Alkira, a networking startup that has just announced a $54m B round of VC funding, offers a service it calls a “network cloud.”

Omdia view

Summary

Alkira, a networking startup that has just announced a $54m B round of VC funding, offers a service it calls a “network cloud,” which represents an interesting new take on the current industry buzzword of secure access service edge (SASE). Of critical importance, Alkira has also just added the ability for customers to set up data center-to-data center connectivity over its network, enabling companies with significant on-premises app infrastructures to take advantage of its services.

SASE has gained a head of steam

The SASE concept has rightly gained considerable traction in the market since it was introduced by a rival analyst firm in 2019. It was a timely observation, in that it highlighted a trend whereby networking and security functionality are bundled together and offered as services from the cloud, and the term has since been seized upon by multiple vendors to describe their offerings.

There are four core elements of a SASE:

  • A network, often comprising points of presence (PoPs) in data centers operated by cloud service providers (CSPs) such as AWS, Azure, and Google. It can also be an actual physical network that was operated by the SASE provider already.
  • SD-WAN networking to enable customers’ branch offices to communicate with HQ, the corporate data center, cloud applications, and each other. This capability provides functionality such as path selection.
  • Network security functionality such as firewalling, IDS/IPS, and secure email gateways, designed to protect users and endpoints in branch offices.
  • A zero-trust access (ZTA) platform to enable users working remotely to access corporate applications securely.

We have seen M&A activity as vendors seek to fill out these four capabilities: Palo Alto Networks bought CloudGenix, for instance, and HPE acquired Silver Peak, while Fortinet purchased OPAQ. Meanwhile, vendors in other market segments such as NaaS and cloud access security brokers (CASBs) have quickly rebranded themselves as SASE providers.

Alkira’s “network cloud” approach

Alkira comes at this question slightly differently. It describes its Cloud Services Exchange (CSX) offering as a “network cloud,” which is of course delivered as a service. It handles connectivity into all the leading clouds, and offers ZTA functionality as a separately charged item.

Alkira was founded in 2018 by CEO Amir Khan and CTO Atif Khan, who had previously co-founded Viptela, the SD-WAN pioneer acquired by Cisco the previous year. With its latest round of funding, the vendor has raised a total of $76m to date. The B round was led by Koch Disruptive Technologies, the investment arm of Koch Industries, which is also an Alkira customer.

Rather than deploying a network of PoPs across all the leading CSPs, Alkira’s approach is to deploy dedicated PoPs for each customer when they sign up to the service, as well as additional ones as the need arises. These dedicated PoPs are called Cloud Exchange Points (CXPs), and they can be deployed in whichever clouds the customer requires them. Each CXP delivers the connectivity, as well as offering an expanding range of network and security services that the customer can add as separately charged items—some of them from Alkira itself and others from third parties. Those from Alkira include

  • Network address translation
  • DDI (i.e. DNS, DHCP, and IPAM, with automated management of the interactions between the three)
  • Inter-company routing
  • ZTA for remote access

Third-party services include

  • Firewall
  • IDS/IPS*
  • Load balancing*
  • WAN optimization*

(*on the roadmap)

For services from third parties, Alkira offers customers the option to migrate existing licenses across; for example, if they already have a Palo Alto firewall license, it can be transferred for use for the firewall function in the CXP. Alternatively, Alkira itself can be responsible for the firewall license and charges it to the customer.

White-labeling is a promising strategy for Alkira

It is this combination of operating entirely cloud-based network infrastructure with aggregating additional services on it in a marketplace-like approach (and hence the use of “exchange” in the platform name) that is interesting in the Alkira business model. This is also what differentiates the company from the SASE vendors, which tend to require a customer to take all four of the component elements listed above from them.

From a more technical perspective, it should be noted that, of the four cornerstone capabilities of a SASE mentioned above, Alkira’s CSX can obviate the need for SD-WAN altogether, since both the control and data planes of any communication run through the cloud and can be managed directly there. That said, it can also integrate with a customer’s existing SD-WAN infrastructure if required, and has already done so with Cisco’s SD-WAN kit, which makes sense given the Khans’ background.

Alkira envisages making its service available in white-label mode for other service providers to label as their own. Omdia sees this as a promising line of business for the company, as it has detected interest on the part of traditional telecoms operators in developing their own SASE offering, given that they are all keen to remain relevant as cloud grows in importance. Indeed, if it is successful in growing its own customer base of enterprises via its direct sales efforts, Alkira would make a natural acquisition target for a larger service provider.

Self-description is one of Alkira’s biggest challenges

It is Omdia’s view that one of the biggest challenges this vendor faces is how to articulate to its potential customers:

  • what it does
  • how that differs from SASE
  • why that might actually be better than buying SASE

The SASE wave flowing across the networking and security world for the last year has attracted multiple adherents from different parts of parts of the tech industry, many of them with much larger marketing budgets than Alkira.

This in itself makes it challenging to be heard among the cacophony of SASE hype in the market. In addition, Alkira itself has toyed with different descriptions of what it does, from “network cloud” (too vague, in Omdia’s opinion) to “cloud network-as-a-service” (better, but still not enough to fire the imagination of potential customers), to “cloud backbone-as-a-service” (which has the huge advantage of being CBaaS, pronounced “seabass,” which is both a likeable and more memorable acronym).

It behooves Alkira to settle on a particular way of characterizing what it does and evangelizing about it, with a view to raising the profile of what is, in fact, an interesting and differentiated approach to network connectivity and security services delivered from the cloud.

Appendix

Further reading

On the Radar: NetFoundry offers network-as-a-service with zero-trust access to apps (November 2020)

On the Radar: OPAQ offers network and security as a service (June 2020)

“CipherCloud remains a CASB, but builds a SASE ecosystem” (June 2020)

“Secure access service edge is not a new cybersecurity market segment” (June 2020)

Author

Rik Turner, Principal Analyst, Cybersecurity

askananalyst@omdia.com