High availability may be top of mind for your organization, and if not, it really should be. The cost range of an unplanned outage ranges...
SASE Instant High Availability and Why You Should Care High availability may be top of mind for your organization, and if not, it really should be. The cost range of an unplanned outage ranges from $140,000 to $540,000 per hour. Obviously, this varies greatly between organizations based on a variety of factors specific to your business and environment. You can read more on how to calculate the cost of an outage to your business here: Gartner.
The adoption of the cloud makes high availability more critical than ever, as users and systems now require reliable, secure connectivity to function. With SASE and SSE solutions, vendors often focus on the availability SLA of the service, but modern access requires a broader application of HA across the entire solution. Starting with the location, simple, low-cost, zero-touch devices should be able to easily form HA pairs. Connectivity should then utilize the best path across multiple ISPs, connecting to the best point of presence (with a suitable backup PoP nearby as well) and finally across a middle-mile architected for HA and performance (a global private backbone if you will).
How SASE Provides HA
If this makes sense to you and you don’t currently have HA in all the locations and capabilities that are critical to your business, it is important to understand why this may be. Historically, HA was high effort and high cost as appliances-based solutions required nearly 2x investment to create HA pairs. Beyond just the appliances, building redundant data centers and connectivity was also out of reach for many organizations. Additionally, customers were typically responsible for architecting, deploying, and maintaining the HA deployment (or hiring a consultant), greatly improving the overall complexity of the environment.
[boxlink link="https://www.catonetworks.com/resources/cato-named-a-challenger-in-the-gartner-magic-quadrant-for-single-vendor-sase/?cpiper=true"] Cato named a Challenger in the Gartner® Magic Quadrant™ for Single-vendor SASE | Download the Report [/boxlink]
Let’s say that you do have the time and budget to build your own HA solution globally, is the time and effort worth it to you? How long will it take to implement? I understand you’ve worked hard to become an expert on specific vendor technologies, and it never hurts to know your way around a command line, but implementation and configuration are only the start. Complex HA configurations are difficult to manage on an ongoing basis, requiring specialized knowledge and skills, while not always working as expected when a failure occurs.
To protect your business, HA is essential, and SASE and SSE architectures should provide it on multiple levels natively as part of the solution. We should leave complicated command-line-based configurations and tunnels with ECMP load balancing in the past where they belong, replacing them with the simple, instant high-availability of a SASE solution you know your organization can rely on. Want to see the experience for yourself? Try this interactive demo on creating HA pairs with Cato Sockets here, I warn you, it’s so easy it may just be the world’s most boring demo.
For as long as anyone can remember, organizations have had to balance 4 key areas when it comes to technology: security efficacy, cost, complexity, and...
Security Requires Speed For as long as anyone can remember, organizations have had to balance 4 key areas when it comes to technology: security efficacy, cost, complexity, and user experience. The emergence of SASE and SSE brings new hope to be able to deliver fully in each of these areas, eliminating compromise; but not all architectures are truly up to the task.
SASE represents the convergence of networking and security, with SSE being a stepping-stone to a complete single-vendor platform. The right architecture is essential to providing an experience that aligns with the expectations of modern workers while delivering effective security at scale. Here are a few things to consider when exploring SASE and SSE vendors:
Marketing claims aside, you should consider how many unique geographic locations can provide all capabilities to your user base as well as how effective the organization has been at adding and scaling new PoPs. These PoPs should be hosted in top-tier data centers and not rely on the footprint of a public cloud provider.
[boxlink link="https://go.catonetworks.com/Frost-Sullivan-Award-Cato-SSE360_LP.html"] Cato Networks Recognized as Global SSE Product Leader | Download the Report [/boxlink]
Global Private Backbone
Cloud and mobile adoption are still on the rise but create challenges as users and apps are no longer in fixed locations. The public Internet routes traffic in favor of cost savings for the ISP without consideration for performance. While peering is also a key factor in achieving strong performance, a true global private backbone is critical to any SASE or SSE product and should provide value to both Internet-bound and WAN traffic. Customers should be able to control the routing of their traffic across this backbone to egress traffic as close to the destination as possible.
QoS has been around for more than 20 years and is useful to ensure that critical applications have enough available bandwidth, but QoS does not do anything to improve performance beyond this. When evaluating a provider, look for networking optimization capabilities such as TCP proxy and packet-loss mitigation that will improve the overall user experience.
At Cato Networks, we were founded to deliver on the vision of a true SASE solution, converging networking and security to eliminate compromise and create simple, secure connectivity with performance. Recently we conducted a performance test for one of our customers comparing Cato’s SASE cloud to Zscaler Private Access and the results are impressive.
For the test, several files were transferred from the customer’s file share in London to an endpoint in Tokyo. Even for files only 100MB in size, the performance improvement is substantial. It’s also worth noting that ZPA doesn’t inspect traffic for threats, and despite Cato’s complete zero-trust approach to WAN traffic, with all inspection engines active, Cato’s SASE cloud was able to achieve up to a 317% improvement in performance.
SASE and SSE vendors deliver critical capabilities to organizations and should be carefully evaluated before adoption. While performance is one of many factors to consider, I urge IT and Security leaders not to make it the lowest priority. After all, users are doing their best to be productive and high-performers will naturally look for ways to bypass obstacles that are slowing them down. Just remember… fast is secure, secure is fast.
In this article, we will discuss some of the various policy objects that exist within the Cato Management Application and how they are used. You...
Cato SASE Cloud: Enjoy Simplified Configuration and Centralized, Global Policy Delivery In this article, we will discuss some of the various policy objects that exist within the Cato Management Application and how they are used. You may be familiar with the concept of localized versus centralized policies that exist within legacy SD-WAN architectures, but Cato’s cloud-native SASE architecture simplifies configuration and policy delivery across all capabilities from a true single management application.
Understanding Cato’s Management Application from Its Architecture
To understand policy design within the Cato Management application, it’s useful to discuss some of Cato’s architecture. Cato’s cloud was built from the ground up to provide converged networking and security globally. Because of this convergence, automated security engines and customized policies benefit from shared context and visibility allowing true single-pass processing and more accurate security verdicts.
Each piece of context can typically be used for policy matching across both networking and security capabilities within Cato’s SASE Cloud. This includes elements like IP address, subnet, username, group membership, hostname, remote user, site, and more. Additionally, policy rules can be further refined based on application context including application (custom applications too), application categories, service, port range, domain name, and more. All created rules apply based on the first match in the rule list from the top down.
[boxlink link="https://www.catonetworks.com/resources/cato-sse-360-finally-sse-with-total-visibility-and-control/?utm_source=blog&utm_medium=top_cta&utm_campaign=cato_sse_360"] Cato SSE 360: Finally, SSE with Total Visibility and Control | Whitepaper [/boxlink]
A Close Look at Cato’s Networking Policy
Cato’s SASE Cloud is comprised of over 75 (and growing) top-tier data center locations, each connected with multiple tier 1 ISP connections forming Cato’s global private backbone. Cato automatically chooses the best route for your traffic dynamically, resulting in a predictable and reliable connection to resources compared with public Internet. Included features like QoS, TCP Acceleration, and Packet Loss Mitigation allow customers to fine-tune performance to their needs.
1. Cato Network Rules are pre-defined to meet common use-cases. They can be easily customized or create your own rules based on context type.
By default, the Cato Management Application has several pre-defined network rules and bandwidth priority levels to meet the most common use cases, but customers can quickly customize these policies or create their own rules based on the context types mentioned above. Customers can control the use of TCP acceleration and Packet Loss Mitigation and assign a bandwidth priority level to the traffic. Additionally, traffic routing across Cato’s backbone is fully under the customer’s control, allowing egressing from any of our PoPs to get as close to the destination as possible. You can even egress traffic from an IP address that is dedicated to your organization, all without opening a support ticket.
2. Bandwidth Priorities: With Cato, it’s easy to assign a bandwidth priority level to the traffic.
Cato’s Security Policies Share a Similar, Top-Down Logic
Cato’s security policies follow the same top-down logic and benefit from the same shared context as the network policy.
3. Internet Firewall Rules enforce company-driven access policies to Internet websites and apps based on app name, category, port, protocol and service.
The Internet Firewall utilizes a block-list approach and is intended to enforce company-driven access policies to Internet websites and applications based on the application name, application category, port, protocol, and service. Unlike legacy security products, customers do not have to manage and attach multiple security profiles to their rules. All security engines (IPS, Anti-Malware, Next-Generation Anti-Malware) are enabled globally and scan all ports and protocols with exceptions created only when needed. This provides a consistent security posture for all users, locations, and devices without the pitfalls and misconfigurations of multiple security profiles.
4. Cato’s WAN Firewall provides granular control of traffic between all connected edges.
Cato’s WAN Firewall provides granular control of traffic between all connected edges (Site, Data Center, Cloud Data Center, and SDP User). Full mesh connectivity is possible, but the WAN Firewall has an allow-list approach to encourage a zero-trust access approach. The combination of source, destination, device, application, service, and other contexts is extremely flexible, allowing administrators to easily configure the necessary access between their users and locations. For example, typically only IT staff and management servers will need to connect to mobile SDP users directly, and this can be allowed in just a few clicks, or if you want to allow all SMB traffic between a site where your users are and a site with your file servers, that can also be done just as easily.
More About Cato’s Additional Security Capabilities
Cato has additional security capabilities beyond what we’ve covered, including DLP and CASB that have their own policy sets and as we continue to develop and deploy new capabilities you may see more added as well. But like what you’ve seen so far, you can expect simple, easy-to-build policies with powerful granular controls based on the shared context of both networking and security engines. Of course, all policy and service controls will be delivered from a true single-management point – the Cato Management Application.
Cato SSE 360 = SSE + Total Visibility and Control
For more information on Cato’s entire suite of converged, network security, please be sure to read our SSE 360 Whitepaper. Go beyond Gartner’s defined scope for an SSE service that offers full visibility and control of all WAN, internet, and cloud. Complete with configurable security policies that meet the needs of any enterprise IS team, see why Cato SSE 360 is different than traditional SSE vendors.
TLS or Transport Layer Security is the evolution of SSL, and the terms are often used interchangeably. TLS is designed to increase security by encrypting...
Don’t Turn a Blind Eye to TLS Traffic TLS or Transport Layer Security is the evolution of SSL, and the terms are often used interchangeably. TLS is designed to increase security by encrypting data end-to-end between two points, ideally preventing bad actors from having visibility into the traffic of your web session. However, threat actors have also come to see the value in utilizing TLS encryption for delivering malware and evading security controls.
This can be indirect via the leveraging common sanctioned SaaS applications (Office365, Box, Dropbox, GDrive, etc.) as delivery vectors or direct by using free certificates from Let’s Encrypt. Let’s Encrypt is a free and open certificate authority created and run for the benefit of the public. Despite being designed for good, threat actors wasted no time in leveraging the advantages of free encryption in their activities.
The point here is that most traffic, good and bad, is now TLS encrypted and can create challenges for IT and security teams.
TLS Inspection to the Rescue
TLS inspection is almost completely transparent to the end-user and sits between the user and their web applications. Like the malicious activity known as a man-in-the-middle attack, TLS inspection intercepts the traffic, enabling inspection by security engines. For this to work without disruption to the end-user, an appropriate certificate must be installed on the client device.
TLS inspection has been available for some time now but isn’t widely used due to a variety of reasons, primarily cost and complexity. Historically NGFW or other appliances have been the source of TLS inspection capabilities for organizations. With any appliance, there is a fixed amount of capability, and the more features you enable, the lower the throughput. TLS inspection is no different and often requires double (or more) hardware investment to accomplish at scale. Additionally, TLS inspection brings up privacy concerns about financial and health information that are not always easily addressed by legacy products.
[boxlink link="https://www.catonetworks.com/resources/tls-decryption-demo/?utm_source=blog&utm_medium=top_cta&utm_campaign=tls_demo"] Cato Demo | TLS Inspection in Minutes [/boxlink]
SASE Makes it Possible
SASE or Secure Access Service Edge removes most of the challenges around TLS decryption, allowing organizations to secure their users and locations more effectively. SASE offers TLS inspection capabilities as product functionality, with no need to size and deploy hardware. Simply create desired exceptions (or alternatively specify what traffic to inspect), deploy certificates to endpoints, and enable the feature. This easy alternative to NGFW TLS decryption makes it possible for organizations to gain visibility into the 95% of their traffic that is hiding in TLS. There are still some challenges, primarily certificate pinned websites and applications. Most SASE providers will manage a bypass list of these for you, but you can always improve your security posture by blocking un-inspectable traffic where it makes sense.
Gain Visibility Today
The question remains, if you are not inspecting TLS today, why aren’t you? You have most likely invested in security technologies such as IPS, CASB, SWG, Next-Generation Antimalware, DLP, etc., but without complete visibility, these tools cannot work effectively. Security engines are a bit like the x-ray machine at airport security, they reveal the contents of luggage (packets) to identify anything bad. Now imagine if you are in the security line and they are only inspecting 5 out of every 100 bags. How secure does this make you feel, would you still get on the plane?
SASE has removed many of the obstacles to adopting TLS inspection and provides complete visibility to all security engines to maximize their value. If you have not considered SASE yet, now may be the time. If you already have SASE and do not know where to start with TLS inspection, start small. You should be able to selectively enable the capability for risky categories of URLs and applications and then increase the scope as your comfort level grows.
See this quick video demo on how easy it is to enable TLS inspection with Cato Networks!
A Complex Landscape As time passes, technology and human innovation have advanced rapidly. This is not only in terms of available connectivity, bandwidth, and processing...
The Value of Security Simplicity A Complex Landscape
As time passes, technology and human innovation have advanced rapidly. This is not only in terms of available connectivity, bandwidth, and processing power but also in terms of the networking and security landscape as well. For every technological advancement in consumer and business productivity, IT systems, operations and security must also try and keep pace.
We must consider not only the speed and capacity at which these tools must operate, but also the emergence of entirely new technical domains. The industry has moved away from castle and moat designs and replaced them with cloud platforms for a variety of services, effectively moving from endpoint security to network security and finally to cloud security and cloud-delivered network security. But with each new need and technical area, a multitude of vendors and products emerge only adding to the complexity.
[caption id="attachment_24677" align="alignnone" width="3000"] Momentum CyberScape Source[/caption]
IT and security leaders must consider multiple security product categories such as network & infrastructure, web, endpoint, application, data, mobile, risk & compliance, operations & incident response, threat intelligence, IoT, IAM, email/messaging, risk management, and more. Adding to the challenge, for each category there are multiple vendors with different product sets, architectures and capabilities. It can be time consuming and challenging to prioritize security investments while selecting the ideal vendor for your business. While each product that you purchase and implement is intended to strengthen your security posture and reduce risk, these products may also be increasing the complexity of your environment.
[boxlink link="https://www.catonetworks.com/resources/ransomware-is-on-the-rise-catos-security-as-a-service-can-help?utm_source=blog&utm_medium=top_cta&utm_campaign=ransomware_ebook"] Ransomware is on the Rise – Cato’s Security as a Service can help | Get the eBook [/boxlink]
Complexity Erodes Security
Many have considered it a best practice to purchase products based on the perception in the market as “best of breed.” This approach seems logical but can be detrimental as getting these products to work together can be difficult or impossible. Even products from the same vendor can be lacking in integration, especially if the product was the result of an acquisition. Furthermore, even with out-of-the-box integrations, getting everything to work as desired can still be very time-consuming.
You may have already learned through experience that integration is not convergence. If you are still questioning the difference between the two, here are two examples. A converged solution will have a single management application for all functions of the platform. Separate consoles or a pseudo-unified console that requires downloading, installing, and managing plugins are not converged. For cloud-delivered offerings, a converged solution will offer all capabilities at all PoPs. A vendor that uses some PoPs for capabilities like DLP and remote access and other PoPs for things like NGFW and SWG is not converged. Non-converged solutions can drastically increase management touch, increasing administrative overhead and cost while eroding security value.
How does this happen? For every new product and management application, the opportunity for misconfiguration increases as does the number of policies. Misconfigurations can easily lead to high profile security incidents, while multiple sets of separate policies can lead to gaps that are difficult to identify. A converged security platform provides holistic visibility into your organization’s policies and even makes it easier when you need to conduct compliance audits. Of course, the market has responded to this, and you can spend more money on third-party integration and management tools, or developers that can build custom integrations for you. However, CISO’s live in the real world and do not have unlimited budget, nor do they typically want to own a software development life cycle for home-built integrations. Just remember, more vendors and more products can easily mean more problems.
Is Your Security Stack Weighing You Down?
In addition to hurting your organization’s budget and security posture, point-security products also reduce your ability to be agile and innovate. You may need to manage an update schedule for each of your devices and products. While most vendors have automatic update options, the best practice is to test updates before putting them into production and monitor impacts after production. For example, a content update on a Palo Alto Networks PA-220 Firewall is estimated to take up to 10 minutes.* If you have 1,000 PA-220s, that is more than 166 hours of update time, not including downloading, testing, and verifying. Updates to the device’s firmware or operating system will likely take longer and can lead to outages or device failures. All this time spent on maintaining what you already own can slow other projects in your organization.
“[Content update] installation can take up to 10 minutes on a PA-220 firewall” * Source
Beyond your organization’s ability to innovate, you should also consider the impacts on yourself or your team. Most security products require specialized technical expertise. This can make hiring challenging, especially if you need someone who can manage multiple aspects of your deployment. This means that hiring cycles will take longer, work/life balance may be compromised, and new hire ramping time is increased. Furthermore, complex deployments can make it difficult for skilled individuals to be promoted or take vacation time.
Your security stack represents a significant investment, but is it serving all users, locations, and applications? The costs of deploying and managing your own security architecture will often lead to compromises. You may have a few datacenters and probably backhaul traffic to them to secure. But often enough due to performance and other requirements, you may also be excluding specific locations, users, or applications from some or all security functions. This creates inconsistency in your security posture and user experience and will hurt your organization.
SASE Is the Way
You probably have heard of the Secure Access Service Edge or SASE, a term that Gartner coined in 2019. SASE is the way forward for most modern organizations and represents the convergence of networking and security capabilities delivered from the cloud. This allows organizations to remain agile and flexible, reducing complexity, while securing and enabling their users. The SASE market is relatively new, but there are already multiple vendors who want your business.
When looking at SASE, don’t forget about simplicity, many vendors don’t have converged solutions and the complexity of legacy technology still lurks in their products. Management time and policy sets should be reduced, while deployments and new feature adoption should be seamless. Updates are the vendor's responsibility, keeping you more secure and giving you time for other projects. You may have heard the acronym K.I.S.S. before, but I’ve changed it a bit for a SASE world: Keep It Simple & Secure.
“When we learned about the Cato solution, we liked the idea of simple and centralized management. We wouldn’t have to worry about the time-consuming process of patch management of on-premise firewalls,” – Alf Dela Cruz, Head of IT Infrastructure and Cyber Security at Standard Insurance