Transcription

1 MIS Impact Report Duo Security looks to shake up authentication market with mobile and service focus Analyst: Steve Coplan 5 Dec, 2011 Duo Security named for the two-factor authentication technology for logins and transaction validation the company provides has gone after a specific market opportunity with a fresh look at the usability and management challenges based on an authentication service, as well as the ability to easily enroll new authentication channels like mobile devices using onetime passwords and other factors. With one of the founders of network behavior anomaly detection (NBAD) pioneer Arbor Networks heading the company, Duo is one of a new breed of vendors targeting what it sees as a horizontal opportunity that has emerged for authentication and one that traditional authentication can't adequately address (even with cost stripped out of the equation). This opportunity is driven by what could be seen as mutually exclusive forces: the growing need to maintain a security construct of authenticated users, as opposed user authentication to a specific system or network, because of threats targeting user identities, and the need for centralized management, ease of deployment and high levels of usability for authentication to third-party (cloud-based) services. For the moment, security, usability and management are the primary themes of Duo's current pitch, aimed at organizations that have recognized the need for horizontal authentication. Duo is not alone in how it frames platform requirements or underlining the need for a horizontal approach to authentication. It's what is underneath the covers that makes Duo's approach to structural change to authentication more evident. If the security of the user identity is to operate as a component of a services-based model, then the authentication model has to reflect the architecture of the service the user is attempting to access. The focus now shifts from a successful authentication event to how to encapsulate an authenticated user at a logical level and introduce risk assessment. The requirements now extend beyond the key-sharing architecture and associated encryption to integration of the authentication service into the emerging infrastructure. For the moment, Duo is looking to build momentum based on demand for authentication as a service. The next step is building out its application-layer integration and API capabilities for a full-fledged authentication service that will start to overlap with anti-fraud technologies. The 451 Take Even with its approach that emphasizes the 'mores' of its platform more easily managed, more usable, more cost-

2 effective and more secure Duo, at first blush, still appears similar to a host of other players looking at the mobile endpoint as a new authentication token and providing authentication as a service. But Duo is moving toward shaking up the market with some fairly radical ideas. The company has demonstrated ability to build traction from a standing start, focusing on existing uses cases. If Duo can get the market to think about authentication in new ways (that weave it tighter with both authorization and anti-fraud) and deliver on the infrastructure for cloud services integration, the potential for a breakout exists. Context CEO Dug Song and CTO Jon Oberheide founded Duo Security in January 2010 with the name change from Scio Security coming a few months later. Song was previously chief architect at Barracuda Networks, but also founded and served as chief security architect at Arbor Networks, the NBAD pioneer acquired by Tektronix in September 2010 for $225m in cash. According to the 451 KnowledgeBase, 10-year old Arbor sold for a multiple of 2.4 times trailing 12-month revenue. Song has also participated prominently in open source security projects such as OpenSSH. Oberheide shares an Arbor background with Song, and has also conducted independent research into Google Android exploits. The company is not actively seeking investment, in part because operations are mostly funded through existing cash flow, but also because the roughly $1m Duo has raised in seed funding from True Ventures and Resonant Venture Partners should keep the company going until Duo reports 500 customers, with use counts ranging widely. Technology The outcome of any number of far-reaching trends including the consumerization of IT, the adoption of mobile computing and SaaS applications, and the incipient growth of desktop virtualization places identity front and center of the emerging security and management concerns. As identity assumes more centrality for IT (in terms of both the industry and organizational function) in coming to terms with these trends, securing the integrity of the identity assertion, characterizing it in terms of risk assessment, and supplementing (or supplanting) user name and password compose the initial set of security hurdles. After all, advanced adversaries have already demonstrated with phishing attacks and malware proliferation that masquerading as a legitimate user is often the most effective path toward extracting valuable data without immediate detection. While these trends certainly point to far broader demand for authentication, they also suggest that it's no longer business as usual for authentication technology. The countervailing forces that come into play here are those that force authentication vendors either to find ways to secure existing high-value identities more effectively from man-in-the-middle or man-in-thebrowser attacks, or reshape authentication technology so that it's far easier to deploy and manage (or potentially both). As malware continues its relentless insinuation into endpoints and phishing grows in sophistication, the focus has to be on authenticating the identity of the user without exposing the target service or resource to piggybacking exploits. Furthermore, as the threats become more pervasive, the current economics of authentication must be reworked to accommodate a horizontal requirement not only in terms of the direct cost of the authentication token, but also management, enrollment and administration. At first blush, the focus on making authentication easier (and less costly) to implement and use would seem a far less

3 daunting engineering challenge than the NBAD that the Duo founders worked on at Arbor. But the changes in the IT landscape mandate that technology built around a bounded set of use cases, with a limited number of users, undergo a transformation. For Duo as for other vendors the challenge is to engineer a new approach to securing the user component of the emerging services architecture in balance with the need for automation and scale that underlie cloud computing's long-term benefits. This means that not only does the authentication service have to integrate with the target application, it must also associate some meaningful logic with the authentication attempt. We have spoken about the reinvention of the portal, involving the tighter integration of authentication and single sign-on. Duo is headed to the integration of user authentication with authorization at the application logic tier. Products The core component of the Duo platform is its authentication service running in the cloud, which supports four authentication factors (including hard tokens). The driving design principles here are usability, ease of management and deployment, and security of both the platform and the authentication transaction. Duo is uncomfortable with characterization as 'authentication-agnostic.' Instead, the company provides a set of options that can be deployed based on a matrix that covers online or offline, security properties, and device characteristics. The basic mode of authentication across all factors is an on-time password that is delivered to the device, but the platform also supports calls to a standard cell phone or landline to authenticate the user. Where the risk associated with the transaction is higher, the service will generate a notification on the user's smartphone to compel them to confirm the specific transaction details before the request is processed. If they have no phone reception at the time of access, they can receive one-time passcodes via SMS ahead of time, or generate them using Duo's mobile app. Apple iphone and Google Android smartphone users can use Duo Push, which 'pushes' login or transaction details to the phone. In terms of usability, users can select their authentication method once primary authentication has succeeded. No user credentials are stored in the cloud or exposed to the cloud service. The only management data that is exposed through the service is phone numbers but these are never associated with a specific set of user credentials by the service, and can be optionally specified at the point of authentication request. (The service is hosted in third-party datacenters that conform to PCI-DSS requirements and have SAS 70 certification baseline security requirements for a multi-tenanted service.) Primary authentication is against credentials stored in a local store either a flat file or LDAP server like Microsoft Active Directory. Communication between the authentication components is encapsulated in SSL. Where Duo diverges from traditional authentication technology is that it no longer relies on existing Radius servers to integrate to the application. Instead, integration with the application is through prepackaged code for supported SSL VPNs, or through an IFrame/REST-based SDK that allows for integration directly to the application, rather than through an authentication string generated by the Radius server. The service can also integrate directly with the Radius server through an OpenVPN-based proxy, and can support authentication of local and remote Unix logins. Management of policies and users is through a Web-based interface. Administrators can revoke credentials, disable users, and audit access by users and groups. Integrated into the platform is what Duo refers to as real-time fraud alerts, which encompass user-generated alerts from potentially fraudulent logins via phone callback, and a customizable threshold for failed login attempts. Administrators can automatically lock out users after a specified number of invalid logins. Strategy

4 The challenge for Duo will be to balance its technology aspirations with market maturity and existing market opportunities around both secure remote access and privileged user access. Duo's mobile technology and authentication as a service are disruptive to the traditional hardware token model but it's not unique in this respect. We would draw a distinction between authentication as a service and an authentication service that is exposed through an API and can be invoked by a service looking to assess an authorization request. For authentication to effectively tackle the new set of challenges we outlined in the technology section, an authentication service is required that is automated and can operate at scale. This is in part a question of having the right architecture in place, but also the ability to effectively manage the authentication process and allow for a risk-based assessment of trusting the user authentication. So the distinction involves moving from a new delivery model that takes advantage of cloud economies of scale and new technology design principles built around services delivery to infrastructure in the cloud, with integration through servicesbased APIs. However, before Duo delivers on that vision, the company must contend with the pragmatic consideration of having to generate revenue and compete against an increasingly crowded market. Duo has looked to build market reach up into the enterprise through partnerships with system integrators, and has one OEM already in place. We view SaaS providers as potential partners, especially as many look to entrench themselves as identity providers within the enterprise. Competition The granddaddy of two-factor authentication is, of course, RSA, the EMC security division with its SecurID franchise. Gemalto and SafeNet compete in the smart card market, with Duo reporting that it frequently encounters SafeWord OTP technology in competitive situations. (SafeWord comes to SafeNet from the acquisition of Aladdin Knowledge Systems in 2008 by private equity owner Vector Capital). Both vendors are exploring ways of expanding their enterprise footprint. ActivIdentity is looking at ways of expanding its presence in credential management and PKI infrastructure into a broader identity assurance play that builds on digital trust. Symantec has made headway with the VeriSign Identity Protection service since the acquisition of the authentication and SSL business in April 2010, while CA Technologies has managed to keep revenue growth on track at the now rebranded CA CloudMinder authentication service resulting from the acquisition of Arcot Systems for $200m in cash in April Entrust and VASCO Data Security have also experienced plenty of action, across verticals, with authentication as a service picking up. But the authentication marketplace is in the midst of a major transition, as we have outlined more than once. It remains difficult to determine what the net impact of the SecurID breach will be on RSA's fortunes, as conversations with both end users and vendors vary widely on the repercussions of the much publicized (but still little understood) breach of SecurID servers. There is material interest at end users in selecting new authentication providers, but in many cases, these organizations had made the decision to move off expensive hardware tokens to other alternatives even before the breach. The breach merely accelerated the transition, especially when the decision was already made to move to authentication as a service, and to vendors with a known security brand like Symantec/VeriSign or CA Technologies. Furthermore, some organizations have moved swiftly to install new authentication technology, prompted by concerns of unknowable risk, but the absolute numbers are still relatively small. For many legacy applications, the costs of moving to another vendor are not only measured in terms of technology ownership they also involve recoding authentication scripts, and reconfiguring RADIUS servers. Here inertia and the cost-benefit analysis mean that a significant portion of the RSA install base will remain relatively stable.

5 However, the dynamics of the traditional authentication market, dealing with a relatively small subset of users (like system administrators or other privileged users) or with a specific set of use cases involving remote access, through an SSL VPN for instance, is where we anticipate solid growth, but not where authentication will see real innovation and disruption. The prize for vendors like Duo Security is not as much replacement of existing hardware tokens for existing use cases, but rather owning a chunk of the more horizontal market that is shaped by new threats alongside new IT consumption models. The competition here is more theoretical than actual, and is likely to emerge from a mix of startups and established vendors with some potential for new players entering the market through acquisition. Vendors like PhoneFactor, SecurEnvoy, SMS Passcode (in Europe) and Authentify provide phone-based authentication. Yubico and WiKID Systems have also taken new approaches to token-based authentication, while SecureAuth (with its browser-based authentication alternative and SSO) and Technology Nexus are benefiting from the reinvention of the portal trend. There is plenty of interest in this emerging market opportunity, with players like ActivIdentity looking to provide an authentication management tier to accommodate new authentication modes, and vendors like RSA and CA looking to better integrate risk assessment and mobile authentication. We anticipate, too, that Symantec, with its O3 service, will be looking at ways of integrating authentication and authorization. SWOT Analysis Strengths Duo already has market traction, and has built a flexible platform that exploits mobile computing adoption and cloud computing economies of scale. Weaknesses What would have been a distinct voice a year ago, is increasingly drowned out by competing claims about usability, mobile client support and security. To some extent, the RSA breach has increased the noise to signal ration in the market. Opportunities The authentication market is undergoing a period of marked growth, fueled by security concerns, and adoption of new services that create the need for authentication. The hardware token replacement opportunity will be eclipsed by a broader movement toward authentication as a service and new authentication factors over the next 18 months. Threats The escalating and intensifying interest in more flexible and intelligent authentication has the full attention of vendors far larger than Duo, including those with existing service-inthe-cloud footprints. Pricing pressure coupled with comparable technology will take its toll on smaller vendors. This report falls under the following categories. Click on a link below to find similar documents. Company: Duo Security

6 Other Companies: ActivIdentity, Aladdin Knowledge Systems, Apple Inc, Arbor Networks, Arcot Systems, Authentify, Barracuda Networks, CA Technologies, EMC Corp, Entrust, Gemalto, Google, Knowledge Systems Pvt, Microsoft Corporation, Technology Nexus, PhoneFactor, Resonant Venture Partners, RSA Security, SafeNet, SecureAuth, SecurEnvoy, SMS PASSCODE, Symantec, Tektronix Inc, True Ventures, VASCO Data Security International, Vector Capital, VeriSign, WiKID Systems, Yubico Analyst(s): Steve Coplan Sector(s): Security / Identity & access management / Authentication Cloud / Software infrastructure as a service / Security as a service Copyright The 451 Group. All Rights Reserved.