The Secure Access Service Edge (SASE) Architecture: Here’s Where Your Digital Business Network Starts

SASE Architecture
SASE Architecture

When Gartner first introduced Secure Access Service Edge (SASE) in its “Hype Cycle for Enterprise Networking, 2019”, SASE was identified as the next transformation of enterprise networking and security. The SASE architecture described not a new capability but the better use of existing technologies by converging networking and security domains into a single, global, cloud service.

The category was so strategic that Gartner labeled SASE as “transformational.” To put that in context, SD-WAN, with all of its impact on enterprise networks, has never reached a transformational rating by Gartner in a Hype Cycle.

SASE continues to be seen as transformational and relevant as ever. The architecture has been widely adopted as the direction of the enterprise networking and security industries. But beyond the marketing speak, none have introduced a fully distributed, full redundant SASE architecture like the Cato Single Pass Cloud Engine (SPACE) that forms the core element of the Cato SASE platform. (For a deep dive on SASE and how Cato delivers SASE capabilities, click here to read this whitepaper.) Let’s take a closer look.

Why Now and What Makes SASE so Transformational?

SASE is emerging in response to the needs of today’s digital business. The digital business is all about speed and agility. We operate faster and we operate everywhere with remote offices and mobile users. Pulling teams and resources together regardless of location to develop new products faster, deliver them to the market sooner, and respond to changes in business conditions quicker are hallmarks of digital business transformation. Technology is essential to those changes; witness the widespread adoption of cloud computing. The benefits of SASE technology help to usher in this emerging era.

But while the cloud is agile, elastic, and ubiquitous, enterprise networking and security infrastructure have been just the opposite. The network is rigid and static. Security is fragmented between physical locations, cloud resources, and mobile users. Together, networking and security are slowing down the business as silos erected decades ago are stretched and patched to accommodate emerging business requirements.

The very way enterprises have long designed their networks is outdated. Thinking in terms of stitching together SD-WAN devices, firewalls, IPS appliances, and the rest of the basket of security and networking solutions to solve network problems has become the problem itself. As Gartner writes, “Digital transformation and adoption of mobile, cloud and edge deployment models fundamentally change network traffic patterns, rendering existing network and security models obsolete.”

What is SASE Network Architecture?

The SASE Cloud architecture addresses this problem. It provides a single network that connects and secures any enterprise resource – physical, cloud, and mobile – anywhere. In this, the SASE Cloud is marked by four main characteristics: It is identity-driven, cloud-native, supports all edges, and is distributed globally:

  • Identity-driven.  User and resource identity, not simply an IP address, determines the networking experience and level of access rights. Quality of service, route selection, applying risk-driven security controls — all are driven by the identity associated with every network connection. This approach reduces operational overhead by letting companies develop one set of networking and security policies for users regardless of device or location.
  • Cloud-native Architecture. The SASE architecture leverages key cloud capabilities including elasticity, adaptability, self-healing, and self-maintenance to provide a platform that amortizes costs across customers for maximum efficiencies, easily adapts to emerging business requirements, and be available anywhere.
  • Supports All Edges. SASE creates one network for all company resources — datacenters, branch offices, cloud resources, and mobile users. For example, SD-WAN appliances support physical edges while mobile clients and clientless browser access connect users on the go.
  • Globally Distributed. To ensure the full networking and security capabilities are available everywhere and deliver the best possible experience to all edges, the SASE cloud must be globally distributed. As such, Gartner notes, they must expand their footprint to deliver a low-latency service to enterprise edges.

SASE is not your Telco-managed Network Service

The SASE Cloud service runs a single-pass, traffic processing engine that processes traffic from any “edge” — sites, the cloud, and mobile users. It efficiently applies all network optimizations, security inspection, and policy enforcement with rich context before forwarding traffic onto its destination.

In this, SASE is a fundamentally different approach to the way telco services integrated bundles of point solutions. While this approach masks the complexity of the underlying network, enterprises still see their spend increase to pay for both the products and the people to manage them.

By contrast, with a single-pass, cloud-based, architecture, SASE Cloud not only appears to be leaner, it is leaner. All functions are converged together. It processes traffic faster with more context than stringing together multiple point products. SASE is built with the scalability, self-service, and agility of the cloud. Your telco isn’t.

The same is true for network providers that run virtual machines in the cloud or, for that matter, service chain solutions. In both cases, the specific VNFs (Virtual Network Functions), VMs, and services need to be sized, scaled and managed separately. As for security providers integrating various security capabilities in the cloud, they still lack the key SASE elements of controlling network flows and natively supporting the WAN edge.

Ultimately, SASE offers convergence as the key defining attribute. Failing to deliver networking and security capabilities, maintaining them as discrete appliances, or relying on service chaining isn’t convergence but loosely coupled linking of point solutions.

Cato the World’s First SASE Platform

Cato has offered a complete SASE architecture since the company’s inception in 2015, four years before SASE’s introduction. Every day, Cato connects and secures hundreds of enterprises worldwide with hundreds of thousands of branch offices, cloud instances, and mobile users. Cato has been named as a “sample vendor” in the SASE category of every Hype Cycle of Enterprise Networking ever since that first introduction.

More specifically, Cato SASE platform is:

  • Cloud-native. Cato has converged networking and security into a software platform that meets the five attributes of a cloud-native platform: multitenancy, scalability, velocity, efficiency, and ubiquity. The Cato SPACE is the core element of the Cato SASE architecture and was built from the ground up to power a global, scalable, and resilient SASE cloud service. Thousands of Cato SPACEs enable the Cato SASE Cloud to deliver the full set of networking and security capabilities to any user or application, anywhere in the world, at cloud scale, and as a service that is self-healing and self-maintaining.
  • Identity driven. With user awareness, IT can tie security and networking policies to the user’s identity. Cato is fully identity-aware and identity is one of many contextual elements extracted by Cato SPACE from every flow.
  • Support all Edges. Cato connects all enterprise edges — physical locations, cloud resources, and mobile devices — to one another and the Internet. Physical locations connect via Cato SD-WAN devices; mobile users rely on Cato’s client and clientless access; Cato’s agentless configuration connects cloud resources into Cato. Traffic is sent to the nearest Cato PoP where a Cato SPACE extracts context and applies the relevant policy to the flow.
  • Globally distributed. The Cato Private Backbone is a global, geographically distributed, SLA-backed network of 65+ PoPs, interconnected by multiple tier-1 carriers. Every PoP runs the complete Cato converged software stack and extends the strict SASE definition by including WAN and cloud optimization to improve global access to applications everywhere.

Cato is honored to have been named as a sample vendor again in the SASE category. While many of our competitors have either ignored convergence or have pushed for convergence in appliances, poor strategic moves on both accounts, Cato has long advocated for what IS a SASE platform. As Shlomo Kramer, CEO and co-founder of Cato Networks, puts it, “Since Cato’s founding, we’ve focused on converging networking and security into the cloud, creating one, global, cloud-native architecture that connects and secures all locations, cloud resources, and mobile users everywhere.

Learn more about what Cato has to offer by comparing CASB vs SASE, ZTNA vs SASE and by clarifying what is not SASE. Consider starting your journey with our SASE for Dummies guide, or become a certified SASE expert with our available course and exam. Contact us and start your SASE journey today!

** Gartner, “Market Trends: How to Win as WAN Edge and Security Converge Into the Secure Access Service Edge,” Joe Skorupa and Neil MacDonald, 29 July 2019

Disclaimer:

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.