
Apple's security strategy: make it invisible

Rich Mogull | June 17, 2013
When I received an invitation to the keynote event at Apple's Worldwide Developers Conference, my first reaction was, "Why?" I'm known as a security guy, which means my keynote invites are only when major security features are released. But as I watched the presentations, I began to understand why.

Among the many new features in iOS and OS X that the company discussed, two security-related ones received extended attention: iCloud Keychain and Activation Lock. And as I thought about the demos of those and other new features in the days that followed, I came to realize something about the company's approach to security that I hadn't thought about before.

The human factor

Apple is famously focused on design and human experience as their top guiding principles. When it comes to security, that focus created a conundrum. Security is all about placing obstacles in the way of attackers, but (despite the claims of security vendors) those same obstacles can get in the way of users, too.

Take passwords, for example: As essential as they are to protecting us and our devices, they are one of the most universally despised things about using technology. (I've ranted about passwords elsewhere).

For many years, Apple tended to choose good user experience at the expense of leaving users vulnerable to security risks. That strategy worked for a long time, in part because Apple's comparatively low market share made its products less attractive targets. But as Apple products began to gain in popularity, many of us in the security business wondered how Apple would adjust its security strategies to its new position in the spotlight.

As it turns out, the company not only handled that change smoothly, it has embraced it. Despite a rocky start, Apple now applies its impressive design sensibilities to security, playing the game its own way and in the process changing our expectations for security and technology.

Pragmatic design

While Apple hasn't said so explicitly, it's clear that one key principle guides them when it comes to security: The more you impede a user's ability to do something, the more likely that user is to circumvent security measures. There were three good examples in the company's WWDC keynote:

iCloud Keychain: When Apple first announced iCloud Keychain, I was initially perplexed. Why add a password manager to the operating system and default browser when there are plenty of third-party applications that do this, and it isn't among the features users are screaming for?

Then I realized that Apple was tackling a real-world security issue by trying to make that issue simply go away for the average user. Apple certainly can't stop the onslaught of phishing attacks. But it can add a built-in, cloud-based password manager that both reduces security risks and improves the user experience. That addition enables users to use complex, site-specific passwords, and those passwords will--with no user effort--synchronize across all of their devices and be available whenever they're needed (assuming those users use Apple products only, of course).

 
