Verizon Looking To Challenge Akamai With New Cloud-Based Web Application Firewall Service

This morning, Verizon announced a new cloud-based web application firewall (WAF) service as part of their Verizon Digital Media Services Defend product suite, which includes built-in protection against network-layer distributed denial of service attacks and origin-cloaking capabilities via Origin Shield. Verizon has launched the offering as a beta product for the next few months, with plans to have it go gold in Q4. Verizon has long been in the business of remotely managing security devices for their customers through their Verizon Security division, with thousands of customers. Some of these security technologies belong on-premise – such as network firewalls and intrusion protection systems, whereas other areas of security, such as those applied to websites and web applications, may be better done in the cloud. This fact has not been lost on Verizon and they are making a big entrance into the market with anti-DDoS, origin protection, and web application firewall solutions built into their recently acquired EdgeCast CDN platform.

For those new to web application firewalls, or WAFs, they are primarily used to protect websites and web applications by inspecting HTTP/S traffic to ensure the HTTP/S requests are not being used to attack. While WAFs have traditionally been deployed on-premise, the trend now is to move this service to the cloud for all the standard benefits of cost savings, on-demand scalability, always-on capabilities and faster time to market. While Verizon is not the first to the market with security offerings (we all know Akamai’s been in the security space for a while), Verizon says there are some key differences in how their platform operates. While most WAFs share a similar core approach in that they are inspecting HTTP/S traffic (requests) for attacks, Verizon says their WAF is delivering a set of capabilities previously unseen in the cloud-based WAF market by taking advantage of their existing EdgeCast content delivery network (CDN) for both scale and automation.

For example, the Verizon WAF enables rule updates and WAF instances (rules are procedures that control access to websites) to be pushed out to all their CDN points of presence worldwide in less than 5 minutes. This means that once a new type of vulnerability is identified, new rules can be applied almost instantaneously, thereby minimizing the exposure. And given that their WAF is tightly integrated into their CDN platform, customers are able to control (on a per domain or multiple domain basis) exactly what traffic types (e.g. HTML) and/or object types (e.g. json, jpg, etc.) they want to process through the WAF, minimizing both their expense and the amount of incremental performance overhead added to their traffic. Verizon is focusing a lot on the fact that they have a whole lot more rules available in the first version of their WAF product than other vendors do.

By implementing both the OWASP ModSecurity core rule set and the ModSecurity commercial rule set from Trustwave, their customers are provided with the broadest set of rules available on the market. Include the EdgeCast security rules within their HTTP/S caching engine that can be applied to their HTTP/S traffic, and you really do have a very deep and broad set of tools that enable a higher degree of general protection. I think the Trustwave partnership is important to mention as it brings a ton of “black hat” credibility to the table for EdgeCast as a vendor, as Trustwave’s technology is considered top notch. The WAF also provides thousands of rules that are custom-built for specific applications like Microsoft SharePoint or Apache servers, which makes sense for enterprise customers looking for quick out of the box implementations. From what EdgeCast tells me, they plan on leveraging their Verizon Security division as part of their ongoing roadmap, as the Verizon Security folks have a ton of threat intelligence domain experience and can help the EdgeCast team enhance their WAF capabilities even further.

While version 1.0 of Verizon’s WAF hits all the basics and also offers some nice differentiators, it is not without some shortcomings. These include the lack of more complete protection against certain types of application layer DDoS attacks, bot mitigation technology, additional reporting, SIEM integration, and the advanced learning features found on some of the higher-end WAF appliances. Verizon EdgeCast has shown me that they have all of these on their roadmap and will be rolling out these capabilities over the next 12 months. They have a pretty good track record of adding new capabilities quickly, so I’m pretty confident that they will address these deficiencies soon.

The projected market growth for WAFs is anywhere from 18-30% in 2013 with an overall market value of over $250M per year, (Source: Gartner said 30% growth in 2013 and greater than $337M revenue in 2013, TechNavio said 18% growth) and the complementary market for anti-DDoS services is over $500M per year (2014 estimates, IDC) and growing at close to 20% 2012-2017 (source: Infonetics). Hardware-based deployments are dominated by companies such as Imperva, Check Point Software, and Trustwave. Verizon’s WAF will be competing with cloud-based WAF vendors including Akamai, Incapsula (Imperva), CloudFlare, and Qualys – which is also in beta test with their offering.

Some Akamai customers I have spoken to have voiced discontent with the high setup fees and high ongoing monthly recurring costs, along with the lack of control associated with their WAF offering. To date, the only viable alternative to their WAF has been on-premise appliances. That is about to change, and given Verizon’s prior experience re-selling Akamai’s solutions, I think they are better prepared than anyone to compete head to head. EdgeCast says in the case of any customer using Akamai’s stand-alone WAF or Kona bundle, the Verizon WAF supports a much more extensive set of WAF rules without the need for expensive professional services. It also provides the ability to selectively control what traffic and objects are processed through the WAF; deep visibility into what the WAF is actually seeing; a much higher degree of usability and configurability; and less exposure to the risk of attack from new threats given what EdgeCast says is the ability to push out rules updates more than 900% faster than what is offered by other WAF solutions in the market today. Pricing I’ve seen from both vendors indicated that the EdgeCast WAF service will come in very far below what Akamai is charging – both lower set up fees and lower recurring monthly fees. We’ll know more once we see deal flow in the market.

Verizon’s WAF is well suited for mid-sized and enterprise class organizations and provides many reasons to choose it over competing offerings. In combination with other existing Verizon offerings, such as the Verizon anti-DDoS, threat management, and managed security services, Verizon is able to offer a web site security portfolio that few others can deliver. To date, Akamai’s not had much in the way of cloud-based competitors since Qualys’s cloud-based WAF is focused just on Amazon EC2 or VMware’s vCenter. And the other cloud-based WAFs such as Incapsula and Cloudflare are focused almost entirely on the SMB marketplace. Verizon’s WAF is specifically targeting the same enterprise class customers Akamai is, so we’ll have to keep an eye on what kind of traction Verizon can get with their offering and if Verizon has any impact on driving down pricing for these services industry wide.

Even If The Supreme Court Ruled In Aereo’s Favor, It Still Had No Viable Business Model

Those who have read my blog before know that I have criticized Aereo’s business from day one. [See: Barry Diller’s OTT Service Aereo Is Dead On Arrival] Not from the standpoint of whether or not the service was operating legally, but rather with the perspective that when it comes right down to it, Aereo’s service simply isn’t compelling for the majority of consumers and never would be. Aereo offers very little in the way of content, with few choices, only average video quality, on only a few devices, with buggy DVR software. This is the exact opposite of what the vast majority of consumers are looking for in the market when it comes to how they want to consume premium content.

As a whole, the media’s coverage of Aereo has been poor in that it hasn’t fostered a conversation about what consumers want and whether or not Aereo was actually providing it. The story should not be about Aereo’s technology, or the size of their antennas, but rather about the business models that their technology could or could not support. There is no value in any technology if it is packaged and brought to the market as a service that consumers are not willing to pay for in volume. Many in the media have been so blinded by Aereo, thinking and predicting that their technology was going to replace or displace cable TV, that they simply can’t see the reality. Aereo failed not because it was found to infringe upon the rights of copyright holders, but because their offering wasn’t one that was compelling, reliable or in demand by consumers. Many want to talk about the technology, but few ever questioned Aereo’s business model. That has to change.

Netflix and other services have taught us that consumers want a lot of content choice, they want a deep catalog of content to pick from, they want it on all of their devices, they expect the quality of the video to be very good and the service to be easy to use. This isn’t what Aereo offered. For all the talk by Aereo and some members of the media on how Aereo allowed consumers “to pay only for the channels they want without being tied to cable companies”, the fact is that Aereo didn’t allow for that at all. A USA Today article writes that a “passionate base of a la carte TV fans is cringing”, because with Aereo “consumers can choose to pay only for the channels they want without being tied to cable companies.” No, they can’t.

Aereo doesn’t have an a la carte offering of any kind. Aereo offers only one package, without the ability for users to only pick the channels they want. Of the 35 channels offered in the NYC area, Aereo doesn’t allow users to strip out the 10 channels that are broadcast in foreign languages and pay a lower price each month. No, like the cable TV market, Aereo forces users to pay for channels they may not have any ability to watch or have any interest in using. So for all the posturing by Aereo on how it was different from the cable TV industry, the fact is, their packaging was exactly the same. Aereo themselves used the term a la carte when they would talk about their service, when in reality, there is no a la carte at all.

The real discussion should be about what consumers are willing to pay for, what type of content they want to watch, how they want to consume it, what quality they want it in, and the business models that most resonate with them, be it subscription, rental, PPV or download to own. Focusing on the size of Aereo’s antennas or how much consumers hate paying their cable bill isn’t the real story. Outside of the copyright issues, there is nothing to debate. The fact that Aereo’s service has been in the market for almost two and a half years, and they haven’t even penetrated 1% of the cable TV market, shows that it’s not the technology that was holding back their business, but rather consumer demand for such a service.

If Aereo came to the market and said it was a niche service and that a small percentage of consumers would want it, that would have been accurate. But Aereo’s CEO and Barry Diller kept saying the opposite, stating that 25-30 million consumers in the U.S. would pay for such a service, with no data or previous use cases of any kind to back up such statements. Aereo set expectations they could not live up to and weren’t being realistic with themselves, or others in the industry. Just look at this video on Aereo’s website that gives an inside look at their technology, where their Chief Commercial Officer says that consumers can access Aereo “from any device that is Internet connected”. Any device? That’s simply not accurate.

Aereo didn’t understand what consumers are willing to pay for, how to package their service to truly stand apart from cable TV, or how important video quality really is. Aereo set themselves up for failure from day one. They have no one to blame but themselves. The Supreme Court ruling isn’t what stopped Aereo’s business from being successful; it was Aereo’s insistence that their technology would drive demand for their limited service that the majority of consumers never wanted to begin with.

Thursday Webinar – State Of The Second Screen: Behaviors, Trends & Media Consumption

Thursday at 2pm ET, I’ll be moderating another StreamingMedia.com webinar, this time on the topic of, “State Of The Second Screen: What’s Really Happening?” While the industry continues to experiment with, and be fascinated by second screen experiences, many are still on the fence as to its actual potential and place in the future of television. How are the personal viewing habits of audiences actually changing? How important is it for network or content owners to develop a stand-alone app? How much are consumers willing to pay to unlock exclusive content features? What second screen examples are working well? And will consumers ever shift to the point where second-screen becomes the primary screen for the majority of media consumption?

These questions and many more will be covered in this webinar as Alan Wolk, Global Lead Analyst, and Miles Weaver, Product Manager – Second Screen, dive into the second screen behaviors and trends of industry professionals and a younger target audience.

REGISTER NOW to join us for this FREE Web event.

Intelligent Software Is The Future Of Application Delivery, Not Networking Centric Approaches

I have written a few times about Instart Logic and its web application streaming technology. The company has attacked incumbent CDNs with a novel technology that it claims makes those same CDNs obsolete. The core of the technology is a way to build a connection between Instart Logic’s delivery network and the browser on the user’s device. This connection is enabled by a small JavaScript software layer Instart Logic calls the nanovisor on the smartphone, tablet or laptop. The technology allows Instart Logic to identify which parts of a web app are the highest priority and stream them down to the user. This is attracting media companies as well as ecommerce companies that are both investing in delivering very high quality images and dynamic, personalized content.

Instart Logic’s intelligent connection is built entirely upon software smarts and is a shift away from the hardware centric approaches of traditional CDNs. Instart Logic claims that being software-based from the ground up allows for faster iteration and innovation along with lower capital costs. This is very different from the hardware centric approaches from Akamai and other similar vendors, who depend on lots of servers sitting in data centers around the world.

By moving to a “software-defined” model of application delivery, Instart Logic is designed to address the latest performance bottleneck – the wireless “last mile” from the cell tower or WiFi router to the device. The last mile is so painful for traditional CDNs because of four main variables including: network conditions and congestion, speed of Internet connection, application content and structure, and device type. One or any combination of the four can cause applications to load slowly or render a poor user experience. Instart Logic specifically designed its solution to take into account all four of these variables and use software-driven intelligence to address them for each specific user. This is their real secret sauce.

To back up their claim that software-based application delivery allows for faster builds of new features and greater technology innovation flexibility, Instart Logic has been releasing new features and technologies at an impressive clip. The two latest releases are both very interesting and something I have been spending some time to better understand. SmartVision is a new technology that works with the company’s image streaming capability. It uses computer vision technology to analyze the content of images. It can tell whether an image, for example, is a blue ocean or a face, a mountain or picture of a car.

SmartVision decides the minimum amount of image data that must be sent to make the image recognizable on first paint of the screen with a good quality of experience. A picture of a face might require more up-front data transfer because of the sharp details, whereas a picture of an ocean might not. This will reduce the data transfer for first-load images on the page and thereby reduce page load times. Instart Logic has a patent pending on this technology and is publishing scientific papers about the new approach, which came out of collaborations with image researchers at leading universities.

The second new technology is a feature Instart Logic calls InstantLoad. InstantLoad takes certain components of a web application that are most likely to be used early on in the page load process and uses its client side nanovisor.js library to push those assets into the highest performing class of browser cache. In modern browsers with HTML5 technology, there are different classes of browser caches with varying performance. In a nutshell, InstantLoad puts the most highly demanded information into the highest performance cache depending on the device’s capabilities and performance.

This is a clear way to leverage newer capabilities that only came online in HTML5 very recently. The technology works across all major browsers and is particularly useful for upping the performance of SaaS applications. Those types of web apps tend to be used throughout the day by users loading up the same pages over and over. So for those apps, any way to improve client side cache usage and performance can greatly improve the user experience and diminish wait times.

Both of these features plug directly into the existing software framework of Instart Logic. To be clear, some of the large incumbent CDNs use software to optimize content delivery and adapt delivery to changing circumstances, such as device type. Other CDNs capture very basic information such as the device type and the network condition and then make changes on the backend to code and images. To date and to my knowledge, only Instart Logic establishes a two-way communications channel between the device and the network and can make real-time decisions using a smart client in the browser, making them unique in the market.

By going deep into the device and using intelligent software to create an entirely new type of application delivery network, Instart Logic is clearly trying to differentiate itself from Akamai, EdgeCast and Amazon CloudFront. If the company can continue to roll out new features and pull in marquee customers like The Washington Post, then that product differentiation could force the incumbents to think about radical overhauls to their technologies, and makes Instart Logic a company to really keep an eye on. If I had to make a short-list of companies that I think are truly innovating in the content delivery market right now, Instart Logic would be number one on that list.

Thursday Webinar: Why Your CDN Needs To Be Paired With Managed DNS

Thursday at 2pm ET, I’ll be moderating another StreamingMedia.com webinar, this time on the topic of, “Four Reasons Why Your CDN Needs To Be Paired With Managed DNS.” Internet performance is more important to companies and brands than ever before with competition for page views, clicks, and conversions increasing every day. If your company is using a content delivery network (CDN) to deliver the videos, pictures, and content, you are putting your CDN investment at risk if you don’t have a managed DNS provider to help power that performance. Dyn Director of Performance Assurance Charlie Baker will go into why CDNs need to be paired with managed DNS, hitting up four specific areas:

  • The DNS impact on page load time
  • Why a CDN-agnostic plan with managed DNS is key
  • The big three of reliability, flexibility, and performance
  • Case studies on how to optimize your performance using multiple providers

REGISTER NOW to join us for this FREE Web event.