How Apple Could Lead the Next Big Tech Trend–Security As A Service

by Ben Bajarin   |   August 23rd, 2013

Security is a hot topic in many countries at the moment. And it is going to be a hot topic for the foreseeable future, perhaps for reasons you may not even know yet. It is fascinating to listen to water cooler conversations from folks on the topic. Security, or a lack thereof, is quickly becoming top of mind for many human beings and rightly so. The question that I think is interesting in all of this discussion is the role technology can play around the topic of security. More importantly, what can technology companies do with regard to security?

Computers come in all shapes and sizes these days. Some go in our pocket, some go in our bags, some sit on our desks and others in large cooled warehouses. Soon we will even have computers that we wear on our person. What comes with this new era of ‘personal electronics’ is new levels of intimacy with our devices. Our smart phones are very personal and more importantly heavily personalized. They contain quite a lot of data about us and are gathering more each and every day. We use them to communicate, participate in commerce, gather information, etc. As I look out at the markets I study and the technologies orienting themselves to serve them, I am becoming increasingly convinced that the idea of security and, more specifically, the idea of security as a service, is about to get a lot of attention. And given Apple’s leadership role on a lot of digital things, I expect Apple to lead the charge in the next generation of personal digital security too.

An Embedded and Integrated Experience

There are several reasons I think Apple will move the goal posts as it relates to security. The first is related to their acquisition of AuthenTec in 2012. We had been tracking AuthenTec at the time and they had many of the leading solutions for mobile security and biometric sensor technology. AuthenTec also conveniently holds the vast majority of patents in many key areas related to this type of security.

The second reason, which is why Apple bought AuthenTec rather than license the technology, is that Apple is a highly vertically oriented company, meaning they own and control all the essential elements needed to create the Apple-centric experience.

By owning all the key components from designing the system-on-chip, to the hardware and software security layers, the operating system, the hardware itself, and the underlying cloud framework, Apple is uniquely positioned to create a security solution unlike many others.

Security as a Service

Traditionally we think of security as a feature. I’m proposing we think of it as a service. This would include a set of features that, when combined and continually implemented, will be embedded into the fabric of the computing experience.

Earlier this year, in an article for MacWorld, Rich Mogull wrote a great piece. In this article he made many astute observations and comments. This one in particular:

Despite a rocky start, Apple now applies its impressive design sensibilities to security, playing the game its own way and in the process changing our expectations for security and technology.

Apple can afford to play the game their own way since they are the most vertically oriented personal electronics manufacturer on the planet. This will let them do things like bind elements of device security to their processor designs. This follows Intel’s logic with their purchase of McAfee to create new generations of secure silicon adding new levels of encryption to local data. Apple being in control of their hardware and software also would allow them to offer customers the ability to do a thumb scan or image recognition before engaging in a transaction, manage all our passwords in the cloud, etc, and ultimately give us more control of our own digital identity and security.

No Trivial Problem

What I find fascinating about Apple and others in the industry moving in this direction is not only how complex this problem is but also how risky it is. On-device security is one thing, but securing data between the device and others as well as the cloud gets even more complex. But I’d argue that tightly integrated solutions stand the best chance to deliver.

Security is a big deal and any company touting the benefits of security as a service has just put a target on their back. But, that doesn’t change the fact that it is important and necessary for companies providing solutions to the consumer market to address this issue. That is what makes this discussion incredibly strategic to Apple as well as others.

Security as a service could become a key differentiator for Apple products and a driving reason to choose Apple products over others. But even more interestingly, their competition (Google) doesn’t care about security. It is a battlefield their core perceived competitor has no interest in playing on. And that makes it all the more important.

I’m not going to speculate on how this is going to play out. I just feel the trend bubbling up in a way that makes me believe more security-centric solutions are coming and it will be made a big deal. What’s more, only a few companies seem like they have it in their interests to offer this service to their customers as a part of the holistic computing experience.

Ben Bajarin

Ben Bajarin is a Principal Analyst at Creative Strategies, Inc - An industry analysis, market intelligence and research firm located in Silicon Valley. His primary focus is consumer technology and market trend research. He is a husband, father, gadget enthusiast, trend spotter, early adopter and hobby farmer.
  • FalKirk

    With the coming of the new iPhone, I have been thinking about this issue A LOT. If Apple could crack the ID issue, the whole pay by phone market would explode.

    However, I find it hard to believe that Apple has overcome the technological challenges to such an extent as to make IDing “foolproof” – and they’d need it not only to be foolproof but thief proof as well.

    I’m waiting for September 10th with bated breath…

    • http://aapltree.wordpress.com/ Mav7

      Been a while, Fal!

      Between Authentec and iCloud Keychain (which really started to convince me that a fingerprint scanner was a distinct possibility for the iPhone 5S), I think Apple has all the pieces in place. Once biometric data (in this case, one of your fingers) becomes the password (for everything), your phone is secured and you never have to remember any password ever again given the proper implementation. With “autologin” via biometrics, getting to payments isn’t far away.

  • toby

    You’re going to have to back up that claim about Google not caring about security. For one thing, why did they start including the selinux module? Yes, it’s in permissive mode by default but clearly they plan on enabling it once they’ve determined the correct policies.

    • benbajarin

      Given Goog’s business model of free services made up by the selling of data collected on a person and the profiling of said person they are collecting, how is security a priority for them? Plain and simple it isn’t.

      They will have some things that add secure elements but the way I see Apple doing it, Goog won’t even come close. Nearly every survey I have seen shows high level of distrust of Goog. People are right to trust their security with other companies.

      • Oletros

        Taking into account that Google doesn’t sell any data, it is clear that the rest of your rant against Google doesn’t hold water.

        By the way, still trying to grasp what profiling people has to do with security. Or do you say that iAds makes Apple less careful about security?

        • benbajarin

          So you’re saying that you are not the product in Google’s advertising business model? They sell your profile, the knowledge they have on you, in order to sell specific campaigns to advertisers.

          This is all very simple. Google offers free services. They have to monetize those free services. You the consumer are giving up some things in order to use the free services. One of those is security. It is the undeniable tradeoff. Again there is nothing wrong with their model but I think people need to understand the tradeoff.

          Second, to say that Google will ever have a shot at being as secure as a vertical player like Apple or RIM for that matter completely misunderstands the horizontal, licensed platform model. Google cannot mandate to their OEMs any defining of hardware. Anyone can use it therefore anyone can abuse it. When you have companies out there using their product just trying to make the product cheap or free, these companies simply will not invest in the hardware.

          If Google cared about security, Samsung and Moto, and others would not have had to create their own enterprise level security services. Businesses wouldn’t have to license third party software to secure other Android devices and make sure data is protected.

          As I said from a business standpoint it is all pretty simple when you understand their model. They sell you, it’s how they make money.

          • Oletros

            “So you’re saying that you are not the product in Google’s advertising business model? They sell your profile, the knowledge they have on you, in order to sell specific campaigns to advertisers.”

            The moment you say that you’re the product is the moment you have lost all credibility.

            Google (or Apple with iAds) doesn’t sell your data (this was your first claim) and you’re not the product, the product is ad placement.

            “This is all very simple. Google offers free services. They have to monetize those free services. You the consumer are giving up some things in order to use the free services. One of those is security. It is the undeniable tradeoff.”

            When you can make an argument linking free services with less security you will have a point. Since Google has been one of the first to put two-factor authentication, SSL and other security measures on their FREE services, your point is wrong.

            “As I said from a business standpoint it is all pretty simple when you understand their model. They sell you, it’s how they make money.”

            As I said, from a business standpoint it is all pretty simple when you understand their model. They DON’T sell you, they sell advertising space.

          • benbajarin

            Again, the value to the advertiser is only there when they know a bit about who they are advertising to. It’s just how the business works, it is metrics based and to achieve those metrics it requires the profiling.

            Talk to CIOs and other technical implementors of security and see how they feel about Google and their services.

            Also please don’t miss my point, by nature of the law and with respect to key elements of their business they have things that are secure. I’m not saying they are zero percent secure. I’m saying by nature of their business they simply will not focus on this the same way other companies will to ensure higher levels of security tied to certain use cases as other companies.

            Sometime offline if we ever meet I’ll tell you what Andy Rubin said to us straight up about Android security.

          • The Silver Fox

            I suspect that you don’t fully understand how Google advertising works. Google advertisers never receive personally identifiable information about the people who view their ads. The advertisers simply specify the demographics, interests etc. that they want to target (e.g. 30 something males in California), Google then delivers the ads to that target audience, but the advertisers never know the names etc. of the viewers of the ads – only Google knows that information, and then only if the end user is signed into Google services using their real name.

          • steve_wildstrom

            And don’t forget that Google’s biggest source of revenue is still AdWords, which operates on a much simpler model of advertisers bidding for search terms.

          • benbajarin

            Yes, I do understand that. There is still a matter of holistically the data Google is collecting on us as a result of their free services in order to monetize with certain degrees of profiling. I don’t doubt that that is secure, but data on device from corps, personal, etc, as it relates to Android can be at risk and more risk than others.

            My main point is just that given Google’s business this is not an area they will take a leadership position in. They just can’t. Horizontal models simply fail at this every time.

            Google has no reason to compete specifically on the areas of security.

          • FalKirk

            “The moment you say that you’re the product is the moment you have lost all credibility.” – Oletros

            Dude, it is you who have lost all credibility. No reasonable person disputes that we are the product in Google’s advertising model. Google admits as much every day.

            Please don’t let your biases interfere with your reasoning.

        • benbajarin

          On profiling, that is less the issue in my opinion. It is the simple matter that their model does not justify the same focus on security as others to simply protect data, especially at the hardware layer, which is where this all needs to start.

          Amazon profiles me, as do many others, and I can only hope that it becomes useful. Apple’s software via apps are also locked off from each other given how Unix handles some things technically. Android on the other hand lets many devs use bits of other apps, etc. So there it’s much more likely that another could ‘steal’ some of the data being used.

          We did a large survey in the US with individuals who have had their email hacked. 82% of the respondents who have had their email hacked were using either Yahoo mail or Gmail. The overwhelming majority were on Android.

          I’m just saying, there is simply no way this can be as big of a priority to Google as other companies. This is not to say they will not do some things and provide some level of security, but it will not be on par with others who make money differently than Google.

          • steve_wildstrom

            I think you have to separate the security issues of Google services and Android. Google has done a pretty good job on services; for example, it was the first big provider to offer two-factor authentication and has been aggressive at pushing out HTTPS. There are a huge number of moving parts to Google services and they have, for the most part, avoided serious breaches.

            Android is another matter. The big problem is that OS security depends on interactions between the software and hardware and the lack of standardization of Android hardware and a lack of control over how OEMs modify the OS code makes guaranteeing security close to impossible. It’s actually a much worse problem than Windows. Windows was far more locked down WRT OEM modifications than Android and for all the variations in Windows PC designs, the core hardware was quite standardized. Google has left device security largely up to the OEMs. Some, such as Samsung in its most recent products, have done a good job. Others have barely tried.

          • benbajarin

            I agree. The issue in my mind is whether innovating on the idea of security or going beyond the bare minimum which is necessary legally or as to not be liable is a priority for them. I’d contend it is not due to the horizontal nature of their services and software model.

            I’m not saying elements of Google’s offerings are not secure at a basic level, what I’m saying is that it is not in their interests to go out and move the chains in this area the way someone like Apple can who controls the whole system.

          • steve_wildstrom

            Fully agree. Just want to give some credit where it was due. If Google does not have a deep security mentality, at least they are not as sloppy as many of their competitors on services.

            By the way, one thing that stands in the way of Apple being a security provider is their serious lack of transparency on security issues. They have a bad tendency to fix security problems without acknowledging them. They now have a good two-factor authentication system, but they are doing nothing to encourage people to use it. And we still have no idea of what to make of the security breach and shutdown of the developer site this month.

          • Oletros

            “Apple’s software via apps are also locked off from each other given how Unix handles some things technically. Android on the other hand lets many devs use bits of other apps, etc.”

            And now it is clear that you write without knowing how Android works.

          • benbajarin

            So many CIOs of Fortune 500 companies are wrong when they tell me that data on Android is almost always persistently at risk?

            How do you explain high levels of email hacking? Apps loaded with malware in the app store looking to siphon data?

            No I’m not a developer but I talk to many on both fronts and many CIOs and CTOs who focus on device security in their businesses. So hearing the perspectives of many to whom security is a concern informs my thinking.