SASE vendor Cato Networks is adding fine-grained cloud access security broker (CASB) controls to its platforms.
When employees working from home or branch locations log into SaaS services such as Office 365, Dropbox, or Salesforce, a CASB gateway can track the applications employees access, where they log in from, and sometimes even what they do when using those applications.
Previously, Cato only offered limited CASB controls, enabling companies to allow or prohibit the use of particular SaaS tools, says Dave Greenfield, Cato's director of technology evangelism. Now, individual behaviours can be controlled. For example, users might be allowed to download documents from certain cloud file-sharing providers but can only upload documents to a company's preferred platform.
"You can also take a broader approach and define categories based on security features in those products," says Evin Safdia, Cato's director of product marketing. "You can, say, allow file sharing only on platforms that are SOC 2 compliant and have [multi-factor authentication] as a feature," he says.
The use of SaaS applications can also be restricted along other criteria. "For example, during work hours, people can look at their personal Gmail but can't send attachments," says Safdia.
The term SASE – which stands for Secure Access Service Edge – was coined by Gartner in 2019 to describe an architecture that combines SD-WAN with access control and security tools, all bundled as a cloud service. SASE typically includes five key pillars: integrated, cloud-based SD-WAN; firewall-as-a-service; a secure web gateway; zero-trust network access; and CASB.
The Cato Cloud is already a strong offering, and adding CASB functionality is a smart move, says Scott Raynovich, founder and chief technology analyst at research firm Futuriom. "While Cato may not yet be considered a full-fledged CASB competitor, its strong offering in SASE will enable customers to add CASB without a lot of hassle," he says.
Cato's existing SASE customers will be able to gain visibility into what SaaS applications are being used and get context and information behind these applications, as well as any compliance implications, says Roy Chua, founder and principal at research firm AvidThink.
"The market is shifting to SASE, and in that context, Cato appears to be executing well by adding more capabilities in the SASE portfolio onto their unified platform," he says.
Cato CASB now part of Cato SASE Cloud
Cato currently has 4,000 SaaS applications set up for use on its platform, and the number continues to grow as enterprise customers add more apps or Cato discovers new applications on its networks.
SaaS applications are verified using Cato’s application credibility engine, which analyses company information, compliance features and security capabilities so IT teams can decide if an app should be blocked, controlled, or allowed. "We've got machine learning algorithms that run in the background and pick up on any new applications on our backbone by all of our customers and can bring them into our environment," Greenfield adds.
The new CASB product is an additional cost for Cato's SASE customers, but enabling it is as simple as flipping a switch, he says.
The rate at which Cato is adding features, and the synergy between their new CASB features and existing functionality, speak to the value of a single converged platform, Chua says. Cato and other cloud-based SASE vendors will continue to leverage their cloud platforms to add more functionality, he says.
"The next one that's obvious is content-based protection, something like data loss prevention. It's a natural progression of ever finer-grained protection."
In fact, it might be time to retire legacy categories altogether, Chua says. Terms like next-generation firewall, secure web gateway, and CASB are convenient but are quickly becoming less relevant. "The new generation of cloud security platforms, including cloud-centric SASE vendors like Cato, have the opportunity to think and build differently," he says.