One Step Beyond: Cisco Picks Up MFA Leader DUO Security to Further its Zero-Trust Vision

In our 2018 Trends in Information Security report, we predicted that it was only a matter of time before network security vendors added identity management capabilities to combat both the eroding network perimeter as well as the existential threat to their established VPN and network security businesses posed by new innovations such as zero trust and software-defined networking (SDN). Thus, it's not a total shock that Cisco has finally stepped up to the plate and nabbed high-flying Duo Security, after considerable speculation that the two would join forces in 2017.

Announcing its second-largest information security (infosec) deal, Cisco says it will pay $2.4bn for Duo Security, adding identity and access management (IAM) to the networking giant's ever-expanding security portfolio. Cisco has now purchased 14 infosec companies since the start of the decade, making it the most-active buyer in the sector in recent years, according to 451 Research's M&A KnowledgeBase (The pickup of Duo bumped Cisco ahead of Symantec, which has been out of the market since November, partly because of its still-ongoing look into its accounting practices).

Cisco is paying a rich valuation to take out Duo, which achieved unicorn status in its most-recent funding. Several market sources have indicated that as Duo was raising the round, which was announced last October, both Cisco and Workday were considering an outright purchase of the IAM startup. Workday ended up investing in that round, joining early investor Google Ventures as the only corporate money in Duo, which raised a total of nearly $120m.

According to our understanding, Duo put up about $125m in trailing sales. Its bookings, of course, are higher. We would also note the fact that the startup is entirely subscription-based and runs at roughly 90% gross margins, which was undoubtedly another reason why Cisco paid up for the company. Cisco has used its M&A program to increase its recurring software revenue, which is highly prized on Wall Street, as opposed to its legacy networking hardware products.

Assuming our revenue estimate for Duo is roughly correct, Cisco is valuing the IAM specialist at 19x trailing sales. That's basically in line with the valuation Cisco paid for AppDynamics, which operates in a different market from Duo but shares the financial profile of a fast-growing SaaS startup of scale. For comparison, in the IAM market, subscription-based Okta currently trades at $5.8bn, or 20x trailing sales (although that valuation doesn't reflect any acquisition premium).

Duo Security was founded by University of Michigan (and Arbor Networks) alums Dug Song (CEO) and Jon Oberheide (CTO), who set up the company in their alma mater's hometown of Ann Arbor. It started out with mainly two-factor authentication and multi-factor authentication delivered via a multi-tenant SaaS platform, and later expanded to provide single sign-on (SSO) to compete with IDaaS vendors such as Okta, Ping Identity and OneLogin. Duo Access was a logical next extension, offering NAC-like functionality that checked the security posture of devices before admitting access to resources.

More recently, Duo was one of the early players to address the zero-trust movement, and its Duo Beyond offering is a nod to Google's BeyondCorp architecture. The essential idea is to assume that all users and devices are untrusted, and grant access based on verifying user and device identities, rather than where the latter are located. To help further the Duo Beyond vision, the company had launched a technology partner program to help drive a zero-trust ecosystem, including a recent partnership with Akamai to provide an alternative to VPNs for remote access to applications.

When we last checked in with Duo, the company had doubled headcount to over 500, which at the time of its sale had increased to 700. It raised more than $120m in funding, the most recent tranche being a $70m series D round in late 2017 led by Meritech Capital Partners and Lead Edge Capital. Previous investors include Redpoint Ventures, True Ventures, Geodesic Capital and Index Ventures, as well as strategic investor Workday. The $70m round pushed Duo into clear unicorn status that also raised the likelihood of an IPO, which was further signaled by the hiring of several C-level execs in recent months.

Over the past several years, Cisco has invested a significant amount of time and resources to build a robust security portfolio. In addition to its Talos and Umbrella products, which respectively offer threat intelligence and prevention, the company's Identity Services Engine provides customers with information related to the user and device identities that access the corporate network and manages access to sensitive network resources based on those identities. Combined with its NAC offering, Cisco already applies a zero-trust model within the enterprise's internal network and its VPN business line gives its customers' employees a method to remotely access the internal network securely from managed devices. However, BYOD and multi-cloud implementations have eroded the corporate perimeter, creating the need for Cisco to extend this zero-trust access model across these unmanaged devices and cloud environments as well, which is where Duo fits in.

The purchase of Duo is the latest in a series of M&A intended to expand the company's security offerings:

Competition

As one of the biggest security providers in terms of revenue and product offerings, Cisco competes with most of the larger network and endpoint security vendors such as Symantec, McAfee, Trend Micro, Forcepoint, Palo Alto Networks, Juniper Networks, Check Point Software, Fortinet, SonicWALL and WatchGuard. With the acquisition of Duo, Cisco will also vie with authentication-focused firms such as Dell (RSA Security), VASCO, Entrust Datacard, Gemalto, SecureAuth + Core Security and Yubico.

By focusing on the zero-trust concept, Cisco will also increasingly encounter firms such as Centrify (next-generation access), Microsoft (Conditional Access), Okta (with the purchase of ScaleFT), Akamai and Cloudflare (Cloudflare Access). Cisco and Duo could also contend with companies that have SDP offerings, including Vidder, Cryptzone, FortyCloud, Safe-T, Pertino, Hamachi (LogMeIn), Luminate, Meta Networks, Cyxtera, Edgewise Networks and Verasynth. Additionally, Duo's SSO capabilities could bring it into competition with IDaaS providers such as recently public Okta, as well as Ping Identity, OneLogin and Microsoft, and to a lesser extent VMware (VMware Identity Manager), BlackBerry, Salesforce, SecureAuth + Core Security, OpenText (Covisint) and Exostar.