Cato Networks Extends ZTNA to Protect Against Insider Threats

July 11th, 2023

A single ZTNA policy securing access inside and outside the office headlines new enhancements to Cato SASE Cloud for combatting emerging threats in today’s hybrid environment

TEL AVIV, Israel, July 11th, 2023 — Cato Networks, provider of the world’s leading single-vendor SASE platform, addressed mounting security concerns posed by insider threats. Over the past two years, incidents related to insider threats have grown 44%, according to the Ponemon Institute,1 with the cost per incident reaching $15.8 million.  

Essential to stopping insider threats is first ensuring users and IT administrators only have access to the necessary resources. To those ends, Cato became the first to extend ZTNA to users inside the office without requiring additional policies or infrastructure.  With RBAC+, Cato brings fine-grained controls over what IT administrators can do across SASE capabilities.  In addition, Cato has also extended DNS protection to prevent insiders and attackers from exfiltrating data and exploiting all manners of potential DNS vulnerabilities. 

Why ZTNA Often Fails to Address Access Abuse  

As enterprises undergo layoffs and adopt hybrid work models, the risk of insider threats has only grown. Disgruntled users and IT staffers, or external attackers who’ve acquired credentials and are now looking to elevate permissions, pose threats to the enterprise.  

ZTNA was meant to help with that challenge. By providing users secure access to only the necessary resources and then continuing to inspect and monitor traffic once admitted onto the network, IT organizations could identify and limit the risk posed by any user. 

However, ZTNA solutions only apply access controls to remote users, not in-office users, complicating access management. They also lack the security engines to continually inspect traffic flows, exposing the enterprise to attacks from authorized users. And they lack the AI and ML algorithms to identify suspicious actions indicative of emerging threats.  

“Administrators should be able to construct a single application access policy for users in an office or on the road, said John Grady, Principal Analyst with Enterprise Strategy Group, “ZTNA tools supporting this help organizations not only improve their security posture but their operational efficiency as well.” 

Cato Brings a Simpler, Smarter Approach to ZTNA  

Cato has extended its ZTNA capabilities to users within the office without the complexity of configuring additional policies.

Through a single ZTNA policy, enterprises maintain zero-trust security seamlessly and easily. Regardless if a user is in the office or outside the office, access to IT resources is guided by the same ZTNA policy and the same user identity. Besides user identity, Cato ZTNA policies consider an extensive range of parameters including device posture, location, and time of day.

For control over IT administration, Cato also enhanced its role-based access control (RBAC) to enable secure, granular access in converged networking and security teams. As enterprises adopt SASE, there is a growing need for a common management platform with granular networking, security, and access roles. With Cato, separate roles can be defined globally or by site for networking, access, and security personnel. Roles can also be customized for editing or viewing the individual capabilities in each sector provided by Cato SASE Cloud, such as Internet Firewall, TLS Inspection, DLP Configurations and more.  

Cato Adds Enhanced Prevention of DNS-based Attacks  

Once users are allowed access to the network, Cato continually inspects user traffic to ensure conformance with company security policies. Cato extended those capabilities with advanced DNS protections. Cato inspects DNS requests to identify and block domains used for DNS tunneling, crypto miners, dynamic DNS, malicious domains, and C&C domains, as well as AI detections of domains used for phishing that are newly registered or created by DGAs 

All enhancements are currently available at no additional charge to Cato customers.  

To learn more about Cato Networks and Cato SASE Cloud, visit 

1”2022 Ponemon Institute Cost of Insider Threats: Global Report,” Ponemon Institute 

Supporting Quotes  

Gur Shatz, co-founder, president, and Chief Operating Officer, Cato Networks  

“For too long, ZTNA solutions have focused on secure remote access only. But securing internal access is just as important, particularly with today’s hybrid workforce. The work our team has done today makes ZTNA even easier and more effective, letting an enterprise secure access for a user in working remotely or in the office with the same policy.”  

Etay Maor, senior director of security strategy, Cato Networks 

“It is no secret that lack of access control and authorization is a go-to weakness for threat actors. While MITRE and other frameworks point it out, the threat actors are not shy about it either. They buy and sell privileged accounts on the Dark Web, offer discovery services, and even during discussion with them they have advised companies to “check granted privileges for users, to make them maximum reduced privileges and access only exact applications” 

Digital Assets  

Supporting Resources  

About Cato Networks 

Cato provides the world’s most robust single-vendor SASE platform, converging Cato SD-WAN and a cloud-native security service edge, Cato SSE 360, into a global cloud service. Cato SASE Cloud optimizes and secures application access for all users and locations everywhere. Using Cato, customers easily replace costly and rigid legacy MPLS with modern network architecture based on SD-WAN, secure and optimize a hybrid workforce working from anywhere, and enable seamless cloud migration. Cato enforces granular access policies, protects users against threats, and prevents sensitive data loss, all easily managed from a single pane of glass. With Cato, businesses are ready for whatever’s next.