Microsoft vs. Apple Security: Who's Right?

Rob Enderle

When it comes to approaches to security, can Apple's, which clearly works for consumers, work in the enterprise? If the goal is to sell product and make people feel safe, perhaps it can. Or is Microsoft's approach superior, with its more open process? I doubt either company could adopt the other's process easily but, given that some of you will be looking at Snow Leopard in a few months, now would be a good time to, as Apple used to say, think different.


Microsoft's Disclosure Approach


Microsoft's current program appears largely based on the belief that if you disclose everything, your liability is limited. So far, it hasn't seemed to attract much liability, so that part seems to be working. The process of aggressively reporting exploits, coupled with monthly patches that are explained in enough detail to allow someone to actually take advantage of the exploit, is consistent with the views surrounding open source, in that it appears to be very transparent. I'm using the word "appears" not to be tricky but because I've never really audited the process. However, it does look to be comprehensive.


On top of each disclosure, if Microsoft leaves anything out, Symantec (and other security firms) expands on the exposure to create the impression of vulnerabilities that sell security products. These security firms, in addition, work to identify additional problems, which they generally tell Microsoft about, and help keep this cycle of pain for users and administrators rolling.


So, in effect, it's the folks that work to find ways to penetrate Windows who are actually getting a substantial amount of funding and marketing. The end result is a constant deluge of problems, making the product look incredibly vulnerable and supporting the security industry that has grown to depend on these vulnerabilities.


Apple's Non-Disclosure Approach


Apple doesn't really talk about its exposures; it focuses its efforts on making its product appear invulnerable. It doesn't cooperate with security firms and seems to actually recommend folks don't use security products. I don't think that is because it wants users not to be secure. I think it's because it doesn't want to create the kind of upside-down ecosystem that surrounds Microsoft.


Rather than participate in things like the Black Hat conference, Apple keeps its own security folks locked away working quietly on security problems. It patches quietly, as well, trying to limit or eliminate any sustained coverage of the problems that it too clearly has.


The end result is that its product appears less vulnerable, the security firms have less incentive to promote the vulnerabilities of the product because Apple users mostly don't buy security products, and Apple users feel more secure on Apple products.


So Which Is Better?


If I were solidly in the open source camp, it would be hard to argue that Microsoft's approach isn't better, but I'm not a coder anymore and, while I've been cross-trained in every function, I still think my primary skill remains marketing. As a result, I favor the Apple method by a significant margin. Were I Bill Gates and had a time machine, I would go back and close the security hole that was created at the very beginning by not owning security and instead outsourcing it to third parties. Currently, Microsoft is using OneCare to get its arms around security, but it can't bundle the product into Windows without getting pounded by the anti-trust folks.


This last point is probably a lesson for Apple, which still needs to strengthen its own security to include more aggressive anti-virus and anti-phishing technologies before it suffers a major breach and the Windows security industry embraces it to fill the gap.


So, I think Apple's approach may be better long term for that company. The question, however, is: Would enterprises that tend to be more open source and really care less about a vendor's image agree? I'd like to know what you think.

Aug 14, 2008 2:40 AM Peter says:
I have been personally & professionally involved with both PCs & Macs/Apple since their respective inceptions. I don't think the security exposure of Windows & OSX is as level as you imply. If the only difference between OSX & Windows was simply that Apple tries to keep a lid on security exposures, then we would all be hearing about the OSX exploits in the media - Apple does not have control over the hacker community or the media that jumps on this kind of news. Arguably, there is more focus in the hacker community to bring down Windows than OSX. The relative vulnerability & weak security of Windows versus OSX is real, not marketing. Put another way, MS did not create their costly approach to handling security issues first. Their product was weak & required their response to address the weakness. Apple, on the other hand, has a product that is relatively more secure, so they don't have to spend the time & money on addressing that area. Basic economics - spending money on security reduces profit margin so don't spend it if you don't have to.
Aug 14, 2008 4:38 AM Sonja says:
Peter, I agree.
Aug 18, 2008 3:13 AM Rob Enderle says:
I'm in partial agreement with you. Apple is, however, now being attacked and they are in danger of going down the same path Microsoft blazed. Case in point:
