Managed Service Providers (MSPs) of SASE: Part 2

This article follows on from the first, focusing on questions asked specifically to managed service providers (MSPs) by Network World in their guide published last December. As mentioned previously, Cato, in addition to building a SASE (Secure Access Service Edge) platform, is also a service provider.

Is policy enforced consistently across all types of remote access to enterprise resources, whether those resources live in the public internet, in a SaaS application, or in an enterprise app that lives on-premises or in an IaaS setting?

Part of what makes Cato unique is that all inspection engines and network capabilities operate on both northbound traffic to the Internet or east-west traffic to other Cato-connected resources. Our CASB, for example, inspects all Internet and cloud-based traffic. Security capabilities continue to perform well on East-West traffic regardless of the user’s location due to the Cato global private backbone and our distributed cloud architecture.

Is policy enforced consistently for all possible access scenarios–individual end users accessing resources from a home office or a remote location, groups of users at a branch office, as well as edge devices, both managed and unmanaged?

Cato uses a single policy set for all access scenarios.

Is the network able to conduct single-pass inspection of encrypted traffic at line rate? Since the promise of SASE is that it combines multiple security and policy enforcement processes, including special treatment of sensitive data, all of that traffic inspection has to be conducted at line speed in a single pass in order to provide the user experience that customers demand.

Cato uses a single-pass inspection engine that can operate at line rate even on encrypted traffic. Thousands of Cato SPACEs enable the Cato SASE Cloud to deliver the full set of networking and security capabilities to any user or application, anywhere in the world at cloud scale using a service that is both self-healing and self-maintaining.

Is the SASE service scalable, elastic, resilient, and available across multiple PoPs? Be sure to pin the service provider down on contractually enforced SLAs.

The Cato SASE Cloud is a fully distributed, self-healing service, that includes many tiers of redundancies. If the core processing of a flow fails, the flow will be handled by one of the other cores in the compute node. Should a compute node fail, other compute nodes in the Cato PoP assume the operation. Should the PoP become inaccessible, Cato has 70+ other PoPs available that enable users to automatically reconnect to the next best available PoP. Enterprises do not need to do any high availability (HA) planning that is typically required when relying on virtual appliances to deliver SASE services.

We have 99.999% uptime SLAs with our carriers. Should one of the tier-1 carriers connecting our PoPs experience an outage or slowdown, Cato’s routing software detects the change and automatically selects the next best path from one of two other carriers connecting our PoPs. Should the entire Cato backbone — that’s right all 70+ PoPs somehow disappear, one day — Cato Sockets will automatically bring up a peer-to-peer network.

One of the key concepts of zero trust is that end-user behaviour should be monitored throughout the session and actions taken to limit or deny access if the end user engages in behaviour that violates policy. Can the SASE enforce those types of actions in real time?

Cato inspects device posture first upon connecting to the network, ensuring the device meets predefined policy requirements and then continues to monitor the device once connected.

Should a key variable change, such as an anti-malware engine expire, the device can be blocked from the network or provided limited access depending on corporate requirements. As users connect to cloud application resources, Cato inspects traffic flows. Dozens of actions within applications can be blocked, enabled, or otherwise monitored and reported, such as uploading files or giving write access to key applications.

Will the SASE deliver a transparent and simplified end user experience that is the same regardless of location, device, OS, browser, etc.?

The Cato experience remains consistent regardless of operating system. Mobile users can be given clientless access or client-based access with the Cato Mobile Client. The Cato Mobile Client is available for all major enterprise platforms including Windows, macOS, Android (also supported for ChromeOS), iOS, and Linux. Users within the locations connected by Cato Sockets, Cato’s edge SD-WAN device, log into their network as usual with no change.

Once connected to the Cato SASE Cloud, all security inspection is done locally at the connected PoP, eliminating the traffic backhaul that so often degrades the performance of mobile users situated far from their offices. The Cato Global Private Backbone uses optimised routing to minimise latency and WAN optimisation to maximise throughput. The result is a remote user experience that’s as close as possible to being inside the office.

Find out more about optimising and securing global access to applications and data, on premise and in the cloud, for an increasingly mobile workforce. Contact [email protected]