The digital business is all about speed. Time to develop new products, deliver them to the market, and respond to a change in business conditions or the competitive landscape. Technology is how speed happens, and IT must enable the business to get things done. Automation, agility, elasticity, and flexibility are some of the traits of the modern IT infrastructure, which is already demonstrated via the increased usage of cloud computing.
Unlike cloud computing, networking and security are painfully incompatible with the cloud-centric and mobile-first business. The network is rigid and static. Security is heavily fragmented across multiple domains of physical locations, cloud resources, and mobile users. Together, networking and security are slowing down the business as silos erected decades ago are stretched and patched to accommodate emerging business requirements.
Networking and security need to become part of the IT platform for the digital business. Don’t take our word for it: Gartner has recently defined a new category that converges network and security into a single cloud-based service: Secure Access Service Edge (SASE). Simply put, SASE is the secure network for the future of your business.
SASE: A New Networking and Security Architecture for the Business
SASE is a new category defined by Gartner analysts Neil McDonald (security analyst) and Joe Skorupa (networking analyst). SASE details an architectural transformation of enterprise networking and security that will enable IT to provide a holistic, agile and adaptable service to the digital business. The SASE Cloud service has 4 main characteristics: it’s identity-driven, cloud native, globally distributed, and supports all edges (WAN, cloud, mobile, edge computing).
Identity-driven: The basis for SASE Networking and Security Policies
At the core of SASE is the identity. An identity is attached to every enterprise resource: a person, an application, a service, or a device. It is the identity that determines the true essence of the resource – not its physical location. Identity, as part of a broad and dynamic context awareness, drives the risk and network service profile of every flow, and the resulting mix of authentication methods, threat inspection, and data access authorization. Identity “blindness” is a trait of pure networking vendors; however, it is “table stakes” with security vendors. The benefit of security and networking convergence is the infusion of identity throughout the access life cycle, from ensuring quality of service to applying risk-driven security controls.
Cloud-native: Built-for and delivered-from the cloud
A core characteristic of SASE is a cloud-native, as-a-service model. A cloud-native architecture leverages key cloud capabilities including elasticity, adaptability, self-healing, and self-maintenance.
SASE calls for the creation of a network of cloud points of presence (PoPs) which comprise the SASE Cloud. The PoPs run the provider software that delivers a wide range of networking and network security capabilities as a service. The PoPs should seamlessly scale to adapt to changes in traffic load via the addition of compute nodes. The PoPs software can be upgraded to deliver new features or bug fixes seamlessly and without IT involvement. The cloud architecture must include self-healing capabilities to automatically move processing away from failing compute nodes and PoPs and into healthy ones.
These capabilities can’t be achieved by spinning up virtual appliances in the cloud, as appliances are designed to serve a single customer (single tenant) and lack the overall cloud orchestration layer needed to ensure elasticity and self-healing. The approach of service chaining legacy point products, whether appliances or cloud services, will likely degrade service quality and performance.
All Edges: Physical Locations, Clouds, Users, and Edge Computing
SASE uniquely supports all enterprise edges equally. By adopting a cloud-first approach to networking and security, SASE decouples many common capabilities, such as network optimization and threat prevention, from physical location edges, and places them in the cloud. For example, legacy network security appliances are tied to a specific physical location, which is not suitable for serving the cloud or mobile edges. SASE includes a thin-edge component to connect different edges to the nearest available SASE PoP.
The edges work in tandem with the SASE cloud service to overcome PoP failures or access issues and ensure continuous service. As noted earlier, the SASE Cloud is designed to deliver the same set of capabilities from every PoP, without dependency on customer-specific components, which simplifies the shift of traffic across the SASE Cloud.
Edge implementations vary. Physical locations use SD-WAN devices and multiple Internet links to maximize throughput, enforce QoS, and overcome link failure or degradation. Mobile workers use a VPN client or clientless web access for enterprise-grade protection and optimized access to datacenter and cloud applications. Cloud data centers will connect to the SASE Cloud over multiple tunnels, with all traffic secured and optimized regardless of the source edge.
The Core Capabilities of SASE: Plug-and-Play Visibility, Optimization, and Control
The SASE architecture is made of two core components. The SASE Cloud acts as an aggregator of networking and security capabilities. SASE edge connectors drive traffic from physical, cloud, and device edges to the SASE Cloud for processing.
SASE uses a single-pass, traffic processing engine to efficiently apply optimization and security inspection with rich context for all traffic. Contrast the SASE model with stacking point products where each product analyzes traffic for a specific requirement, adds overhead for actions like decryption, and lacks the context generated in other network and security point products.
Cato Networks: A Full SASE Platform You Can Deploy Today
Your SASE journey can start today with WAN transformation or appliance refresh. How do you pay for SASE? The good news is that the budget for SASE is already here. Your next security appliance refresh, your upcoming MPLS contract renewal, or your M&A integration project – all represent great catalysts to launch the SASE project.
The migration does not have to happen all at once, and most SASE platforms support a gradual migration process, during which SASE can co-exist with legacy network and security solutions until they are fully retired. While the SASE category defined by Gartner is new (first published in Gartner’s Hype Cycle for Enterprise Networking 2019), its implementation is not. The Cato Cloud is a market-proven SASE platform you can deploy today. Cato converges enterprise network and security capabilities into a single-pass software stack delivered as a cloud service.
Cato Cloud meets the key attributes of the SASE architecture
- Identity-driven everything: Cato automatically determines the identity of the resource connecting to the Cato Cloud regardless of location. The identity is attached to the flow and is used, together with other context elements, to trigger multi-factor authentication, drive application-level access control policies, determine network quality of service, and continuously assess the data risk associated with the flow.
- Cloud-native traffic processing: Cato developed the Cato Cloud from scratch as a cloud-native service. It uses a “single pass engine” to process all traffic from the packet up and provide optimization and security. Cato does not use purpose-built appliances or virtual machines and is therefore able to provide Cato customers the scalability, self-service, and agility of cloud providers.
- Support for all edges: Physical locations, mobile users on any device, and cloud datacenters and applications all use Cato edge solutions to plug into the Cato Cloud. Physical locations use an edge SD-WAN device (Cato Socket); a VPN client application or a web browser is offered for mobile devices; and IPsec tunnels connect cloud resources to the Cato Cloud. Regardless of edge, Cato’s full set of networking and security capabilities is readily available from the nearest Cato PoP.
- Globally distributed network of PoPs: The Cato Cloud spans more than 47 PoPs from which the full capabilities of the service are delivered. All of Cato’s PoPs are interconnected by multiple tier-1 carriers, forming a global private backbone that optimizes WAN and cloud traffic. The PoP software applies deep packet inspection to secure the traffic against multiple threats as it flows through the Cato Cloud.