Cisco buys Duo Security to address a ‘new’ security perimeter

Last week, Cisco jumped head first into the identity and access management (IAM) market with its acquisition of Duo Security for over $2.3 billion. Now, I’ve been chatting with Cisco about identity management for many years. Cisco always understood the importance of identity management in the security stack but remained reluctant to jump into this area. 

Why the change of heart? Because cloud and mobile computing have all but erased the network perimeter. These days, mobile users access SaaS and cloud-based applications and never touch internal networks at all. As one CISO told me years ago, “Because of cloud and mobile computing, I’m losing control of my IT infrastructure. To address this change, I’m really forced into gaining more control in two areas: Identity and data security. Like it or not, these two areas are the ‘new’ security perimeters.”

To be clear, network security products and services are still necessary, and Cisco will continue to sell lots of firewalls, IPS/IDSs, and gateway appliances. With the acquisition of Duo, however, Cisco can extend its already broad cybersecurity footprint by doing the following:

• Capitalizing on multi-factor authentication (MFA) expansion. According to ESG research, 65 percent of enterprise organizations use MFA, but most use it to protect a small percentage of their applications and/or users. (Note: I am an employee of ESG.) Why? MFA has always been too complex and expensive, and many organizations didn’t feel the need to issue tokens or smart cards to their employees when they were tethered to corporate PCs connected to LANs via wired networks. Fast forward to today: Cloud and mobile computing increase the need for MFA, while the technology itself has become cheaper and easier to use – especially with the use of mobile applications and maturing standards like FIDO. Duo has already capitalized on MFA momentum on its own. Now Cisco can apply its vast global resources to kick this MFA push into overdrive.
• Expanding its managed security services portfolio. Cisco is in the midst of a business transition where more and more of its security revenue comes from cloud-based services for email, DNS security, threat defense, etc. Duo’s SaaS model fits this strategy to a T. In fact, Duo often wins deals by replacing hardware-based tokens and complicated on-premises authentication servers with an end-to-end cloud and mobile model. Look for Cisco to integrate Duo into its data centers, take Duo to new geographies, increase the number of languages supported, and expand Duo service and support options.
• Pushing for leadership in the burgeoning software-defined perimeter space.  While Cisco hasn’t talked much about it, its identity services engine (ISE) has grown precipitously over the past few years, along with supporting products like pxGrid and TrustSec. These technologies are used for network access control (NAC) functions such as determining which devices are connected to the network, assessing their hygiene, and then setting up secure network segments for connectivity. While NAC is still in demand, many organizations also need a software-defined perimeter (SDP) to connect remote users and a multitude of devices to cloud- and SaaS-based applications through point-to-point trusted and encrypted network tunnels that never touch the corporate network. SDP is especially important for Cisco, as many organizations view it as a VPN replacement, a market segment that Cisco owns and must defend. Duo already offers its own version of zero-trust connectivity from endpoints to cloud-based assets. Cisco can marry Duo’s service with its own wares to put together one of the most comprehensive SaaS and on-premises NAC/SDP to upsell its customer base while competing with the likes of Cyxtera, Google, and Zscaler as SDP takes off. 

In the 1990s, Cisco talked about Directory-enabled Networking (DEN) that aligned IP network connectivity with prioritization based upon identity. It never quite got there, but the idea and vision were sound. With Duo in hand, Cisco can put together a DEN-like offering just in time to help customers establish highly secure private network connections for cloud and mobile computing. 

How Cisco can get the most out of its purchase of Duo Security

To get the most out of this acquisition, Cisco should also:

1. Look into data security opportunities. Cisco now plays in one of the two “new” perimeter opportunities. It may want to marry identity and data security through its next acquisition – Digital Guardian, perhaps? In this way, Cisco can also attack another dicey enterprise requirement: data privacy. This is especially important because GDPR is just the beginning of more regulations and governance in this area. 
2. Solidify its SDP architecture and marketing. As I’ve written many times, no one has an SDP budget, but everyone has an SDP requirement. In other words, Cisco has a bit of time to get its SDP act together before the market explodes in 2019. Initial steps: Put together the piece parts into an SDP architecture, develop clear and cogent marketing messages, and take a thought leadership role by teaching the market what SDP is what why it’s needed. Yes, this may cannibalize AnyConnect VPN sales, but Cisco should be willing to take a short-term hit to potentially own the market over time.
3. Build a strong IAM ecosystem. Identity management has always been difficult because it touches application developers, IT operations, security, legal, compliance, etc., and it varies widely by industry. Now that Cisco has put its toe in the water, it should put together an IAM ecosystem of technology vendors, system integrators, VARs, etc. that can help deliver enterprise value and industry solutions. Oh, and Cisco should throw its weight behind industry standard efforts such as FIDO to make sure that as standards flourish, Cisco wins.