Cato Adds CASB to SASE


By: Andrew Braunberg

Cato Networks has added cloud access security broker (CASB) functionality to its secure access service edge (SASE) services. As part of Cato SASE Cloud, Cato CASB is immediately available.

Cato CASB has been built into the Cato Single Pass Cloud Engine (SPACE), which is foundational to the Cato SASE services. Cato SPACE provides a SASE architectural framework and enables global route optimization, WAN and cloud access acceleration, and security-as-a-service with next-generation firewall, secure web gateway, next-gen anti-malware, and intrusion prevention system (IPS) capabilities. CASB functionality is an important component of broader SASE solutions, and this is not an unexpected addition to the Cato portfolio.

Existing Cato Cloud customers can take immediate advantage of the new CASB features, including full visibility and control of cloud application access. Cato CASB is, in fact, focused on delivering four main capabilities related to access to cloud applications. These are visibility, assessment, enforcement, and protection. Visibility is delivered through a set of dashboards that catalog usage of software-as-a-service (SaaS) apps, authorized and otherwise.

CASB Packs Credibility Assessment

Not all unsanctioned apps necessarily need to be blocked, and Cato CASB supports an assessment capability that leverages the company’s Application Credibility Engine (ACE). ACE assesses applications based on numerous criteria, including the application's purpose, the developer’s credibility, the degree of security associated with the app, as well as any compliance restrictions. A risk score is created and recommendations for appropriate action suggested.

If restrictions are warranted, Cato CASB can create and enforce access control policy. The service also supports numerous protection features, including next-generation firewall (NGFW), secure web gateway (SWG), IPS, and anti-malware. Data loss prevention (DLP) is scheduled to be added later in 2022.

Multi-Layer Security

Cato CASB can leverage Cato’s full multi-layer threat defense offerings. Files are inspected by Cato anti-malware and IPS engines, while access controls are limited through Cato NGFW and SWG.

The Cato SASE Cloud is distributed through a global network of Cato SASE points of presence (PoPs), which combines software-defined wide-area networking (SD-WAN) and cloud security through a worldwide network to connect and secure distributed branch locations, cloud instances, and mobile users.

Because all the traffic connected to Cato’s network flows through these PoPs, it is easily routed through Cato’s security stack, which now includes CASB. Customers simply need to enable the license.

In addition to DLP support, Cato is also scheduled to add application programming interface (API)-based CASB functionality later this year.