Shlomo Kramer is a visionary in the security world. After co-founding Check Point Software, he went on to launch another startup (Imperva). Now, he’s doing it again with Cato Networks, a provider of a cloud-based and secure global SD-WAN. I recently caught up with Shlomo to hear about life and Cato.
Shlomo, tell us about yourself and how you came to start Cato Networks?
Cato Networks is a natural evolution for Gur Shatz and myself. We’ve spent our careers solving large-scale networking and security problems. I co-founded Check Point Software, which introduced the first commercial firewall, and then Imperva, where we built the first web application firewall. Gur, our CTO, developed Imperva’s SecureSphere platform and then founded Incapsula, where he and his team introduced cloud-based DDOS protection.
At Cato Networks, we hope to disrupt the very same markets we helped define by making networking and security much simpler. We do this by converging networking and security into a single service based on a global, secure network in the cloud. With one converged service, you can replace MPLS services, edge SD-WAN appliance, WAN optimization equipment, network security appliances, and mobile VPN access —all of which allow you to reduce costs, complexity, and risk to your company.
Replacing networking and security equipment for one converged service – that’s quite a dramatic change. How did you and Gur come up with the idea for Cato?
Well, the struggles of IT professionals is something we’ve been addressing for much of our careers, but the turning the point was the impact of Amazon Web Services (AWS). We saw how cloud services changed the way organizations purchase servers, storage, and applications. It was interesting to us that networking and security, particularly firewall security, hadn’t gone the same way. We thought there was an opportunity to build the “AWS” of networking and security.
And so just like AWS reduces the costs of rolling out servers and storage, you can the same for networking and security?
Right, but it’s not just about reducing the cost of purchasing firewalls. That’s important, but not the only thing. There’s also the operational angle. We allow companies to run leaner and improve the quality of service they deliver to their customers.
How so?
For one, our customers significantly cut their MPLS connectivity costs. We just published a case study you might find interesting where Alewijnse, the Dutch engineering firm, talks about how, since switching to Cato, they’ve been able to reduce their monthly bandwidth costs by 25% and yet receive 10x more bandwidth.
Eliminating appliances means saving on the costs of maintaining and upgrading them. Customers can also exploit the full functionality of their security investment. With UTMs and other security appliances, problems occur when traffic levels jump or customers try to enable resource-intensive features, like SSL intercept. The appliances often lack the capacity to handle those features, forcing customers to either upgrade outside of their budgetary cycle or sit idle to avoid the hassle. And simplifying the network means that IT teams can be more agile. They can respond faster to requests or incidents, and troubleshoot quicker. There are also fewer threat vectors to exploit, improving their security posture.
Certainly, those are significant changes. Tell me, how do you deliver those capabilities?
As I mentioned, we converge networking and security together into a single cloud service. More specifically, Cato Cloud connects all of the network elements comprising your enterprise WAN into a global, optimized SD-WAN in the cloud. So, you can connect your offices, mobile users, cloud datacenters, SaaS apps — everything into one seamless network.
We call this network the Cato Cloud Network. It’s a global, geographically distributed, SLA-backed network of PoPs, interconnected by multiple tier-1 carriers. Cato Security Services is a layer of enterprise-grade and agile network security capabilities built into Cato Cloud Network. Current services include a next-generation firewall (NGFW), Secure Web Gateway (SWG), and Advanced Threat Prevention. These services secure WAN- and Internet-bound traffic without deploying a single security appliance.Together, Cato Cloud Network and Cato Security Services form Cato Cloud.
You’ve described Cato Cloud as an SD-WAN. It’s a sector that’s become crowded with startups as well as existing networking companies. What do see you missing in the SD-WAN market?
When you think of traditional SD-WAN solutions, you probably think of appliances. SD-WAN appliances have dominated the market and were designed to solve the problems related to MPLS — connectivity costs, ordering delays, lack of agility, and the like. They address those issues by adding Internet connections alongside MPLS lines, forming a hybrid WAN.
But because they were designed to fix MPLS problems (and do so using the Internet), SD-WAN appliances leave customers with several challenges. For one, the Internet doesn’t provide consistent performance, so enterprises must retain some MPLS to support latency and loss-sensitive applications.
What’s more, since networking and security are traditionally separate departments in enterprises, advanced Internet security, which is a critical enabler for SD-WAN, is not built into SD-WAN appliances. Companies continue to depend on third-party security appliances and services, complicating deployments. Lastly, support for cloud resources and mobile users aren’t integral to the SD-WAN even though they are critical for most modern businesses.
What’s different about Cato?
Cato Cloud differs from traditional SD-WAN approaches in three primary ways:
1. It provides global, SLA-backed connectivity superior to the unmanaged public Internet and more affordable than MPLS.
2. Built-in network security allows direct Internet access without having to deploy third-party appliances or services.
3. Cloud and mobile WAN integration are built into Cato Cloud, so mobile users and cloud data centers can securely and optimally connect to the SD-WAN.
What impact do you think SD-WAN will have on traditional MPLS offerings?
It’s pretty clear that MPLS service sales are being severely affected by SD-WAN. We’ve seen MPLS prices decline about 20 percent; nevertheless, they continue to be far more expensive than Internet services. It’s why MPLS providers are racing to deliver managed SD-WAN services, themselves. But just reselling an SD-WAN appliance is not a cloud-based SD-WAN service. You miss out on the scalability, security integration, and easy manageability of delivering SD-WAN as an actual cloud service.