In our 2018 Trends in Information Security report
, we predicted that it was only a matter of time before network security vendors added identity management capabilities to combat both the eroding network perimeter as well as the existential threat to their established VPN and network security businesses posed by new innovations such as zero trust and software-defined networking (SDN). Thus, it's not a total shock that Cisco has finally stepped up to the plate and nabbed high-flying Duo Security, after considerable speculation that the two would join forces in 2017.
The 451 Take
With its valuation rising by the day, an IPO was becoming a more likely outcome for Duo until Cisco reached for it. Although the price was steep, the logic for Cisco is clear, as the erosion of the network perimeter – thanks largely to mobile and cloud computing – as well as the emergence of zero trust and software-defined perimeter (SDP) posed existential threats to Cisco's VPN, firewall and potentially network access control (NAC) businesses. In combination with other security purchases such as OpenDNS and CloudLock, Cisco instantly becomes one of the leading contenders in the overall cloud security market by effectively combining identity as a service (IDaaS) with cloud access security brokerage (CASB). Duo's sale marks the second acquisition in recent weeks of a vendor focused on the nascent zero-trust networking concept, following Okta's pickup of SDP provider ScaleFT, and it could be viewed as a shot across the bow of other network security specialists – which could spark a wave of zero-trust-related M&A as the rest of the pack look to avoid falling too far behind.
Announcing its second-largest information security (infosec) deal, Cisco says it will pay $2.4bn for Duo Security, adding identity and access management (IAM) to the networking giant's ever-expanding security portfolio. Cisco has now purchased 14 infosec companies since the start of the decade, making it the most-active buyer in the sector in recent years, according to 451 Research's M&A KnowledgeBase
(The pickup of Duo bumped Cisco ahead of Symantec, which has been out of the market since November, partly because of its still-ongoing look into its accounting practices).
Cisco is paying a rich valuation to take out Duo, which achieved unicorn status in its most-recent funding. Several market sources have indicated that as Duo was raising the round, which was announced last October, both Cisco and Workday were considering an outright purchase of the IAM startup. Workday ended up investing in that round, joining early investor Google Ventures as the only corporate money in Duo, which raised a total of nearly $120m.
According to our understanding, Duo put up about $125m in trailing sales. Its bookings, of course, are higher. We would also note the fact that the startup is entirely subscription-based and runs at roughly 90% gross margins, which was undoubtedly another reason why Cisco paid up for the company. Cisco has used its M&A program to increase its recurring software revenue, which is highly prized on Wall Street, as opposed to its legacy networking hardware products.
Assuming our revenue estimate for Duo is roughly correct, Cisco is valuing the IAM specialist at 19x trailing sales. That's basically in line with the valuation Cisco paid for AppDynamics, which operates in a different market from Duo but shares the financial profile of a fast-growing SaaS startup of scale. For comparison, in the IAM market, subscription-based Okta currently trades at $5.8bn, or 20x trailing sales (although that valuation doesn't reflect any acquisition premium).
Duo Security was founded by University
of Michigan (and Arbor Networks) alums Dug Song (CEO) and Jon Oberheide (CTO), who set up the company in their alma mater's hometown of Ann Arbor. It started out with mainly two-factor authentication and multi-factor authentication delivered via a multi-tenant SaaS platform, and later expanded to provide single sign-on (SSO) to compete with IDaaS vendors such as Okta, Ping Identity and
OneLogin. Duo Access was a logical next extension, offering NAC-like functionality that checked the security posture of devices before admitting access to resources.
More recently, Duo was one of the early players to address the zero-trust movement, and its Duo Beyond offering is a nod to Google's BeyondCorp architecture. The essential idea is to assume that all users and devices are untrusted, and grant access based on verifying user
and device identities, rather than where the latter are
located. To help further the Duo Beyond vision, the company had launched a technology partner program to help drive a zero-trust ecosystem, including a recent partnership with Akamai to provide an alternative to VPNs for remote access to applications.
When we last checked in with Duo, the company had doubled headcount to over 500, which at the time of its sale had increased to 700. It raised more than $120m in funding, the most recent tranche being a $70m series D round in late 2017 led by Meritech Capital Partners and Lead Edge Capital. Previous investors include Redpoint Ventures, True Ventures, Geodesic Capital and Index Ventures, as well as strategic investor Workday. The $70m round pushed Duo into clear unicorn status that also raised the likelihood of an IPO, which was further signaled by the hiring of several C-level execs
in recent months.
Over the past several years, Cisco has invested a significant amount of time and resources to build a robust security portfolio. In addition to its Talos and Umbrella products, which respectively offer threat intelligence and prevention, the company's Identity Services Engine provides customers with information related to the user and device identities that access the corporate network and manages access to sensitive network resources based on those identities. Combined with its NAC offering, Cisco already applies a zero-trust model within the enterprise's internal network and its VPN business line gives its customers' employees a method to remotely access the internal network securely from managed devices. However, BYOD and multi-cloud implementations have eroded the corporate perimeter, creating the need for Cisco to extend this zero-trust access model across these unmanaged devices and cloud environments as well, which is where Duo fits in.
The purchase of Duo is the latest in a series of M&A intended to expand the company's security offerings:
As one of the biggest security providers in terms of revenue and product offerings, Cisco competes with most of the larger network and endpoint security vendors such as Symantec, McAfee, Trend Micro, Forcepoint, Palo Alto Networks, Juniper Networks, Check Point Software, Fortinet, SonicWALL and WatchGuard. With the acquisition of Duo, Cisco will also vie with authentication-focused firms such as Dell (RSA Security), VASCO, Entrust Datacard, Gemalto, SecureAuth + Core Security and Yubico.
By focusing on the zero-trust concept, Cisco will also increasingly encounter firms such as Centrify (next-generation access), Microsoft (Conditional Access), Okta (with the purchase of ScaleFT), Akamai and Cloudflare (Cloudflare Access). Cisco and Duo could also contend with companies that have SDP offerings, including Vidder, Cryptzone, FortyCloud, Safe-T, Pertino, Hamachi (LogMeIn), Luminate, Meta Networks, Cyxtera, Edgewise Networks and Verasynth. Additionally, Duo's SSO capabilities could bring it into competition with IDaaS providers such as recently public Okta, as well as Ping Identity, OneLogin and Microsoft, and to a lesser extent VMware (VMware Identity Manager), BlackBerry, Salesforce, SecureAuth + Core Security, OpenText (Covisint) and Exostar.