If the recent WAN Summit in New York, where I moderated a panel on last-mile access (more on that later), was any indication, the SD-WAN market is shifting towards a service-delivery model where sufficient network security and predictability are baked into the SD-WAN so the service can replace MPLS.

In session and private conversations, topics related to secure SD-WAN services kept popping up. The challenges of today’s managed services. The impact of the cloud. The need for SLAs in SD-WAN services. How encryption complicates visibility and, by extension, enterprise security. These and other issues point to the change and challenges facing SD-WAN services.

SD-WAN and the rise of co-managed services

During his talk, “WAN design in the age of SD-WAN,” Jim Fagan, director of global platforms at Telstra, spoke about how the definition of a managed service changes with SD-WAN. It used to be that carriers provided fully-managed networking services: the service delivery, design, maintenance and more were controlled by the carrier. To the enterprise, a fully managed service is a black box. Got a problem? Open a ticket. There’s little visibility and no control over the service.

The cloud has changed how we think about networks, though. We’ve entered the world of co-management where the provider runs the underlying infrastructure, but the enterprise customer (or their MSP) is responsible for their SD-WAN instance across that infrastructure. Think AWS for networking services. In this new model, costs are much lower while control and visibility are much higher.

SD-WAN services also need to become more predictable if they’re to replace the role of MPLS. In a panel discussion, one panelist observed that there are many reasons for keeping MPLS even after deploying SD-WAN.
The Internet is still too unpredictable in some regions or between regions to deliver the consistent, end-to-end performance needed by some corporate applications.

One enterprise user on the panel, Mike Howell, the Global Infrastructure Engineering Manager at Rentokil, the biggest pest control company in Europe and the second largest in the US, believes that MPLS performance will move into the ISP space. He noted that some ISPs already give SLAs on their networks, but that’s not done globally. “Perhaps in five years’ time MPLS will trend down fast.”

And if secure SD-WAN is to be delivered as a service, visibility is going to be critical. “If you don’t have visibility into the network, you can’t have the best security,” says Ripin Checker, director of cloud solutions at Juniper Networks. Application-layer visibility into all traffic is important for enterprises or providers to gather the indicators pointing to potential threats. But with the widespread adoption of encryption, organizations lose traffic visibility, which makes traffic interception important, and that’s a problem.

SD-WAN and the problems of the thin branch

There’s a push among service providers, vendors and many enterprises to reduce the hardware footprint in the branch office. There are the facility costs (heating, electricity, and real estate) that need to be considered when running multiple appliances in a wiring closet. Those appliances need to be deployed, sized, and maintained properly. All of which exacts a toll on operational expenses not just in terms of keeping the appliances running, but also in terms of complexity. Troubleshooting becomes more complicated with more components in the network.
Agility is constrained.

It’s why Amar Abdelhak, the enterprise architect at AbbVie Inc., a pharmaceutical company with sites in more than 100 countries, believes in hyper-convergence, where multiple functions are offered on one or a few boxes, reducing appliance sprawl. Network Function Virtualization (NFV) is often seen as the way forward for providers to deliver hyper-convergence. With NFV, providers can run virtual network functions (VNFs) from different vendors on an appliance.

But consolidating VNFs alone on branch appliances may not solve the problem. Life cycle management is vital when thinking of VNF across the branches, said Sunit Chauhan, senior director of product management at Nuage Networks, in one session. “Using VNFs with firewalls and WAN optimization is a complicated architecture.”

It’s made even more difficult by the constraints of the underlying appliance. Running so many functions on one appliance is bound to force hardware upgrades. Traffic spikes are one potential problem, but the other is applying all functions to all existing traffic. Enabling compute-intensive features, such as traffic decryption, exacts a heavy toll on the appliance, forcing unexpected hardware upgrades.

The answer? Moving more to the cloud, it seems. “Shangri-La is moving the hardware into the cloud,” said Michael Kaehly, technical director in the advanced technology group of Riverbed.