Fundamentally, the way that carriers (i.e. telcos) deliver managed network services hasn’t changed in decades. The core architecture of this network, known as hub and spoke, consists of branches talking to the data center over a managed network with a separate firewall in the middle. However, this type of legacy WAN can’t support today’s business needs, which include a seminal shift to the cloud, as well as mobile users that need network access from anywhere, not just from the branch.

Yishay Yovel, vice president of market strategy at Cato Networks, has followed the carriers’ dilemma for years. According to Yovel, there are numerous catalysts to this evolutionary change in the managed network services market.

“Traffic flows across the network have changed significantly in recent years,” he says. “Sending all network traffic to the data center before it can go to the cloud is actually quite a hindrance to performance, but when security is centralized, backhauling traffic is necessary to enforce security parameters. But now companies are shifting their traffic patterns to go directly to the cloud or the internet, and this breaks the old security model. Security has to be put all over because traffic no longer goes strictly to the center.”

Another catalyst to change is worker mobility. Yovel says the managed network is only for branches and physical locations, which leaves mobile workers off the network. Companies are forced to find an alternative connectivity method for them, such as VPN. This just increases complexity overall.

Globalization is yet another issue.

“Multi-national companies typically have to stitch together multiple MPLS providers to create a global network,” says Yovel.
“It’s a real challenge to find consistent and affordable networking everywhere that companies operate today, and there is this pressure to manage all of this with a very small staff.”

In short, legacy WANs aren’t built for this deep level of change.

“The first challenge for the managed network services market is that what used to be a very well-defined, very well-understood managed network that has specific goals, specific designs, specific best practices—it’s basically falling apart. It has to address so many objectives and so many needs that the typical hub-and-spoke MPLS-based network with centralized security simply doesn’t work well anymore,” Yovel says.

The first evolutionary step: NFV

The first step toward evolving the managed network services market was network function virtualization (NFV).

“When the service providers were facing the need to streamline their operation, move faster, respond faster, they took an approach of virtualizing appliances,” says Yovel. “Think about all the different network functions that used to be in the old network—next-generation firewalls, various orchestration solutions, VPN solutions, and so on. They virtualized all these boxes, but that didn’t change the core dynamic of the network itself. Each function coming from different vendors still had its own management interface, plus its own scaling and sizing environment. The fact the appliance was virtualized didn’t change that. They still had the same problem with the centralized architecture as in the past.”

Consider the example of virtualizing a firewall. Mobile users still need to connect over the internet over long distances to some firewall in some location to get the security they need.
The fact that the firewall is virtualized doesn’t change that dynamic.

“I still have a firewall in a specific location that is now virtual that I need to connect to, and all the challenges that I had before for my users. They didn’t benefit from virtualization at all,” says Yovel.

The bottom line is that NFV doesn’t go far enough to transform the operator network, either to achieve real agility and flexibility or to suit today’s business needs.

Follow the AWS model of managed services

“Customers want managed network services, and I believe they want an [Amazon Web Services] AWS-like handling of the network,” says Yovel. “They want a managed network the same way they now have managed servers, managed storage, and all these other great things that move to AWS. Unfortunately, telcos don’t have this business model today. They are still very expensive and very complex underneath.”

A new approach to managed network services is needed, and several major providers are tackling this challenge. Yovel’s company, Cato Networks, is one of those providers, as are a few other companies, such as Microsoft, Aryaka, Meta Networks, and Mode.

In general, the new type of managed network service provider is cloud-native, where everything resides in the cloud and customers simply subscribe to a service, as they do today with AWS. The provider establishes a private global network composed of numerous points of presence (PoPs) over a multi-carrier Tier 1 backbone. The managed service provider then controls the routing and latency of packets on a global scale over this predictable and SLA-backed backbone. By using multiple links and load-balancing among them, the service provider can offer reliability, high availability, guaranteed performance, and consistency all around the world.
What’s more, all traffic on the backbone is encrypted for secure transport.

Customers can connect their data centers, branches, and mobile users to this global network at the nearest PoP. The network also peers with public clouds and SaaS applications, giving customers direct and secure access to them. Security functions, such as firewalls, anti-virus and anti-malware, and IDS/IPS, are generally integrated right into the network and are readily available from anywhere, including for mobile workers.

This new architecture solves the problems that the legacy WAN architecture can’t. Network transport is consistent everywhere around the world. Customers can get direct access to the cloud and the internet without backhauling traffic or sacrificing security. Mobile workers can gain access without the need for a VPN. And since the network is offered as a service, there is no waiting for customer premises equipment or circuits to be installed in order to provision service to a new location.

One approach: Full ownership of the platform

Cato Networks’ approach is to own the entire platform, with the exception of the underlying transport circuits. Cato has rewritten the old point solution bundle from the legacy telco model and changed it into a cloud-native platform. The telco bundle typically includes MPLS, SD-WAN, next-generation firewall, WAN optimization, policy management, cloud integration, mobile VPN, and software-defined perimeter—all coming from numerous third-party vendors. Cato’s model allows them to control the stack, meaning they have written and fully control their own converged networking and secure software stack, instead of taking third-party elements and integrating them together.

According to Yovel, this provides several advantages. First, Cato is not dependent on any third party to release new features, patch a bug, or make enhancements based on customer requests.
Second, costs can go down because there’s no need to pay royalties for third-party software. Third, there is just one set of code for the entire platform, so it’s simpler to manage.

Yovel says these all add up to less complexity and greater velocity. “We can deploy new features and jump on service requests very quickly because everything is under our control. We don’t have to involve other companies to get things done,” he says.

Another approach: Integrate best of breed

Other companies are jumping into the new managed network services space. Microsoft has an offering called Azure WAN. It offers simple, unified and global connectivity using an underlying Microsoft network. The Azure WAN includes automated large-scale branch connectivity, unified network and policy management, and optimized routing and security. While many of the network elements are developed by Microsoft, the company does use components from technology partners such as Citrix, Riverbed, Palo Alto, and Check Point Software to round out the stack.

Aryaka is a fairly mature company with a global enterprise WAN offering. However, Aryaka prefers to partner with best-of-breed technology partners instead of rolling its own stack. Among the partners are Symantec, Palo Alto, Zscaler, Radware, 8x8, and all the major public cloud platforms.

Meta Networks offers a network-as-a-service solution that takes security a step further with a software-defined perimeter (SDP) for every user connecting to the network. SDP complements the open security stack embedded in the network.

Another provider with its own backbone is Mode. It’s a startup, so the offering isn’t fully fleshed out yet, but they do offer managed global connectivity as an alternative to traditional telcos.

Enterprise newcomer Teridion leverages the public cloud to deliver their WAN service.
They prefer to focus on the multi-cloud aspect of their network service, which closely ties in SaaS applications and cloud workloads so that they perform as well as sites on the WAN backbone.

There probably will be other companies getting into this market in the future, as this is the evolutionary direction of the network carrier. It’s exciting to see so many options and alternatives to the traditional, rigid WAN architecture.