BrandLoyalty wanted to modernize its global WAN, and had some very clear wishes and requirements. After a thorough RFP, they went for Cato Networks. We spoke with Ben de Laat and Arne van Vuuren, respectively the Head of IT Security and Head of IT Operations at BrandLoyalty, about this choice.

BrandLoyalty may not be a household name for everyone. Yet we all unknowingly deal with this company more often than we would initially think. This is because supermarkets are among its main customers. BrandLoyalty develops loyalty programs for them, which customers can enter to save stamps for drinking glasses, knives or soccer cards, for example.

BrandLoyalty is an international company based, among other places, in ‘s-Hertogenbosch, The Netherlands. The company doesn’t limit its operations to the Dutch market, though. BrandLoyalty has approximately 550 employees and a large global reach. As such, the company operates as a mini-multinational. At first glance, this may not seem like such an important observation. Yet this discrepancy between absolute and relative size has quite substantial implications. After all, because of this, BrandLoyalty needs a global network, but doesn’t have large numbers of employees who can manage this.

Time for change

Over the past two years, BrandLoyalty has taken the necessary steps to modernize its IT infrastructure. This started with the move to Microsoft Azure. Until two years ago, BrandLoyalty had almost everything on-premises. Now the company is fully in Azure. That suits their distributed business model much better, says De Laat. It is also much more scalable than the environment the company previously had.

With the switch to Azure, BrandLoyalty updated the customer-facing part of its digital infrastructure. However, the backend of this infrastructure also needed some attention, because that is where the management of those customer-facing systems takes place. It is also the part that allows employees to optimally connect to the applications BrandLoyalty uses. That’s where Cato Networks comes in. For BrandLoyalty, it’s fair to say that the move to a full-cloud environment in Azure made it take a good, hard look at its WAN too.

Sophisticated but complex WAN environment

BrandLoyalty’s WAN was by no means a neglected part of the organization for De Laat and Van Vuuren, let’s make that clear. As Van Vuuren puts it, “Our WAN was very advanced, but it still didn’t work well. Especially the operations part was very poor.”

In other words, BrandLoyalty’s WAN, in addition to being advanced, was also very complex. It used local firewalls with SilverPeak optimizers and MPLS, and on some sites BrandLoyalty had a dual WAN connection in addition to MPLS. With things like failover and dynamic routing on top of that, you have a pretty complex environment. BrandLoyalty also used various legacy applications that were located in a private cloud somewhere in Europe. This added another layer of complexity. The result of this complexity was an environment that caused too many problems for end users. There was also room for improvement in terms of visibility and insight into how everything worked.

All in all, BrandLoyalty had a fairly clear list of areas for improvement. Based on past experiences with an environment that was far too complex, Van Vuuren and De Laat knew one thing for sure: they wanted an integrated solution. That would solve many of the problems that such complexity brings. “I don’t have any network engineers on my team, we focus on operational issues,” says Van Vuuren, explaining once more the need for as little complexity as possible. De Laat adds to the sentiment by stating that he sees the internet as water from a tap. It just has to be available at all times.

BrandLoyalty, SASE and Cato Networks

If you are an organization looking for (SD-)WAN solutions these days, you won’t be able to escape the term SASE. Gartner introduced this concept to the world in 2019. As always, this had, and still has, the effect that suddenly every vendor doing anything with SD-WAN, WAFs or other WAN technologies is talking about SASE. It is not surprising, then, that De Laat bumped into the SASE model fairly quickly when he delved into WAN for the first time in 10 years.

De Laat says he was charmed by SASE almost immediately, even though it did take him a while to fully grasp how SASE differs fundamentally from the usual approach to WAN. Once he was there, however, he was convinced. He also immediately saw that there is a lot of noise when it comes to SASE. Not everyone who says they offer it, actually offers it. He immediately saw that Cato wasn’t one of them, though. Cato offers true SASE.

Whereas De Laat was convinced from the outset that SASE, and Cato in particular, was conceptually the way to go, Van Vuuren took a more pragmatic view. In fact, he wasn’t all that enthusiastic about it at the start. Partly because he hadn’t really fully grasped the solution yet, but mainly because he was wondering how Cato would deliver on its promises in practice. Cato is usually quite firm in the statements it makes, so we can certainly understand his hesitation. To illustrate, in an earlier article we published on what Cato has to offer, a spokesperson for the company stated that Cato is the only true SASE supplier on the market.

Van Vuuren, however, became convinced of the merits of Cato Networks over time. Especially the security component of SASE and Cato Networks played an important role in this, more specifically the Zero Trust aspect of it. Given his role at BrandLoyalty, this was obviously also a crucial component for De Laat. In terms of security, Cato’s solution was very fast and transparent. These are precisely the characteristics BrandLoyalty was looking for.

Going for something new, but with an eye on the future

Of course, BrandLoyalty’s choice of Cato Networks wasn’t made right away. The company put out an RFP to four suppliers. Remarkably, the decision to choose Cato was not made during a call with Cato, says De Laat. They made the decision during a call with one of the other suppliers. It was then that they realized they wanted to go for something new, also looking towards the future.

This realization came when they listened to how this other supplier wanted to set up their environment. The plan was to create a design specifically for BrandLoyalty with a number of Points-of-Presence (PoPs) to provide the service. These PoPs would be distributed exactly so that BrandLoyalty’s WAN could take full advantage of them. However, this went against one of De Laat and Van Vuuren’s basic principles, which was that they did not want any customization.

When they asked what would happen if BrandLoyalty wanted to implement a CASB solution in two years’ time, that other supplier couldn’t give a satisfactory answer. They would have to implement it in a single one of the PoPs set up specifically for BrandLoyalty. That just doesn’t make sense, because then all the traffic would have to be routed through that location. That’s not exactly a modern way of working. It also has a significant impact on the performance of your WAN.

With Cato Networks, BrandLoyalty does not run into the above problem, if only because of the number of PoPs it has worldwide. At the time of our previous conversation with Cato (already linked to above), it already had about 70 of these ‘stepping stones’. Every quarter, the company adds about 3 to 4. These are not specifically designed or deployed for specific customers, but are available to any customer who needs them. All the security components are also present at all those locations. That certainly makes it a compelling story for BrandLoyalty, also towards the future.

The complete SASE offering from Cato Networks

Most mature solution on the market

In addition to the flexible availability of the services, it is primarily the complete picture that Cato Networks offers that BrandLoyalty ultimately went for. “Everything is included,” say De Laat and Van Vuuren. That makes it the most mature total solution on the market. That’s very important, Van Vuuren reiterates. “WAN is so complex, it can keep you awake at night, so you want to take the route of lowest risk,” he summarizes.

Van Vuuren picks this point in the conversation to emphasize the importance of an integration partner. In the case of BrandLoyalty, that partner is IPknowledge. Here, too, the choice for Cato has significant positive consequences, he says. Since Cato takes care of the connections with a private backbone, IPknowledge can focus primarily on providing the lines. IPknowledge is also the operational point of contact for BrandLoyalty. As a result, IPknowledge does not have to use their best staff to build complex WAN solutions, but can now help with the operational part. At the end of the day, this produces a better end result.

Fast transition and fast performance

A third key pillar of BrandLoyalty’s positive experience with Cato Networks is performance. First of all, the speed with which BrandLoyalty could make the switch. De Laat and Van Vuuren call this “very impressive.” Here again, IPknowledge comes into play, of course. Furthermore, implementing Cato itself is a piece of cake. It didn’t take more than an afternoon. All you need is a connection and you are ready to go. In other words, if you make sure you have the lines, you can switch very quickly. Mind you, the entire migration to the new environment takes a little longer than an afternoon. De Laat and Van Vuuren indicate that this also went very quickly at 2.5 months.

Apart from the fast switch to Cato and the fast migration of the WAN environment, the raw performance of the environment itself was also very good, say De Laat and Van Vuuren. Van Vuuren in particular could hardly believe that Cato could deliver on this. “The Cato sockets are very powerful and have virtually no overhead,” he explains his surprise a bit further. This is possible thanks to TLS-over-UDP, where you combine the encryption of TLS with the speed of UDP. That’s pretty special, since TLS was initially developed for use with TCP, not UDP. The combination of TCP and TLS does create the overhead that Van Vuuren feared; with TLS-over-UDP this is not the case.

Initial experiences

BrandLoyalty has been using Cato Networks as the basis for their WAN since December 1. Asked about their initial experiences, De Laat and Van Vuuren indicate that these are definitely positive. Cato provides much more and faster operational possibilities. Previously they had to configure a very complex WAN environment to get from A to B. Now they can implement this very quickly. This is mainly the result of the fact that Cato has eliminated all that complexity.

One of the results of switching to Cato Networks is that BrandLoyalty’s WAN is now not only faster and more flexible, but also a lot more secure. Their previous network was very open, says De Laat. It was simply impossible to set up everything optimally for everyone. Within Cato, you can very easily create a set of rules that make it very clear who is allowed to connect to what. Employees also received notifications of this.

More insights in terms of security always sounds good, but how does this work in practice? Don’t you drown in data? That is also what De Laat initially feared. But he says that fear proved unfounded. You can filter very easily. You can see at a glance what is happening in internet-facing environments, but also very quickly see which IP connects to which PoP.

Influence goes beyond WAN

BrandLoyalty’s primary objective when it deployed Cato Networks was obviously to improve their WAN. Yet the switch also has an impact on other parts of the company. For example, the company now has an RFP out for modernizing their LAN, i.e. the local network within the company’s branches. They say they want to get that closer to Cato as well. Cato’s MDR component plays an important role in this, indicate De Laat and Van Vuuren.

So you could say that the move to Cato Networks has challenged BrandLoyalty to make their broader network environment more robust and professional too. The move towards Zero Trust is a good example of this.

Cato delivers on its promises

All in all, based on our conversation with BrandLoyalty, we can say that Cato Networks not only promises a lot, but can also deliver on those promises. This is true at least for BrandLoyalty, but there is no reason to assume that it is not true in other cases. It is primarily the simplicity that Cato Networks brought to its WAN that both De Laat and Van Vuuren regularly refer to and stress.

To illustrate what this simplicity means in practice, Van Vuuren cites the recent announcement by Cato Networks of their CASB expansion. After hearing of this expansion, he asked Cato what they needed to do to prepare for it, and Cato was able to make this clear very quickly. In addition, they also know that it integrates well with what they already have. That’s more or less a given with Cato Networks. This is because there is never any need for customization. Other suppliers simply cannot provide such an experience.

If there’s one area where De Laat and Van Vuuren see some room for improvement for Cato Networks, it is that Cato’s sales department should pitch and discuss its offering more in-depth during the RFP process. The use of technical pre-sales consultants, they say, could get Cato Networks’ message across much more clearly. If it does that, Cato has a very convincing story. It makes it clear from the start to customers that what the company promises is also pragmatically achievable. That may be the key high-level take-away from our discussion with BrandLoyalty: Cato Networks promises a lot, but can actually deliver on all of these promises.