In his book titled “Only The Paranoid Survive”, Andrew Grove (former CEO of Intel) talks in detail about the computer industry's move from a vertical to a horizontal structure in the early 1980s, a transition completed by the 1990s.
In the 1980s, a company used to do everything in the stack. It built its own chips, had its own hardware and its own operating system, built its own software and had its own sales & distribution force. A company defined its entire stack and the integration points between layers. Hence, the trust mechanism between those layers was the company's own responsibility. IBM was a great example of such a corporation.
By circa 1990, this vertical stack had been converted into a horizontal one. Former suppliers to IBM such as Intel, Motorola etc. were now firmly entrenched at the lower end of the stack, occupying it end to end. Former stack holders, namely IBM, were now integrating the stack between hardware players and providers of operating systems such as Microsoft, or even open source ones like Unix. In a sign of changing times, Microsoft and Intel were now the primary stack builders. Their interest was in widening the horizontal base of this stack.
Rise of Computer Security Industry
Computer security came alive due to this opening of the stack. Evidently, a vertically stacked company had no compulsion to expose its inner workings, technical architecture, hooks and so on. The interfaces between chips and operating system, and between operating system and applications, were shared or exposed internally or, at best, within a tightly controlled set of companies. Trust was internal to the system and was by and large maintained.
However, horizontal stacking demanded opening up the integration points between each level of the stack. This was not limited to a few players; it was supposed to be for everybody. Full documentation existed for everybody to understand operating system internals and hooking details, and to create applications for the platform. On the one hand, it gave momentum to a whole set of entrepreneurs, individuals and companies who started playing in the integration space and specifically the application space. On the other hand, it also provided an incentive for a minority of fun-seeking and, later, business-minded unscrupulous players.
As is their wont, such players started misusing the relative or complete openness of integration points. Many virus/malware attacks were launched on individual company systems. After the advent of the World Wide Web, such attacks could be launched on a global scale. This gave rise to a host of computer security firms that guarded against unscrupulous use of the newfound openness in the computer industry. Evidently, security firms like McAfee, Symantec, Trend Micro and others acted as cops whenever somebody broke the trust software players expected of each other, in the interest of users.
Put differently, security players provided the glue of trust (from an end user's point of view) between the integration points of the different stacks of this new horizontal computer industry.
Vertical vs Horizontal Act II – Return of Steve Jobs
Even during the winding down of the vertical stack, Apple had remained a company wedded to the idea of a vertical stack. Apple did not follow the idea of a strictly vertical stack, though: only microprocessors, hardware and operating system were integrated within the company, and other ecosystem players could craft applications for the Mac. However, the relatively high price of the Mac and its lower market share did make it an uneconomic target for most folks in the hacking community. Still, the idea of the vertical stack remained integral to the philosophy of Apple and of Steve Jobs, even after he had been eased out of Apple. Steve Jobs carried the same idea of an integral vertical stack to his next venture, “NeXT”. NeXT Computer had chipset, hardware and software integrated within the company. Unfortunately for him, the economics of the industry had changed, benefitting low-priced computers built on the Wintel combination, and NeXT eventually withdrew from the computer game.
Steve Jobs, with the benefit of hindsight, never lost his idea of designing a total system in house. By 2007, when he introduced the iPhone, it was clearly coming out of a vertically integrated stack company. Apple designed and built its own hardware, its own software and even its own applications. Later on, they did let outsiders come in by creating the concept of a marketplace, but they still controlled it by proxy, deciding who could play in the marketplace based on their own set of guidelines.
In comes Android, and concerns on security
The iPhone was and is a great success. Coupled with the iPad, it let Apple benefit from being a successful vertically integrated company while allowing limited exposure at the top. Evidently, this left a large part of the industry out of play and looking for action in the smartphone world. The closest competitor of Apple was Blackberry, and it was not structured very differently from Apple. Increasingly jittery at the advent of Apple, a lot of players set their eyes on a potential competitor – Android.
It was a repeat of the early 1980s: the formation of a new horizontal stack. Although Google controlled the operating system, it was open for custom implementation by hardware vendors, provided they maintained the compatibility required by application developers. Android also provided a marketplace, once again opening up the entire stack at the top. Most importantly, it allowed various players to offer Android implementations at various price points, suiting the needs of most. Apple, on the other hand, was perceived as a premium player delivering at higher price points.
Source – http://www.slideshare.net/andreasc/mobile-megatrends-2010-vision-mobile-research
Openness is required for the proper functioning of such a horizontal stack, and it comes at a price in terms of security concerns. From 2007 onwards, as happened in late 1990, unscrupulous elements started to misuse this openness once again, giving rise to security players with a need to act as cops. The glue of trust needed the firm hand of security companies to re-establish it in front of vendors and users.
Apple had also opened up the stack at the application level. Did it have security concerns? The answer is yes; however, such concerns were tempered by the level of trust injected by Apple's gatekeeping of its marketplace. Clearly this was not deemed enough: a third-party trust mechanism was still expected, and it came from various security vendors such as McAfee, Lookout Mobile etc.
Lockdown Security – OEM breach of trust costs money
Horizontal stacking of the mobile/embedded device industry requires another level of trust. By and large, a mobile/embedded device's OS does not allow developers to hook directly into or change kernel-level components at run time. Moreover, a shipped mobile/embedded device's OS is not expected to change unless the change is carried out through a vendor-approved OS process. In many situations, such trust is broken, either consciously or by malware that exploits existing vulnerabilities in the operating system. Furthermore, the OEM traditionally owns and provides support for the OS part of the device, and hence it costs them money to remediate each such instance of a broken OS/device. Locking down devices and making them tamper-proof is another level of trust enforced between users and manufacturers of the device, once again by a third party acting as gatekeeper of trust.
Innovation and enterprise thrive on the openness of platforms. It allows various players to interpret a platform, or stacks of platforms, in the ways that make most sense to their technical and business instincts. In an ideal scheme of things, it generates an unparalleled market potential that is tapped by enterprising individuals. However, it is also exploited by unscrupulous elements, and that is where a third-party security industry becomes the keeper of trust and a cop against the bad guys.