Why a Backbone Is More Than Just a Bunch of PoPs

Since SASE’s introduction, many networking and security vendors have rushed to capitalize on the market by partnering with other providers to include cloud backbones as part of their SASE offerings. But SASE isn’t just a bunch of features in appliances managed from the cloud. It’s about building a true cloud service, one that delivers optimal, secure access to your sites, mobile users, and cloud resources regardless of their location. Achieving that lofty goal requires far more than simply partnering with a global backbone provider. Here’s why.

Simple PoPs Have Shortcomings

Every vendor claiming a SASE solution communicates about having a worldwide deployment of Points of Presence (PoPs). But you must consider the architecture of this network. Most vendors claiming a SASE solution host their PoPs in a datacenter provided by Amazon (AWS), Google (GCP), or Microsoft (Azure). The PoP is just a connection point – a gateway, of sorts – where the external world (i.e., your sites) connects to the hosting provider. It is not where data is managed or secured. Those functions take place in a separate compute location or datacenter. Thus, when your traffic reaches a PoP, the PoP sends the traffic over the provider’s backbone to that separate compute location. This additional traffic flow adds latency. What’s more, while a SASE vendor may claim to have 100+ PoPs, it may only have 20 or 25 compute locations in the world, creating a funnel effect for traffic. This architecture is inherently inefficient and adds latency to all traffic flows.

Of course, that compute location isn’t the final destination for your traffic. It would typically be bound for a SaaS application – perhaps one that isn’t hosted in the same region – or for your own datacenter or another branch office (i.e., site-to-site traffic), or for the general Internet. Now you must consider: how do we keep a reliable network between these points? How do we manage the inbound quality of service? How do we ensure good performance? Are we able to prioritize our key applications, use cases and workloads on our network? SD-WAN will not do these things for you. The fact is, many SASE providers use the Internet as the backbone network between their PoPs. Traffic placed on this backbone simply takes the Internet’s default path. There is no predictability or SLA for performance. There is little or no control over the packets traveling on that Internet backbone. If you can’t control the performance of this traffic, you lose control over applications and thus over the user experience.

“Best Effort” Isn’t Always the Best Way

I have talked with numerous enterprises that replaced MPLS circuits with SD-WAN. Initially, users and management are often happy. IT reduced circuit costs and gained some application steering capabilities at the local level. By that I mean, traffic goes to the SASE solution provider’s PoPs to be forwarded to SaaS or IaaS applications or the Internet. Things work fine—until they don’t. When performance problems arise, the customers don’t know who to call because the WAN is using the “best effort” Internet to move traffic. It is not under the SASE provider’s control, so there are no guarantees for performance or quality of service. The network works fine 70% or 80% of the time, but the rest of the time there is packet loss, jitter, and high latency. There’s no way to know where the issue is, or how to resolve it. As a result, critical applications like voice can really suffer in this model.

Cato’s PoPs Are on a Global Private Backbone

Cato also has a global network of PoPs – more than 60 at this writing – but this network has a different, far more efficient architecture. Cato’s PoPs run multitenant software in our own datacenters, not in a Google, Microsoft or Amazon cloud. Cato PoPs perform the network and security functions in those very same datacenters. So unlike hosted SASE solutions, Cato doesn’t have to send your traffic to a separate compute location to manage and secure data, which eliminates that extra hop and its latency. Moreover, there is a 1:1 ratio of PoPs to compute locations because they are one and the same datacenter. This is important because Gartner says the density and scope of coverage are going to be critical to the success of SASE.

Now let’s talk about the network backbone connecting the PoPs. Instead of using the general Internet to connect them, Cato has a global private backbone. It consists of the global, geographically distributed, SLA-backed PoPs interconnected by multiple tier-1 carriers. The IP transit services on these carriers are backed by “five 9s” availability and minimal packet loss guarantees. As such, the Cato Cloud network has predictable and consistent latency and packet loss metrics, unlike the public Internet. Cato’s cloud-native software provides global routing optimization, self-healing capabilities, WAN optimization for maximum end-to-end throughput, and full encryption for all traffic traversing the network.

Cato’s global PoPs are connected in a full-mesh topology to provide optimal global routing. The Cato software calculates multiple routes for each packet to identify the shortest path across the mesh. Direct routing to the destination is often the right choice, but in some cases traversing an intermediary PoP (or two) is the better route.

Cato Uses Multiple Cloud Optimization Techniques

Cato natively supports cloud datacenter (IaaS) and cloud application (SaaS) resources without additional configuration, complexity, or point solutions. Specific optimizations include:
• Shared Internet Exchange Points (IXPs), where the Cato PoPs colocate in datacenters directly connected to the IXP of the leading IaaS providers, such as Amazon AWS, Microsoft Azure, and Google Cloud Platform.
• Optimized Cloud Provider (IaaS) Access, in which Cato places PoPs on the AWS and Azure infrastructure.
• Optimized Public Cloud Application (SaaS) Access, whereby SaaS traffic sent to the Cato Cloud routes over the Cato backbone, exiting at the PoP nearest to the SaaS application.

Cato Has Strong Security at the PoPs

Another differentiator for Cato is the full stack of security solutions embedded in every PoP. Security is applied to all traffic at the PoP before it goes to its final destination—whether that is another branch, a SaaS application, a cloud platform, or the Internet. The enterprise-grade security includes an application-aware next-generation firewall-as-a-service (FWaaS), a secure web gateway with URL filtering (SWG), standard and next-generation anti-malware (NGAV), and a managed IPS-as-a-service (IPS). Cato can further secure your network with a comprehensive Managed Threat Detection and Response (MDR) service to detect compromised endpoints. Zero Trust Network Access (ZTNA) is also part of the integrated security offering.

Cato’s PoPs Deliver Extra Value

At Cato, we have a lot of engagements with enterprise organizations that deployed SD-WAN + SWG with PoPs. Most are not satisfied with the results. They complain about the lack of full visibility, the lack of full control over WAN and Internet traffic, and the lack of unification. Part of my job as a sales engineering manager is to reassure them that the solution they really want has existed for five years now and is deployed at thousands of customers. Talk to us about how Cato’s series of PoPs offers quite a lot of value beyond simply connecting edge locations into the WAN.
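The full-mesh routing idea in the backbone section above (compute several candidate routes between PoPs and sometimes prefer a path through one or two intermediary PoPs over the direct link) can be shown with a small shortest-path computation. The following is an added illustration written for this page, not Cato’s software; the PoP names, link latencies, the 5% loss event and the loss-penalty rule are all constructed assumptions.

```python
"""Latency-aware routing over a full-mesh backbone.

Added illustration for this page, not Cato's software. PoP names, link
latencies and the loss-penalty rule below are constructed assumptions.
"""
import heapq
from typing import Dict, List, Optional, Tuple

Graph = Dict[str, Dict[str, float]]   # node -> {neighbour: link cost in ms}

# Constructed full mesh of four PoPs with symmetric one-way latencies (ms).
# The direct new_york -> singapore link is deliberately slow so that a path
# through intermediary PoPs wins, as the article says can happen.
SAMPLE_LINKS: Graph = {
    "new_york":  {"london": 70.0, "frankfurt": 90.0, "singapore": 260.0},
    "london":    {"new_york": 70.0, "frankfurt": 15.0, "singapore": 175.0},
    "frankfurt": {"new_york": 90.0, "london": 15.0, "singapore": 150.0},
    "singapore": {"new_york": 260.0, "london": 175.0, "frankfurt": 150.0},
}


def dijkstra(graph: Graph, src: str, dst: str) -> Tuple[float, List[str]]:
    """Return (total cost, ordered hop list) of the cheapest src -> dst path."""
    best: Dict[str, float] = {src: 0.0}
    prev: Dict[str, Optional[str]] = {src: None}
    heap: List[Tuple[float, str]] = [(0.0, src)]
    done = set()
    while heap:
        cost, node = heapq.heappop(heap)
        if node in done:
            continue                      # stale heap entry, already settled
        done.add(node)
        if node == dst:
            break
        for nxt, link_cost in graph[node].items():
            candidate = cost + link_cost
            if candidate < best.get(nxt, float("inf")):
                best[nxt] = candidate
                prev[nxt] = node
                heapq.heappush(heap, (candidate, nxt))
    if dst not in done:
        raise ValueError(f"no path from {src} to {dst}")
    path: List[str] = []
    cur: Optional[str] = dst
    while cur is not None:
        path.append(cur)
        cur = prev[cur]
    return best[dst], path[::-1]


def apply_loss_penalty(graph: Graph, loss_pct: Dict[Tuple[str, str], float],
                       penalty_ms_per_pct: float = 20.0) -> Graph:
    """Return a copy of graph with lossy links made more expensive.

    Constructed rule: each percent of observed packet loss on a link adds
    penalty_ms_per_pct to that link's cost in both directions, so the
    shortest-path search steers around a degraded link (a simple stand-in
    for the "self-healing" behaviour the article mentions).
    """
    adjusted: Graph = {n: dict(nbrs) for n, nbrs in graph.items()}
    for (a, b), pct in loss_pct.items():
        penalty = pct * penalty_ms_per_pct
        adjusted[a][b] += penalty
        adjusted[b][a] += penalty
    return adjusted


def compare_routes(graph: Graph, src: str, dst: str) -> Dict[str, object]:
    """Contrast the direct link with the best path across the mesh."""
    direct_ms = graph[src][dst]
    best_ms, path = dijkstra(graph, src, dst)
    return {
        "direct_ms": direct_ms,
        "best_ms": best_ms,
        "path": path,
        "intermediaries": path[1:-1],
        "saving_ms": direct_ms - best_ms,
    }


if __name__ == "__main__":
    print("healthy mesh:", compare_routes(SAMPLE_LINKS, "new_york", "singapore"))
    # Constructed event: 5% packet loss observed on the london <-> frankfurt link.
    degraded = apply_loss_penalty(SAMPLE_LINKS, {("london", "frankfurt"): 5.0})
    print("after loss on london-frankfurt:",
          compare_routes(degraded, "new_york", "singapore"))
```

On the healthy sample mesh the cheapest New York to Singapore path runs through two intermediaries (London, then Frankfurt) and beats the direct link by 25 ms; once loss is observed on the London–Frankfurt link the penalty pushes the search onto the single-hop path via Frankfurt instead. The point of the exercise is that route selection only works when the operator measures latency and loss on every link, which is exactly what a best-effort Internet backbone does not provide.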

One Customer’s ROI Argument for Cato Cloud

When Gartner published its seminal report on SASE (“The Future of Network Security Is in the Cloud,” August 2019), the analyst firm listed the reduction of complexity and costs as one of the top benefits of SASE. Each day, Cato customers confirm that’s the case; there is significant ROI in the simplicity of SASE. Costs can be vastly reduced when networking and security are merged, and the operational aspects are provided as a service.

Recently, one of our customers shared an accounting of their ROI. The company, which asked to remain anonymous, is a public company in the construction industry with locations worldwide. Deployment of Cato is well underway, and already, the company has reduced operational costs by 60 to 70 percent and networking and security costs by 50 percent.

Different Types of Networks for Different Types of Locations

This company is the third-largest construction firm in the world. It has 40 sites in more than 20 countries across Europe, the Americas, and Asia-Pacific. There are more than 3,000 employees worldwide. The company’s original WAN operated on a telco bundle from a carrier that provided a global MPLS network and worldwide Internet services to the various sites. Secure Web Gateway (SWG) services in the cloud were used to secure the web traffic. The company provided locations with different levels of connectivity based on the criticality of the work performed at each site:
• Level 1 sites required two MPLS and two Internet links.
• Level 2 sites required one MPLS and one Internet link.
• Level 3 sites required just one Internet link.
• Level 4 sites required a basic Internet link.
For example, the company’s main datacenter received Level 1 treatment, as did some of the high-profile manufacturing centers, to ensure continuous connectivity. By contrast, the smallest offices were Level 4.

There Were Many Drivers for a New Network

The existing network was very complex to manage, did not provide agility, was expensive to operate, and had considerable security gaps that put the business at risk. In particular, the company wasn’t applying new features or security patches to its network, which created a technical deficit and high risk. The IT team wanted better performance, cost savings, stronger security, resilience in the infrastructure, agility and scalability, and the ability to monitor what is happening on the network.

The company’s Cato deployment began nearly a year ago. The company expects to be entirely switched over to Cato by Q1 of 2022. Meanwhile, the company’s IT manager shared with us the following savings they’ve already realized, attributed to easier network operations and management. The ROI elements involved both time savings and the productivity or functionality benefits they gained by moving to Cato:
• Cato automatically applies security patches and feature updates, so the company spends no time on this work. Previously, patches and updates were not managed by anyone, which posed a high risk. Even one significant breach could have resulted in millions of euros in fines and business losses.
• Cato now manages the network firewall and security, inspecting east/west traffic and reducing risk for the company. IT allocates only about one hour of effort per month.
• Having replaced the SWG service provider, Cato now manages the external security, including the Internet firewall, secure web gateway, intrusion prevention, and anti-malware. Previously the company spent at least four hours per month on this effort; now the time is reduced to just one hour per month. In addition, Cato’s internal security is fully native to the network, not an external add-on solution.
• The company troubleshoots problems using Cato’s analytics and event discovery feature. Troubleshooting was previously difficult, if not impossible, and time-consuming, taking about five hours per month with poor results. With Cato, the company spends about the same amount of time but gets much better results, and has seen huge adoption across various teams.
• The company now enjoys detailed reporting based on network analytics. This type of information was unavailable with the old network, and it now takes only two hours per month to obtain.

Costs Have Been Reduced by Half, and Often More

All told, the company previously devoted about 120+ hours per year to operational activities to support the old network – and this without the benefit of strong network security – and now devotes about 50 hours per year to network management and operations. This includes WAN and Internet zero-day protection that they didn’t have before. The result is about 60 to 70 percent savings in operational effort with the new Cato network. As for networking costs, the company has cut its telecom bill for the WAN in half and also halved its SWG security spend. This has resulted in substantial financial savings for a more manageable, more secure global network.

Figure: The enterprise replaced a telco bundle of MPLS, Internet, and a SWG service with Cato, reducing operation costs by up to 70% while improving security and troubleshooting.

The Cato Network Provides Additional Benefits

In addition to the savings, the company has also identified other benefits from switching to Cato, including:
• Better network performance for all sites
• Alignment with IT governance
• Better alignment with business needs
• Resilience from having a minimum of two links per site
• Agility and scalability
• Complete visibility of what’s happening on the network
• Strong user and business adoption
• Strong integrated and unified security
• Monitoring, reporting, and alerting on issues
• Futureproof – ready for Cloud, VoIP, Video, and more
In short, the company is pleased with its new network, and Cato is pleased to be of service to them. If your organization struggles with some of these same issues and wants a better ROI from your network, contact us to learn how Cato can help.