A Security Industry Giant Opens a Giant Wallet

Cisco announced this week an agreement to acquire Duo Security for $2.35 billion, a colossal price tag that Wall Street analysts estimated at 12-15x 2018 ARR! After a decade of quiet ascension, the identity space has clearly emerged as a white hot success.

First off, congratulations to Duo Security CEO and Co-founder Dug Song, as well as the entire team. They’ve executed extremely well and I have a lot of respect for them. Disclosure: Ping Identity competes with Duo in the multi-factor authentication (MFA) space with our PingID MFA offering, which is part of our broader Ping Identity Platform, and we greatly respect what they have built. 

Fresh on the heels of this transaction, I’d like to share a few insights on the direction of our industry, which is reaching unprecedented heights in the current landscape.

Security and Identity: Two Ships Passing in the Night…Until Now

I believe identity folks are from Venus and security folks are from Mars. What I mean by this is that, while we strive for the same end goal (security, control, visibility), we have historically seen the world differently: one through the lens of how to connect the known, the other from the lens of how to block the malicious or unknown. Until now, these two worlds have co-existed often like ships passing in the night.

But that’s all changing now as cloud and mobile redefine the network perimeter. As one friend wisely told me, “Before you throw away the current paradigm, you better have a new one ready to replace it.” Well, we’re in the process of shedding our current network perimeter paradigm, and identity is ready to replace it. Identity is rapidly becoming the new logical perimeter and control plane for an enterprise without borders. This new reality is bringing the identity and security worlds together.

For Cisco, Zero Trust is the Future, and Zero Trust Requires MFA

Zero Trust, a term which has become synonymous with the Google BeyondCorp initiative on the dissolving enterprise perimeter, describes a world where there is no inside or outside. There are only known and unknown users, devices and apps, all connected through federation and single sign-on (SSO). This vision requires, at least as a starting point, an ability to know and confirm the user (e.g., MFA) and know or trust the device (e.g., MDM or EMM such as Airwatch, Microsoft Intune, Jamf, MobileIron or Blackberry). Therefore, it’s no surprise that the world’s leading network security company is now taking a strategic view of MFA and identity through this acquisition. We’re moving toward this Zero Trust world where the network boundaries are blurred. And it requires MFA, but that’s not all…

MFA Is a Gateway to Identity

What’s interesting to me about this acquisition is that MFA has become the gateway to identity for traditional security companies. Authentication and security have always been joined together, but this move highlights the way in which traditional security companies will enter identity vis-à-vis MFA. It’s easy to understand, and it’s a logical first move for any company from the outside looking into the world of identity.

But once you take the leap into MFA, it quickly becomes clear that authentication takes you further into the world of identity and access management. MFA without federated SSO is like chocolate chip ice cream—only with just the chocolate chips and no ice cream that ties it all together. 

Let me explain. It makes little sense to deploy MFA on every app independently in a repeated siloed fashion like a bunch of individual chocolate chips. It makes considerably more sense to deploy MFA as part of a global authentication service that also federates with any application through SSO wherever it’s needed or desired. With this approach, you only have to deploy MFA once, policy management and enforcement gets centralized, and you retain complete customization for each app as desired.

The second you tip-toe into federation and SSO, it’s game on. I believe all roads lead to a global authentication service, where MFA is only one component of a larger identity platform to help manage and control identity and access across the entire enterprise. 

All that said, I’m really pleased that Cisco made this move and it’s apparent to me why they purchased Duo at such a high value. It validates the importance of the identity industry by demonstrating the significance of MFA in a Zero Trust world. It shifts the focus from the network tier to the identity tier as the ultimate control plane of a borderless future-state.  

Watch this webinar replay to learn the requirements for rapid adoption and implementation of MFA everywhere.