Cato Networks co-founder Gur Shatz isn’t a fan of security services edge (SSE). In fact, he finds the Gartner-coined product category “annoying” and counterproductive.
For those who aren’t familiar, SSE is effectively secure access service edge (SASE) without a networking stack. As a result, most SSE platforms are designed to integrate with customers’ existing SD-WAN deployments as part of a multi-vendor SASE architecture.
Shatz argues this philosophy is fundamentally flawed and a misstep. He said he resents the idea that SSE vendors are perceived as being any better at security simply because they’re solely focused on it as opposed to a SASE vendor doing both networking and security in a single-pass architecture.
It took years to convince everyone that a unified SASE architecture that brings together context from both the networking and security stacks was the right trajectory, he explained. “Now we have SSE, which basically says ‘no, no, let’s go back. Let’s split.’”
The Split Brain Problem

The problem with multi-vendor SASE architectures, Shatz argues, is that they result in what he calls a split brain scenario.
“It’s sort of like your doctor saying your brother has multiple personality disorder, but the good news is that he only has two personalities,” he said. “The fact that there’s security and it knows something, and there’s a networking side that knows another thing, is basically a split brain scenario.”
“Whenever you have two things making a decision independently, you have a security hole,” he added.
However, there are legitimate reasons why a company might prefer to consume networking and security products separately, Gartner analyst Charlie Winckless told SDxCentral in an earlier interview. Traditionally, large enterprises, which commonly have large, independent networking and security teams, have preferred this consumption model.
This isn’t surprising to Shatz: “The strongest force in the world is conservatism. Don’t change anything, don’t move people, don’t change the layout. But the thing is, there is a cost associated with that.”
Segmenting a two-vendor SASE architecture between the respective teams only adds confusion, as it’s often unclear which team, networking or security, is responsible for what, Shatz said.
SASE Is About Shared Context

Approaching SASE from a two-vendor perspective also risks missing out on the shared context enabled by a single-vendor approach, according to Shatz.
“Two things that are important about both SSE and SASE are the concept of identity (who is the user) and the other concept is what is the application. Everything that we do on earth is either interacting with each other or applications,” he said.
In most multi-vendor SASE architectures, Shatz argues, the SD-WAN and the SSE platform are blind to one another.
“If you [the SSE] just sit upstream, and you’re not aware of anything happening on the network layer, then you’re sort of missing out on some of the cool stuff that really allows you to detect malware,” he explained, adding that to realize the true value of SASE, the networking and security stacks need to share context across a single control plane.
Cato Rolls Risk-Based Access Control Into SASE

Cato is one of three companies recognized as unified-SASE in Dell’Oro Group’s 2021 Network Security Market report, which attempted to sort vendors into two broad categories: those offering a unified SASE product and those offering disaggregated SASE services.
Cato has long championed Gartner’s SASE product category. “We are still the first and only pure SASE platform that was built from the ground up,” Cato CEO Shlomo Kramer boasted in an earlier interview with SDxCentral.
Over the past year, the vendor has taken advantage of its SASE architecture to deliver new capabilities, including managed detection and response and a cloud access security broker.
This week, the vendor expanded the reach of its SASE platform to include risk-based application access control in a bid to combat the threat posed by remote workers using their own devices. The technology enables customers to apply network and security policy that restricts access to workloads and resources based on real-time device posture.
“User devices can be notoriously unprotected, opening a backdoor into enterprise networks,” Eyal Webber-Zvik, VP of product marketing at Cato, said in a statement. “Today’s announcement allows IT to deliver just the right degree of application access to minimize the risk of breach without compromising on user productivity.”