Strategic Roadmap to SASE

Listen to post:
Getting your Trinity Audio player ready...


Since Gartner introduced the Secure Access Service Edge (SASE) category in 2019, interest from enterprises has grown substantially. SASE transforms enterprise IT through the convergence of enterprise networking and network security into a single, cloud-native, service. It aims to optimize security posture, enable zero-trust access from anywhere, and reduce costs and complexity. Given its potential impact, SASE is becoming a strategic project for many organizations.  

However, the widespread availability of SASE offering from different vendors and managed services providers is causing a great deal of confusion. Organizations are challenged to compare SASE feature sets and solutions and combine offering from multiple vendors – resulting in complex architectures that lead to incomplete service offerings that don’t meet needs and expectations.  

Adopting SASE is an IT strategy targeted to accompany and enable rapid growth and digital transformation, not a tactic selection of a point product. As such, making the right selection is more critical than ever. 

During the “2022 Strategic Roadmap to SASE” webinar, Gartner Research Vice President Neil Macdonald and Cato Networks CMO Yishay Yovel, discussed multiple aspects of SASE but most importantly reiterated the fundamental principles and expected benefits that are the basis of why SASE was introduced back in 2019.  

An Inside Look: Life Before and After Deploying a SASE Service | Whitepaper

Several questions were raised during the webinar; the most interesting and relevant ones are answered below. They cover the following areas: 

  1. What business and technical benefits does SASE provide?
  2. When and how should you initiate your SASE project?
  3. How can you deploy SASE gradually into your existing infrastructure?
  4. How do different SASE architectures impact the expected business outcomes?

We hope these Q&A will be able to clear up some of the confusion around SASE and SSE and help organizations make the right decisions when selecting a SASE provider.


SASE market overview

1. Will SSE be replacing SASE in the short term? 

No, SSE is just a stop in the journey to SASE. Today, some organizations are not yet ready to fully transition to SASE for various reasons, but they are ready to adopt SSE because they recognize the benefits in adopting cloud-delivered security services such as SWG, CASB, and ZTNA to protect their offices and remote users when accessing the public Internet. The final step in the journey will be to combine the SSE capabilities with the cloud-delivered connectivity and control services such as SD-WAN and FWaaS to complement Internet security and provide the best performances and protection when accessing corporate assets. 

2. Why is the security industry generally so fragmented, and will it consolidate or splinter more in the next 5 years? 

The trend is clearly towards vendor consolidation. Organizations of all sizes are looking to simplify their infrastructure and operations to become more agile. They are favoring vendors that can combine multiple security and networking functionalities in a single platform, rather than best of breed solutions. This is confirmed by a recent Gartner survey that showed that 75% of organizations are pursuing security vendor consolidation and rising to 90% by Year End 2022. That’s a stunning increase if we compare to just 29% back in 2020. 

3. What are the upcoming changes in SASE that experts foresee? 

SASE is calling for vendor consolidation. Gartner, in its latest report “Market Guide for Single-Vendor SASE”, has explicitly restated the need to unify all SASE capabilities into ideally one single vendor or at best into two vendors that must be fully integrated. We expect a limited list of vendors to stand out in the SASE market leadership and we expect companies to accelerate their initiatives towards network and security cloud-based services to reduce infrastructure complexity, optimize their CAPEX and OPEX and better control security across all their data, users and applications. 

4. What techniques work best on informing senior leadership; assisting them with understanding, approving, and adopting a SASE technology? 

When talking to senior leadsership about the value of SASE, put the emphasis on the benefits that a SASE approach brings to companies in their digital transformation journey: 

  • Simplicity – by reducing infrastructure complexity  
  • Productivity – by providing an improved and consistent user experience 
  • Efficiency – by reducing the overall infrastructure budget 
  • Agility – shifting network and security skills from managing boxes to policies supporting the digital workplace 

SASE Migration and adoption

5. What pre-requisites and steps are needed to transition successfully to a sustainable SASE? 

  • Break down the organizational silos – network and security teams must work in concert in the name of speed, agility and reduction of complexity
  • Choose a SASE vendor that meets the SASE architectural requirements (cloud-native, converged, global & support for all edges)
  • Map future HW and SW refresh to the SASE vendor capabilities
  • Plan the transition project to start with low-risk areas to minimize friction

6. What components of SASE will be important in the SMB market now and in the next 5 years? ZTNA? CASB? SD-WAN? SMB? 

Aside from the specific SASE features (which of course are important and depend on the specific business case), SMBs, probably more than any other organization, will look to adopt SASE solutions that provide the following characteristics and benefits: 

  • Operational simplicity 
  • High automation  
  • Flexibility  
  • Reliability 

These characteristics are typically delivered by cloud-native SASE vendors that offer an “As-a-Service” approach to networking and security. 

7. Do you have a blueprint or reference architecture for an 80% cloud, 20% on-prem environment with multiple SaaS applications? 

Regarding the 80/20 split, this is just marketing. Every enterprise is different, and so is every vendor. At Cato, we believe we should deliver as much as we can from the cloud and as little as we can from on-prem. Our 1500+ customers agree with us.  

Cato SASE vs other SASE solutions

8. Which are the main benefits of the Cato SASE solution compared to a managed SASE offered by a Telco?   

A Telco managed SASE service is normally a conglomeration of point solutions wrapped around a telco managed blanket. Some customers may consider this “black-box” approach but be wary of the following: 

  • They can’t move as fast as a modern digital business requires. Everything is managed through tickets, and involves multiple staff members due to the complexity of the underlying solutions architecture
  • They can’t offer a future-proof solution. They are dependent on their vendors’ roadmap, and usually are last to apply updates and enhancements due to the complexity and risk of downtime.

The bottom line is that, unless they manage a real SASE architecture underneath, they are simply not the right fit for the needs of modern, digital enterprises. 

9. How is Cato SASE a better value than Netskope SASE?  

Enterprises today are looking to consolidate services as much as possible realizing it will improve simplicity, agility, efficiency, and productivity. Netskope offers one point product (SWG+CASB) focused on internet and cloud security, another point product (NPA) focused on ZTNA, and they recently acquired a very small SD-WAN company (Infiot) for their SD-WAN technology. 

While Cato and Netskope share the common vision of a SASE solution delivered as a Service from the cloud, the main difference is in the architecture design. While the Cato architecture has been built from the ground up with a converged approach with networking and security services delivered from a single home-grown software stack, Netskope started as a CASB/DLP solution and has later expanded its services portfolio by integrating multiple point solutions together because of several acquisitions, the last one being a small SDWAN provider called Infiot acquired in August 2022. Stitching point solutions together, even if done in the cloud, still poses questions on how these services can seamlessly scale and how much time it will take, for example, to get the SD-WAN technology fully integrated in the Netskope product suite, or to lift their FWaaS engine to an acceptable level to protect the East-West traffic.  

In essence, whilst Netskope has a strong SSE proposition, their complete SASE offering is still not fully baked.      

If you are looking for simplicity, agility, efficiency, and productivity today, and not in 2-3 years, Cato is the best solution. 

10. What incentive would a business have to switch from Fortinet to SASE via Cato? 

  • Improved productivity – Cato can help you optimize application performance and user experience. The Cato SASE Cloud has a global private backbone which minimizes the exposure of network traffic to the unpredictable and unreliable internet
  • Improved efficiency – By moving from on-premise appliances to a cloud-native solution, procurement, management, and maintenance cost are dramatically reduced. Team members are freed to focus on business needs and outcomes instead of maintenance and support.
  • Improved agility – Whether tomorrow’s need will be additional security capabilities, business expansion, cloud migration or a new balance between office and remote work, a cloud-native network and security infrastructure allows you to meet new business requirements much faster than appliance-based infrastructure that mandates complex planning, sizing, procurement, deployment, integration, and maintenance.

Cato SASE business value

11. How will SASE have an impact on our existing infrastructure? 

SASE has many capabilities that can augment your existing infrastructure today and replace it tomorrow to make your infrastructure more agile, secure, and efficient. For example, you can use a global private backbone to augment SD-WAN with a reliable global transport. You can offload internet security from your resource-constrained on-prem firewalls to an unlimited cloud-delivered security. You can also enable more users to work from remote without adding more VPN servers and without compromising on security or productivity. 

12. Are you able to advise on any effort that Cato may have invested in reassuring potential Financial Service customers that the solution meets regulatory requirements? 

Cato customers, including those from the financial services sector, all rely on us for their mission critical network and network security. To get their trust, we work continuously to make sure our enterprise network and our cloud service adhere to the highest security standards such as ISO, SOC, GDPR and others. Please see here for more details. 

13. Are there any statistics or case studies that show typical cost savings achieved through migration from legacy networks and security to the Cato SASE solution? 

Cato commissioned Forrester to run a survey across Cato Networks customers to quantify the benefits these customers have achieved in adopting the Cato SASE solution. The Total Economic Impact (TEI) report shows a stunning ROI of more than 240% when looking at the following benefits:

  • Reduced operation and maintenance
  • Reduced time to configure
  • Retired legacy systems (on-prem FW, SD-WAN)

The TEI document can be downloaded from here.

Cato SASE capabilities

14. Is it possible to implement the SASE architecture in countries such as: Spain, Italy, Colombia, Chile, Mexico and Venezuela? 

If the SASE architecture is cloud-native, there are no limits to where it can be implemented. The implementation and availability are the responsibility of the SASE vendor. As a customer, you should focus on making sure there are SASE PoPs available withing 25ms round trip time from your users, branches, and datacenters. Cato’s SASE backbone consists of more than 75 POPs around the world with presence in all five continents, including China. New POPs are added on a quarterly basis to guarantee our customers a guaranteed minimum latency. More information can be found here.

15. Is Cato able to connect to other Next-gen firewalls through an IPsec / VPN tunnel? 

Cato allows third party devices to connect to the Cato SASE cloud by means of an IPsec tunnel. A potential use case could be to leverage an existing NGFW for East-West traffic in the local premises and use the Cato Cloud to provide secure internet connectivity and East-West traffic protection for geographical sites. 

16. Is it possible to interconnect two components of SASE from different vendors (e.g., Cato SASE to Cisco Viptela SD-WAN)? 

Cato allows third party devices to connect to the Cato SASE cloud by means of an IPsec tunnel. Third party SDWAN devices will provide reliable connectivity to the Cato SASE cloud, once the traffic lands into one of our POPs, Cato handles security and middle-mile connectivity via the Cato private backbone. 

17. How is security as a service, which is part of SASE, received by customers who have stringent compliance requirements like PCI-DSS / HIPPA etc.? 

Organizations that are planning to migrate their network and security stack to the cloud must ensure they’re partnering with trusted providers who maintain the necessary levels of safeguarding and discipline of their own service security. The enterprise must evaluate the SASE vendor and make sure they adhere to the highest industry standards. Cato SASE services have received ISO27000, GDPR, SOC1, SOC2, SOC3 certifications. And with the Cato CASB solution, enterprises can configure their application control policies so that only applications which are compliant with PCI-DSS and/or HIPAA are authorized.  

Related Topics