I’ve spent more than two decades in the streaming industry and the progress that many of us have witnessed, as consumers and professionals, is truly remarkable. Today, Internet-delivered video is pushing traditional broadcasters to upgrade the user-experience as consumers have learned that sometimes, as is the case with 4K, the highest quality video is often available by streaming rather than pay TV. It’s a testament to the scores of committed engineers who’ve come together to develop the underlying standards, technologies, architectures, and codecs that make it all possible.

Not only did the standards bodies need to develop the technologies and apply them, but many individuals and companies had to take a risk and adopt them. Consider where we’d be if DirecTV and the DVD Forum had not chosen MPEG-2. And it was the AVC codec standard that enabled HD video with ATSC, Blu-ray, and streaming. In turn, for the streaming industry, HEVC enabled a step function to occur in home entertainment video and streaming with 4K, HDR, and real-life colors.

As far as we’ve come, codec innovation hasn’t stalled or stopped. VVC, the successor to HEVC, is now in the wild, and the Alliance for Open Media (AOM) AV1 codec, with its powerful group of supporters like YouTube, Netflix, Twitch, Amazon, Facebook, Apple, Microsoft and others, are streaming video at bitrates that are 30%-50% less than HEVC. But, for every ecosystem that has moved through the innovation curve to sustaining technology development, the pull from entrenched legacy architectures can overwhelm even the most progressive and forward-leaning technology organizations. In this reality, five nine’s uptime and net promoter scores (NPS) become the standard that governs technology choices as consumers move from, “I can’t believe I can get the game here, even with the glitches,” to “Why did my video service go out right in the middle of the game?”

In particular, we’ve seen some media and entertainment companies in the industry pushing the pedal down hard with innovation, betting on their success if they can provide the best QoE possible. Simultaneously, there is a consistent wish in preserving legacy technology deployments and architectures, hoping to stretch the previous technology investments for another few years. The trouble with this thinking is that we are in one of the fastest moving competitive cycles the industry has ever experienced. One has to look no further than Disney, who signed up 65 million paying subscribers for their Disney+ streaming service in under 12 months. As a whole, the industry needs to embrace a spirit of continuous innovation to remain competitive with fast-moving entrants that do not see technology risk as something to be avoided but rather a competitive advantage.

It’s not that the entire industry needs an innovation “wake up call.” In my conversations with operators, vendors, and streaming services worldwide, I’ve noticed a stark contrast between video teams’ attitudes working in Asia and India, compared to the U.S. For example, Asian operators are far more likely to take some operational risk in the short term to gain a competitive advantage in the medium term. One example of Asian video services taking short term risk for a tangible benefit is the overwhelming adoption of HEVC for all content, unlike in the U.S., where HEVC is used only for UHD content. In Asia, many video services have assumed an early technology adopter stance and use advanced codecs as a competitive advantage to reduce operational cost, improve quality, and increase streaming user experience. Contrast this with leading services in the U.S. who are still mainly using the tried and true 17-year-old AVC codec even when a sufficiently high number of user devices, or their owned and controlled set-top boxes, support HEVC natively.

In the streaming industry, innovation that fosters adoption, is the surest way to compete and win. In a recent enlightening video chat I had with Zoe Liu, the co-founder of Visionular, a video encoding company with more than twenty customers in Asia and India, Zoe confirmed that almost all UGC, RTC, and premium video streaming services in Asia use HEVC; and many are in evaluation or have begun the adoption of AV1. Zoe pointed out that, “they see the bitrate savings of HEVC and now AV1 as a huge competitive driver. A new codec standard like HEVC or AV1 allows them to increase resolution while upgrading their video quality, even while the bandwidth needed stays the same or goes down. The resulting consumer experience benefit is well understood, and services are willing to do a little extra work today because the user benefits far outweigh the risk. Asian video companies’ mindset is not to adopt the latest standard is to admit that a service is not trying to be the best.”

Consumer services in Asia that have embraced advanced codec technology standards include iQIYI, Bilibili, and Huya, all NASDAQ listed companies. Far from fledgling companies, Huya is the smallest with a $6 billion market cap, while both iQIYI and Bilibili are valued at $16 billion and $16.3 billion, respectively. The business models and consumer services that these three companies offer are varied, yet, they all heavily depend on being an early adopter of video technology as a differentiation advantage. For example, iQIYI is an innovative market-leading online entertainment service operating in China with 530 million monthly active users. They are one of the largest online video platforms globally and are a member of the Alliance for Open Media (AOM) and a current user of HEVC. As an early AOMedia member, iQIYI has developed QAV1, a proprietary AV1 standard-based encoder to help them meet consumer demand for advanced technology and entertainment experiences, including UHD 4K and 8K Ultra HD.

Bilibili is the Chinese equivalent of YouTube. In the first quarter of 2020, Bilibili reported 172 million monthly active users. On August 3, 2020, Bilibili announced a strategic partnership with Riot Games, granting the video service a three-year exclusive license for live broadcasting of the League of Legend Esports global events (in Mandarin only), including the world-renowned League of Legend World Championship, Mid-Season Invitational, and All-Star Event in China. These are presumably large high profile streaming productions. Thus it says a lot to know that they are using HEVC and purport to be actively looking at AV1 and VVC.

Huya is an ultra-low latency live streaming platform that serves 168.5 million users video game footage monthly. As more than one billion people worldwide watch streamed video gameplay every month, according to GlobalWebIndex, Huya is well-positioned for growth. And this makes their choice of HEVC and AV1 all the more relevant, given that nearly half of Huya Live users are accessing the service from a mobile device. Even with HEVC hardware decoders not fully deployed across the mobile landscape, and with AV1 decode limited to software, it says a lot that Huya is willing to risk some viewers not being able to access the technology. Because of the overwhelming benefits that HEVC and AV1 can deliver to most of their users, Huya sees that early adoption of these codec standards can help them stand out against their competitors.

With consumers globally having so many choices when it comes to live and on-demand video content, and the fierce competition amongst OTT services to grab market share, video services can differentiate by taking small operational risks. The question then is what to do when a codec swap, or new technology adoption, is not as simple as cutting over to the latest and greatest standard? The value promise for most streaming services is that viewers can watch content anytime, anyplace, and anywhere. When we consider the rapid advancements in the video codec space, and with a new and “better” standard always just a few years off, video engineers and technical leaders face pressure to default to the mean of AVC. After all, the royalty situation is understood, the playback ecosystem is ubiquitous, and finding video engineers knowledgeable about x264 is relatively easy.

There is never a significant gain in business, without some sacrifice and risk. Staying the course by sticking with a legacy tech stack, I believe, could cause a video service to be unable to compete with what viewers now demand from the user-experience. After all, what do you do when your competitor can deliver higher quality video with a better streaming UX because of the lower bitrates that their technology choice enables? The answer to this dilemma is continuous innovation as a competitive strategy. When you consider that even ten years ago, Asia was nowhere close to the U.S. in video streaming capability, but is now delivering the largest streaming events ever. With 870 million monthly users in Asia relying on video standards that U.S. companies are basically dismissing as not being needed, this is a strong statement to the power of innovation and the speed that it can propel a company from non-competitive to the leader.

In the global competitive environment that we are in, and with so many entertainment options competing for our attention and time, it’s not sufficient to merely keep pace with those services that we consider to be competitors. By adopting a spirit of continuous innovation and leveraging the best solutions and technologies available, companies will be in a prime position to improve how they encode video to deliver a better experience to their users. This will put distance between those who insist on doing what’s safe, and the companies willing to move fast, not to break things, but to learn quickly to have the best possible solution.

With Fastly’s announcement of their intent to acquire web application security company Signal Sciences [see my post on the details here], it’s created some confusion in the market of what the acquisition will mean for competitors and who exactly Fastly will be competing with. I see this recent activity impacting the CDN market in three very distinct ways; increasing the criticality of and focus on security versus just bit delivery; balancing scalability and management with developer tooling; understanding the importance of the relationship between the cloud and edge compute.

As I recently wrote in another blog post, a comprehensive security solution requires DDoS mitigation, web application and API protection, protection from form jacking and Magecart style attacks, bot management capabilities, malware and ransomware protection, and the ability to manage all of these based on risk profiles versus static rules. It is only this broad-based investment over a multi-year horizon that enabled Akamai to achieve the milestone of a $1 billion annual run rate in security revenue. 

With Signal Sciences, Fastly is banking on the impact that security can have on the growth of their edge compute business, given the similar approach that both they and Signal Sciences have taken in targeting developers. Fastly and Signal Sciences have each invested to ensure their solutions can be implemented effectively in a developer-centric model, with fast on-boarding of under 30 days. Tech-savvy teams appreciate how Signal Sciences supports multiple deployment models and have made their solution available on AWS, Azure and Google Cloud marketplaces, and can be deployed as a virtual image on other IaaS platforms as well. This bodes well for helping to drive awareness with developers and to facilitate integrating Fastly’s solutions into their cloud architectures.

One challenge that Fastly will need to overcome is that they are still a new entrant in the crowded cloud security industry and as of today, they get a very small percentage of their overall revenue from their cloud security portfolio. The Signal Sciences acquisition will do little to help change that as Signal Sciences only brings 60 enterprise companies with the acquisition and had annual recurring revenue of $28 million as of June of this year. Signal Sciences will definitely help Fastly build out their cloud security product portfolio, but it will take time to do the integration once the deal is completed.

The entire deal between the two companies comes down to the idea of how important it is to apply application level security to edge computing deployments. And this idea doesn’t just relate to Fastly, but also to Cloudflare, Akamai and Amazon. To explain the idea in more detail, if you’re just running application logic like VCL or Akamai’s config language at the edge, your IP is still is still stored in centralized resources – the cloud, or the core. But if you move the entire application out to the edge, you then have to secure it at the edge. So if Fastly’s Compute@Edge product is going to be successful, it needs to have all the same security features a business would typically deploy at the core, at the edge. CDN security vendors like Fastly, Akamai, Cloudflare and others want to secure every one of their customer’s apps with a cloud WAF, but to date, these companies haven’t had an on-prem install. Getting that functionality is the main reason why Fastly is acquiring Signal Sciences, since the agent that was typically installed on-prem, now gets to run on Fastly’s Compute@Edge.

When it comes to competitors, unlike Fastly which is a cloud platform that offers a subscription-based service, Signal Sciences is an on-prem solution that monetizes via a licensing model. So from this perspective, Signal Sciences was much more of an F5 competitor versus other cloud providers in the market. Beyond licensing models, Akamai and F5 focus on enterprise customers while Cloudflare focuses on the SMB market. So Akamai, F5 and Fastly rarely see Cloudflare competing for the same deals in the market. While relatively new, the Signal Sciences web application firewall (WAF) should improve Fastly’s WAF capabilities, but it will have to be integrated into the platform to benefit from its CDN to compete with offerings from other providers. Compared to Akamai, Signal Sciences has a very small threat research team, which means that the security signals intelligence that other security providers use to differentiate their WAF rules will still take time to develop at Fastly. 

Prior to the acquisition, Fastly offered security capabilities including DDoS mitigation and WAF, but relied on partnerships with Shape, DataDome and PerimeterX for bot management. From a product perspective, Signal Sciences’ bot management capabilities are very basic and do not compare to the more sophisticated offerings from Akamai, Imperva or F5. After the acquisition, Fastly still has some work to do to execute across both the sales and product fronts of the new combined offering. A key challenge to customers is that their security teams often aren’t able to keep up with the increasing number of complex applications they need to protect. This could present a challenge as the Signal Sciences solution requires developers to code rules to account for their business logic themselves. While the solution is easy to manage via self-service tuning, manually coding rules across potentially 100s of applications will prove challenging to scale and maintain. Also, unlike other security companies, Fastly does not currently offer a managed security service or managed SOC for businesses under frequent attack, so this is a gap they may have to close.

In the coming years, every cloud and CDN vendor will increasingly align themselves to the edge and edge computing, which is already confusing today as businesses struggle to understand how cloud, CDN and edge relate to one another and how security requirements fit into the equation. Not helping the process is the fact that vendors all use the terms “edge”, “edge compute”, and “programmable edge network” interchangeably, without much in the way of definitions, use cases, or verticals they are targeting. “Edge” is a location in a network; “edge compute” is a service. They are not the same thing. This will all become more complicated before it gets simpler and I plan to do a lot of blog posts over the next 12-months explaining how edge compute services work, what type of applications are taking advantage of them, and what benefits customers are seeing. But make no mistake, there is a lot hype around “edge compute” services and the market is still in the very, very early stages, with the overall industry still figuring it out.

Fastly’s intent to acquire Signal Sciences is a very logical and positive step for Fastly to take in order to improve their security offering and show that they are investing in more robust security technology. As with all cloud security acquisitions, the multiples are very high on these deals and Fastly valued Signal Sciences at $775 million, not far off from the $1 billion F5 paid for Shape. With their intent to spend that much money, Fastly has a lot of pressure now to grow their security revenue quickly in a market dominated by Akamai. How fast they can grow and whether or not they plan to break out their security revenue for Wall Street come next year, are unknown. One thing is certain; security will continue to be a major focus as attack events make headlines and businesses push additional infrastructure into the cloud. There is enough room for multiple vendors for varying cloud security solutions, but based on revenue, everyone is playing catchup to Akamai. 

Since the impact of covid on the entire world, there has been a lot of discussion about the long-term impact on conferences and trade shows that take in place in-person. We know that short-term, these events have all been cancelled and many conference organizers are using online platforms to publish content in varying forms. While many seem to think that online events will now become the norm, spelling the death of in-person conferences, the fact is that for conferences with good content and focus, in-person events are going to come back stronger than ever.

Over the past 19 years, previously with StreamingMedia.com and now with the NAB Show, I’ve had the opportunity to be the conference chairman for over 50 in-person events, across two continents, in 11 venues, interacting with over 4,000 individual speakers. Every day I talk to vendors and content owners who are all looking for ways to showcase their expertise as thought leaders, demonstrate their capabilities, fill their pipeline with leads, generate content for social platforms and meet with their largest clients and partners. While some of this can be accomplished by online platforms, no digital platform can ever replace what can be accomplished in person (and previously with a handshake).

The majority of us want to be around others, we want to read body language during negotiations, listen to the tone of someone’s voice and network and interact with other people. In order words, conferences will come back because of what makes us all human. That’s not to suggest all conferences will survive post-covid and we’ve already seen a few conference organizers that have announced their plans to exit the conference business completely. But let’s be honest here. For more than a few conferences, covid wasn’t what caused their demise. It was the fact that even pre-covid their event simply stunk. Some may not like to hear it, but it needs to be said. With or without covid their conference business would not have survived.

How many events do we need that classify themselves as a “cloud” show and say they cover “blockchain, security, IoT, hyperscale, private/hybrid/public, across enterprise, publishing and broadcast.” Events like that, trying to be everything to every vertical are already on their way out. That’s not how we consume business related content online and it’s not how we consume content in-person. The best conferences are ones that focus on the content, the user-experience, their marketing message and are relentless in their attempt to ALWAYS put the attendee experience first – above all else. Conferences that sell keynotes to companies to do sales pitches, put seven speakers on a 30 minute round-table panel just to pad their speaker lineup and don’t have a “content is king” mentality simply won’t survive. I am amazed at just how many in-person conference websites I look at where they don’t even list by name, the chairperson of the show. The content of any show is only as good as the expertise of the person putting it on.

Everyone thinks they can be a show organizer and many don’t truly understand what it takes to provide speakers, attendees and sponsors with a good user-experience, start to finish. You have to pay attention to every little detail and many overlook the little things that really make the experience better. Something as simple as brining your own doorstops to the venue to make sure session room doors don’t close loudly while someone is speaking – that’s the level of detail required. Now multiply that times 100.

I can no longer count the number of vendors, OTT platforms, studios, broadcasters and those tied to the streaming media industry who have said to me that they can’t wait till conferences come back. They miss being able to generate the sales leads that they get from focused shows and many tell me that online events don’t bring the same level of qualified leads. This makes sense because when someone takes the time and spends the money to come to an in-person event, they are already well qualified. That’s not the case when events are online and anyone can stop by to kick the tires. Companies also want to give their executives a way to get in front of a live audience to showcase their thought-leadership, be engaging, take questions and interact with others. Being able to network and meet someone at a reception that you would never have met online. Once again, doing all the things that make us human. This becomes even more needed in a digitally overloaded world.

What covid is going to do for the events that do survive is make many organizers re-think what the end-user experience needs to be and how to improve on it. And that’s a good thing for everyone. Conferences need to be personalized, bespoke and custom for each attendee. It’s a lot of work, but it can be done. Online platforms should not be a replacement for a great show, but should enhance it, adding value and reducing complexity for the attendee. Far too many events are not frictionless from the start and only add complexity with their platforms and process, demanding that attendees do things the way they want them to do it, or simply because that’s how they have done it in the past. That approach and thought process simply isn’t going to work moving forward. Covid has shown everyone how easy it is to do things online and conference organizers will need to immediately adapt and change their mentality. The best companies in the world see their business excel in times of turmoil, as they spot the opportunity, pivot and are forged in fire.

And for those wondering, yes, my Streaming Summit event in collaboration with the NAB Show will be back and better than ever. For Vegas, whenever the next event takes place, it will move into the newly expanded convention center, in the West Hall. With new conference rooms, exhibition area, dining options and plenty of space to implement any social distancing requirements, the venue is the perfect fit. When you add in the new Streaming Experience, a free area where you can see live demos of every streaming media device in the market running over 100 OTT platforms, make no mistake – we will be back! [Updated Sept 10th: the NAB Show announced new dates for the 2021 Vegas show, now taking place October 9-13. My Streaming Summit event will take place during this time. Further details to come next year.] 

Focus is key. Content is king. Frictionless is essential. Messaging is crucial. Any event that can follow these principles is going to come back stronger than ever. Not overnight, maybe not for their first show, but in the long-run their business will be better as a result of the hiatus.

This morning, Fastly announced an agreement to acquire web application security company Signal Sciences for approximately $775 million in cash and stock. Signal Sciences has raised about $62M to date and had $28 million in revenue in 2019. Based on their projected 2020 run rate, Fastly is paying in the range of 19x revenue with $200 million in cash and approximately $575 million worth of stock. The deal is expected to close sometime this year after all the required regulatory approvals.

While 19x revenue may seem like a high-multiple for Fastly to pay, this seems to be the norm of what cloud security companies are going for in today’s market. Shape was recently acquired by F5 for $1 billion, on approximately $70 million in annual recurring revenue. Other recent cloud security based acquisitions by FireEye and Palo Alto Networks also valued those deals with similar multiples.

Fastly already offers some cloud based security solutions, but adding Signal Sciences to the mix will help to expand their product feature set with additional products and functionality, especially around WAF, ATO and API protection and rate limiting. Fastly is also banking on the impact that security can have on the growth of their edge compute business and the similar approach to the market Signal Sciences has with Fastly in terms of targeting developers and the importance of APIs. Fastly disclosed that Signal Sciences has 60+ enterprise customers, defined as $100k in Trailing Twelve Months (TTM) revenue, of which 70% are new accounts for Fastly and that their product line has gross margins of 85%+. This is in line with the numbers I recently gave out on Akamai’s security product line, where I estimated they have 80-85% gross margins for their cloud security services.

With Akamai having just hit a major cloud security revenue milestone for the company, and for the industry, announcing they have achieved a $1 billion run rate on an annualized basis, it’s no surprise to see Fastly take steps to buildout their cloud security product line even further. Adding in all the different cloud security services available today and the total addressable market (TAM) is in the multi-billions, if not larger. And with high-margins for vendors and developers releasing more complex apps with lots of intelligence and logic, these cloud security solutions will become even more essential for customers doing business on the web, which is basically every company. The demand for these services is going to continue to grow at a very healthy rate overall, for many years to come, which means there is a lot of room for growth for vendors that specialize in this market.

Updated 1:17pm ET: TechCrunch is saying that this deal places Fastly as a, “new competitor in the cybersecurity market“, but that’s not accurate. Fastly has already been selling cybersecurity services in the market.

Note: I’m working on a more detailed article around how this news might impact some of the competitive landscape when it comes to these services.

Recently I published data on CDN pricing for video delivery and software downloads that focused on the commodity elements of content delivery, versus premium services like security that represent a major value driver, and high-margins, for CDN vendors. With all CDNs having just reported Q2 earnings, Akamai hit a major revenue milestone for the company, and for the industry, announcing they have achieved a $1 billion run rate on an annualized basis, for their cloud security business.

Security threat vectors continue to expand in number and type. The scope of solutions to defend against the most common attacks now includes not only DDoS protection and web application firewall capabilities, but also API protection, bot management, third party formjacking protection, content piracy protection, customer identity and access management, secure application access, and secure web gateway. With attacks and data breaches dominating news stories, a comprehensive security strategy is no longer optional and customers continue to see new applications and use cases where they need to deploy a wide range of cloud security solutions.

Lately, several cloud providers and CDNs have mitigated record setting DDoS attacks, proving that big DDoS hits are still a significant threat. There are many ways customers are adding DDoS protection, both on-prem and cloud based, but looking at these large attacks and as ThousandEyes highlighted in a DDoS attack against GitHub, it’s important to understand the bandwidth limits of a DDoS mitigation solution to ensure they actually keep the site online if you’re targeted. With the massive surge in online traffic during the pandemic, looking into the capacity of a solution provider, the customers on their platform, and how they have architected their solution to avoid disruption if one of their customers is attacked, are critical to vendor selection in this area.

Verizon recently reported that web application attacks doubled since last year, and another growing security service for CDNs is offering web application firewall (WAF) products. Selecting a WAF vendor can be particularly challenging, as Jaspal Jandu, the group CISO at DAZN highlighted, “The challenge is finding skilled security professionals who understand the need to balance business opportunities against the risks of a rapidly changing world.” The issue with WAF solutions is that some providers offer a basic solution that requires customers to code rules themselves. This is challenging if the customer doesn’t have a group of security experts who also understand their business logic because a high degree of false positives disrupts business, whereas a high degree of false negatives can lead to compromises, fines, and brand damage. When it comes to web application and API protection, it pays for customers to ask their vendor about the availability of proprietary rulesets, curated rules, and the availability of services to tune rules to suit their business.

But there is an even more pervasive threat to digital businesses that stems from increasingly sophisticated bots. Researcher Troy Hunt recently loaded his 10 billionth stolen credential to haveibeenpwnd. His site and research point to the fact that credential abuse and account takeover are an increasingly lucrative criminal enterprise. During the launch of Disney+, I saw first-hand how you could easily buy stolen accounts from third-parties openly advertising them for sale on Twitter.

Experts highlight that bots, and especially low-cost, turnkey bots that come with out-of-the-box evasions to solve CAPTCHAs, or load large databases of proxy servers to stump basic WAF protections make this a very difficult problem to solve. Simple IP blocking or rate limiting cannot protect against purpose-built all-in-one bots like AIO bot that are designed to evade detections. This explains why CDN providers and others have been snapping up a lot of bot detection companies and building out their mitigation capabilities. Last year we saw Barracuda acquire bot mitigation technology from InfiSecure; Adjust acquired bot detection specialist Unbotify; Distil acquired bot detection company Are You A Human; Imperva Acquired Distil Networks; Radware Acquired ShieldSquare; and Goldman Sachs Merchant Banking Division invested in ClearSky Security.

I continue to see CDN companies compete for video and software download traffic share as customers add to and shift their multi-CDN architectures, especially as they expand video services internationally. But increasingly, the ability to deliver comprehensive and effective security solutions has long since become a key differentiator. Additionally, while the CDN market tends to be more fluid with regards to pricing changes, we can expect that pricing for security services will likely maintain a value-centric premium for some time to come. In a recent survey I conducted of 238 cloud security customers, asking about their deployment architecture, spend per year, preference for bundling security with other cloud/CDN services, pricing changes and transition from on-prem to cloud, the data showed almost no decline in pricing year-over-year. Overall, pricing for cloud security solutions is quite stable.

There are a lot of ways vendors can show differentiation amongst competitors in product functionality and customization and most importantly for vendors, the margins on cloud security solutions are very healthy. In the case of Akamai they don’t disclose margins for just their cloud security business, but I estimate it to be in the 80-85% range. At $1 billion in revenue, Akamai is well ahead of the pack by a big order of magnitude. While Cloudflare said they expect to do $404M-$408M in revenue this year, I estimate the percentage of their revenue that’s tied to cloud security solutions, to be in the $80M-$100M range. With Akamai being 10x that in security revenue, this milestone shows the magnitude of their continued dominance as the market leader for cloud security solutions among CDNs. The company has done an incredible job at growing their revenue over the past five years and the rest of the business continues to benefit from the high-margins their security product line produces.