Network as a Service: Key Considerations Before You Sign Up for Services

Some universities are turning to third parties to update and manage their networks, while delivering innovative services to the campus. A clearly worded and comprehensive strategy and contract for your Network as a Service (NaaS) solution can result in a smoother and more successful engagement. 

The higher education campus network plays a pivotal role in enabling and securing teaching and learning, research, and administrative activities across campus. The network best supports those activities when it is agile, resilient, with adequate bandwidth and low latency, and is capable of protecting sensitive information and safeguarding against cyber threats. 

However, managing a university campus network comes with its own set of challenges. From ensuring compliance with regulatory standards to addressing the diverse needs of various stakeholders, network managers face a myriad of obstacles. Many institutions fall into deferred maintenance and technical debt, forcing staff to spend more time supporting legacy systems and infrastructure and less time learning about new technologies that would make the network more secure and easier to manage. Finding and retaining qualified staff exacerbates the issue, particularly for smaller or rural institutions. Budget constraints are the norm rather than the exception. 

In response to these growing challenges, some higher ed institutions are turning to network managed service providers (MSPs) or network as a service (NaaS) solutions for cost-effective operational efficiency, specialized expertise, and the scalability and flexibility to adapt to changing needs. 

Note: NaaS in an institution with a significant in-scope research footprint adds significant complexity to this challenge. Also, it is unusual for NaaS in higher ed to manage the data center network. Therefore, neither are addressed in this article. 

Comparing MSP and NaaS 

For reference, some of the players in the higher ed NaaS market segment that use conventional hardware are Apogee and Extreme Networks, while Nile¹ uses its own, purpose-built hardware/software. In some cases, the financial arrangement is largely similar to a lease (sometimes with a buyout clause), others may be closer to a fixed cost per year, and some build in elasticity by charging for the number of connected devices or active ports.

¹ The referenced providers are some we commonly see in 2024; this is not an exhaustive list and the competitive landscape is constantly growing.

The contract should describe the NaaS provider’s approach to network security. For example, how do they segment the network to align with the principles of least privilege and regulatory compliance? (The principles described in NIST 800-207 and the OMB M-22-09 articulate the goals well.) Does the provider have, or partner with, a security operations center (SOC) to provide more complete information security visibility and management? Will the NaaS provider provide and manage your firewall or other security controls?

As a modern network is as much a security tool as it is a data transport tool, be clear on your approach to identity-aware segmentation (aka Zero Trust, per NIST). In this area, a few providers will differentiate themselves by exceling at or failing to deliver on higher education’s unique needs. Look for features like differentiated access to resources for faculty, staff, students, sponsored visitors, unsponsored visitors, and vendors; different IoT types; and inclusion of eduroam.

Indicate who is responsible for maintaining the underlying structured cabling, outside plant, electrical, HVAC, and pathways. If you want the NaaS provider to update these items or any other related one-time issues, consider creating an agreement that finances the updates as part of the initial term. Regarding Wi-Fi, you may want to specify that the provider is responsible for the structured cabling for any new access points required to meet the coverage and capacity requirements of the agreement.

Be clear about technology maintenance and refresh. This is particularly important for Wi-Fi, where the underlying technology changes on a rapid basis.

Include a responsibility matrix, similar to the following example, that specifies tasks and areas of accountability. We also recommend a responsibility matrix for equipment life-cycling.

Regular moves/adds/changes (MACs) will certainly be part of any NaaS agreement. Also consider how you will deal with larger changes, including new building construction and renovations, and short-term efforts like specialty network deployments for events like commencement. The reasonable response time (per an SLA), costs, and how costs will scale with changes, are important. On most campuses, there is a constant cycle of building renovations and new construction; how will the architectural team be supported throughout that process and what is the role of the NaaS provider?

Compliance with Regulatory Standards and Institutional Obligations

The contract should specify who is responsible for staying up-to-date on compliance obligations as they pertain to a robust and secure network, and to support a reasonable interpretation of the client’s compliance obligations as an institution with Controlled Unclassified Information (CUI), PCI, and HIPAA.

Include a clause allocating costs when significant investments are required to comply with regulations. For example, if the client is in an evolving regulatory environment subject to NIST 800-171, which is likely required for some parts of the institution, significant expansion may be required.

Privacy Principles and Data Handling Procedures

Clearly outline the type of data to be retained, for how long, and who has access, incorporating institutional policies. State that the client must approve (and may reject) changes to data privacy processes in advance of those changes taking effect, and how far in advance.

Also describe how to appropriately respond to legal discovery requests and similar issues. This includes what the NaaS provider is responsible for and associated costs.

A common area of negotiation is the NaaS provider’s liability should a breach occur through their access, or through an error or omission within their area of responsibility. Providers will naturally want to limit their liability, so negotiating a liability cap is an important issue that you should discuss with your institution’s risk management experts.

Specialty Areas

Many NaaS providers are adept at managing typical eyeball-type networks with a strong focus on ResNet. Higher education institutions are more like mini cities. Some providers have technology limitations that may make it difficult to meet campus needs, while others lack knowledge and experience with those specialty requirements. Be clear both internally and with the provider on how these specialty needs will be met. In some cases, this results in a separate network just for these devices if they are out of scope with the NaaS. Some examples include:

• Facilities systems, like building automation systems (these typically use BACNet, a legacy broadcast technology, that has significant challenges)
• Classroom and audiovisual technology
• Surveillance cameras
• IP-based emergency alert systems
• VoIP telephones
• Card access control (door locks)
• Vending machines
• Healthcare IoT
• Specialty lab equipment, such as microscopes and nursing simulators
• Access to research clusters, high-performance computing, and support for large (“elephant”) data flows
• eSports equipment

Changes, Exit Strategies, and Transition Management Processes

Describe a clear process and cost approach for changes (e.g., new areas to be covered by Wi-Fi, new construction or renovations, etc.) in the contract. Include a change of control clause that provides the client with the option to exit from the contract early without a termination fee should the NaaS provider experience a change of control, such as a change of ownership due to a merger or reorganization. Also describe what happens at the termination of the contract. The institution is unlikely to be able to cutover to a different provider or insourcing with new equipment without time and disruption. As with any “as a service,” the exit process inclusive of equipment and data ownership must be clearly articulated before entering an agreement.

In many cases, we see NaaS as a key consideration when there is a capacity gap for the existing staff or when one is expected soon (e.g., retirements). Regardless of the motivation, any outsourcing agreement requires respectful and inclusive conversations with the impacted staff on how their responsibilities may shift and what this means for the future of their role. For many, this frees time to do more impactful things for the institution but that won’t always be the case.

Financial Considerations

There are a variety of financial approaches that NaaS providers offer or are exploring in this burgeoning market. As with any negotiation, it’s helpful to understand each party’s motivations and how those are represented under different scenarios being negotiated.

An institution entering into a NaaS agreement should get services that meet needs at a cost less than what they could have delivered in-house, including the cost of support staff. The provider must be able to provide that service at-scale and with per-client customization costs that do not void economies of scale, allowing them to offer the service at a lower cost. All parties should want the NaaS provider to make some profit on the arrangement so that the business model remains viable for a long-term partnership.

We’ve enumerated some areas where there are common misunderstandings on how each party’s costs scale so that an equitable arrangement is more likely to be considered:

• Startup costs related to the initial deployment
• Buyout or other transition costs related to the eventual termination of service
• Routine MACs
• New construction and renovations
• Service expansion (e.g., outdoor Wi-Fi in a new area)
• Temporary event needs, such as deploying service for commencement or major athletics functions
• Contract renewal costs

In many cases, the providers are offering elastic, usage-based options. The sales process sometimes results in an unsustainable understanding of what that might allow for. For example, institutions are likely aware that many devices are shifting from wired ports to Wi-Fi. However, they may not know exactly where the wired ports will continue to be required. The default contract might allow for a full deployment to all wall jacks and then only pay where devices are plugged in. This is great from an institutional perspective but masks a large cost incurred by the NaaS provider.

Best Practices for Working with a NaaS Provider

Outsourcing network services can be a strategic move for many higher ed institutions, but it also comes with potential pitfalls. For example, selecting the wrong provider or treating the provider merely as a cost-cutting tool rather than a strategic partner can lead to a host of problems. It’s important to thoroughly research potential vendors, checking their reputation, experience, and capabilities, to better understand what to expect from the relationship.

To minimize issues that can occur while outsourcing network services, follow these best practices:

• Reach out to your peer institutions to find out if they have engaged with a NaaS provider and to get their insights and advice.
• Consider beginning an engagement with a NaaS provider for a stand-alone network like ResNet. If you’re satisfied after one or two years, for example, expand the provider’s responsibilities to the campus network.
• Communicate expectations and goals from the outset, and ensure that contract wording is clear and unambiguous.
• A NaaS provider will become an extension of your staff. It’s important to foster a productive working relationship.
• Regularly review performance metrics and SLAs. Be careful to focus on the metrics that matter and are measurable in a useful and accurate way. Don’t overthink the SLA. We’ve yet to see a NaaS SLA for a full enterprise that truly encapsulates what a higher ed network accomplishes.
• Despite careful planning, things can still go wrong. It’s essential to have contingency plans in place to address issues such as vendor failure, service interruptions, or unforeseen circumstances.

A well-run university campus network is essential for fostering innovation, collaboration, and academic excellence. By partnering with a reputable NaaS provider and adhering to established best practices, higher education institutions can optimize their network infrastructure and achieve their strategic objectives effectively.

Need Help?

Our team of higher education experts is available to help with Network Assessments and Modernizations. Also check out additional resources:
The Vantage Vision for a Modernized Network
Case Study: Revolutionizing the Higher Ed Campus Network
The Value of Competitive Bidding in IT Procurement

This post was authored by Associate Vice President Jon Young, and Consultant Kim Lindros.

Jon advises clients on network modernization, technology strategic planning, and initiatives that transform institutional academic, administrative, and research capabilities.  Jon is a member of the EDUCAUSE communications infrastructure and applications (commtech) CG steering committee.

Kim supports clients and our consultant team with technical writing, documentation assistance, research, and report preparation. She has written numerous pieces on security, technology, and the impact on higher education.