Cato Decries Pseudo-SASE


By: Mary Jander

When the Gartner research firm coined the concept of secure access service edge (SASE) a couple of years back, Cato Networks found its niche. Since then, it’s adopted a go-to-market strategy based on its SASE solutions, arguing prizefighter-style that it is the first, best, and perhaps only real claimant to the term.

This week, Cato decided to throw some technical weight behind its claims. The company outlined the “secret sauce” that makes its service a true SASE offering and explained just why its capabilities are superior to what it calls a cloud-hosted appliance approach that Cato says doesn’t deliver full SASE benefits.

How Cato Achieves SASE

As defined by Futuriom’s Secure Edge and SASE Report, SASE is achieved through a common policy management and security umbrella that supports secure connectivity between endpoints and resources from any physical location. This converged networking/security/policy framework relies on software-defined wide-area networking (SD-WAN), which separates management, control, and data planes, allowing for distributed policy enforcement, identity-focused network access, awareness of context for connection requests, and cloud-native architecture.

Cato was among the first SD-WAN-based managed services on the planet, offering endpoint connections to local points of presence (PoPs) based on identity and context, with traffic inspected and forwarded through secure tunneling on Internet links. The vendor’s focus on adding policy and security pushed it squarely into the SASE realm even before the term was used.

But just how Cato did that hasn’t been crystal clear. Now, Cato explains that it has replaced the range of functions that otherwise can only be achieved through integrating multiple point products. Cato does this by implementing a single software stack it calls a Cato Single Pass Cloud Engine (SPACE) that leverages SD-WAN’s orchestration capabilities. Here’s how Yishay Yovel, Cato’s chief marketing officer, described it in a blog:

“The Cato SASE Cloud is built on a global network of Cato SASE Points of Presence (PoPs). Each PoP has multiple compute nodes each with multiple processing cores. Each core runs a copy of the … Cato SPACE, the converged software stack that optimizes and secures all traffic according to customer policy.
“The Cato SPACE handles all routing, optimization, acceleration, decryption, and deep packet inspection processing and decisions.”

Exploring Cato’s SPACE

Cato’s SPACE stack, functioning within the SD-WAN architecture, is the key to how Cato achieves route optimization (which the vendor calls “dynamic flow orchestration”) along with a wide variety of security functions – all handled at up to 2 Gbit/s rates from one or more edge tunnels. Below is an illustration of how SPACE relates to the specific elements of a Cato PoP:

Cato PoPs and Cato SPACEs: Scalable and resilient traffic processing in the cloud

Source: Cato Networks

What Makes Cato Different?

While Cato’s architectural exposition this week gives fairly detailed descriptions of functionality, it is still pretty general technically. But one thing is clear: Cato has done the work of SASE by unifying sophisticated security functions into its SD-WAN network. The results qualify Cato as a true SASE service that equips PoPs to link endpoints with resources in private data centers or the cloud based on identity and context, while maintaining performance via cloud-based orchestration.

Cato’s information – and its insistence on being first and best -- also tempts the question: Who else is doing this? A range of vendors also unify SD-WAN and security services with SASE results, including Aryaka, Palo Alto Networks (NYSE: PANW), and Versa Networks, to name just a few. But Cato says its network-as-a-service (NaaS) delivery model – to which Aryaka’s offerings come closest -- distinguish it by keeping complexity to a minimum while delivering a full range of functions.

Ultimately, the value of a specific solution depends on how well it meets customer requirements. So far, Cato has its share of sales: The company has reported that the number of bookings in 2020 grew over 200% for the fourth year in a row. And following a $130 million funding round last year it reached a “unicorn” valuation of over $1 billion.

Indeed, Cato’s sizable growth has prompted talk of potential IPO or M&A. Management won’t comment. But Cato’s eagerness to clarify its technological approach is surely part of an aggressive strategy to draw attention to its success.