This is the second post in the Tidal Forces series. The introduction is available..
Computers aren’t computers any more.
Call it a personal computer. A laptop, desktop, workstation, PC, or Mac. Whatever configuration we’re dealing with, and whatever we call it, much of the practice of information security focuses on keeping the devices we place in our users’ hands safe. They are the boon and bane of information technology – forcing us to find a delicate balance between safety, security, compliance, and productivity. Lock them down too much and people can’t get things done – they will find an unmanaged alternative instead. Loosen up too much, and a single click on the wrong ad banner can take down a company. Vendors know it is possible to escalate a foothold on the enterprise endpoint, or the network, to reach hundreds of millions – perhaps even billions – in revenue. Extend this out to consumer computers at home, and even a small market footprint can sustain a decade of other failed products and corporate missteps.
But it’s all changing. Fast.
A series of smaller trends in computing devices are overlapping and augmenting each other to form the first of our Tidal Forces which are ripping apart security. All three larger forces hit harder over time, as their effects accelerate. The changing natures of endpoints is the one most likely to deeply impact established security vendors for economic reasons, while simultaneously improving our general ability to protect ourselves from attacks. The other forces are also strongly shaping required security skills and operational processes, but the endpoint changes disproportionally impact vendors, and this transition should be much less painful for security practitioners.
- Most of our devices aren’t ‘computers’ any more: According to both Gartner and IDC, PC shipments have declined for five years in a row. The number of “traditional computers” shipped in 2016 was around 260 million, compared to over 1.5 billion smartphones. The change is so dramatic that Gartner expects Apple’s operating systems (iOS and macOS) to overtake Microsoft Windows in 2017. Employees and consumers spend more time on mobile devices than on old-school computers, with keyboard and monitor. We see a concurrent rise in single-purpose devices, known as the “Internet of Things”. Fitness trackers, lightbulbs, toys, televisions, voice-activated AI portals, thermostats, watches, and nearly anything more complex than a fork (or not.
- The devices we use are more secure: There is effectively no mass malware on iOS. Current iPhones and iPads are so secure that have kicked off a government showdown over privacy and civil rights. Even Android, if you are on a current version and use it correctly, is secure enough that most people don’t need to worry about losing their data. While there is a glut of insecure IoT devices, companies like Apple and Amazon are using their market power, through HomeKit and AWS, to gradually drag manufacturers toward solid baseline security. We don’t have survey data, but we do know Windows 7-10 are materially more secure than Windows XP, and most organizations experience much lower infection rates. It’s not that we have perfect security, but we have much better security out of the box, with a much higher cost to exploit. The trend is only continuing, and most devices don’t need third-party security tools to be safe.
- The devices we use are less open: You cannot install antivirus or monitoring agents on an iPhone. This won’t change because Apple considers the system-wide monitoring they regard as a security risk… because it is. The long-term trend, especially for consumers, is towards closed ecosystems and app stores. Today an operating system vendor would need to open access and loosen security on parts of the system to enable external security monitoring and enforcement. It seems safe to assume this access will continue to be ratcheted down tighter to improve overall platform security, even on general-purpose operating systems. Microsoft first started closing off parts of the system back with Windows Vista, resulting in an anti-security advertising campaign by certain vendors to keep the system open. The end result is an ever-tightening footprint for endpoint security tools.
- We don’t control the networks, and encryption is widespread and stronger: Not only are our devices more secure, but so are our network connections. TLS encryption is increasingly ubiquitous in applications and services, and TLS 1.3 eliminates any possibility of out-of-band monitoring, forcing us to rely on man-in-the-middle techniques (which reduce security) or endpoint agents (which we can’t always install). We are increasingly reducing the effectiveness of bumps in the wire to secure our endpoints and monitor communications.
Thus there is a simultaneous shift away from traditional general-purpose computers toward mobile and other devices, combined with significantly stronger baseline security and reduced accessibility for security tools. As mentioned above, this affects vendors even more than practitioners:
- Security vendors will see a large contraction in consumer anti-malware/endpoint protection: The market won’t disappear, but it’s hard to eviision a scenario where it won’t continue shrinking. Already few consumers purchase endpoint security for Macs, and none for iOS. Windows 10 ships with AV built in and good enough for most consumers. We are talking about billions of dollars in revenue, fading away in a relatively short period of time. I strongly believe that’s why we see moves like Symantec buying Lifelock and releasing a security-enabled WiFi router, as they try to remain relevant to consumers. But it’s hard to see these products making up for such a large loss of addressable market, especially in competition with free credit monitoring and network vendors like Luma who offer basic home network security without annual subscriptions.
- Endpoint security vendors will also see some reduction in enterprise sales: The impact on their consumer business will be higher, but we also expect impact on the enterprise side – caused by a combination of a smaller addressable device footprint, competition from free tools (such as OSQuery for configuration monitoring), and feature commoditization forced by operating system vendors as they close gaps and lock down their operating systems. It’s hard to quantify this, but it is clear that loss of licenses will hurt, as device types shift. It’s also hard to see endpoint DLP and other compliance-oriented tools filling in the revenue gap.
- Network box vendors are in trouble: We will talk much more about box vendors in our next couple posts, but with more distributed access over strongly encrypted connections: enterprises either need to route everything through VPN connections and man-in-the-middle all their traffic, use a cloud service, or just rely more on inherent device security. It is very hard to find any long-terms trends which favor them, and of course attackers continue to innovate.
I am most definitely not saying endpoint and network security will go away, but these markets will contract, and these vendors will be forced to reconfigure to maintain revenue. Some will figure it out, some won’t, and life will go on.
We also see the practice of endpoint security changing:
- Security will be better, but monitoring harder: We are losing our ability to monitor everything on the endpoint, at the same time it is getting harder to monitor network connections. This hurts employee monitoring and (some) compliance, but fortunately it is less problematic for security from attacks.
- We won’t need to manage as many endpoint tools: Because we won’t use them, and the ones we use will run on fewer things. I suggest using your newfound free time to learn more about cloud security architectures.
- We will move to zero-trust networks: This will come up again when we discuss SaaS, but we increasingly assume our networks are compromised, and rely more on inherent endpoint security and encrypted connections to secure services. Some companies do this today – it is no fantasy.
- We will use more cloud-based network monitoring and filtering: Network monitoring is harder, but not impossible. It makes sense to use a cloud service instead of local network tools for things like URL filtering and DLP, because they make it easier to manage widespread users and devices, without maintaining our own large VPN infrastructures. There are definitely tradeoffs here, and over the longer term I expect this market to shrink as well.
I’m sure I am missing a hell of a lot, but the fundamentals are solid. iOS alone has already had a major impact – now imagine a world where most devices we use embody a similar security model, while simultaneously leveraging more secure network connections.
Please let me know what you think in the comments below and on Twitter.