Would a Security Monopoly Really Be So Bad?

Opinion: It's just a thought experiment, but you can make a good case that competition has failed and that what the security market needs is a monopoly.

You could see it coming for years: Microsoft's entry into the security business will be treacherous for other security vendors. It's been about to happen for years and now it will take a little longer. But eventually it should actually happen.

And when it happens, independent security vendors' interests will be threatened, according to many analysts. Will Microsoft's entry be their doom, as it has been in so many other businesses? The anti-virus, anti-spyware and other security markets are not the same as previous cases.

As analysts point out in Matt Hines' excellent story, the enterprise security market is a totally different animal. Buyers are sophisticated and know they have plenty of credible options. Microsoft enters that market not only with no advantage but with a lot of explaining to do. And customers can reasonably ask whether it makes sense to use a vendor's security products to protect systems and applications software from the same vendor.

But even in the consumer market I'm not especially worried about these other vendors for a number of reasons. For one thing, they're only vendors. It's the interests of users that should really matter. For another, the history of the software business is littered with Microsoft failures, although once it does latch on to a market, it never lets go.

Of course, that's all fantasy, since Microsoft is in no better a position to solve our endemic security problems through its security products than any other vendor. It is in a better position to fight them by changing Windows. To a degree this is in the works for Vista, but it can only go so far.

To make a system secure in the real world you could lock it down tight, a configuration that normal users won't accept since they expect to be able to install and update software, not to mention reconfigure their systems. The alternative is anti-virus, intrusion prevention and similar products that look for threats either heuristically or by signature.

Of course, a huge percentage of users don't run anti-virus software or run out-of-date versions. These users are, for all practical purposes, unprotected. One way to solve this—please be patient with me, this is a thought exercise—would be for Microsoft to bundle a high-quality anti-malware product with Windows and make updates either free or very inexpensive.

Before I go any further, this isn't going to happen for a number of reasons, the biggest being that it would put Microsoft in extremely hot water with antitrust authorities; and that producing and distributing updates costs money, and Microsoft wouldn't be keen on creating a perpetual cost center.

But the upside, unless you're one of Microsoft's competitors, is huge. Thousands of threats come out every year, but very few of them are able to penetrate a system with a modern, updated security suite. Most of them depend on users being unprotected, and they don't have to infect many systems to be worth writing.

If such protection were a standard part of Windows, the threat would still take at least several years to go away because lots of people never upgrade. They'll keep botnets in business for a long time. But standard protection would probably cause PC sales with the new Windows version to go through the roof.

One of the real dangers of such a situation would be if Microsoft's product were second-rate or worse, not an unreasonable possibility. In this case Microsoft could kill off other vendors but still leave users unprotected to the extent that the product doesn't work as well as it might.

There's also the "monoculture" problem: If everyone's using Microsoft security, then any threat that can get through it is likely to affect a large percentage of users. But I'm not aware of lots of threats that consistently get through one anti-virus product but not others. Generally the difference is in how long it takes for the vendor to issue a signature.

If the Microsoft product were insufficient, then other vendors would have an in to the market, especially in the corporate market. But they would have a strong factor mitigating their prices.

Like I said, this is all fantasy—it's not going to happen. But it's interesting that there's a case to make for it. Competition in the consumer security business has certainly failed to make protection cheap and easy.

That's why my interpretation of this little thought exercise is that security software is too expensive. The price has been rising rapidly over the last few years to where the security industry has made the situation simple by moving to a subscription model. Where in the past you might have paid $50 for the product and $5 per year for updates, now you'll pay $40 or more per year. This is another reason I don't worry about them.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
