all subjects related to information security. It has over ten years of experience providing knowledge and insights, focusing on hot topics and trends, in-depth news analysis, and opinion columns from industry experts. Check out the Network Security section, which includes topics such as access rights management, endpoint security, firewalls, intrusion prevention/detection, and more.
9. Sans Institute
Established in 1989, Sans Institute specializes in information security, cybersecurity training, and certification in over 90 cities across the globe. Their website includes a large repository of materials on network security. They offer an interesting course, which gives an in-depth look at intrusion detection and provides whitepapers on network security.
10. SC Media
SC Media has been sharing industry expert guidance and insight, in-depth features and timely news, and independent product reviews for 30 years. The magazine also runs annual awards for organizations that apply innovative solutions to security issues. Check out the resource library for featured assets and reports.
11. Security Magazine
Security Magazine looks at network security issues from the point of view of C-level management. The column Security Talk offers insights into the issues C-level executives face today. A recent publication discusses the cybersecurity threats that require security leaders to ensure constant control enforcement across newly expanded footprints.
12. TechRepublic
TechRepublic is a great source for breaking IT news, best practices, advice, and how-tos delivered by a global team of tech journalists, industry analysts, and real-world IT professionals. A recent article reviews the five, must-know, emerging tech terms from Gartner's 25th Hype Cycle report.
13. The Hacker News
Established in 2010, The Hacker News is a dedicated cybersecurity and hacking news platform that attracts over 8 million readers. It’s considered one of the most significant information security channels for topics such as data breaches, cyber attacks, vulnerabilities, and malware. It includes a rich Security Research Library and featured articles on industry innovations, such as “Gartner Says the Future of Network Security Lies with SASE” and product reviews on secure remote access (ZTNA/SDP), managed threat detection and response (MDR), and lots more.
14. The Register
The Register is a leading, reliable global online enterprise technology news publication, reaching ~40 million readers worldwide. Known for its opinionated and sometimes controversial opinion pieces, The Register offers networking professionals a valuable collection of interesting content written by industry peers. The website includes a prominent section on security.
15. Threatpost
Threatpost is an independent leading news site for IT and business security, covering topics like vulnerabilities, malware and cloud security. Threatposts’s award-winning editorial team provides a rich selection of content, including podcasts, featured articles, videos, and slide shows, alongside expert commentary on breaking industry news.
Can you think of any other resource that should be on this list? Follow us on LinkedIn, Facebook, or Twitter , and let us know!
Also, as someone who is interested in network security, make sure you learn about SASE, if you haven't already.
*This blog was updated and republished in November 2020
November 10, 2020
5m read
When the Apple iPhone hit the market in 2007, it was described as “revolutionary.” The monumental success of the iPhone – and countless imitators from...
November 10, 2020
5m read
SASE: It’s the iPhone of Networking When the Apple iPhone hit the market in 2007, it was described as "revolutionary." The monumental success of the iPhone – and countless imitators from other smartphone vendors – has proven the term to be correct. But why? What’s the big innovation of the smartphone? After all, the components in a smartphone predated this type of device by years. We had our PDAs for our contact lists and appointments, digital cameras to take photos, mobile phones to place calls, handheld GPS to find our way to places, and portable media players for music.
The innovation of the smartphone was, of course, that it converged all these functions (and more) together. Convergence. That is the innovation of SASE.
When Gartner defined the market for the Secure Access Service Edge (SASE) last year, we had already seen all its networking and security functions on the market. We already had firewalls and UTMs. We had mobile access solutions. We had SD-WAN and networking. But we had them as separate solutions coming from different vendors, which made their deployment quite complex. What’s more, with the functions being separate components, taking advantage of capabilities across the functions required heavy integration and multi-vendor coordination.
Like the smartphone, SASE’s first innovation is that it brought all those disparate components together into one converged and convenient platform. This makes deployment and delivery much simpler.
Convergence Is More Than Convenience
Packaging multiple functions into a smartphone did more than save pocket space. It created a platform that could be used for unlimited applications. Sensors and software and other capabilities all built into the smartphone resulted in several benefits. First, things work together seamlessly, so no integration is needed. Second, app developers don’t have to create functions for themselves because they can simply use what the platform already offers. But most importantly, a robust platform with lots of capabilities is a force multiplier to spur even more innovation and new kinds of solutions that might otherwise be impractical or even impossible to build.
For example, the language translation app Google Translate builds on some of the inherent features of the smartphone in a very innovative way. This app delivers a language conversion engine that lets you translate a sign written in a foreign language in real-time. It uses the smartphone’s camera to capture an image of the sign, embedded OCR to convert the image into text, and then Google’s own language engine to translate the foreign text to the target language. Google used some of the capabilities of the smartphone, coupled with its own technology, to create a unique and high value application. Delivery of Google Translate’s capabilities wouldn’t be possible without convergence of functions on the device.
A SASE Platform Enables Capabilities that Were Previously Impractical, If Not Impossible
The same is true of SASE. Pulling together all networking and security functions into a single, coherent platform does more than make deployment simpler. It allows for combining data and capabilities in different ways to develop new solutions that otherwise might have been impossible to deliver. Let’s explore some examples of the benefits of convergence in the Cato SASE platform:
ZTNA and Remote Access -VPNs have traditionally been the dominant point solution to provide remote access to a network. However, VPNs bring risk to an enterprise due to the lack of granular control over network access. Software-defined perimeter (SDP), also called Zero Trust Network Access (ZTNA), enables tighter overall network security for remote access users. SASE converges ZTNA, NGFW, and other security services along with network services such as SD-WAN, WAN optimization, and bandwidth aggregation into a cloud-native platform. Enterprises that leverage Cato’s SASE architecture receive the benefits of ZTNA along with a full suite of converged network and security solutions that is both simple to manage and highly scalable.
High-Performance FWaaS - Firewall as a service is a multifunction security gateway delivered as a cloud-based service. It is often intended to protect mobile users and small branch offices that have no dependency on the central datacenter for applications. Standalone FWaaS offerings often incur poor site-to-site performance because of their few PoPs and dependency on the unpredictable, global Internet. With integrated FWaaS, Cato’s SASE architecture, though, addresses these shortcomings to deliver high-performance FWaaS.
Threat Prevention - The Cato SASE platform detects and prevents threats not only based on signatures and security feeds but also on network characteristics. This latter information wouldn’t be available if Cato’s security services had been built on a security-only platform. Instead, Cato captures the network metadata of all flows from all users at all customers in massive data warehouse and enriched with threat-intelligence feeds and other security-specific information. Data aggregation and machine learning algorithms mine the full network context of this vast data warehouse over time, detecting indicators of anomalous activity and evasive malware across all customer networks. It's the kind of context that can't be gleaned from looking at networking or security domains distinctively, or by examining just one organization's network. It requires a converged solution like Cato, examining all traffic flows from all customers in real-time.
Event Correlation - Last year, Cato introduced SIEM capabilities called Instant*Insight, offered with the Cato platform at no added cost to customers. Instant*Insight organizes the millions of networking and security events tracked by Cato into a “queryable” timeline through a single-pane-of-glass. This service tracks issues for all sites, mobile users, and cloud resources. IT teams can quickly drill down into and correlate these events to arrive at the root cause of issues.
For years, organizations have looked for such a platform but delivering it was impractical before SASE convergence. Network appliances typically share log data – not raw event data – with SIEMs. Even then the right APIs need to be written, the data needs to be normalized, and only then can it be stored in a common datastore. It’s a massive undertaking when networking and security are separate functions. But Cato was able to develop Instant*Insight in a matter of months precisely because we were able to leverage the power of convergence. The data has already been gathered and the base tool sets were available.
In short, a true SASE platform does more than make deployment easier. It converges capabilities together to form a platform that provides the basis of new capabilities. Integration can’t give you that—only smartphone-like convergence can.
The global pandemic has forced many organizations around the world to send their workers home to support social distancing mandates. The process happened suddenly –...
Rethinking Enterprise VPN Solutions: Designing Scalable VPN Connectivity The global pandemic has forced many organizations around the world to send their workers home to support social distancing mandates. The process happened suddenly – almost overnight – giving companies little time to prepare for so many people to work remotely. To keep business functioning as best as possible, enterprises need to provide secure remote connectivity to the corporate network and cloud-based resources for their remote workers.
Many companies turned to their existing VPN infrastructure, beefing up the terminating appliances in the datacenter with additional capacity to support hundreds or thousands of new work from home (WFH) users. In the early days of Coronavirus lockdowns, some countries saw a surge in VPN use that more than doubled the typical pre-pandemic demand. However, VPN infrastructure isn’t designed to support an entire workforce. As organizations contemplate an extended or even permanent switch to WFH, investing in a secure, scalable connectivity solution is essential.
Enterprise VPN Solutions are Not Designed for Distributed Workforces
VPNs are designed for point-to-point connectivity. Each secure connection between two points requires its own VPN link for routing traffic over an existing path. For people working from home, this path is going to be the public Internet. The VPN software creates a virtual private tunnel over which the user’s traffic goes from Point A (e.g., the home office or a remote work location) to Point B (usually a terminating appliance in a corporate datacenter). Each terminating appliance has a finite capacity for simultaneous users. VPN visibility is limited when companies deploy multiple disparate appliances.
Pre-pandemic, many organizations had sufficient VPN capacity to support between 10 and 20 percent of their workforce as short-duration remote users at any given time. This supported employees temporarily working from hotels and customer sites as well as from their homes. Once the pandemic restrictions forced people to isolate at home, companies saw their VPN usage shoot up to as much as 50 to 70 percent of the workforce. It was a real challenge to quickly scale capacity because the number of required VPN links for continuous connectivity scales exponentially with the number of remote sites.
Security is a considerable concern when VPNs are used. While the tunnel itself is encrypted, the traffic traveling within that tunnel is not inspected for malware or other threats. To maintain security, the traffic must be routed through a security stack at its terminus on the network. In addition to inefficient routing and increased network latency, this can result in having to purchase, deploy, monitor, and maintain security stacks at multiple sites to decentralize the security load. Simply put, providing security for VPN traffic is expensive and complex to manage.
Another issue with VPNs is that they provide overly broad access to the entire network without the option of controlling granular user access to specific resources. There is no scrutiny of the security posture of the connecting device, which could allow malware to enter the network. What’s more, stolen VPN credentials have been implicated in several high-profile data breaches. By using legitimate credentials and connecting through a VPN, attackers were able to infiltrate and move freely through targeted company networks.
Of further concern, VPNs themselves can harbor significant vulnerabilities, an issue we noted in a recent post. NIST’s Vulnerability Database has published over 100 new CVEs for VPNs since last January.
Related content: read our blog on Moving Beyond Remote Access VPNs
SASE Provides a Simpler, More Secure, Scalable Solution Compared to VPN Solutions
In mid-2019, Gartner introduced a new cloud-native architectural framework to deliver secure global connectivity to all locations and users. Gartner analysts named this architecture the Secure Access Service Edge (or SASE). Cato Networks is recognized as offering the world’s first global SASE platform.
Cato’s SASE platform is built as the core network and security infrastructure of the business, and not just as a remote access solution. It offers unprecedented levels of scalability, availability, and performance to all enterprise resources.
It so happens that SASE is an ideal VPN alternative. SASE offers scalable access, optimized connectivity, and integrated threat prevention that are needed to support continuous large-scale remote access. There are several ways that Cato’s SASE platform outperforms a traditional VPN solution.
First, the SASE service seamlessly scales to support any number of end-users globally. There is no need to set up regional hubs or VPN concentrators. The SASE service is built on top of dozens of globally distributed Points of Presence (PoPs) to deliver a wide range of security and networking services, including remote access, close to all locations and users.
Second, availability is inherently designed into Cato’s SASE service. Each resource – a location, a user, or a cloud – establishes a tunnel to the nearest SASE PoP. Each PoP is built from multiple redundant compute nodes for local resiliency, and multiple regional PoPs dynamically back up one another. The SASE tunnel management system automatically seeks an available PoP to deliver continuous service, so the customer doesn’t have to worry about high availability design and redundancy planning.
Third, SASE PoPs are interconnected with a private backbone and closely peer with cloud providers, to ensure optimal routing from each edge to each application. This is in contrast with the use of the public Internet to connect to users to the corporate network.
Fourth, since all traffic passes through a full network security stack built into the SASE service, multi-factor authentication, full access control, and threat prevention are applied. Because the SASE service is globally distributed, SASE avoids the trombone effect associated with forcing traffic to specific security choke points on the network. All processing is done within the PoP closest to the users while enforcing all corporate network and security policies.
And lastly, Cato’s SASE platform employs Zero Trust Network Architecture in granting users access to the specific resources and applications they need to use. This granular-level is part of the identity-driven approach to network access that SASE demands.
SASE is Well-Suited to Remote Work
Enterprises that enable WFH using the Cato Networks SASE platform can scale quickly to any number of remote users without worry. The complexity of scaling is all hidden in the Cato-provided PoPs, so there is no infrastructure for the organization to purchase, configure or deploy. Giving end users remote access is as simple as installing a client agent on the user’s device, or by providing clientless access to specific applications via a secure browser.
Security is decentralized, located at the PoPs, which reduces the load on infrastructure in the company’s datacenter. Routing and security are integrated at this network edge. Thus, security administrators can choose to inspect business traffic and ignore personal traffic at the PoP. Moreover, traffic can be routed directly and securely to cloud infrastructure from the PoP instead of forcing it to a central datacenter first. Further, admins have consistent visibility and control of all traffic throughout the enterprise WAN.
WFH Employees Have Secure and Productive Access to the Corporate Network
While some workers are venturing back to their offices, many more are still working from home—and may work from home permanently. The Cato SASE platform is the ideal way to give them access to their usual network environment without forcing them to go through insecure and inconvenient VPNs.
As SASE becomes more widely adopted in the industry, there are wide discrepancies in the use of the term. In its August 2019 report, The...
Why SASE Must Support ALL Edges, ALL Traffic, and ALL Applications As SASE becomes more widely adopted in the industry, there are wide discrepancies in the use of the term. In its August 2019 report, The Future of Network Security Is in the Cloud, Gartner saw SASE (Secure Access Service Edge) as creating a single network for the complete enterprise, connecting and securing all edges everywhere.
Of late, though, some network providers want to selectively deliver only part of those capabilities, such as only providing secure access to the Internet. It’s really “sleight of marketing” to call implementing select capabilities “SASE,” as this doesn’t meet Gartner’s original definition of the term [bold emphasis added]:
The secure access service edge is an emerging offering combining comprehensive WAN capabilities with comprehensive network security functions (such as SWG, CASB, FWaaS and ZTNA) to support the dynamic secure access needs of digital enterprises.
SASE capabilities are delivered as a service based upon the identity of the entity, real-time context, enterprise security/compliance policies and continuous assessment of risk/trust throughout the sessions. Identities of entities can be associated with people, groups of people (branch offices), devices, applications, services, IoT systems or edge computing locations.
In further describing SASE, the Gartner analysts wrote:
What security and risk professionals in a digital enterprise need is a worldwide fabric/mesh of network and network security capabilities that can be applied when and where needed to connect entities to the networked capabilities they need access to.
In short, SASE is meant to be one holistic platform for the complete network, covering all edges, all traffic, and all applications, i.e., the “entities” in the definition above.
The Legacy Network Can’t Be Overlooked
This complete network includes an enterprise’s legacy network. While enterprises are moving many applications and workloads to the cloud, as well as embracing mobility, there continues to be legacy infrastructure that still performs important functions. Workers in branch offices still need to access files in private datacenters. People in sales offices still need to use legacy applications left in private datacenters that are too sensitive or simply unsuitable to be moved to the cloud. Both scenarios, and many others, continue to require predictable, low-latency network performance between locations.
To deliver on those expectations, you’re going to need the right networking features. These include the route optimization to calculate the best path for each packet, the QoS in the last mile, and the dynamic path selection to move traffic to the optimum path. The global Internet is too unpredictable with too much latency to deliver high performance connections day in and day out. You’ll need the lower latency of a global private backbone and a fix for packet loss. Basically, it’s all the “networking stuff” that we take for granted today when building an enterprise WAN.
Site-to-Site Security a Must
And when traffic is sent between sites, it must be secured. It means ensuring that NGFW is in place to restrict access to resources, that anti-malware is used to prevent the lateral movement of malware across the organization, that DLP ensures that data isn’t being syphoned off in a breach.
Relying on separate products to address site-to-site traffic means that enterprises have to face the challenges of a multiplicity of systems (and maybe even vendors). IT ends up juggling multiple management consoles, each populated with siloed information, which makes operations more much more challenging. Visibility into the network is fragmented as data collection is spread across two (or more) solutions.
And because visibility is obscured, so is the ability to detect trends spanning site-to-site and Internet communications. For example, malicious content may bypass detection and be downloaded from the Internet. The malware might exfiltrate data to its C&C server or infect other WAN-based resources, such a file server. Such an approach might be missed if you weren’t looking at the networking and security domains for both Internet-based communications and site-to-site traffic.
SASE Sees It All
SASE spans all edges, applications, and traffic flows. Only a true SASE architecture has complete visibility and control over both network and security because they are converged into a single software stack. As noted in the recent Hype Cycle report, “True SASE services are cloud-native — dynamically scalable, globally accessible, typically microservices-based and multitenant.” Thus, data flows are inspected one time (called a single-pass architecture) to determine networking and security needs. For example, which way to steer the packets, how to prioritize data flows, how to impose security policies, whether there is malware present, etc.
Because all such evaluations are done in a single pass of the traffic – where the data flow is decrypted once, inspected, then re-encrypted – performance is truly enhanced. Contrast this to networks with separate security appliances or web services, which require the traffic to be decrypted, inspected and re-encrypted multiple times. This adds unnecessary latency to the network. It’s called “stitching together” a SASE-like solution, but hardly True SASE.
September 14, 2020
5m read
Of late, there’s talk about using multiple vendors to deliver a SASE solution. One would provide the SD-WAN and security, another the global private backbone,...
September 14, 2020
5m read
Why I Hate Multivendor SASE Of late, there’s talk about using multiple vendors to deliver a SASE solution. One would provide the SD-WAN and security, another the global private backbone, and perhaps a third-will deliver remote access. But is that what SASE is all about?
As the article points out, Gartner analysts defined SASE as a single, vendor cloud-native platform. In their August 2019 report “The Future of Network Security Is in the Cloud,” they wrote: “This market converges network (for example, software-defined WAN [SD-WAN]) and network security services (such as SWG, CASB and firewall as a service [FWaaS]). We refer to it as the secure access service edge and it is primarily delivered as a cloud-based service.”
In Gartner’s Hype Cycle for Network Security, 2020, the analyst firm does give a nod to “dual vendor deployments that have deep cross-vendor integration” as a form of SASE. However, I would argue that an “integrated” solution still has its faults.
The keyword in the original description of SASE is “converges.” There’s a difference between convergence and integration. Convergence conveys that network and security have been brought together onto one platform best developed by a single provider, whereas integration conveys that multiple services or appliances from two or more suppliers are tied together through APIs or other means.
Gartner calls this integrated approach a “SASE alternative” that approximates the offerings of a true SASE solution. The industry is more broadly calling it “multivendor SASE,” a solution in which customers stitch together networking and security functions from different vendors through integration.
SASE Was Defined to Address All of an Enterprise’s Requirements
As pointed out in the report, traditional enterprise network design, where the enterprise datacenter is the focal point for access, is increasingly ineffective and cumbersome in a world of cloud and mobile. Backhauling branch and mobile traffic for inspection no longer makes sense when most traffic needs to go directly to the cloud. Secure access services need to be everywhere.
By spanning all edges, applications, and traffic flows, SASE provides:
Support for existing east-west traffic (such as WAN, site-to-site, VoIP, RDP, to on-premise apps, etc.), which is still present and will be for some time, and
Support for both current and future traffic flows with full optimization and security.
Pulling together all networking and security functions into a single, coherent platform does more than make deployment simpler. With all traffic consolidated into one converged platform, SASE provides complete visibility that enhances security and control.
How Multivendor SASE Falls Short
Multivendor SASE, which involves taking components from various vendors and integrating them together, falls short of a truly converged solution in several ways. First is the challenge of deploying multiple devices, especially if the security stack is repeated in each branch. That’s a lot of appliances to deploy, configure and maintain.
Next is the major effort to integrate the different services and devices into a somewhat cohesive solution. The main solution provider – maybe an MSP or a telco – will take care of much of the integration, but some effort might still be on the customer’s plate. Integration is a daunting task, as the separate pieces are likely to be on different development or update cycles. Each time a patch is applied or an OS is updated, testing is needed to ensure there are no problems with the APIs or other aspects of the integration. This cycle of “update and test” adds time and cost to the solution each time one of the components changes.
Network and security management can be a challenge in a multivendor SASE solution. When there are distinct devices from different vendors, they each run their own management consoles and store data in separate formats and places. Perhaps one dominant management console is chosen to present the relevant data. However, important detail data from the individual services or devices might not be made available through that console. Moreover, alerting may be less efficient, as separate tools each want to provide their own alerts. Even if a SIEM is present to correlate the alerts, significant work is required to tune and maintain the SIEM’s correlation engine.
With the security stack being separate from the network, there is a loss of, call it data fidelity, where network security is concerned. The security tools are working from logs and not actual network flows, and so they aren’t seeing everything in full context and thus might miss indications of threats.
The Advantages of Converged, Single Vendor SASE
When all networking and security components converged into one platform, great synergies can be achieved.
All traffic on the network needs to be inspected by various devices to know how to treat that traffic. The WAN needs to know how to route the traffic. The firewall needs to know how to process the traffic based on numerous policies. Different security devices need to know if the traffic harbors threats, or if sensitive data is being exfiltrated. Each of these functions need to inspect traffic that is not encrypted. With Cato, the network and security are converged, so the traffic can be decrypted one time, inspected by all necessary functions, and then re-encrypted. Contrast this to a multivendor SASE that decrypts/re-encrypts traffic multiple times as it passes through each individual service or device. The converged SASE approach is much more efficient and doesn’t impact overall performance.
Having network and security all on one platform, in the same data flow, has the advantage of deep visibility when it comes to threat detection. The security inspection tools see everything on the network, not just logs. This provides deep and broad context – in Cato’s case, the context of all customers, not just one – to understand everything that is happening on the network and catch threats earlier in the kill chain.
As for integration, there is none. Cato’s entire SASE code base is one stack. It allows us to be very agile when it comes to updates, enhancements, and introducing new features. We don’t depend on third parties’ development lifecycles as a multivendor SASE solution must do.
Multivendor SASE Isn’t SASE At All—It’s Merely an Alternative
When it comes down to it, what the industry is calling “multivendor SASE” isn’t really SASE at all. It’s simply a way to allow traditional network or security vendors to bolt onto their current solutions to provide services that are similar but far short of true SASE.
September 7, 2020
5m read
Zero trust has become one of the hottest buzzwords in network security. However, with all the hype, it can become difficult to separate the marketing...
September 7, 2020
5m read
What is Zero Trust Architecture? Zero trust has become one of the hottest buzzwords in network security. However, with all the hype, it can become difficult to separate the marketing fluff from the real value. Fortunately, unlike many buzzwords, there is plenty of substance around zero trust.
So, what exactly is the substance behind zero trust and how can you identify solutions that meet your enterprise’s needs? Let’s take a look.
What is Zero Trust Architecture? A crash course
In simple terms, zero trust is based on these principles: apply granular access controls and do not trust any endpoints unless they are explicitly granted access to a given resource. Zero Trust Architecture is simply a network design that implements zero trust principles.
Zero Trust Architecture represents a fundamental shift from traditional castle-and-moat solutions such as Internet-based VPN appliances for remote network access. With those traditional solutions, once an endpoint authenticates, they have access to everything on the same network segment and are only potentially blocked by application-level security.
In other words, traditional solutions trusted everything on the internal network by default. Unfortunately, that model doesn’t hold up well for the modern digital business. The reason zero trust has become necessary is enterprise networks have changed drastically over the last decade, and even more so over the last six months.
Remote work is now the norm, critical data flows to and from multiple public clouds, Bring Your Own Device (BYOD) is common practice, and WAN perimeters are more dynamic than ever. This means enterprise networks that have a broader attack surface are strongly incentivized to both prevent breaches and limit dwell time and lateral movement in the event a breach occurs. Zero Trust Architecture enables micro-segmentation and the creation of micro-perimeters around devices to achieve these goals.
How Zero Trust Architecture works
While the specific tools used to implement Zero Trust Architecture may vary, the National Cybersecurity Center of Excellence’s ‘Implementing a Zero Trust Architecture’ project calls out four key functions:
Identify. Involves inventory and categorization of systems, software, and other resources. Enables baselines to be set for anomaly detection.
Protect. Involves the handling of authentication and authorization. The protect function covers the verification and configuration of the resource identities zero trust is based upon as well as integrity checking for software, firmware, and hardware.
Detect. The detect function deals with identifying anomalies and other network events. The key here is continuous real-time monitoring to proactively detect potential threats.
Respond. This function handles the containment and mitigation of threats once they are detected.
Zero Trust Architecture couples these functions with granular application-level access policies set to default-deny.
The result is a workflow that looks something like this in practice:
Users authenticate using MFA (multi-factor authentication) over a secure channel
Access is granted to specific applications and network resources based upon the user’s identity
The session is continuously monitored for anomalies or malicious activity
Threat response occurs in real-time when potentially malicious activity is detected
The same general model is applied to all users and resources within the enterprise, creating an environment where true micro-segmentation is possible.
How SDP and SASE enable Zero Trust Architecture
SDP (software-defined perimeter) which is also referred to as ZTNA (Zero Trust Network Access) is a software-defined approach to secure remote access. SDP is based on strong user authentication, application-level access rights, and continuous risk assessment throughout user sessions. With that description alone, it becomes easy to see how SDP makes it possible to implement Zero Trust Architecture.
When SDP is part of a larger SASE (Secure Access Service Edge) platform, enterprises gain additional security and performance benefits as well. SDP with SASE eliminates the complexity of deploying appliances at each location and the unpredictability that comes from depending on the public Internet as a network backbone. Additionally, with SASE, advanced security features are baked-in to the underlying network infrastructure. In short, SDP as a part of SASE enables Zero Trust Architecture to reach its full potential.
For example, the Cato SASE platform implements zero trust and delivers:
Integrated client-based or clientless browser-based remote access
Authentication via secure MFA
Authorization based upon application-level access policies based on user identities
DPI (deep packet inspection) and an intelligent anti-malware engine for continuous protection against threats
Advanced security features such as NGFW (next-generation firewall), IPS (intrusion prevention system), and SWG (secure web gateway)
Optimized end-to-end performance for on-premises and cloud resources
A globally distributed cloud-scale platform accessible from all network edges
A network backbone supported by 50+ PoPs (points of presence) and a 99.999% uptime SLA
Interested in learning more about SDP, SASE, and Zero Trust Architecture?
If you’d like to learn more about SDP, SASE, or Zero Trust Architecture, please contact us today or sign up to demo the Cato SASE platform. If you’d like to learn more about how to take a secure and modern approach to remote work for the enterprise, download our eBook Work from Anywhere for Everyone.
Remote work has become the new normal as a result of the COVID-19 pandemic, and according to a survey by collaboration software provider Slack, most...
A Modern Approach to Enterprise Remote Access Remote work has become the new normal as a result of the COVID-19 pandemic, and according to a survey by collaboration software provider Slack, most knowledge workers believe remote-work-friendly policies will continue after the pandemic as well.
At the same time this unprecedented shift to remote work is occurring, businesses are realizing traditional enterprise remote access solutions, like Internet-based VPN, often aren’t capable of addressing all the needs of large-scale work from home. As a result, user experience and productivity can suffer. That’s why many enterprises are turning to more modern and scalable remote access solutions like SDP (software-defined perimeter) and SASE (Secure Access Service Edge) that can deliver enterprise-grade performance and security at scale.
But what exactly do enterprises need from a remote access solution and why are SDP solutions capable of meeting those needs better than traditional solutions? Let’s take a look.
What businesses need from enterprise remote access solutions
To remain productive when working from home, employees need access to the same data and applications they used in the office. Additionally, the importance of collaboration tools like Slack and Microsoft Teams increases dramatically. Enterprise IT needs to provide access to these resources, which are often scattered across the public cloud and corporate datacenters, in a way that allows employees to remain productive without sacrificing security.
Therefore, enterprise remote access solutions need to:
Deliver high quality user experience. When everyone is working from home, there is a direct relationship between network connectivity and productivity. If a user cannot attend a teleconference due to latency or business applications become unusable or inaccessible, productivity comes to a screeching halt. Simply put, the network cannot become a productivity bottleneck.
Provide predictable and reliable performance. Predictable and reliable performance go hand-in-hand with user experience. Latency, packet loss, and network outages can all wreak havoc on remote workforce. This means enterprises need enterprise remote access solutions that are both reliable and fault tolerant.
Provide enterprise-grade security. Remote work makes it even harder to address the challenges of enterprise network security. Endpoints are now effectively deployed at every employees’ home, expanding attack surfaces and adding to the risk posed by phishing attacks and malware. As a result, enterprises need remote access solutions that can enforce granular security policies, rapidly detect and mitigate threats, and reduce lateral movement in the event a breach occurs.
Scale easily. Capacity constraints and network complexity can become major bottlenecks as a remote workforce scales. Enterprise remote access solutions need to be able to scale easily without adding significant complexity to the network.
The problems with traditional enterprise remote access solutions
Point solutions like Internet-based VPN aren’t entirely without a use case. For small-scale and affordable connectivity between a few sites, a point solution may be the right answer. However, the continuous use and scale of organization-wide work from home isn’t a use case that traditional point solutions can effectively address. Issues that enterprises using these solutions to enable large-scale remote work have encountered include:
Latency and poor user experience. VPN servers have a limited amount of capacity, as more users connect, the server can become overworked and performance degradation occurs. As a result, user experience suffers.
Unreliable performance. Point solutions that depend on the Internet are also subject to all the problems with Internet routing. When an enterprise remote access solution is entirely dependent on the Internet, that means unpredictable performance can become the norm.
Lack of granular security controls. Generally, point solutions restrict access at the network-level. Once a user authenticates, they have network access to everything on the same subnet. This lack of granular security and visibility creates a significant risk and leaves gaps in network visibility.
Difficult to scale. The client/server architecture of point solutions simply isn’t scalable. To increase capacity for a network based on point solutions, IT needs to either deploy new appliances or upgrade existing ones. Further, addressing security and performance optimization challenges requires additional appliances to be deployed and integrated, which increases network complexity.
How SDP and SASE solves these issues
SDP, also known as ZTNA (Zero Trust Network Access), is a software-defined approach to application access. It is based on three core functionalities:
Strong user authentication
Application-level access based on user profiles
Continuous risk assessment during sessions
This software-defined approach that enables delivers application-level security policies helps to address several of the security and scalability challenges enterprises face. While SDP alone is useful, when it is when used as a part of a broader SASE platform that enterprises derive the most value from an optimized and secure remote access solution.
SASE includes WAN optimizations and network security functions like NGFW (next-generation firewall), and IPS (intrusion prevention system) that help eliminate the need for complex deployments with multiple appliances while improving security and performance. Further, because SASE is cloud-based, enterprises benefit from the hyper-scalability of the cloud in their remote access solution.
For example, businesses that use Cato’s SASE platform benefit from an enterprise remote access solution that:
Optimizes performance for all applications and improves user experience. Traffic is optimally routed over a global private backbone that eliminates the performance issues of VPN servers that depend on the Internet. Additionally, WAN optimizations increase throughput for use cases like video conferences and sharing large files. Further, with client-based or clientless access options and integrations for authentication services like Azure Active Directory, users benefit from a simple and secure SSO (single-sign-on) experience with MFA (multifactor authentication).
Provides predictable performance and a 99.999% uptime SLA. Cato’s network backbone consists of over 50 PoPs (points of presence) across the globe and is backed by a 99.999% uptime SLA. This gives enterprises a level of performance reliability and fault tolerance point solutions cannot.
Enforces granular security policies and continuously monitors for threats - SDP coupled with NGFW, IPS, and threat detection deliver enterprise-grade security in a single, easy-to-manage platform.
Brings the scalability of the cloud to remote access. The cloud approach of SASE delivers scalability point solutions simply cannot match. The underlying appliances and infrastructure are abstracted away from the enterprise, reducing complexity and allowing IT to focus on core business functions.
Interested in learning more about SDP, SASE, and enterprise remote access solutions?
As we have seen, SDP and SASE provide a modern approach to enterprise remote access and enable digital businesses to effectively support large scale remote work. If you’d like to learn more about SDP, SASE, or enterprise remote access solutions, contact us today or download this Work from Anywhere for Everyone eBook. If you’d like to see the world’s first SASE platform in action, we invite you to sign up for a demo.
Networking and security used to be considered two distinct areas of information technology. Enterprises would build a network to meet their communication needs and then...
SASE Convergence or Integration? It’s Not the Same Thing Networking and security used to be considered two distinct areas of information technology. Enterprises would build a network to meet their communication needs and then bolt on security to protect data and devices. The widespread adoption of Gartner's secure access service edge (SASE) architecture all but debunked that notion, and today it's widely accepted that networking and security must come together.
For Cato, of course, this is nothing new. We’ve always viewed networking and security as two sides of the same coin. The Cato software converges security and networking functions together and into one cloud-native platform. The same software running QoS and path selection of SD-WAN, WAN optimization, and other networking functions is also the same software doing security inspection and policy enforcement.
But for those vendors rushing to join SASE, solution integration has become the answer. Using service chaining or some other method, vendors will connect their networking and security point solutions or with those of third parties. Such an approach, though, is fraught with problems. Deployment involves rolling out multiple appliances or solutions. IT is left juggling multiple management consoles, which complicates troubleshooting. The disparate policy frameworks remain another hurdle.
Let's take a closer look at the differences between convergence and integration during the deployment, operation, and management phases of the network.
Deployment
Simplified Deployment of Secure SD-WAN
Opening new offices become much simpler and quicker because convergence allows for the deployment of a very, thin edge. With most functionalities converged into the cloud, the connecting software or device can be very light, running as an SD-WAN device, a virtual appliance, or even a small piece of software, like a mobile client. All “edges” of the enterprise are interconnected by one, predictable global backbone.
By contrast, integrating security and networking solutions, enterprises have to deploy and install separate solutions, such as SD-WAN and firewall appliances. Rolling out security appliances at all the branches is cumbersome and expensive—and sometimes even impossible. Additional solutions are needed for remote access and reliable, high-performance, global connectivity further complicating deployment (and fragmenting visibility, as we’ll discuss).
Rapid Network Expansion Enabled by Software-only Deployment
Convergence also enables providers to expand their network's geographic footprint very rapidly without compromising on the services offered at a location. There are no proprietary appliances to wait on, configure, and ship to a distant location. As such, within a few short years, Cato's network has surged to more than 50 PoPs worldwide, nearly doubling the coverage density of service providers twice its age.
[caption id="attachment_11218" align="aligncenter" width="960"] With its cloud-native software platform, Cato has been able to rapidly expand its network, reaching 50+ PoPs in a few short years, the most of any independent, cloud-native backbone.[/caption]
Operation
Improved Performance with Single-pass Processing
Having converged networking and security enables Cato to decrypt and inspect the packet once, performing all security and networking processing in parallel. As such, traffic, even encrypted traffic, can be inspected at wire speed regardless of the needed security policies or optimizations. Contrast this to networks with separate security appliances or web services, which require the traffic to be decrypted, inspected, and re-encrypted multiple times. It adds unnecessary latency to the network.
Holistic Intelligence Deepens and Broadens Security Capabilities
Once traffic enters the Cato PoP, Cato captures, stores and analyzes the network metadata of those packets. The metadata is further enriched with threat-intelligence feeds and other security-specific information. More than 1 TB of traffic metadata across hundreds of customer networks is captured every day. The metadata is stored in a cloud-scale, big data architecture. Data aggregation and machine learning algorithms mine the full network context of this vast data warehouse over time, detecting indicators of anomalous activity and evasive malware across all customer networks.
It's the kind of context that can't be gleaned from looking at networking or security domains distinctively, or by examining just one organization's network. It requires a converged solution like Cato, examining all traffic flows from all customers in real-time.
By contrast, with separate security and networking appliances, data is stored in different databases in different formats. The result is a fragmented view of the environment and then often only for one customer. Adding a SIEM doesn't help much because it's only processing logs and missing out on the raw metadata that provides such deep insight, particularly for security analytics.
[caption id="attachment_11223" align="aligncenter" width="1200"] Cato Managed Detection and Response (MDR) Service[/caption]
Management
Converging Management Makes Network Planning More Accurate, Simplifies Routine Work, Eliminates Errors
Convergence also makes network and security management simpler, more effective with less investment. The most obvious example is the management interface. From one platform, enterprises can monitor, report on, and manage their networking, remote access, and security infrastructure. Accounting for all traffic leads to a more accurate understanding of what’s happening on your network everywhere. Network planning becomes more accurate.
Convergence also makes day-to-day interactions easier, more painless. The objects, such as users and sites, created in one domain, are available in the other, shortening configuration times and reducing the number of configuration errors. All too often it’s those errors that increase the attack surface and create the vulnerabilities attackers can exploit to penetrate an organization.
[caption id="attachment_11220" align="aligncenter" width="1506"] From a single console, Cato customers can monitor and manage their sites (1), as well as remote users and security infrastructure (2). They have overall visibility (3) that can be drilled into at a click.[/caption]
Visibility Shortens the Time to Resolve Problems
Convergence also reduces troubleshooting times. Under the hood, all networking and security management data is already stored in a common database. As such, from one interface, IT can correlate network and security events to investigate a problem. It’s a powerful capability long sought after by IT best understood by looking at the alternative.
Take, for example, the case where users across offices periodically complain about call quality. Once you’ve validated the UC/UCaaS system is in order, you start investigating the network.
What might that look like? Well, for one, you'll check last-mile line quality at the user locations. The last-mile jitter and packet loss metrics lines may not be available for past events, though. You'll probably need to capture the data and wait till the next time the event occurs. But, for the purposes of this discussion, let’s assume you have the data right now.
So, you jump to your provider’s monitoring console and extract the relevant information. It’s not available from the provider? Maybe you can connect to each edge device to pull the data. Another console will be needed to check your backbone’s performance as well. Still, another console might be needed to ensure QoS and bandwidth rules aren't throttling the line. And a fourth interface will need to be consulted to be sure a misconfigured firewall rule isn’t blocking access for some users.
Your IT team has had to juggle four or five consoles, already. With each one, they had to master the product set and interface nuances to extract the needed information but there’s more.
For complex problems, you'll want to correlate event data across the platform. This means exporting the data, assuming that’s possible, into a common platform for analysis. You’ll need a tool that can ingest the various data sources, store the data into a data warehouse, normalize the data into a common format, graph the events out onto a timeline, and then give you the tools to filter and query appropriately.
Or you can just use Cato Instant*Insight, a feature of the Cato management console, and available to all Cato customers. With Cato Instant*Insight security, routing, connectivity, system, and device management event data for the past year (and longer, if required) is available, correlated, and mapped onto a time frame for analysis. From a simple Kibana-like interface, customers can drill down to analyze problems from across their network (see figure below).
[caption id="attachment_11219" align="aligncenter" width="1199"] By converging security and networking data into a common database, Cato was able to quickly introduce Cato Instant*Insight. This SIEM-like capability allows users to see all routing, security, routing, connectivity, system, and device management events (1). They can even drill down into a site to see network health events, such as packet loss metrics (2).[/caption]
The Strategic Advantages of Convergence
We’ve identified the benefits convergence brings across the network and security lifecycle. Faster and simpler deployment and rapid network expansion. Better network performance and deeper network visibility. Easier routine management and faster troubleshooting. These are all important, of course, but convergence has even greater, strategic implications as well.
For too long, the sheer complexity of the enterprise networks has burdened IT with hidden costs at every level. Capital costs, for example, remain high. They’re dictated, in part, by the licensing fees companies pay to their suppliers. And although networking solutions will share some functionality, such as packet processing, (de)encryption, and deep packet inspection (DPI), each must redevelop the technology for itself, failing to pass potential savings onto the customer.
Operational costs also increase in every part of the lifecycle with each new solution. For every new product adopted, IT must learn about the markets, evaluate their options, and then deploy, integrate, and maintain solutions. The whole process consumes precious staff resources.
Staffing requirements remain high. IT must find individuals who have first mastered the arcane commands needed to extract the necessary data from their various IT solutions. This leads to IT teams that are built based on vendor and appliance expertise, rather than on broad network and security administration and leadership skills. It’s like requiring people to master car mechanics before receiving their driver's license. Is it any wonder IT faces a staffing problem?
And each solution increases the risk to the company. Attackers are no longer only targeting government or the largest of companies. They’re going after everyone and none can afford to leave infrastructure unprotected. Yet with each new solution deployed, there comes another opportunity for penetration. IT must spend more time and effort of highly-skilled, and expensive, technical experts to ensure infrastructure is patched and kept current. Too often that’s not the case, which had led to attacks through VPN servers, routers, and, yes, third-party SD-WAN appliances.
Convergence changes the IT operations paradigm. With one set of code, one data repository for all event data, a seamless interface becomes possible for the entire network. It presents IT with the tools to do what they need to do best and not sweat the grunt work.
Trying to achieve that by piecing together existing devices and solution is impractical if not impossible. The technical problems are immense but don’t discount the business disincentives. The management console is too important for vendors to expect them to give up on their interface. It’s a major tool for differentiation from the competition. Which is one major reason why, beyond any technical challenges, forming a single-pane-of-glass into networking and security has been so challenging for so long.
Only a platform built for convergence can deliver the benefits of convergence.
The COVID-19 outbreak led to a surge in business VPN usage in an extremely short timeframe. In fact, multiple regions saw VPN usage rise over...
The disadvantages of VPNs for Enterprises The COVID-19 outbreak led to a surge in business VPN usage in an extremely short timeframe. In fact, multiple regions saw VPN usage rise over 200% in a matter of weeks. In many cases, remote access VPNs enabled enterprises to get work from home initiatives off the ground quickly and keep their business running, despite offices being closed.
However, as they settle into the new normal, many enterprises are also learning that there are several VPN disadvantages as well. Scalability, performance, and security can all become challenges with remote access VPN. SDP (software-defined perimeter) provides enterprises with a solution to the disadvantages of VPN. By taking a software-defined approach to remote access and network security, SDP (sometimes referred to as ZTNA or Zero Trust Network Access) helps address these challenges in a way that is more sustainable long-term.
But what exactly sets SDP apart from traditional remote access VPN? Let’s find out.
Of course, VPN isn’t without its upside
Remote access VPNs provide enterprises with a means to enable remote work. A virtual or physical appliance within the WAN, the public Internet, and client software on employee PCs is often sufficient to support work from home initiatives. In many cases, this exact sort of remote access VPN configuration helped businesses keep the lights on when the pandemic hit.
[boxlink link="https://catonetworks.easywebinar.live/registration-85?utm_source=blog&utm_medium=top_cta&utm_campaign=Using_SASE_For_ZTNA_webinar"] Watch the episode - Using SASE For ZTNA: The Future of Post-Covid 19 IT Architecture [/boxlink]
VPN disadvantages
While it is true remote access VPN saved the day for some businesses, it’s also true that the increased usage has further magnified some of the biggest VPN disadvantages.
#1: Not designed for continuous use
The use case for remote access VPN was never to connect an entire enterprise to the WAN. Traditionally, enterprises purchased VPN solutions to connect a small percentage of the workforce for short periods of time. With a shift to large-scale work from home, existing VPN infrastructure is forced to support a continuous workload it wasn’t intended for. This creates an environment where VPN servers are subject to excessive loads that can negatively affect performance and user experience.
#2: Complexity impedes scalability
Enterprises may try to address the issue of VPN overload with additional VPN appliances or VPN concentrators, but this adds cost and complexity to the network. Similarly, configuring VPN appliances for HA (high availability) adds more cost and requires more complex configuration.Further, because VPN servers provide remote access, but not enterprise-grade security and monitoring, they must be complemented by management solutions and security tools. These additional appliances and applications lead to even more configuration and maintenance. As each additional solution is layered in, the network becomes more complex and more difficult to scale.
#3: Lack of granular security
VPN appliances are a textbook example of castle-and-moat security. Once a user connects via VPN, they have effectively unrestricted access to the rest of the subnet. For some enterprises, this means non-admin users have network access to critical infrastructure when they shouldn’t. Further, this castle-and-moat approach increases the risk of malware spread and data breaches.To add granular security controls to remote access VPN, enterprises often have to deploy additional security point-solutions, but this adds additional cost and complexity while leaving plenty of room for misconfiguration and human error.
#4: Unpredictable performance
VPN connections occur over the public Internet, which means network performance is directly tied to public Internet performance. The jitter and packet loss common to the Internet can wreak havoc on mission critical apps and user experience. Additionally, enterprises with a global footprint know that there are significant latency challenges when attempting to send Internet traffic across the globe, before we even take into account the additional overhead VPN tunneling adds.
#5: Unreliable availability
Beyond unpredictable performance, enterprises that depend on the public Internet for remote access get no availability guarantees. When public Internet outages mean lost productivity for your entire organization, the risk of depending solely on the public Internet can outweigh the rewards significantly.
How SDP addresses remote access VPN disadvantages
SDP, when used as part of a holistic Secure Access Service Edge (or SASE) platform, directly addresses VPN’s disadvantages and provides enterprises with a scalable and reliable remote network access solution.
SASE is a category of enterprise networking that converges network and security functionality into a unified cloud-native service. SDP, which is an important part of the SASE framework, is a modern approach to remote application access that has global performance optimization, threat protection, and granular access controls built in.
The idea behind SDP is simple:
√ Users securely authenticate (e.g. using MFA and encrypted network protocols)
√ Access rights are assigned based on profiles and specific applications
√ Risk assessment occurs continuously during each user session
Using Cato’s SASE platform as an example, with SASE and SDP, enterprises gain a remote access solution that:
Is built for continuous access. Cato’s globally distributed cloud-native platform is purpose built for continuous access. Enterprises don’t have to worry about overloading a single VPN appliance with cloud-native infrastructure. Additionally, performance optimization and HA are built into Cato’s global private backbone, eliminating many of the performance issues that created VPN’s dependence on the public Internet.
Delivers hyper-scalability. Enterprises don’t need to add more appliances to scale. SDP and SASE bring the hyper-scalability of the cloud to remote access.
Provides granular access control. SDP allows enterprises to design access controls at the application-level and based on user profiles. This leads to a significant reduction in risk compared to VPN’s network-level approach.
Proactively protects against threats. With SDP, network traffic goes through end-to-end packet inspection using a robust cloud-based security stack designed to detect and prevent malicious behavior. This occurs without the need to deploy and maintain additional security solutions.
Is backed by a 99.999% uptime SLA. Cato’s global private backbone consists of more than 50 PoPs interconnected by Tier-1 Internet Service Providers and backed by a 99.999% uptime SLA. In a time where entire workforces are remote, this guarantee of availability can make a world of difference.
All this comes together to make SASE and SDP an ideal remote access VPN alternative.
Want to learn more about remote work, SDP, and SASE?
Enterprises are learning remote access VPN may not be the right long-term solution as we adjust to the new normal. Many are also learning that SASE and SDP are ideal for enabling secure, reliable, and high-performance remote work that can scale.
If you’d like to learn more about how SDP and SASE can address the challenges of legacy VPN, download our eBook Work from Anywhere for Everyone. If you’d like to see the Cato SASE platform in action for yourself, contact us or sign up for a demo today.
For the second year in a row, Cato Networks was recognized as a Sample Vendor in the Secure Access Service Edge (SASE) category in the...
Cloud Native, COVID-19, and True Secure Access Service Edge – What The 2020 Gartner Hype Cycles Taught Us For the second year in a row, Cato Networks was recognized as a Sample Vendor in the Secure Access Service Edge (SASE) category in the Gartner Hype Cycle for Enterprise Networking, 2020.1 Cato was also recognized as Sample Vendor in three other categories including SD-WAN, Firewall as a Service (FWaaS), and Zero Trust Network Access (ZTNA) in the Hype Cycle for Network Security 2020.2
In our opinion, it's unique for a vendor to be acknowledged for the same platform — not multiple, discrete products sold by the same vendor. The report also taught us quite a bit more about SASE since its introduction nearly a year ago. Here are some of the key highlights and insights.
SASE in, SD-WAN Out
What was an anomaly a year ago has become a phenomenon. In under a year, SASE has become widely accepted across the industry. Today, it’s understood that SD-WAN and security must come together. The days of standalone SD-WAN (without any stated security strategy) are past. The embracement of SASE is the best indicator of this trend.
Writes Gartner, “While the term originated in 2019, the architecture has been deployed by early adopters as early as 2017. By 2024, at least 40% of enterprises will have explicit strategies to adopt SASE, up from less than 1% at year-end 2018. By 2023, 20% of enterprises will have adopted SWG, CASB, ZTNA, and branch FWaaS capabilities from the same vendor, up from less than 5% in 2019.”1
SASE adoption reflects the shift towards a workforce that works from anywhere, accessing resources that are no longer confined to private datacenters. Writes Gartner, “Although the term is relatively new, the architectural approach (cloud if you can, on-premises if you must) has been deployed for at least two years. The inversion of networking and network security patterns as users, devices, and services leave the traditional enterprise perimeter will transform the competitive landscape for network and network security as a service over the next decade, although the winners and losers will be apparent by 2022."
One of the major motivations for SASE has been the shift to work-from-home. Writes Gartner, “COVID-19 has highlighted the need for business continuity plans that include flexible, anywhere, anytime, secure remote access, at scale, even from untrusted devices. SASE's cloud-delivered set of services, including zero trust network access, is driving rapid adoption of SASE.”1
As such, enterprises are encouraged to look at one, converged solution for branch offices and remote access. Writes Gartner, “Combine branch office and secure remote access in a single implementation, even if the transition will occur over an extended period.”1
Architecture Matters: True SASE Services Are Cloud Native
More so than evaluating specific features, SASE offerings should be evaluated on their architecture. Delivering a cloud-native architecture for security and networking capabilities is critical. Writes Gartner, “True SASE services are cloud-native — dynamically scalable, globally accessible, typically microservices-based and multitenant.” 1
Simply linking together discrete appliances does not meet this need. Writes Gartner, “Avoid vendors that propose to deliver the broad set of services by linking a large number of products via virtual machine service chaining.”1
The Shift to a Cloud-Native Architecture Threatens Incumbents
The emphasis on the cloud will be disruptive for many. Writes Gartner, “There have been more than a dozen SASE announcements over the past 12 months by vendors seeking to stake out their position in this extremely competitive market. There will be a great deal of slideware and marketecture, especially from incumbents that are ill-prepared for the cloud-based delivery as a service model and the investments required for distributed PoPs. This is a case where software architecture and implementation matters.”1
Adopt SASE Through Network Transformation
The shift to SASE can occur through the natural migration and development of the network. Gartner encourages enterprise IT to “Leverage a WAN refresh, firewall refresh, VPN refresh or SD-WAN deployment to drive the redesign of your network and network security architectures.” Enterprises are told to “Use cost-cutting initiatives in 2020 from MPLS offload to fund branch office and workforce transformation via the adoption of SASE.”1
Cato Delivers True SASE Not SASE Hype
Cato converges security and networking into a global, cloud-native platform that interconnects all edges — sites, users, applications, and cloud resources. At the core of the Cato Cloud is a global private backbone spanning 58 PoPs that extends the full range of Cato’s networking and security capabilities to every location and user worldwide.
As the SASE market matures, the importance of a cloud-native architecture is becoming ever more critical. As we noted earlier, Gartner writes, “True SASE services are cloud-native — dynamically scalable, globally accessible, typically microservices-based and multitenant.”2 In our opinion, this SASE definition breaks away from the appliance-centric, and service chained model of legacy architectures.
Today, Cato has more than 600 SASE customers worldwide, connecting thousands of locations, and nearly 200,000 mobile users. Cato has been delivering its SASE architecture since 2017 to enterprises of all sizes.
To learn more, read
the Gartner Hype Cycle for Network Security, 2020, for a limited time.
the text of the SASE category from the two recent Hype Cycle reports.
the press release about Cato’s recognition in these two recent Hype Cycle reports.
about Cato’s SASE offering, visit https://www.catonetworks.com/SASE
Visit our blog to learn more about SASE from these two recent Gartner Hype Cycle reports.
To read the press release about Cato’s recognition within these two recent Hype Cycle reports visit here.
To see the complete SASE text from the Hype Cycle, download The Gartner Hype Cycle for Network Security 2020.
To read the press release about Cato’s recognition within the Hype Cycle, visit https://www.catonetworks.com/news/cato-in-the-gartner-hype-cycle-for-network-security-2020
To learn more about Cato’s SASE offering, visit https://www.catonetworks.com/SASE
1 Gartner, "Hype Cycle for Enterprise Networking, 2020” Andrew Lerner, Danellie Young, July 8, 2020.
2 Gartner, "Hype Cycle for Network Security, 2020” Pete Shoard, June 30, 2020.
Gartner Disclaimer
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Millions of people have been told to work from home (WFH) to support social distancing edicts during the pandemic. While many countries have now loosened...
How to Prepare for Long-term Remote Work, Post-Pandemic Millions of people have been told to work from home (WFH) to support social distancing edicts during the pandemic. While many countries have now loosened their restrictions and allowed some workers to return to their places of employment, there are indications that WFH could be long-lasting or even permanent for some.
In a March 30 survey of 317 CFOs and business finance leaders conducted by Gartner, nearly 75 percent of those surveyed expect that at least 5 percent of their workforce who previously worked in company offices will become permanent WFH employees after the pandemic ends.
This shift to remote work has big implications for enterprise networks. Network managers who had to quickly put the resources in place to support a temporary WFH mandate will need to rethink how to sustain remote work for the long-term. There are three areas, in particular, that we believe are critically important in supporting a remote workforce: network access, security, and enterprise communications.
Remote Workers Need Network Access Comparable to In-Office Workers
To accommodate the sudden surge of home-based workers, network managers might have ordered a slew of new VPN licenses, and maybe even a larger firewall or VPN appliance, to connect people to the corporate network. However, access via VPN can be notoriously slow, especially as traffic is backhauled back across the Internet to the VPN server. VPNs also can harbor significant vulnerabilities, an issue we noted in a recent post. NIST’s Vulnerability Database has published over 100 new CVEs for VPNs since last January.
For these reasons, VPNs should not be viewed as a permanent solution for remote workers. Rather, people working from home on a full-time basis need network access that is comparable to in-office workers—reliable, good performance, easy to use, and secure.
As the world's first global Secure Access Service Edge (SASE) platform, Cato includes remote access with SD-WAN in one single platform. Enterprises can choose how to securely connect remote and mobile users to their enterprise resources and applications. Cato Client is a lightweight application that can be set up on a user’s device in minutes. It automatically connects the remote user to the Cato Cloud and from there they can access the same resources and applications they could access from any branch office. Cato’s clientless access solution allows optimized and secure access to select applications through a browser. Users navigate to an Application Portal, which is globally available from all of Cato’s 50+ PoPs, authenticate with the configured SSO, and are instantly presented with their approved applications.
[caption id="attachment_10102" align="aligncenter" width="1564"] With Cato’s clientless option, users are presented with a dashboard of approved applications. Clicking on an icon launches them directly into the application.[/caption]
Security is Essential to Enable Working From Home
Remote work often puts the employee outside the network defense perimeter. Therefore, any WFH practices have to consider two aspects of security, those being network access control and protecting the home-based worker from cyber-attack.
A VPN establishes a secure, encrypted connection so that a remote user’s traffic can travel over a public, unsecured, unencrypted network privately and safely. Other than encrypting the traffic in transit, a VPN has little else to offer in terms of securing the user’s ability to access the enterprise network and providing functions such as threat detection and mitigation.
Security, overall, is where Cato really shines because security is inherent in the network. It begins with the user login to the enterprise network. Cato is integrated with identity providers to provide strong authentication and a single-sign-on (SSO) experience. Using authentication services, like Microsoft 365 or Azure AD, as the remote access SSO will ensure that users securely authenticate through interfaces they are already familiar with. And, enabling multi-factor authentication at the identity provider will automatically enforce it to the remote access user’s authentication, further strengthening remote access security.
The remote user’s traffic is fully inspected by Cato’s security stack, ensuring enterprise-grade protection to users everywhere. Cato’s access controls (Next Generation Firewall, Secure Web Gateway), Advanced Threat Protection (IPS, next generation anti-malware) and managed threat detection and response (MDR) capabilities are enforced globally, ensuring that remote users benefit from the same protection as office users.
Unified Communications Help All Workers Collaborate, No Matter Where They Are
Many organizations have adopted Unified Communications (UC) or UC-as-a-Service (UCaaS) to promote collaboration across the enterprise. All workers need consistent and reliable access to services such as voice, video, web conferencing, email, voice mail, messaging, screen and document sharing, and scheduled meetings. It’s critical that remote/WFH workers have these same tools to maintain virtual presence, if not physical presence, with their colleagues in the office. And while Cato doesn’t offer UCaaS as part of the Cato Cloud network, our network is optimized in several ways to support this type of service.
UCaaS quickly becomes a critical application for many organizations, which makes securing UCaaS against disruption particularly important. Cato addresses this problem by converging security services into the network. Next-generation firewall (NGFW), intrusion prevention service (IPS), advanced threat protection, and network forensics are converged into Cato Cloud, protecting UCaaS and all traffic from Internet-borne threats.
Cato minimizes packet loss and latency – the enemy of call quality – through loss correction, and by eliminating backhaul and avoiding the unpredictable public Internet. Backhaul is eliminated by sending UCaaS traffic directly across the Cato network to the Cato PoP closest to the UCaaS destination. And as Cato and UCaaS providers like RingCentral often share the same physical datacenters, public Internet latency is minimized.
Cato overcomes congestion and last-mile packet loss that often degrade UCaaS service quality. Sophisticated upstream and downstream Quality of Service (QoS) ensure UCaaS traffic receives the necessary bandwidth. Policy-based Routing (PBR) along with real-time, optimum path selection across Cato Network minimizes packet loss.
And finally, Cato overcomes last-mile availability problems by sending traffic across multiple last-mile links (active/active mode; other options, such as active/passive and active/active/passive are also available). In the event of a brownout or blackout, UCaaS sessions automatically failover to the secondary connection fast enough to preserve a call. Brownouts are also mitigated by various Packet Loss Mitigation techniques.
Making the Remote Office a Safe Haven for Work
The coronavirus pandemic is changing business and work life in many ways. Employees who have receded to the safe recesses of their homes may never venture to the office again. Network managers need to consider how to keep WFH employees as effective and productive as if they were still in a corporate office, and this includes network access, security and collaborative communications.
