Nokia completes the acquisition of Nakina Systems.

2016 Predictions & A Look Back at 2015

For our last blog of the year, we offer some predictions for 2016 and take a look back at 2015.

In 2015 it feels like NFV and SDN reached the peak of inflated expectations – and that’s a good thing. We have exited the portion of the hype cycle in which people have understood the basics, and are now trying to figure out just how these technologies can be used to unlock business value.

Gartner Hype Cycle 2016 Predictions

In 2015, proof-of-concepts have now moved from lab and field trials to initial small-scale commercial implementations. For many service providers, short-term business success will be necessary in order to trigger larger scale deployments.

It also seems that the drivers for both SDN and NFV have shifted from “cost reduction and new service revenues” to “cost reduction and service velocity”. This is likely to be why we’ve seen VoLTE (voice over LTE) and vCPE (virtual customer premise equipment) emerge as probably the most common and popular initial use cases rather than moon-shot approaches.

In 2015, cybersecurity awareness increased. Headline-making security breaches by both insiders and external attackers, the transition to cloud-based architectures with an expanded attack surface, and the disappearing perimeter are forcing security considerations to be acknowledged.

Some obligatory predictions for 2016:

  • Cybersecurity goes mainstream in 2016. The need to secure the network, and rapidly detect and neutralize threats, becomes a prerequisite for NFV and SDN based services.

  • New security-related revenue opportunities including managed identity services, breach detection, compliance assurance and more, will emerge for service providers.

  • Internet of Things will inspire new NFV-based services (and more security considerations).

  • Management and Orchestration limitations will be exposed. Until MANO is solved, growth will be stifled.

  • Containers… a new hype cycle?

Happy New Year and stay tuned for more blog posts throughout 2016, and be sure to review our 2015 blogs.

SDN World Congress – A Long Cybersecurity Journey

SDN World Congress Security

This year’s Layer123 SDN & Openflow World Congress in Dusseldorf provided a good measure of the progress made over the last year. Attendance at the event is up, indicating that interest in the technologies is not waning. There was a growing recognition at this year’s event of some of the operational hurdles that are now starting to come into focus. There is widespread acknowledgment that deployments will be hybrid – a mix of physical and virtual networks – partially because service providers have a massive sunk investment in traditional technologies, but also from the frank reality that not everything will be virtual.

There is also a greater realization that the benefits of SDN and NFV are not cost savings, but service agility. SDN and NFV are also now widely perceived to be enabling technologies, and not unrelated to each other. In fact, NFV is becoming the business case for SDN.

It also feels that we’re past the peak in the hype cycle as there is recognition that dramatic cost savings resulting from the move to COTS hardware may not be easily realized. In fact, in some cases, initial costs will be higher as a result of higher operations learning curves and complexity. It is only when there is pervasive wide scale deployment that many of the cost-savings benefits will be realized. Ironically that requires that these operational complexities be overcome.


An area that is lagging somewhat behind is cybersecurity. While data plane security services, such as a virtual firewall as part of a vCPE service chain, are a common use case, securing the network resources themselves is still largely neglected. SDN, with its various points of centralized control, makes the keys to the network kingdom extremely valuable. The complexity introduced by NFV, including multi-tenancy, relationships between tenants and landlords when hosting virtual network functions, an expanded attack surface, and the need for administrative isolation between various domains, highlights that we are only reaching the cybersecurity starting point. These are some of the points we highlighted during our panel debate.

ETSI security working groups have started to study these areas but there remained a general lack of awareness of the potential threats. With privileged users behind virtually every recent high profile cyberattack, developing the right identity access management strategies for insiders, partners, management and orchestration systems, and SDN controllers is necessary.

This is why we introduced NI-DEFENDER, our Secure Network Auditing Platform. It combines privileged identity access management, continuous configuration scanning, and advanced analytics to prevent, pinpoint, and neutralize network cybersecurity threats. At the event we also showcased NI-VIEWER, the solution’s analytics and visualization capabilities.



Virtualization…It’s Already Mainstream


Virtualization is Going Mainstream. This was the title of an article returned by a Google search recently. The dateline was January 1, 2006.

It’s a good reminder that while there is considerable energy, excitement, and momentum in the news today about network function virtualization going mainstream, the concepts themselves are not new. Server virtualization has been mainstream in enterprise IT environments for quite some time.

Admittedly, there are many considerable and important differences between enterprise workloads and virtual network functions (VNFs) that will be used by communication service providers. However, some of the operational challenges encountered by IT security and virtualization administrators provide important previews of what awaits service providers.

Network configuration and change management is one such critical area. In another recent interesting article (this one from August 2015), a large enterprise IT team detected big data search performance issues after standing up a cluster of new servers in a production environment. Ultimately, server-specific configuration issues were the root cause.

“Moving into production in a large server environment creates the opportunity for many server-specific configuration issues.”

Now, extend this scenario to a service provider’s environment. This is a reason why operators confirm that up to 60% of their network outages and degradations are caused by configuration errors. Needless to say, ensuring that virtual servers, the VNFs themselves, and all supporting systems are correctly configured, and stay correctly configured, is crucial to assure service delivery and performance.

Cybersecurity, specifically securing access to networks and resources, is increasing in awareness and complexity. A recently released study by Kaspersky Lab concludes that when a security incident involves virtual machines, the recovery costs double compared to that of a traditional environment.

As privileged user accounts have contributed to virtually every major security breach reported by the media this year, management and control of privileged users and credentials is increasing in urgency.

Service provider networks are complex by nature – they span multiple technologies, vendors, geographies, and support millions of end users. Services will extend across wired and mobile networks, and span virtual and physical infrastructure. Assuring that the configurations of all the physical and virtual devices along the service path are correct is vital. Similarly, applying the appropriate privileged identity access management policies and controls in this environment is equally essential.

NFV requires a new approach to network security and configuration change management – such as a Secure Network Auditing Platform.

We’re at the stage where overcoming these practical, operational considerations is essential. Join us along with colleagues from Amdocs, Viavi Solutions, Accedian, and others on two upcoming complimentary webinars as we debate some of these topics. Visit our events page to register.

Where are the NFV Moon Shots?

Apollo17 Lunar Rover

It’s been over 50 years since John F. Kennedy famously declared “we choose to go to the moon.” It’s interesting to try and imagine how the last 50+ years would have unfolded if instead he stated “let’s dabble in space, see if we can develop a business case, and see where it leads us”. As a society, would we have the innovations and prosperity that we enjoy today?

A question that we must challenge ourselves to ask is: Where are the NFV moon shots?

“We choose to go to the moon. We choose to go to the moon in this decade and do the other things, not because they are easy, but because they are hard, because that goal will serve to organize and measure the best of our energies and skills, because that challenge is one that we are willing to accept, one we are unwilling to postpone, and one which we intend to win, and the others, too.” – JFK

In June we participated at both TMFLive and LightReading’s Big Telecom Event where we announced our new network security solution. At both events there was a lot of discussion about how NFV and SDN are key to enabling new revenues, and not about cost savings alone. However, in many respects, these aspirations were not supported with a lot of details. In fact, at BTE there was a lot of discussion about incremental evolution and making small deliberate investments to prove-in business cases to executives and boards of directors. That is, a slow incremental approach.

Virtual CPE was cited most commonly as one of the business drivers. But is this really a new business case, or about delivering existing services cheaper, or about re-capturing business that is being lost today, or all of the above? We are the first to acknowledge that transformation isn’t going to be easy. Service provider networks are inherently complex, they have evolved over generations, incorporate a range of technologies and involve an interwoven fabric of people, systems, and processes. It is this complexity that partially explains why new revenue creating services may be delayed until some of the operational realities are resolved (this is something about which we’ve previously written: Until MANO is Solved, Creating New Revenues from NFV will be Delayed).

Big Telecom Event Panel with Procera, Intel and Colt

During BTE we also participated in a panel discussion entitled “Improving Customer Experience: The Critical Role of Service Management in a Virtualized World” moderated by Michael Howard, Senior Research Director at Infonetics/IHS Technology with colleagues from Procera, Intel and Colt.

Infonetics Carrier Network Architecture 2020

Michael shared his view of the Carrier Network Architecture 2020. While a simplified representation, it still illustrates the striking complexity that service providers face. For instance, the combination of highly distributed, multi-technology networks with multiple domain-specific orchestration and control points explicitly highlights some of the challenges service providers will face: multiple systems and people each “touching” the network, and more importantly affecting the services delivered.

Unlike today’s networks, virtualization blurs the natural delineations that existed when functions were implemented in physical devices, and instead creates more inter-dependencies from a performance and security perspective. On the panel we said that a service-oriented view towards management and operations must be adopted. And it is important to recognize that service chains span physical and virtual networks, all of which must be correctly tuned in order to deliver the best possible customer experience. As an industry, these are some of the issues which we must figure out, “not because they are easy, but because they are hard”.

Unquestionably, there has been considerable, and accelerating, progress made over the last few years. But where are the moon shots? The closest is perhaps AT&T’s stated ambition to virtualize 75% of their network functions by 2020.

Do they have all the details in place? Do they understand all the risks? Do they understand all the drivers? Probably not. But they do understand the urgency: something must be done, because if they wait to understand all the aspects of commercialization first, perhaps we will never get there. After all, others are working on their own moon shots.

Securing SDN and NFV: are you ready?

Cyber Attack Warning

Mary Meeker’s 2015 Internet trends report contains fascinating, broad reaching data about how the technologies that many of us are involved in developing are used and consumed. Compared to 2014, this year’s report devotes more attention to security: “Cyber Attacks: Growing in Size / Complexity / Risk”. Undoubtedly, the 2016 edition will likely provide even more insights. It’s not surprising considering some recent high profile security breaches.

Some interesting insights from Mary Meeker’s report: insider misuse is a significant source of breaches. It states that over 20% of breaches come directly from insiders with malicious intent. Include well-intentioned insiders, and it’s easy to see how the majority of network performance issues or security vulnerabilities can be traced to configuration issues.

Service providers have not been immune from cyber attacks either. And the security risks they face are only growing. Service providers are facing an unprecedented set of challenges as billions of IP connected devices are attaching to their networks, from all sorts of locations. New technologies such as SDN and NFV, and DevOps paradigms will create significant disruptions to security and network operations teams.

It’s one of the reasons why Nakina announced NI-DEFENDER, a Secure Network Auditing Platform. The solution combines network and service configuration scanning and context-aware analytics with role and attribute based identity access management. It can be used to protect today’s fixed and mobile networks, physical and virtual networks, and help operators support new NFV and SDN implementations.

NI-DEFENDER was recognized with two industry innovation awards this week and we will be showcasing the solution next week at LightReading’s Big Telecom Event. We’ll demonstrate how the solution can provide and assure security integrity across a typical heterogeneous mobile network, which includes the Titanium Server, a carrier-class NFV software platform, from our technology partner Wind River.

If you’re in Chicago, plan to stop by and meet the Nakina team and attend our panel discussion on June 10, hosted by Infonetics’ Michael Howard.

NFV vCPE: Too Good to be True? Round 2

VanillaPlus hosted a second NFV roundtable discussion. It was an opportunity for colleagues from Ericsson, Citrix, Comptel, and RedKnee along with Analysys Mason to discuss how some of the deployment risks can be mitigated. A key question posed is “Why are CPE services a target for virtualization?”

Managed enterprise services are a lucrative revenue stream for many service providers, particularly those looking to offset declining or flat revenues from consumer mobile and wireline services. Managing the customer premise equipment is the single largest expense for service providers. NFV provides the opportunity to eliminate management complexity and expense of customer located equipment, and reduce technology obsolescence at customer premise. NFV also enables a pay-as-you-grow CAPEX, requiring small initial investment in virtual machines to support router functions that scale with service. Because enterprise services are in many cases customized (by region, location, vertical, and even by customer), NFV enables workflow automation and self-service provisioning through user accessible portals. Reducing provisioning times and improving time to service is a key driver.

As we discussed on the panel, there are obviously some major challenges. Enterprises are increasingly distributed; remote branch offices are served by a variety of access networks, each with varying degrees of performance, throughput, latency, etc. It has been estimated that 80% of application performance issues are blamed on the network. And latency is the biggest source of application performance problems. For example, Unified Communications applications generate small packet sizes and ~10x more packets than other applications. Any packet loss, jitter, or degraded performance will have a significant and measurable impact on user experience. Additionally, services are not always ubiquitous, but rather tailored (i.e. vertical specific, location specific, etc.). This means that there will be more configurations and parameters that need to be accurately set in order to meet SLAs and deliver the appropriate service. All this is possible and achievable with NFV, but one must not overlook the potential increased operational complexity when it comes to properly configuring these service settings, monitoring and troubleshooting. NFV creates the potential for more configuration-induced performance issues. There are more (and different) parameters that can be tuned, and more interdependencies in this shared, multi-tenant type architecture.

Latency sensitive applications are partially why we’re seeing the industry introduce distributed or edge NFV and other techniques whereby certain capabilities may be hosted on a virtualized platform at the network edge or customer premise, while others are centralized. After all it’s not like every enterprise location (particularly remote branch offices) is connected via 10Gbps fiber-fed connections. In fact, most enterprise locations are connected by a range of access technologies, each with varying performance characteristics.

Edge Virtualization for vCPE

This scenario also creates new, creative business models for service providers, including a new suite of ‘micro-cloud’ services. However, distributed or edge NFV creates new and different complexities including, most importantly, new security considerations such as an expanded attack surface. New business models will likely have the service providers maintaining the platform (i.e. the NFVI) and hosting 3rd party virtual machines (VNFs) which belong to the enterprise or another 3rd party. This adds the challenge of multi-tenancy and of managing the access control policies from a security perspective, and increases troubleshooting and issue isolation complexity. This is why a new, carrier-scale, Identity Access Management strategy is needed.

Automated network data integrity auditing and analytics will be equally crucial in order to understand the exact configurations of the functions in the service chain, isolate and correct misconfigurations instantly, and meet service level agreements and customer experience expectations. Automated analysis of service configuration anomalies can dramatically improve resolution of incidents and visibility into service performance. Data-driven analytics helps prioritize remediation, eliminate hours in troubleshooting time, and proactively refine network configurations (such as QoS and TCP/IP settings, which have a direct impact on application performance).

It remains clear that despite the rapid evolution towards NFV, we’re only scratching the surface of the many operational considerations that are arising. If you missed the live event, a recording of the session is available.

NFV vCPE: Too Good to be True?

Virtual CPE (or vCPE) is one of the most popular use cases for NFV by service providers. It’s not surprising when you consider that the customer premise location, whether a business or a home, is the most complex and costly aspect for a service provider to manage. If you look at the situation today, often service providers have to deploy multiple discrete devices or appliances to deliver a service. And the range of services is pretty diverse, varying by region, market, vertical and customer. Services span everything including managed router, firewall, security (such as intrusion and malware detection), unified communications, application performance management… you get the idea.

vCPE Extreme Case

In some cases, these capabilities may all reside as virtual appliances or agents in more costly and complex converged multi-service devices like integrated service routers. In any case, service providers have to deal with a lot of complexity. Challenges include navigating a myriad of business process and operational complexities spanning from order management to installation, administration and maintenance. Operational issues range from managing equipment obsolescence to service level agreement monitoring and troubleshooting. Identifying the root causes and remotely remediating issues can be time consuming and costly. And with the uptake in cloud services there are more business critical (and performance-sensitive) application transactions traversing networks.

The outcomes are as expected: high operational costs, longer times to revenue, and ongoing operational complexity. All impact service profitability. Not surprisingly, virtualizing customer premise equipment (vCPE) has been a key target use case for NFV. A target market is small-to-medium enterprises, which collectively represent a very lucrative segment for service providers, with high recurring revenues. But all this obviously comes with some challenges.

By moving functions (like firewalls, application accelerators, and even routing) from the premise into a data center, there are now even more critical transactions traversing networks. Incorrect QoS parameter settings, for instance, anywhere along the service chain could cause excessive latency, causing some applications, such as interactive video, to experience unacceptable quality. Ensuring network configuration integrity end-to-end is even more crucial.

Partially for these reasons, we’re also seeing different types of virtualization strategies emerge. Virtualization-capable platforms are migrating outside the confines of the data center, all the way to the customer premise. This newer breed of device can host virtualized functions. Some of these functions are maintained and owned by the service provider, or perhaps the service provider is hosting these for the enterprise or another 3rd party. This multi-tenancy scenario requires that security integrity be preserved, and strong identity access management policies be in place.

vCPE NFV Typical Case

Implementations will vary and there will be no single universal vCPE recipe. One thing is for certain, this is a rapidly developing space. We’re only scratching the surface of some of the operational challenges. These will be some of the topics we’re discussing at an April 30th roundtable discussion hosted by VanillaPlus. We’ll be joined by colleagues from Ericsson, Citrix, RedKnee, Comptel and Analysys Mason. Make sure to register.

Until MANO is Solved, Creating New Revenues from NFV will be Delayed

A recently published market research report by Coleman Parkes Research on behalf of HP reveals the responses from 50 communication service provider CIOs and CTOs regarding their NFV priorities for 2015. There is also a great video interview from Mobile World Congress with Julia Ochinero, HP’s Director of NFV Marketing, available from Telecom TV. Importantly, the report provides a comparison of answers to the same questions from the previous year. With emerging technologies such as NFV and SDN, we’re still in such early stages that any ability to monitor progress and spot trends year-over-year is invaluable.

While it’s not surprising that the majority of respondents see migrating from proof-of-concept to trial sometime within the next 3 years, what is surprising is that Opex reduction seems to be a more important driver than it was in 2014, while leveraging NFV to enable new revenue received fewer responses than the previous year. The percentage of respondents citing capex reduction as the main driver remained the same as the previous year: “The top business driver for network functions virtualization (NFV) in 2015 is reducing operational expenses (OpEx), selected by 75% of respondents as compared to 59% a year ago—a huge jump.”

HP NFV Survey Responses

The transition from proprietary hardware and software to commercial off-the-shelf (COTS) alternatives makes the business case for Capex reduction relatively straightforward. Opex on the other hand is much more difficult to quantify.

In the video interview, Julia states something that we have been stating for quite some time: there won’t be greenfield opportunities for NFV. Service providers will continue to face the realities of continuing to run and expand traditional physical networks. Initially, a lot of discussions involving NFV management and orchestration (MANO) were really walled-garden in nature. That is, orchestration was focused on a single pool of virtualized network infrastructure and virtual network functions. The reality is that networks will span multiple clouds, and multiple networks both physical and virtual. This implies that MANO must extend between physical and virtual networks, and span next generation as well as legacy networks. Unless a seamless service-oriented view to end-to-end orchestration is achieved, the promises of operational savings will not be realized.

At Nakina, we believe a MANO Enablement platform is required to harmonize service orchestration across any type of network and to extend orchestration across hybrid physical and virtual networks. NI-FRAMEWORK, our MANO enablement platform, mediates, abstracts and offloads complex management utilities, allowing orchestrators to easily connect and manage physical and virtual network functions. It extends orchestration, visibility and control to physical and legacy networks.

Another interesting finding from the survey is that in 2015 driving new revenue was selected by 63% of respondents as a key driver for NFV, a drop from 78% last year. Does this imply that creating new revenue is not as important as previously believed? Rather, it is likely that service providers have realized that NFV itself does not instantly spawn new revenue opportunities and perhaps the focus should initially be centered on the operational hurdles.

MANO enablement helps operators more quickly realize the operational savings, allowing focus to shift towards developing new revenue creating services.


Mobile World Congress Wrap Up

Barcelona Fira

Despite months of planning, it never ceases to amaze me how fast another Mobile World Congress came and went. Despite the long flight, crowded metro, and inflated prices, the event remains one of the most important in our industry.

Anyone here not Zone 1 or Zone 2?

It seems like it is one of the few remaining gatherings where it is possible to meet either by chance or by pre-arrangement with peers, colleagues, influencers, customers and suppliers. Yet the event has grown so large that even scheduling meetings themselves proved to be a logistical challenge. Given the passenger list for my flight alone, United Airlines in fact could have offered a concierge service to arrange in-flight meetings. Note: it is interesting to see the boarding process break down when virtually the entire passenger manifest is Zone 1 or Zone 2.

Because it came and went so quickly, I’m feeling a sense of urgency to post the obligatory post-event blog before the memory of #MWC15 fades. Here are some of the notable highlights you may have missed, if like me, you struggled to make it past Hall 5.

Even though we’re still in the process of implementing 4G, the industry talk is now all about 5G. The rate of change in the industry is relentless so it’s not surprising we’re now pushing new boundaries with solutions such as small cells, 5G, Internet of Things, etc.

Speaking of which…at #MWC15, NFV continued its forward progress and included live demonstrations of NFV-based networks. Operators are committing to NFV solutions such as the virtual Evolved Packet Core (vEPC) and virtual Radio Access Network (vRAN) in the pursuit of more cost-effective and more agile networks. The supplier community is wholly onboard as well. VMware announced VMware vCloud for NFV with Integrated OpenStack. Some claims: “VMware vCloud for NFV Helps CSPs Achieve Sustainable Cost Reductions, Improve Time To Market”, “VMware Offers CSPs a Fast, Simple Path to OpenStack Adoption”, and “Multi-Vendor vCloud NFV Platform Supports 40+ Virtual Network Functions from 30+ Vendors”.

The progress is undeniable. What still seems to be missing in these discussions, in my opinion, is a frank recognition of how all this becomes truly operational. Demonstrations, lab trials, proof-of-concepts, and small-scale field trials are all encouraging. But implementing, maintaining, and supporting revenue generating services using these new technologies will create a whole new set of operational requirements, complexities, and challenges.

In a recently published article we wrote: in order to achieve the commercial promises of SDN and NFV, the industry will have to understand and address the operational considerations of rolling out these technologies in scale, while at the same time dealing with the realities of continuing to run and expand traditional network architectures. Assuring network performance, integrity and security in this dynamic, complex environment is vital, yet it has been overlooked, for the most part, in all discussions to date.

These are the topics we covered at #MWC15 in our in-booth seminars and briefings.

We also released a significant announcement describing how Turk Telekom uses Nakina to enable service orchestration and anticipates saving $25 Million.

After all, Network Integrity is the key to enable NFV, management, and orchestration.

Nakina MWC Booth

If you missed visiting our stand, our presentations and video recordings from #MWC15 are available from our resource center.

Until next time, Barcelona.

Carrier Class NFV – A Guest Blog by Charlie Ashton, Wind River

Charlie Ashton Wind River

Nakina is pleased to welcome Charlie Ashton, Director of Business Development at Wind River, as a guest blogger:

If 2014 was the year NFV became a leading industry buzzword, 2015 may very well be the year when rubber meets the road and the operational realities of implementing carrier class networks become evident. While virtualization is by no means new (enterprise class data centers have been virtualizing servers for a decade), service provider networks present new challenges and requirements.

For instance a service provider workload, unlike common enterprise workloads, requires critical data plane capabilities which, in most cases, are involved in the delivery of services to hundreds of thousands (or more) subscribers. Examples include elements in the Evolved Packet Core (EPC) of a 4G LTE mobile network. Additionally, telecom networks have critical requirements in terms of availability, performance and security. Many Virtual Network Functions (VNFs) need deterministic, low-latency performance, which must be guaranteed by the NFV Infrastructure (NFVI) software.

Assuring the integrity of the network is critical in order to ensure seamless and continuous operation. Configuration parameters of NFVI and VNF components must be maintained to ensure that their performance supports Service Level Agreements (SLAs) for both business and consumer services, implying a mix of real-time, content-rich and interactive applications. It is easy to see how this becomes more challenging in virtualized networks in which configurations are more dynamic, workload performance is key and protecting the security integrity of the environment is critical.

The joint solutions from Wind River and Nakina address many of the looming operational complexities in NFV. Wind River Titanium Server is the industry’s first fully-integrated and feature-complete NFV software platform. It’s the only platform to guarantee six-nines (99.9999%) uptime for NFV infrastructure. No other commercial server solution enables service providers to maintain the rigorous uptime required as networks transition to a virtualized infrastructure. Nakina’s management and orchestration enablement solutions include a suite of orchestratable applications used to assure network and operational data integrity in physical and virtual networks. These applications continuously audit VNFs and NFVIs to ensure that configuration parameters match those expected by orchestrators, inventory and other OSS systems. Nakina also protects the security integrity of networks, enforcing and tracking the appropriate role-based access policies enforced end-to-end for both personnel and processes (like orchestrators, element management and VNF managers).

Wind River and Nakina will jointly present these and other topics from March 2nd through 5th at Mobile World Congress 2015 in Barcelona. Visit Wind River in Hall 7, Stand 7J65 and visit Nakina in Hall 7, Stand 7J11.

We look forward to seeing you in Barcelona!