Discontent and disruption in the world of content delivery networks

As content delivery network (CDN) market leaders like Akamai and Cloudflare grapple with technological shifts, some innovators like Teridion, Signal Sciences and Section.io (in which I am an investor) are making rapid advances.

The CDN market, estimated at $5 billion today, is anticipated to be more than $10 billion by 2019. While the market is growing rapidly, can the giants learn to dance? How are the startups aiming slingshots at the legacy Goliaths? Newcomers like StackPath aim to win by offering a “security first” CDN, which, in the wake of #CloudBleed, can be a marketing differentiator. Above all, how will that elephant in the room — Amazon CloudFront — trample all the unicorns?

Looking back: A brief history of CDNs

The first wave of CDNs started with Akamai almost two decades ago in 1998. CDNs were designed to accelerate web content. In the world of constrained bandwidth, speed of delivery is affected by a variety of factors, including page content and effective routing of traffic. Web companies that experienced heavy web traffic needed a reliable, rapid mechanism to ensure uninterrupted service. Akamai promised all that, and then some.

Within a year of its launch, Akamai went IPO and had Apple Computer as its logo customer. At the time, Apple constituted 45 percent of its total $1.2 million revenues. Limelight Networks was a fast-follower to Akamai and was launched in 2001. It went public in 2007 but has not been able to catch up with Akamai. In 2016, Akamai posted $2.3 billion in revenues with a market cap of more than $10 billion. (Limelight Networks posted $170 million revenues in 2016 with a market cap of $290 million. Private equity shops, take note.)

Over time, websites became more dynamic and bloated, and we entered the SaaS / application era. And then, the shifts of cloud and mobility changed the way content was delivered and consumed. CDNs started to mitigate DDoS attacks. Add the growing demand for security to that mix and slowly but surely, the CDN universe is getting disrupted.

Amazon launched its own CDN, CloudFront, in 2008. Cloudflare started circa 2009 offering content delivery, security and analytics. In 2011, Fastly launched, and it recently announced a new $50 million funding round. StackPath raised $180 million in a single round to disrupt CDN markets. Its CEO, Lance Crosby, is a badass who started SoftLayer and sold it to IBM for $2 billion. Having that kind of an exit made it easier for Lance to raise a war chest of $180 million.

| Company | Year Started | Capital Raised | Investors |
|---|---|---|---|
| Cloudflare | July 2009 | $182 million | NEA, Union Square Ventures, Fidelity |
| Fastly | March 2011 | $179 million | Battery Ventures, August Capital, Iconiq, Sapphire Ventures |
| StackPath | 2015 | $180 million | ABRY Partners |

These newcomers have created headaches for Akamai, eating into its margins and steadily forcing the price down. Akamai’s Media Delivery Solutions revenue for 2016 was down 9 percent year-over-year. As the CDN supply-demand curve shifts, customers are enjoying price drops of 20-40 percent.

Grappling with changes

As we enter the new applications- / DevOps-driven world, developers will drive next-gen CDN consumption. Dynamic microservices, Continuous Integration / Continuous Delivery (CI/CD) and, of course, performance and security remain paramount.

Let’s look at some of the technological shifts:

Bloated web pages: We are fat, getting fatter. Average bytes per web page has grown ~3X to 2.4 MB in the past five years, as reported by httparchive.org.

An Akamai study shows web page load times for desktops have increased by 63.8 percent in two years, from 7.2 seconds (2013) to 11.8 seconds (2015). And when it comes to dynamic content, customized to enhance the user experience, all bets are off. Steven Sinofsky, the former president of the Windows division of Microsoft, tweeted recently about LinkedIn’s slow load time as his “favorite new feature.”

The growth of video: As the CDNs attempt to deliver bloated pages, the type of content has shifted. The demand for video / live streaming / dynamic application content continues to grow. Video is expected to grow 4X by 2020, when Cisco predicts 82 percent of all IP traffic will be video. Video consumption during busy-hour internet traffic (7pm-11pm) is expected to grow nearly fivefold from 2015 to 2020. Dynamic content and bandwidth peaks are the new CDN game, away from static cached content.

Mobile consumption increases: By 2020, ~30 percent of traffic is expected to come from smartphones. The average load time for mobile sites is much worse — 19 seconds over 3G connections. In a September 2016 study, “The Need for Mobile Speed,” Google found that 53 percent of mobile site visits are abandoned if pages take longer than three seconds to load. The data, based on analysis of more than 10,000 mobile Web domains, suggested that mobile sites that load in five seconds earn up to two times more mobile ad revenue than those whose sites load in 19 seconds.

So publishers are motivated to drive for speed. And we all know that a one-second delay in Amazon’s web page load time could burn $1.6 billion in sales. Accelerating content for mobile is a headache for CDNs.

Not too far away in the future are gaming, VR/AR and IoT companies. The times they are a changing — and getting messier. Such technological changes are forcing CDNs to improve speed, while dealing with dynamic content.

Optimizing traffic routes over diverse network pathways (ISP, 3G, mobile), balancing load / peak demand and ensuring security is now expected of CDNs. While legacy CDNs are slow to react, several upstarts are tackling traffic optimization, next-gen WAF and DevOps-friendly CDNs.

Optimization of routing: The routing of internet traffic is determined by the archaic Border Gateway Protocol (BGP), which does not factor in timing for data routing. It only looks at the number of hops between two networks. But what if the route with the least number of hops is congested? Or the protocol picks a physically longer route?

For example, a packet may travel from San Francisco to Los Angeles via Brazil. What if there were a route with multiple hops that was much faster? BGP works really well in terms of reliability. It is a fundamental technology on which the internet is built, but BGP is sub-optimal from a latency (delays, jitter and image freezing) standpoint.

Teridion acts like the “Waze of internet traffic” and optimizes traffic routes using third-party cloud. Its platform helps make real-time packet routing decisions to avoid congested paths. Unlike CDNs, its solution scales on demand and is not limited by upstream communication, pre-provisioned PoPs, geography or cloud providers. It is therefore much quicker to provision. As there is no caching of data, SSL certificate management, security and compliance issues are non-existent. It extends to each and every end-user of a cloud-delivered service.

Chris Keene, chief executive of Teridion says, “As you add more options for acceleration, each has its own security implications and possible trade-offs. Some companies do not want to share SSL Certificates and give up the keys to their kingdom. CDNs cannot do much for such companies.”

Egnyte, an Enterprise File Sync and Sharing (EFSS) upstart, beat some of the giants among file-sharing companies, such as Box, Citrix, Google and Microsoft. It was 30 percent faster than Box, and as much as 60 percent faster for larger 4GB files.

Egnyte was ranked one of the top vendors achieving high marks in an IDC study of sync performance of file share and storage vendors. Kris Lahiri, co-founder of Egnyte says, “The IDC speed test looked at the time to ‘synchronize’ content between the local client and the cloud. This is bidirectional, so any changes made on endpoints needed to be synchronized ASAP. We used a robust web socket connection, smart clients and Teridion’s network acceleration. All these different optimizations got reflected in the results observed by IDC.”

Instead of taking the conventional CDN path, Egnyte created its own PoPs and partnered with Teridion to optimize routes dynamically and continuously. In such a scenario, no SSL off-loading was required, and that reduced the potential attack surface.

Peter Christy of 451 Research pointed out that Teridion is clever, non-obvious technology, and that for any CDN it would take time and effort to replicate it. “Even then, it will likely be inferior initially. And then time and effort will be required to operate, maintain and improve such an offering.” While optimized routing is one of the CDN areas of innovation, security is another hot area.

Content + security = better CDN

CDNs moved into security by offering DDoS protection. A site could be taken down with a flood of requests. With a CDN fronting the traffic, the netflow traffic patterns can be analyzed and scrubbed inline. In recent times, CDNs have started to push into offering Web Application Firewalls (WAF) and bot mitigation. Enterprise customers now look to CDNs to manage web security. Akamai’s Cloud Security Solutions 2016 revenue was up 43 percent year-over-year.

While CDNs aim for improved security, CDNs themselves can be vulnerable. In his blog post, David Hobbs writes about several CDN security challenges that include dynamic content attacks, SSL-based attacks and direct IP attacks. The recent Cloudbleed incident shows that infrastructure complexity has its trade-offs. Peter Christy of 451 Research says, “Cloudbleed was frightening because it leaked private information for some Cloudflare customers. I’m sure most people didn’t think it even possible.”

Cloudbleed and the recent AWS S3 problems were both good ole “bugs” — longstanding interactions between complex systems that often go unnoticed. Cloudbleed and Heartbleed (a 2014 bug) were examples where customer data that should have been shielded got leaked.

In another study, 16 CDNs failed in a simulated forwarding loop attack. Here, a malicious customer of any CDN can create forwarding loops inside CDNs. Forwarding loops can cause CDNs to process one client request repetitively, effectively launching a DoS attack against CDNs.

So far, DDoS attacks against web sites were well known, but this was the first time a DoS attack could be launched against a CDN itself by one of its customers. It’s often easy to sign up for a CDN and get a free account. Launching a forwarding loop attack is not too difficult.
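
A CDN node can break such a loop by refusing any request that already carries its own identifier in the CDN-Loop header defined in RFC 8586. The sketch below is an added example, not code from the study or from any CDN; the node names, hostnames and two-node topology are constructed, the header parsing is simplified, and answering with status 508 is this sketch's choice.

```python
MAX_HOPS = 1000  # safety cap so the unprotected run terminates


def loop_ids(value):
    """Return the cdn-ids in a CDN-Loop header value, dropping parameters.

    Simplified: does not handle commas inside quoted parameter values.
    """
    ids = []
    for item in value.split(","):
        cdn_id = item.split(";", 1)[0].strip().lower()
        if cdn_id:
            ids.append(cdn_id)
    return ids


class EdgeNode:
    def __init__(self, cdn_id):
        self.cdn_id = cdn_id
        self.routes = {}  # hostname -> next EdgeNode; missing means real origin


def deliver(entry, host, check_loop):
    """Forward one request; return (status, times a node processed it)."""
    node, headers, processed = entry, {}, 0
    while processed < MAX_HOPS:
        processed += 1
        seen = loop_ids(headers.get("CDN-Loop", ""))
        if check_loop and node.cdn_id in seen:
            return 508, processed  # own id already present: stop forwarding
        headers["CDN-Loop"] = ", ".join(seen + [node.cdn_id])
        node = node.routes.get(host)
        if node is None:
            return 200, processed  # reached the customer's real origin
    return None, processed  # cap hit: the request never left the CDNs


def demo_topology():
    """Constructed setup: loop.example is forwarded a -> b -> a."""
    a, b = EdgeNode("cdn-a"), EdgeNode("cdn-b")
    a.routes["loop.example"] = b
    b.routes["loop.example"] = a
    return a


if __name__ == "__main__":
    a = demo_topology()
    print(deliver(a, "loop.example", check_loop=False))  # work grows to the cap
    print(deliver(a, "loop.example", check_loop=True))   # stopped on re-entry
    print(deliver(a, "shop.example", check_loop=True))   # normal request
```

Without the check, a single client request is processed until the cap is hit; with it, the loop ends the first time the request returns to a node it has already passed through.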

Andrew Petersen, CEO of Signal Sciences, is building the next-generation Web Application Firewall (WAF) that combines security with usability for the DevOps world. Having faced these challenges in his previous life at Etsy, Andrew and his team have taken a bottom-up approach.

“CDNs can’t get deployed on internal apps. As multiple security tools have to be used, it gets harder to manage quickly. If we take a step back, CDNs’ primary focus is speed. Philosophically and technically, this creates trade-offs with performance,” Petersen says.

In his blog post, Zane Lackey, co-founder of Signal Sciences, identified six appsec challenges that CDNs may struggle to solve. The development environment is unlikely to have the same configuration as production due to cost and architecture restrictions.

As these environments don’t match, a CDN-based WAF will often trigger false positives in production that are completely unreproducible in development. Debugging failures at this level is frustrating, because access to the CDN console is restricted to the operations team. In practice, a CDN-based WAF is not very friendly to those pursuing DevOps.

From centralized to dispersed: The cloud becomes the edge

Ernie Regalado, editor-in-chief of market research publication Bizety, says, “Edge security as a business model has taken off and it is the fastest growing segment in the industry. Companies like Cloudflare, Incapsula and Distil Networks are pushing to offer DDoS Mitigation, WAF and Bot Mitigation.” Window Snyder, chief security officer at Fastly, echoes the sentiment, “We see data / traffic patterns, understand vulnerabilities and can enhance edge security to further protect our customers in specific ways.”

In this classic innovator’s dilemma, the newcomers are able to start with a clean slate, while incumbents work from their position of strength. Fastly recently announced a $50 million funding round, claiming a $100 million annual run rate. Yet Fastly could become “Slowly” if another “edge CDN,” StackPath, continues down its war path. With 45 PoPs in 25 cities, StackPath has grown rapidly via five acquisitions, including MaxCDN and Highwinds, offering integrated acceleration and security.

 

The modern-day CDN should do a lot more (Image Courtesy: StackPath)

James Leaverton, VP Ecosystem Development, StackPath, says, “Legacy CDNs are not ready for the shifts to online video and IoT. They have Frankenstein platforms — a user might have to log into a dozen different portals. They have aging infrastructures that were optimized for CDN, but not built to adapt or scale. That’s why companies like ours exist. The StackPath platform is an integrated response to a fragmented problem created by too many delivery and security solutions.”

The DevOps-friendly CDN

As developers become the prime focus for some startups, a DevOps-friendly CDN based in Colorado, Section.io, is slowly but surely establishing its roots. (Disclosure: I am an investor in Section.io via Secure Octane seed fund.)

Backed by Techstars Ventures, Section.io CEO Stewart McGrath wanted to build a platform for developers. Dev teams need new control tools and flexibility in staging and testing their content. “They really have no idea how the site will run until they get into production. And then you need the visibility / metrics once you are in production,” says Stewart.

To manage traffic, CDNs use different types of reverse proxies such as Squid, Nginx or Varnish Cache. In a containerized environment, you could have multiple reverse proxies to choose from. In his blog post titled “CDNs are dying,” Stewart argues that engineers should not feel locked into any one proxy software stack at any one time. Rather, they should be able to pick and choose the tools that work best for their website.

The multi-tenancy also allows isolation, reducing risk of contamination. Section.io aims to decouple proxy software from the networks and takes a software-driven approach to configuration, management and deployment of reverse proxies. “We believe this is the future of a web application delivery platform. Developers can have full control over reverse proxy configuration and experiment in a testing environment,” says Stewart.

The ease of installation, testing, performance and troubleshooting changes how developers can manage their processes from end to end. For legacy CDNs, this will be a challenge in the long run.

As technology needs evolve, innovators are often able to offer better solutions and expand certain markets. Ernie Regalado of Bizety writes that the CDN market is likely to be much larger, especially as hungry CDNs invade other tech sectors seeking new revenue streams. He expects the overall market to grow to $12 billion by 2019.

This is driven by a convergence (or a collision) between several markets, such as CDNs, multiprotocol label switching (MPLS), Software Defined Wide Area Networks (SD-WAN) market and the Cloud Radio Access Network (RAN) market. Companies like Cato Networks, Aryaka and Versa Networks have raised significant rounds of capital and are making strides in these segments.

Betting on the winners

On one end, web companies like Facebook, Netflix, Pandora and even Apple have shifted to managing their own content delivery. Legacy CDNs are left with no choice but to evolve. Should the giant Akamai worry about the cold CloudFront blowing in from Seattle? According to Datanyze research on CDN markets, AWS CloudFront is eating its way up from the bottom of the market and leads in the Alexa top 1 million domains, while Akamai is strong in the top 100 domains.

| | # of Akamai Domains | # of AWS CloudFront Domains |
|---|---|---|
| Alexa Top 100 | 20 | 8 |
| Alexa Top 1000 | 182 | 79 |
| Alexa Top 100,000 | 3,004 | 6,275 |
| Alexa Top 1 million | 8,738 | 35,902 |

Meanwhile, Amazon has steadily crept up and added AWS WAF in 2015 and AWS Shield (DDoS mitigation) in 2016. How this battle plays out remains to be seen. Ernie Regalado says, “AWS is the dominant provider of centralized cloud compute services. Akamai is the leader in edge services, including delivery, security and streaming. As processing, data and business logic move to the edge, Akamai has the advantage and can even disrupt AWS.”

Cloudflare, StackPath and Fastly have raised enough capital. Who gets acquired or goes public remains to be seen. My hunch is Lance will aim for an IPO for StackPath — it’s unlikely he will be content with anything less, especially knowing his last exit was a $2 billion outcome. That could create some heartburn for Cloudflare and Fastly. The young Turks like Distil Networks, Section.io, Teridion and Signal Sciences could raise mucho dinero and become standalone companies.

Telecom carriers and service providers will likely make some moves as networks converge with “software-driven everything.” Those in the enviable nimbler / innovators category will win, no matter which way the wind blows.