However smart or daft you think Intel might be to pay a hefty premium of 60% to buy McAfee, there’s no doubt that this $7.7 billion acquisition represents a major event in the security solution space. It’s worth considering for a moment the underlying logic and consequences of this surprising move.
Business fashion is clearly a factor. The pendulum is swinging towards vertical technology companies, after decades of horizontal specialization. Of course, this might be no more than this year’s fad. Pendulums eventually swing back, whether driven by customer preferences or vendor ambition. The pendulum for outsourcing, for example, has just swung from mega-sourcing to multi-sourcing. That trend’s clearly going the opposite way.
Financial circumstances must have a bearing. Intel has a huge amount of cash and, like anyone else in that position, will be struggling to find decent investments that can meet their appraisal criteria. McAfee also has a higher profit margin, which might enhance Intel’s P&L account, at least in the short term. These considerations, however, are more of a supporting argument than a driver for the acquisition.
In fact the real motivation behind the deal is an initiative to embed more security in hardware. Intel confidently believes that McAfee’s security technology will help create “hardware-enhanced security.” They see security as the “third pillar of computing devices” (in addition to power-efficient performance and Internet connectivity). This is a great idea in theory. It will help build the higher assurance solutions we need for the future, and help us shoe-horn security into the growing multitude of non-PC, Internet-connected devices. Intel and McAfee are reported to have been working on such developments for some time.
No doubt other chip makers will be thinking on the same lines. But why pay over the odds for a company when you can simply partner? And why pick an aging software security company, dominated by an overriding commercial interest to milk a fat cash cow? McAfee themselves claim that they have the “core security DNA” to help develop Intel’s future security capability. The problem is that contemporary security technologies are not the best basis for responding to emerging security challenges. Many have reached their sell-by date. Some never delivered on initial promises. Security vendors have yet to satisfactorily solve yesterday’s problems, never mind tomorrow’s challenges.
In an ideal world, we would ditch our clunky legacy solutions and develop better technologies. But innovation is thin on the ground in a security market that seems content to adopt common practices that often fall well short of the best available. Users prefer familiar concepts to experimental ones.
Past experience of security acquisitions by large vendors has also demonstrated high risks of culture clash, restructuring pains, and a loss of momentum in further product development. Smart, innovative competitors can benefit from these distractions. Large companies are less agile than smaller ones.
But new developments in hardware security will require a solid security base. McAfee can bring this to the table. The real enabler for hardware security, however, is trusted computing, and the foundations are already out there in the form of hundreds of millions of TPM chips in laptops and servers. Exploitation of this capability is still in its infancy, but that will come with time. Many laptops are being shipped with self-encrypting drives – a vast improvement on software encryption – yet few laptop purchasers seem aware of this. And when skilfully combined with virtualization technology, trusted computing offers tremendous opportunities for innovative security solutions.
So hardware security is certainly coming our way, though it might not take the form initially suggested by an Intel/McAfee merger. In fact, a smarter and cheaper option for a chip manufacturer might be to buy Wave Systems, a security vendor specializing in hardware-based trusted computing solutions.