Cato SASE Cloud Platform Architecture

Cato is architected to deliver on the promise of SASE: secure and optimized access for everyone, everywhere, at any scale, and to any application. Cato is focused on offloading day-to-day work from the customers’ IT and minimizing the dependency on scarce skills and resources.

Core Components

The Cato architecture is comprised of multiple cloud-native, scalable, and extensible components that enable a consistent SASE experience even as customers’ footprint, requirements and use cases expand.

Cloud-native Security Convergence

The Single Pass Cloud Engine (SPACE) is the core security engine of Cato. It converges multiple network security functions for flow control and segmentation (NGFW), threat prevention (SWG, IPS, NGAM, RBI), and application and data protection (CASB, DLP, ZTNA) into a cloud-native software stack. The SPACE consistently enforces security policies for both inline traffic and out-of-band access. With complete real-time traffic visibility, the SPACE captures rich context and event data for each inspected flow including network, device, application, and data attributes and feeds it to Cato’s open data lake for incident detection and response. All future network security capabilities will be built into the SPACE to benefit from the same single pass efficiency, cloud distribution readiness, and common data and policy management framework.

Purpose-built Global Cloud Service

Cato created the first purpose-built SASE Cloud service backbone. Numerous Points of Presence (PoPs) worldwide run bare metal compute nodes within top-tier physical hosting providers to deliver real-time, scalable, and efficient security protection and network optimization. Thousands of SPACEs are orchestrated to deliver resilient, low-latency inspection in close proximity to every user or location. The Cato PoPs are interconnected with multiple tier-1 global and regional carriers to form a cloud network optimizing Internet access to both Web and SaaS destinations as well as WAN access to on-premises and cloud datacenters and applications. Cato’s control and ownership of the physical cloud architecture enables footprint extensibility to anywhere in the world without dependency on hyperscalers’ footprint expansion and cost structures.

Open Data Platform for AI/ML-driven Incident Detection and Response

The Cato SASE Cloud Platform is built on an open data lake that ingests both Cato-generated feeds and third-party feeds from threat intelligence services to support real-time threat prevention. Network and security events are generated through SPACE processing and include rich context of the device, user, network, applications, and data associated with each flow. Endpoint events are created by the Cato Client ZTNA and EPP/EDR engines or via third-party endpoint solutions such as Microsoft Defender and CrowdStrike. The complete data set is used by Cato’s AI/ML-based threat hunting and network degradation detection and underpins Cato’s AI-assisted incident investigation and response tools. The data lake can be accessed by customers using the Cato API to extract granular data for processing by external solutions such as SIEM.

Design Principles

The Cato architecture is built to maximize use case coverage and IT resource offload. Cato is committed to following these principles as we grow the service, the capabilities, and the company itself.

360 Degrees Visibility and Control

The Cato SASE Cloud Platform was architected to consistently and equally support all edges: devices, users, branch locations, physical and cloud datacenters, and the applications used by the business. Cato’s holistic visibility to all traffic enables the replacement of multiple point solutions such as firewalls and cloud proxies to mitigate risks such as web-based attacks, malware propagation across locations, and continuous protection of business applications as they migrate to the cloud.

Autonomous Platform Life Cycle Management

Cato autonomously sustains the cloud platform’s resiliency, scalability, performance, and global reach. It takes away complex planning, design, deployment, and testing work from IT and enables agile response to new business needs.

  • Self-evolving: new capabilities are seamlessly delivered through non-disruptive updates across the cloud service, edge SD-WAN devices, and clients.
  • Self-healing: in case of a transport, PoP, or SPACE failure, Cato immediately migrates affected edges to an alternate component to ensure service continuity.
  • Self-optimizing: Cato monitors the availability and performance of each path inside the cloud service to determine the fastest route between any source and destination.
  • Self-scaling: Cato distributes traffic from high throughput locations across multiple SPACEs and can seamlessly scale with more compute nodes or new PoPs.
  • Self-expanding: Cato builds new PoP locations, based on customers’ needs. New PoPs integrate into the global footprint to automatically serve nearby users and locations.

Automated Security Posture Management

The Cato SASE Cloud Platform automatically ingests hundreds of security feeds, developed by Cato and by third parties, and distributes them to all SPACEs globally in near real-time. Cato Security Research uses an AI/ML-based system to continuously validate the quality of each feed recommendation against the universe of feeds used by Cato to reduce the likelihood of false positives. Cato further mitigates emerging threats by developing and simulating the impact of new prevention rules on real customer traffic, and only then deploying these rules into production within 24-48 hours without any involvement of IT or impact to the end users.

Feed quality management and the automated mitigation of threats maximize the stopping power of Cato and offload complex and resource-intensive processes from IT security.

Gradual, Fast, and Flexible Deployment

Cato enables customers to easily migrate to the Cato SASE Cloud. Cato instantly connects physical locations to the Cato Cloud using zero-touch provisioning of Cato edge SD-WAN devices. Cato Clients are easily deployed through a self-service portal or enterprise endpoint management (MDM) platforms.

Cato is often used to fully migrate an organization to SASE. However, the Cato platform is modular, and can co-exist with current IT networking and security infrastructure including routers, firewalls, and cloud-based security services. Organizations can deploy Cato selectively and gradually, by use case, geography, or organizational unit, to address business and technical constraints until such a time they are ready to achieve full convergence.

Universal Management with Single Pane of Glass

The Cato SASE Cloud Platform was architected to deliver current and future network security capabilities through a single cloud service. All capabilities are managed through a single pane of glass that follows the same approach to configuring, troubleshooting, and analyzing all aspects of the service. Customers and partners use the Cato Management Application to define policies that are seamlessly distributed to all PoPs, SPACEs, and Cato Clients for consistent enforcement. Similarly, a single universal API is available to access all platform data to automate integrations with other business processes and 3rd party applications.

The Strategic Benefits of a True SASE Platform

Architected from the ground up as a true cloud-native SASE platform, all Cato’s security capabilities, today and in the future, leverage the global distribution, massive scalability, advanced resiliency, autonomous life cycle management, and consistent management model of the Cato platform.

Consistent Policy Enforcement

Cato extends all security capabilities globally to deliver consistent policy enforcement everywhere and to everyone, from the largest datacenters down to a single user device.

Scalable and Resilient Protection

Cato scales to inspect multi-gig traffic streams with full TLS decryption and across all security capabilities, and can automatically recover from service component failures to ensure continuous security protection.

Autonomous Life Cycle Management

Cato ensures the SASE cloud platform maintains optimal security posture, 99.999% service availability, and low-latency security processing for all users and locations, without any customer involvement.

Single Pane of Glass

Cato provides a single pane of glass to consistently manage all security and networking capabilities including configuration, analytics, troubleshooting, and incident detection and response. A unified management model eases the adoption of new capabilities by IT and the business.

“We ran a breach-and-attack simulator on Cato. Infection rates and lateral movement just dropped while detection rates soared. These were key factors in trusting Cato security.”
