US-based two-factor authentication provider Duo Security announced this morning that it is in talks to be acquired by networking giant Cisco. According to Duo’s press release, Duo will become a “business unit” under Cisco’s Security Business Group, and current Duo CEO Dug Song will become the unit’s general manager.
Ars is a happy Duo customer, and we use the product notably to apply 2FA to a variety of our internal functions; beyond that, a number of Ars staffers (myself included) use Duo’s free tier to wrap 2FA around our own personal stuff, like Linux PAM authentication and Mac/Windows logins. Duo’s flexibility and ease of use has been an incredible driver of success for the company, which says it has about 12,000 customers.
But the worry here is that Cisco is going to kill the golden goose—and, as a former Cisco customer, I’m struggling to feel anything but dread about all the ways in which this acquisition could kill everything that’s good about Duo.
Duo boss says not to worry
In an email to Duo customers this morning, Duo CEO Dug Song attempts to address fears like mine in the very second paragraph:
If you read nothing else, please read this: our commitment to give you the service and functionality you were accustomed to will not change. We will also be continuing to expand our library of integrations and inventive solutions to make certain your security choices stay the most adored in the industry.
I know this is supposed to make us feel better, but it’s a lawyer-friendly non-statement that doesn’t really assure anyone of anything meaningful. “Our commitment [emphasis added] to give you the service and functionality you were accustomed to will not change” is shameful corporate doubletalk. Duo’s “commitment” is immaterial to this discussion. Saying “our commitment to give you the service and functionality you were accustomed to will not change” is very different from actually saying “the service and functionality you were accustomed to will not change.”
I’ve reached out to Duo’s press office seeking comment about the acquisition, but Duo had not responded at publication time. I’ll update this piece with the company’s comments if it does.
My peril-sensitive shades just went dark
Maybe I’m just overreacting. Maybe everything’s going to be fine. Consumer-facing brands like Linksys have been getting along well under Cisco for the past few years—at least after this idiocy, right?
I’d love for that to be the case, but I just can’t find the hope within me. I spent a decade as a Cisco enterprise customer, elbows deep first in Cisco MDS9500-series SAN directors and then later in NX-OS powered converged switches, and my own experience with Cisco was overall profoundly negative, even though I was working for a Fortune 25 company with all of the additional sales and support attention that warranted.
In my opinion—which is informed by my own anecdotal experience—Cisco belongs on the same shelf as Oracle when it comes to companies that exhibit a profit-above-all-else attitude. From my point of view as an enterprise customer, Cisco consistently came across as unswervingly committed to maximum revenue extraction at every single point in its relationship with a customer. The company’s per-feature licensing was (and remains) so expensive and so complicated that the entire product portfolio seemed designed around creatively separating customers from their capital first and actual network/SAN management second.
The yawning abyss of suckification
When the news broke this morning, I had a brief and despairing conversation in Ars Slack with Jason Marlin, Ars’ technical director-in-chief. We’d just seen the emails and had both independently had the same initial reaction of dismay:
The concerns we had—articulated above, complete with swears for emphasis—can broadly be packed together under a single horrifying prediction: Cisco is going to screw up Duo by turning it into a Cisco-style product. Jason’s “gross Java applet” comment was mostly in jest—dear God in heaven, please let that not come to pass, because I already have to keep a dedicated virtual machine around loaded with Java so that I can manage my web server’s ASA box—but the Cisco-fication of Duo is legitimately scary.
From a usability standpoint, we’re afraid UI/UX creep will transform the current Duo console into a Frankenstein-monster nightmare of tabs and endless nested menus. We’re afraid of the simple user-facing sign-on interface bloating into a grossly overcomplicated portal that buries basic operations under layers of extraneous crap. We’re afraid that development time will be spent on features that specifically benefit only the top-tier enterprise customers instead of improving the overall product.
More importantly, we’re worried about Duo’s free tier—because at Cisco, all things serve the stock price (I’ve had lunch with a whole heap of Cisco enterprise sales reps, and those conversations gave me a very stark, very unflattering peek into Cisco’s revenue-driven culture). That alone is more than enough to make me fear for the removal of Duo’s extremely valuable free tier, coupled with Cisco mandating Duo raise the prices on Duo’s paid tiers in order to help with the company’s mindless obsession with beating its quarterly guidance. The fact that Cisco has returned to profitability in 2018 makes that kind of price-pumping just about inevitable. The next time revenue dips, management will need to go all-hands-on-deck to make up for the shortfall, and squeezing more revenue out of an acquisition is a common practice.
Why must everything I fall in love with die?
A lot of my despair here comes from the fact that I’ve extensively adopted Duo into my own personal operational security routines, and it works great. It felt like the bit in Fight Club where Jack and Tyler are talking about the perceived permanence of furniture. Whatever else happened, I had my 2FA issues handled. I didn’t have to think about it anymore.
And Duo is great at handling these issues. My servers all use Duo for both 2FA logins and also privilege escalation, by way of Duo’s excellent Duo Unix integration. I use Duo 2FA for local logins for my work MacBook Air. I’ve got Duo 2FA protecting the WordPress logins of a couple of sites I help administer. The service supports push requests through its app (which will also generate TOTP codes and works as a Google Authenticator replacement if desired). It works with hardware tokens like YubiKeys. It even supports U2F authentication, and it’s got a pretty good self-service portal for users to add or remove their own devices as necessary.
And, as long as you don’t need more than 10 active accounts, the service has a free tier that does everything a person or home user needs. The broad functionality, coupled with Duo’s ongoing development of new ways to use the service, make it a pleasure to use. It’s one of the few services in my life that I’m almost completely 100 percent satisfied with.
(It’s worth noting that I fell head over heels in love with StartCom’s free SSL/TLS services and its cheap wildcard certificates, too, and we all know how that turned out. Word of advice: if I start talking about how great a company is, stop using its services immediately, because it’s probably about to either collapse or be bought and destroyed.)
To be fair, Cisco is clearly in the process of building its own self-contained infosec vertical and, as Ars IT editor Sean Gallagher pointed out while discussing this story, Duo is pretty much the platonic ideal of a company that was created with the specific goal of being bought. It’s exactly the kind of building block a company like Cisco would be looking for to incorporate into its own plans. And as much as I’m dissing Cisco, there are worse companies to be acquired by—at least it wasn’t Huawei or McAfee (I just threw up in my mouth a little while typing that). And Cisco doesn’t have its own widely applicable 2FA solution, so the chance that Cisco would buy Duo just to kill it (cough cough) seems low.
The only thing that doesn’t change is change
I just can’t shake the sadness—the feeling that this is the last chapter in Duo being a usable, friendly company and the opening chapter of its life as an increasingly crappy cog in an enterprise machine focused on making 2FA available only to those who can afford it, rather than for everyone. It’s hard to look past the idea that Cisco is going to come in and screw this up.
But, in the end, change is part of life. And, once again, it’s possible (likely, even!) I’m overreacting—Cisco hasn’t entirely gutted and destroyed other security-focused acquisitions like OpenDNS and Sourcefire, and the company does appear to be solidly committed to myriad noble-sounding goals. And it’s impossible to deny that, if left alone, Duo could likely do a lot of great things with Cisco’s financial and technical resources to draw on.
But my gut—and a lot of life experience on the customer end of Cisco’s business practices—tells me that I should start researching alternatives to Duo. Cisco’s frothy “people first” rhetoric clashes heavily with every interaction I’ve ever had with the company, and—while I’m happy for the Duo team and its success—as a customer, the only things I’m feeling are anxiety and uncertainty.