With software-defined wide area networking (SD-WAN) predicted by analysts to be a market worth millions, and more vendors looking to promote an offering in that market, the channel is being bombarded with messages around the technology. That could cause confusion and make choosing the right solution difficult for both partners and customers.
In the second part of our coverage of a recent SD-WAN roundtable – which was chaired by Zeus Kerravala, founder and principal analyst at ZK Research – we look at the importance of stressing security in the pitch.
Q. The analysts clearly expect this market to take off, but is that happening for real and have you seen customers spending?
Simon Wilson: We saw this about a year and a half ago. The analysts said that in the future a large proportion of spending would be on SD-WAN, and guess what: anyone who had a WAN proposition started talking about it as an SD-WAN technology, which completely confused the market and customers. That’s why when you talk to different people in an organisation it means different things to them. If you can wind it back a bit then you need to ask about the problem that they are trying to solve. We talk to a lot of customers that are edge-centric and their concern is they are worried about IoT [internet of things] security and flexibility in the branch and allowing staff to work from home. They want to use the technology to make them more agile and reduce their costs and to make it more secure.
Mike Wilkinson: It links to where the buyer journey is, which is now aligned with SD-WAN. If you look at the channel, there are inbound requests to the channel from those who know what they want and asking if it can be supplied. Then there are the channel outbound efforts where they need to be educated as they take the solution to SMEs. It is the channel that understands their issue and brings the technology to them, and that’s why you have to spend a lot of time educating them about the benefits.
Q. Are the majority of the deployments for SMEs, or is it large global organisations?
Michael O’Brien: Large medium and up. They recognise the entire value proposition.
Roundtable participants:
- Raghupathy N, director of enterprise networking, EMEA, Dell EMC
- Mark Bayne, director of sales engineering, EMEA, Cato Networks
- Mike Wilkinson, chief product officer, Infovista
- Simon Wilson, Aruba chief technology officer, UK and Ireland, HPE
- Frank Lyonnet, deputy chief technology officer for cloud infrastructure BU, Riverbed
- Ivan Duggan, director of enterprise networks and infrastructure, EMEA, Cisco
- Carl Windsor, senior director of product management, Fortinet
- Thomas Quinlan, solutions architect, Zscaler
- Adrian Tate, vice-president of sales for EMEA, Oracle
- Song Toh, vice-president of product management, Tata Communications
- Tim van Herck, director of technical product management, VMware
- Michael O’Brien, worldwide vice-president, channels, Silver Peak
Q. There is more to SD-WAN than connectivity, but where should VPN, security capabilities and WAN optimisation live? How much should be pushed into the cloud and how much should be on-premise? There seem to be a lot of delivery options, but what are customers looking for?
Mark Bayne: If you can overcome the security concerns and deliver the functions that are required without having on-premise devices, why wouldn’t you want to push as much into the cloud as possible? There is the scalability and the agility and it makes sense. The view that we have is that the security and the connectivity need to be completely integrated. You are opening up locations that might previously only have had MPLS [multiprotocol label switching] to internet exposure and you have a new attack surface. To enable SD-WAN, you need to have security. Whether it is all from a single vendor or through partnerships, you have to have security built in. If you can enable the connectivity and the security that is required through the cloud, then why would you not do it?
Raghupathy N: It is not just about cost savings; it is also about ease of management and deployment. If I can do that from the cloud then the question is, how is the security built into that? Our area of focus is how to enable our customers to secure the branch with a single device that can deliver and handle multiple functions – basically ‘branch in a box’. For me, it is about customer choice – whether you want full control over features and functionality along with ownership, then it can be cloud or on-premise, but you have to make sure that what you are delivering is secure.
Frank Lyonnet: If you look at the technologies you need at the edge that can be put in the cloud, then I’m thinking of security for internet-bound traffic. Should one really waste some on-premise compute to do that? Using cloud-enabled security is a no-brainer. When it comes to WAN optimisation and the cloud, you still have the last-mile problem. We are talking to customers all over the world, and the last mile is still a problem. So we made a decision to combine on-premise appliances at the edge with pairing with appliances in the cloud to achieve end-to-end optimisation of SaaS [software-as-a-service] and IaaS [infrastructure-as-a-service] applications.
Adrian Tate: Another benefit of SD-WAN is flexibility. It can work in all of those scenarios and there are clearly benefits and values in each one of those, whether it’s in the cloud security or on-premise out of the branch. With SD-WAN, we are giving the customer flexibility about which security they want to use and not forcing them to adopt a new security methodology at the same time as they are adopting SD-WAN. Take SD-WAN and the security process you have at the moment and assess going forward.
Frank Lyonnet: Customers aggressively adopting cloud tend to be very disruptive when they consider their next-generation network. They work across their own silos – networking, security, cloud – to define the best architecture and operation model.
Thomas Quinlan: It is our model that everything gets pushed to the cloud, but there are a couple of points. One is that it is going to be entirely north-south traffic, so for the east and west stuff we have a specific purpose of partnering with SD-WAN vendors for that functionality. With the larger SD-WAN vendors we are moving down the stack as we go, though we have developed partnerships where we can swap API [application programming interface] keys and you can get as close as possible to the single pane of glass where you can provision things at a one to zero touch method in branch offices. The other piece we aren’t really covering here is mobile users. With respect to SD-WAN, mobile users don’t really fit into the branch office model so you have to consider the ability to protect those users too. Because they are rarely in the office, we have to have that level of security and cover those people as well. It is a perfect model, especially for mobile users, to push that security into the cloud. At the same time, we recognise we need to partner with people who can do the things we can’t.
Raghupathy N: We talked about connectivity and security. Does that not exist today? We have connectivity today and security is handled accordingly. The third aspect is size, which is also managed. Everything is done today, so what is it that SD-WAN brings that is different? That’s the question we need to answer. It’s all about simplicity, ease of management and real-time response.
Mike Wilkinson: If the service goes down then what some customers are looking for is the ability to prove innocence. If you are in the application world, they want to be able to say whose responsibility it is – is it the person who owns the network infrastructure or the application provider?
Mark Bayne: An area that we have recognised this year that was missing for us, and a lot of SD-WAN vendors, was that ability for the accountability and from the customer’s perspective they have a single provider that will handle their needs from end to end. Handling those last-mile tickets on behalf of the customer was an issue that we found. When there is an issue, who is going to troubleshoot it? What is needed is monitoring where we will take ownership of the last mile from a monitoring and management issue. From the customer perspective, they see that someone has raised a ticket and someone is going to resolve it. They see a single provider delivering an end-to-end service. The partner will deliver the products and we will provide the monitoring.
Michael O’Brien: We find that customers have such a wide range of deployment models that the reality is that everyone is right and some will want to use the cloud, some want an appliance and some will seek managed SD-WAN services.
Carl Windsor: We see that a lot at Fortinet because we have an on-premise appliance delivering security at the edge and people are coming to us because they want that direct internet access and they don’t want anyone on the way. We secure the internet traffic with the additional advantage of in-branch segmentation. Many customers want their traffic to go where they want it to rather than being scanned by someone else. If you can do everything in one appliance then there is also simplicity.
Michael O’Brien: Customers are dynamic and wide ranging and partners want to solve the customer problem, they don’t want to take a customer through a journey on a platform they are not ready for, so you have got to be ready to have a virtual environment, an appliance environment. If that integratability isn’t in your solution, you may be forcing a customer down a road they are not ready for. With partners, it is also a compelling proposition.
Q. What happens if you have an outage? The biggest providers in the world have outages, so how do you protect against that?
Thomas Quinlan: It is not as if we never have those things, and it has occurred in the past, but we design resiliency into the system by default. In the case of a customer in London, they would direct access through a tunnel in London and back up to a different geographical area. The resiliency becomes more of a guarantee. In that sense, from a utility model of computing, you are always going to have very infrequent outages, but you have to reduce the risk whenever and wherever possible. We spend a lot of time, engineering and resourcing on making sure it doesn’t happen.
Q. What are the security features that you should deploy if you go to an SD-WAN that offer the customer high value?
Ivan Duggan: We have just announced integration of security and SD-WAN and encryption analysis. Being able to know what is happening in an encrypted packet is crucial to spot malware and something that could potentially contain a threat. Whether you want cloud-based operations or on-premise, what applications are flowing across the network, what’s in them and can you manage them? For us, Umbrella DNS is crucial, and encrypted traffic analysis as well.
Thomas Quinlan: The low-hanging fruit is going to be the same if it is on-premise or not. Encrypted traffic analysis is important because if you can’t see the traffic then you can’t provide any of the security. More traffic will become encrypted in the future so it will become more important. After that it is your standard URL filtering, cloud application, DNS, firewalls. All the same things you’re doing on-premise you can look at doing in the cloud. The security picture doesn’t change, it’s just about how the details are done.
Carl Windsor: An additional benefit of being in control of the security and access layer is being able to dynamically identify threats, notify the administrator and automate quarantine for any user or device across the organisation. As soon as we identify malicious behaviour, we can take remedial action and quarantine the endpoint.
Michael O’Brien: There is another point about making it easy for the partner so they can make some money. Having a segmentation model where you can report back to your customer and model that depending on their schema. Also understanding how they have done a level of end-to-end segmentation and understand all of the aspects of that. It’s a real opportunity for them.
Mark Bayne: We would agree with the application awareness around encryption and malware, but it is also about the direction of the traffic. When you have got an SD-WAN solution going in, it can be providing you with optimised north-south access to SaaS applications, but it is also going to be in a position to provide WAN connectivity, and the security is needed in both areas. The other thing is when those same users are moving out of the office and they are travelling, they need to have that same policy and inspection applied when they are remote. A central place to roll out patches and updates can be taken away from the customer and they can focus on policies.
Simon Wilson: I don’t disagree with any of the security issues you have raised, but none of them are specific to SD-WAN. What would you do differently around SD-WAN?
Mark Bayne: Without SD-WAN you will backhaul all your traffic to a central breakout where you will have a large firewall. With SD-WAN you have a new attack surface and a new location when there was only MPLS before.
Simon Wilson: We come across customers all the time that are doing local breakout from site to internet. They wouldn’t consider their solution to be SD-WAN. They configure their WAN circuits, their routers and their ACLs [access control lists], and it just runs. They are doing all these things today, but they don’t call it SD-WAN in the terms we are talking about. They are doing it in a manual way and to automate that with an SD-WAN solution that might have more functions and shifts them to the cloud and a multicloud environment and the need for a more dynamic way to deal with those issues. That’s why the SD-WAN wins over the regular ACL control. But the security that is more specific around an SD-WAN environment, because it is more dynamic, is identifying what devices users are going to use to make intelligent decisions about where you are sending traffic.
Raghupathy N: It is about how can I push a policy that goes into all devices into a single go and can I deploy it? SD-WAN is about simplifying what you do today. This is about ease of management, long-term cost savings and deployment. The thing is about what difference it brings to your everyday life.
Michael O’Brien: Customers come to the channel with an application model and the channel can talk about SD-WAN being a better way to deliver that application model.
Ivan Duggan: Networking has moved into a software and security space and anyone selling networking has to have security capabilities.
Carl Windsor: We came from this at the opposite direction. We have 15,000 SD-WAN customers, the majority of which were security customers that one day updated their next-gen firewall and suddenly could all take advantage of the SD-WAN capabilities. Today, this has changed so customers are approaching us for our SD-WAN with the added advantage of an embedded next-generation firewall.
Mark Bayne: No matter how simple you make the solution, integration adds complexity. The channel, for us, comes in when you are looking at deployment services. If you have MPLS and you are going to augment that or completely replace it, there is an integration piece that depends on the customer environment.
Frank Lyonnet: We have seen integrators evolving to managed services. They are a valuable third party that sits in between the telcos and enterprises taking care of putting the SD-WAN components together – SD-WAN technology, connectivity brokering and managed services. Those that have specialised into that have been very successful, selling into mid-size to multinational companies.
Ivan Duggan: We are starting to see partners selling applications and practices that they can create applications they can layer on top.
Simon Wilson: That’s one of the big benefits of the software-defined era – it is more open, there are APIs and they can differentiate and create new offerings themselves. The smart ones are figuring out how to do that better. The channel knows customers better than we do and they are closer to them than we are and they are selling and integrating multiple solutions for the customer.
Tim van Herck: Channels are usually integrating protocols and devices together. Now we are talking about DevOps and multiple cloud providers so that’s requiring a different skillset from the channel that might not be so well developed.
Michael O’Brien: Very rarely is one of our solutions the only thing a customer is doing at one time. That’s when they turn to the channel advisor, who is more trusted on multifunctional, multivendor solutions. We want to enable our partners to be able to deliver a service and know what the best pieces from us are to do that.
Q. What skills does the channel need to develop then to become more effective?
Michael O’Brien: We find that there are partners out there with the skills and there are plenty in the UK and across Europe. But when you compare that to the average VAR that is doing servers, networking and infrastructure, then no, there is still a gap.
Simon Wilson: I think they do. When it comes to the solution we are putting forward then they do. This is one of those things that the first time they implement the solution it is pretty simple. But it becomes more complicated as they become more attuned to it and turn on more of the knobs over time. They start doing more differentiation and adding other circuits and setting up more complicated rules. So yes, they can do it to begin with and then as the customer evolves they need to get smarter.
Raghupathy N: Channels are key in any technology sales, but SD-WAN simplifies a lot of this complexity. Delivering this product has less to do with selling the product than managing this as a project. From the channel perspective, SD-WAN is more about managing delivery, RMA [return material authorisation], and so on, because technology as such simplifies a lot of deployment issues.
Ivan Duggan: We are simplifying the need for deep technical expertise, but that said, if you are not an IT or security expert you are going to find that difficult. There are some great security partners and great IT partners. The number that can do both is increasing, but there needs to be more of them.
Adrian Tate: The conflict that has come out of this conversation is that we talked about only 5% of partners had decided on an SD-WAN solution and general agreement about how partners are hedging their bets and perhaps going with three or four solutions and then we have this need for this specialist expertise around SD-WAN solutions and software-defined security solutions and it doesn’t match. How can partners be experts in all of this technology if they are hedging their bets across four solutions or if they haven’t got around to thinking about it?
Frank Lyonnet: We have seen a ramp up in consumption of our professional services. Demand has been growing and we have created programmes to help partners to gain project management type of skills.
Song Toh: A good number of the decisions to go with SD-WAN are WAN refresh. That alone means this is not a cookie cutter option. Each enterprise has its own WAN topology and architecture. That is making that SD-WAN design almost a subject to the WAN decision so we have to do it together with the customer as a managed service. Even after that the day-to-day management is not simple. We have to give the customer the ability to do some self-management control, but we have to make sure it is working.
Ivan Duggan: I think we are over-complicating it. There is a difference about what circuits you have and how you want them deployed, if you want broadband or MPLS, but if you look at topology and configuration of the SD-WAN that is fairly straightforward. Because we automate the management that is easier to do.
Mike Wilkinson: In some respects, it comes down to the dynamism of the business you are looking at. I worked with some of the private health companies in the UK. If you go and talk to the networking division, they are looking at designing something that will support 200 sites. Then you have the CIO and the business transformation team, and you are reliant on a complete connection between those three groups. The network has to underpin what they are thinking about, and if it is not as well connected as it should be, the person designing the network can find it changing all the time. There needs to be agility in the network design. The more transformation in the business will mean a greater need for flexibility in the future.
Simon Wilson: We are seeing lines of business also going out and procuring solutions on their own, without using IT, which means a lot of traffic is coming they did not know about.
Tim van Herck: If we do get that trigger point where enterprises are considering SD-WAN, it is actually a good opportunity to let them reconsider and extract some complexity out of the branches. Very little has changed over the years and there has been this organic growth of boxes and functionality in the branches so SD-WAN should not be another bolt-on to the stack of boxes already there. This should be a point to rethink the services that can be taken out of the branch and moved into the cloud. Centralise what you can and keep local what you must. The less complexity we have in the branch the better. Security has to be kept in the branch.
Ivan Duggan: You can strike up a branch in an hour for a building site, but before that you would define what that branch will look like, with policies and segmentation. Once you have defined all that and what links it together, striking up an SD-WAN branch is really easy because all your policies have been defined and it’s a click of a button and away it goes. But to build it out, what is your corporate segmentation, security, access policy? Building that out first is a bit more complex, but once you have defined that, then automating it and setting up a branch is much easier.
Mark Bayne: Where we have seen a skills gap is around recognising the use cases that are effectively met by SD-WAN. They don’t have a skills gap in the technical knowledge they would need but it’s being able to recognise that a customer is attempting to do something that would be limited by the existing WAN infrastructure. I think there are some leading questions that partners can be fed with that would allow them to identify problems. If they are close to the customer so they know all their business goals and where it would fit but for the partner that does not understand SD-WAN there are some questions they can ask: When are your MPLS contracts up for renewal? What is your cloud adoption strategy? Are you moving to Office 365 and how is that going? Understanding when they get the answers to those this is a good fit for SD-WAN.
Michael O’Brien: I agree it’s about understanding the application and where it would best fit. How to make it really perform for the customer.
Q. What is one piece of advice to give to channel partners that are looking to capitalise on SD-WAN?
Frank Lyonnet: There is a gap that exists where the channel is not ready with SD-WAN because it is a new model, not only with technology but also operations, and existing service providers that were delivering on that operational model before are not necessarily top priority choice for organisations because they are not able to deliver right now the full benefit of SD-WAN back to the enterprise. If you have a rigid managed service you don’t get the agility. So there is an opportunity for channel partners to bridge that gap with something that could bring back all the benefits of SD-WAN to the enterprise.
Ivan Duggan: The first is to build up your customer success practice. That is really critical. The second is upskilling your IT department to do security skills.
Thomas Quinlan: I would say training. People are busy and not everyone has time to do training, but at the same time there are a lot of training credits available. The opportunity is there, and basically it is free, but people don’t take advantage of it – they need to start doing that.
Mark Bayne: To make sure they are able to ask the right questions to highlight the current WAN technology challenges. From the other perspective to help them recognise this is a large net new revenue stream potential, rather than cannibalising existing revenue streams. Depending on the partner you are talking to most of the time, SD-WAN allows them to start taking some of the telcos’ revenue, when they weren’t able to before.
Carl Windsor: Understand the customer pain points – really dig down and understand what those are. If it is lack of resources, then you can look deeper into the network. It’s not only SD-WAN, security, but looking down into the branch and seeing where you can help the customer all the way down into the access layer in the network with the wireless LAN, the security, and see how far you can help them with that network and simplify operational management for them.
Raghupathy N: We look at SD-WAN holistically, as universal CPE we are capable of delivering multiple services in a single box. The challenge is finding the partners that can grow themselves into this market. As a partner that can integrate multiple services into a single offering they have a lot of scope.
Adrian Tate: Don’t dilute your SD-WAN skills by spreading your portfolio too broadly. Focus on one or two SD-WAN solutions and become the experts in those.
Mike Wilkinson: There is a lot of opportunity for them to add value into their customers. Typically they have sold networks. This is an opportunity to move from networks into the application and business process because it brings the two together.
Michael O’Brien: It is about bringing your service to market faster and in a more agile way, so don’t just focus on the IT, focus on the lines of business. If you haven’t already, invest in architectural services and management – that is what this is all about.
Simon Wilson: For channel customers, don’t just think of it as being a WAN problem, but see it as a regional, branch IT issue. Look at it holistically, don’t just look at the WAN as a standalone thing. From the channel perspective, with SD there is so much of an opportunity to use APIs to generate a unique proposition to take to market compared to others which are selling the same vendor. They need to take advantage of that because otherwise customers will just be saying how do I pick from partner A or B?
Song Toh: As a managed service provider we are already in the market and we have an SD-WAN offering. What we do here is we need to deliver the best service and support for the customer.
Frank van Herck: You need to focus on standardising the design of the branches so you can replicate that across multiple customers. The network designs are overly complex these days and it would be easier if you could simplify those into a single design. Also have that conversation to see if the customer wants to move into the cloud.