Lipstick on a Pig: When a Single-Pane-of-Glass Hides a Bad SASE Architecture

The Secure Access Service Edge (SASE) is a unique innovation. It doesn’t focus on new cutting-edge features such as addressing emerging threats or improving application performance. Rather, it focuses on making networking and security infrastructure easier to deploy, maintain, manage, and adapt to changing business and technical requirements. This new paradigm is threatening legacy point solution incumbents. It portrays the world they created for their customers as costly and complex, pressuring customer budgets, skills, and people.

Gartner tackled this market trend in their research note, “Predicts 2022: Consolidated Security Platforms are the Future.” Writes Gartner, “The requirement to address changing needs and new attacks prompts SRM (security and risk management) leaders to introduce new tools, leaving enterprises with a complex, fragmented environment with many stand-alone products and high operational costs.” In fact, customers want to break the trend of increasing operational complexity. Writes Gartner, “SRM leaders tell Gartner that they want to increase their efficiency by consolidating point products into broader, integrated security platforms that operate as a service.”

This is the fundamental promise of SASE. However, SASE is extremely difficult for vendors that start from a pile of point solutions built for on-premises deployment. What such vendors need to do is re-architect these point solutions into a single, converged platform delivered as a cloud service. What they can afford to do is to hide the pile behind a single pane of glass. Writes Gartner: “Simply consolidating existing approaches cannot address the challenges at hand. Convergence of security systems must produce efficiencies that are greater than the sum of their individual components.”


How can you achieve efficiency that is greater than the sum of the SASE parts? The answer is: core capabilities should be built once and be leveraged to address multiple functional requirements.

Take traffic processing, for example. Traffic processing engines are at the core of many networking and security products, including routers, SD-WAN devices, next-generation firewalls, secure web gateways, IPS, CASB/DLP, and ZTNA products. Each such engine uses a separate rule engine, policies, and context attributes to achieve its desired outcomes. Their deployment varies based on the subset of traffic they need to inspect and the source of that traffic, including endpoints, locations, networks, and applications.

A true SASE architecture is “single pass.” It means that the same traffic processing engine can address multiple technical and business requirements (threat prevention, data protection, network acceleration). To do that, it must be able to extract the relevant context needed to enforce the applicable policies across all these domains. It needs a rule engine that is expandable to create rich rulesets that use context attributes to express elaborate business policies. And it needs to feed a common repository of analytics and events that is accessible via a single management console.
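The single-pass idea described above can be sketched in a few lines. This is an added illustration, not code from Cato or any vendor: the flow fields, rule names, the "strictest action wins" merge and the default-deny fallback are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable

# Constructed sample flow; every field name here is an assumption of this sketch.
SAMPLE_FLOW = {"user": "alice", "dst_port": 443, "app": "file-sharing",
               "direction": "upload", "payload": b"customers: 4111 1111 1111 1111"}

@dataclass(frozen=True)
class Rule:
    domain: str                     # policy domain: "fwaas", "swg", "dlp", ...
    name: str
    match: Callable[[dict], bool]   # predicate over the shared context
    action: str                     # "allow", "alert" or "block"

SEVERITY = {"allow": 0, "alert": 1, "block": 2}
EVENTS = []                         # common event repository for all domains
STATS = {"parses": 0}               # how many times traffic was decoded
CARD_LIKE = re.compile(rb"(?:\d[ -]?){13,19}")  # crude card-number pattern

def extract_context(flow: dict) -> dict:
    """Decode the flow once; every policy domain reuses the result."""
    STATS["parses"] += 1
    ctx = {k: v for k, v in flow.items() if k != "payload"}
    ctx["card_like_data"] = bool(CARD_LIKE.search(flow.get("payload", b"")))
    return ctx

RULES = [
    Rule("fwaas", "allow-https", lambda c: c.get("dst_port") == 443, "allow"),
    Rule("swg", "alert-file-sharing", lambda c: c.get("app") == "file-sharing", "alert"),
    Rule("dlp", "block-card-upload",
         lambda c: c.get("direction") == "upload" and c["card_like_data"], "block"),
]

def process(flow: dict, rules=RULES) -> str:
    """One pass: extract context once, evaluate all domains, strictest action wins."""
    ctx = extract_context(flow)
    matched = [r for r in rules if r.match(ctx)]
    if not matched:                 # assumption: default deny when nothing matches
        matched = [Rule("default", "implicit-deny", lambda c: True, "block")]
    for r in matched:
        EVENTS.append({"user": ctx.get("user"), "domain": r.domain,
                       "rule": r.name, "action": r.action})
    return max(matched, key=lambda r: SEVERITY[r.action]).action

if __name__ == "__main__":
    print(process(SAMPLE_FLOW), STATS, EVENTS)
```

In a chain of point products, each of the three rule sets would sit behind its own decoder and its own log; here the parse counter stays at one per flow and every domain writes to the same event list.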

Simply put, the underlying architecture drives the benefits of SASE bottom-up; a pretty UI managing a convoluted architecture top-down does not. If you have an aggregation of separate point products, everything becomes more complex (deployment, maintenance, integration, resiliency, and scaling) because each product brings its unique set of requirements, processes, and skills to an already very busy IT organization.

This is why Cato is the world’s first and most mature SASE platform. It isn’t just because we cover the key functional requirements of SD-WAN, Secure Web Gateway (SWG), Firewall-as-a-Service (FWaaS), Cloud Access Security Broker (CASB), and Zero Trust Network Access (ZTNA). Rather, it is because we built the only true SASE architecture to deliver these capabilities as a single global cloud service with simplicity, automation, scalability, and resiliency that truly enables IT to support the business with whatever comes next.