When the Cloud Goes Dark: Why Owning Your Infrastructure Matters for Critical Services 

On June 12, 2025, a global outage at Google Cloud Platform (GCP) brought critical infrastructure to a halt. The ripple effects were immediate. Services from Palo Alto Networks and Cloudflare—both of which rely on GCP—experienced outages that lasted hours. Enterprises depending on these services were left blind and exposed. 
 
This wasn’t a first. It won’t be the last. But it was a wake-up call. 
 
When SASE, SSE, or SD-WAN platforms go down, the business is down. Productivity stalls. Security gaps open. Risk skyrockets. For services this critical, high availability isn’t a nice-to-have. It’s non-negotiable. And it starts with architectural ownership—building on infrastructure you control. 

The Illusion of Cloud Redundancy 

Hyperscalers like GCP, AWS, and Azure offer impressive scale and global reach. But they weren’t designed for networking and security services that must deliver real-time performance and five-nines uptime. They’re general-purpose clouds—built to run apps, not carry the enterprise’s network and security critical infrastructure. 
 
Vendors who build their services on hyperscalers inherit this fragility. When GCP stumbles, everything on top of it stumbles too. Redundancy within a single cloud provider won’t save you from a systemic failure like the one on June 12. And cross-cloud resilience? That only works if it’s designed and tested from the ground up—not patched in after the fact. 

Critical Infrastructure Demands a Different Kind of Cloud 

The Cato SASE Cloud Platform is different by design. We built our own global backbone, with over 85 PoPs running Cato-owned, bare-metal infrastructure in top-tier data centers. We don’t rent resilience—we engineer it. Each PoP runs a fully redundant stack, with our Single Pass Cloud Engine (SPACE) inspecting and enforcing policy on all traffic. When a SPACE, compute node, or PoP fails, traffic shifts automatically—no intervention needed, no service disruption. 
 
This isn’t theory. It’s been tested repeatedly: 
– When a fiber cut disrupted a major carrier, users didn’t notice—our backbone rerouted traffic instantly. 
– When a UK  data center went down, Cato rerouted around it with zero downtime. 
– When power outages hit Spain and Portugal, Cato customers stayed connected and protected. 
 
These weren’t flukes. They were outcomes of deliberate design. 

It’s Not Just About Owning the Metal—It’s About the Architecture 

Resiliency isn’t achieved by throwing more hardware at the problem. It’s about eliminating single points of failure—across compute, connectivity, inspection, and control. 
 
Cato’s architecture distributes inspection across thousands of SPACEs running in parallel. Each can process encrypted traffic at line rate, with full security stack enforcement. If one fails, traffic moves to the next SPACE. If a PoP fails, tunnels automatically reroute to the closest healthy PoP. There’s no need to reconfigure, no waiting for DNS propagation, and no failover scripts. 
 
Compare that to appliance-based or cloud-hosted architectures, where firewalls, SD-WAN edges, or inspection points are bound to a specific instance. Failover requires planning, testing, and manual intervention—often during a crisis. 

Service Uptime Starts with Data Plane Ownership 

When delivering critical infrastructure like SASE, availability and resiliency must be engineered into the data plane itself. This means more than aiming for generic uptime metrics. It requires delivering a true 99.999% availability SLA at the data plane layer—where user sessions are inspected, secured, and routed. If that layer goes down, the enterprise is either offline or dangerously exposed. 

To meet this SLA, every component participating in the data plane must be designed for automatic recovery. Any dependency—be it a physical devices, third-party services or cloud providers—that lacks redundancy and fast failover mechanisms becomes a single point of failure. 

In practice, this means one thing: you have to own the infrastructure. Only then can you design, control, and continuously improve its resilience. When third-party services must be used, they must be architected as stateless, easily replaceable, and monitored components that can fail without impact. Recovery must be automatic, not reactive. 

If you don’t control the infrastructure, you must at least control how it fails—and how quickly it recovers. 

What Enterprises Should Demand from Their SASE Vendor

If your SASE vendor can’t survive a cloud provider outage, they haven’t built a SASE cloud. They’ve rented one. And that’s not enough. 
 
Ask your vendor: 
– Where is your control plane hosted—and what happens if it’s down? 
– What happens if a PoP fails mid-session? 
– How fast is the failover between providers or regions? 
– Are your inspection engines multi-tenant, self-healing, and load-balanced? 
 
And most importantly: Have you proven it? 
 
At Cato, we have. Not once, but many times.