Understand the benefits of cloud-native networking for secure access to the service edge

To better understand why cloud-native delivery matters, we spoke with Shlomo Kramer, CEO of Cato Networks, who built the company's secure access service edge (SASE) service from the ground up for cloud delivery.

Gartner coined the term Secure Access Service Edge (SASE) last year. Do you agree with its definition?


Kramer: I agree. Cato Networks created the Secure Access Service Edge (SASE) service as a vision to converge network transport and network security and deliver it as a cloud computing service. The debate about why you need a secure access service edge (SASE) is essentially topological, because traffic patterns have changed. Network traffic used to be inbound, because people used corporate workstations and connected to applications located in corporate data centers.

This means that security is actually a "hard shell" placed around a soft core. Security is provided at the edge and protects all the physical facilities behind it. Today, traffic patterns have changed and security needs to be applied everywhere. Applications are built in the AWS public cloud and in on-premises environments, while workers are in the office, at home, in a hotel or anywhere. Enterprise assets are now everywhere, so this "hard shell" security no longer works. Security must be different and must be integrated everywhere, which agrees with the concept of secure access service edge (SASE).

What other challenges exist with legacy technologies like MPLS and security appliances?

Kramer: The problems with MPLS are well documented, so without spending too much time on the subject, many companies want to move away from MPLS because of its high cost, long deployment time, and lack of agility. MPLS doesn't do anything for mobile users or cloud computing connections, so organizations need to deploy VPN servers, cloud interconnects, and other technologies to connect all of their company's resources.

Branch offices have always been a huge problem when it comes to security, and are seen by the industry as the only possible solution. Devices need to be procured, deployed, maintained, upgraded, and retired. All of this takes time and effort. They need to be integrated with each other, which requires even more time and skills. Most devices are managed through separate management consoles, making operations complex and challenging. Over time, more devices are added, increasing the level of complexity. Additionally, when traffic surges or too many features are turned on, upgrades often need to be made outside of budget cycles. Security experts often lag in applying software patches because updating devices is risky and requires careful planning, which puts the business at risk.

But for enterprises that want to become leaner and more agile, security appliances as an architecture involve too much hassle and cost. The same is true for VNFs and virtual appliances, which enterprises still need to deploy, manage and scale.

What benefits do cloud-native platforms provide?

Kramer: For Cato co-founder Gur Shatz and me, coming from the security and networking worlds, these issues are familiar. When we thought about the right architecture moving forward, cloud computing seemed to be the obvious choice: people have seen how cloud computing transformed the market for data centers, servers, storage, and applications. We think cloud computing can do the same for security and networking.

Like the AWS public cloud for data centers and servers, we want to create a utility that protects and networks the entire enterprise: not just sites, but also remote users, cloud data centers, cloud applications and third-party devices. We want enterprises to plug into this utility and get all the advanced security and network services for the entire organization at once. This is why we call our SD-WAN devices "Cato sockets", just like power sockets. This vision is consistent with the Secure Access Service Edge (SASE) definition.

Instead of using appliances, we move the “heavy lifting” involved in security and networking to a global, distributed, cloud-native software platform. For cloud-native software, this means several things. We actually discussed the value of cloud-native in a blog post on this topic. There are many benefits, but multi-tenancy in particular is a game changer. This allows cloud providers to amortize costs across their customer base, allowing them to deliver products at prices that customers can’t match if they buy appliances.

The platform runs a single-pass security and network stack that performs all security checks in parallel. Packets are passed in, unpacked and decrypted once by our software, which then performs all necessary security checks in parallel before forwarding the packet. This is an incredible change from the way appliances work today. Today, each device must unpack and decrypt the packet, run a deep packet inspection (DPI) engine to understand the packet, apply its specific security checks, and repack and re-encrypt it for the next device.

Why is a global private network necessary?

Kramer: For the network, enterprises will always need predictable low-latency performance. This is simply not possible with today's global Internet routing when using broadband. The problem of unpredictable latency across global routing, or in less developed areas of the global Internet, is well known, but even within well-connected Internet regions we have seen specific routes have issues.

How do you overcome the latency and global connectivity costs of MPLS? Our answer is to leverage the massive scale in global IP connectivity. By purchasing large-scale wholesale SLA-backed capacity across multiple IP backbones, and then dynamically selecting the best backbone at every hop in the network, we are able to provide global low-latency connectivity at a fraction of the cost of MPLS.

The SASE industry is currently full of startups and smaller vendors. Why are large enterprises struggling to make this transition?

Kramer: I think the shift is clear, but existing appliance-based solutions simply cannot be converted to cloud-native solutions. Redesigning a cloud platform would require a significant investment in R&D, which would come at the expense of existing and very successful product lines, so in addition to engineering, there would be internal conflicts that would need to be overcome.

That’s why the big companies are threatened by SASE. We all recognize the value of SASE, but to achieve it, many established solution providers need to disrupt their existing business, which is not easy to do.

In the industry, we see vendors trying to capitalize on SASE by rebranding their solutions as SASE offerings. For IT to tell a real SASE platform from a fake one, the adoption litmus test is simple: if the emphasis is on the appliance, it's SASE; if the offering lacks SD-WAN and has more than one management console, it's not SASE.
