When someone says, “vertical integration,” most people think about product manufacturing and supply chain. In that context, vertical integration means a company controls everything from manufacturing to distribution. Apple, for example, designs and manufactures its own products, then sells them online and at physical Apple Stores.
Vertical integration can also describe how security is built in the IT world, where it is an increasingly hot topic. Combining hardware, software, and cloud services into a single controlled ecosystem is the IT version of vertical integration.
Using Apple as an example again, we can see vertical integration at work from a security standpoint. By designing, building, and controlling the hardware, software, and services together, Apple creates a more unified and secure platform while still maintaining high product quality and a good end-user experience.
The Apple ecosystem starts with securing the physical hardware at the time of manufacture, then the firmware that runs on that hardware, and finally the operating system, applications, and cloud-enabled services. Each layer verifies the next before handing control to it, which is what produces Apple's well-known chain of trust through the entire boot process.
Apple's iOS device security is widely regarded as a benchmark in the industry. Let's take a closer look at how Mac products and macOS use vertical integration to give you a secure experience.
Recent Intel-based Macs include a security chip known as the T2. It provides a hardware root of trust that begins the secure boot process: the T2 verifies the macOS boot loader and kernel before loading them, and it also supports Secure Boot for Windows under Boot Camp, so that only trusted operating systems run. The boot policy is set in the Startup Security Utility from recoveryOS; the default is Full Security, and lowering it weakens this check, so managed fleets should confirm it has not been changed.
Apple has also started shipping Macs with Apple silicon, the beginning of its break from Intel. Apple designs these chips itself, which makes it the only mainstream computer manufacturer shipping a CPU of its own design. On these Macs the secure boot and Secure Enclave functions that the T2 provided are integrated into the main system-on-chip rather than a separate chip.
Mac hardware is also equipped with many other familiar security features, including:
- Touch ID, which provides biometric login and authentication (Face ID is an iPhone and iPad feature; Macs use Touch ID)
- Secure Enclave, an isolated coprocessor that holds cryptographic keys and passcode data and stores a mathematical representation of enrolled fingerprints rather than the fingerprint images themselves
- Remote lock/wipe and Activation Lock, which prevent use of a Mac if it is lost or stolen. Activation Lock requires a T2 or Apple silicon Mac, and company-owned Macs can enable it through a mobile device management (MDM) tool
Once the secure boot process above completes, the trusted macOS runs from its own read-only system volume (cryptographically signed on macOS Big Sur and later), and applications cannot overwrite system files. FileVault 2 disk encryption keeps user data secure at rest. Third-party code that once had to be loaded as a kernel extension can now be delivered as a system extension, which runs in user space rather than inside the kernel. This move from kernel extensions to system extensions is a significant step toward a more secure and reliable operating system, since a bug in a user-space extension can no longer crash or compromise the kernel.
macOS also checks daily for software updates, which can be set to download and install automatically. Keeping up with security and critical updates is a step Apple users tend to take promptly; adoption of the latest macOS and iOS versions is typically higher than for Android or Windows.
For added security, Apple signs these updates and macOS verifies the signature before installing them. App developers must join the Apple Developer Program, and the apps they submit to the App Store are reviewed before publication. Organizations can distribute internal apps through the Apple Developer Enterprise Program, which also vets applicants, so end users can confidently download and install company apps.
Apple also offers XProtect, built-in signature-based malware detection included at no extra charge as part of macOS. Gatekeeper, also built into macOS, checks downloaded apps for a valid Developer ID signature and notarization before allowing them to run. App Store apps are required to adopt the App Sandbox, which confines each app to its own container and limits its access to system resources; independently of sandboxing, access to privacy-sensitive resources such as the camera and microphone requires explicit user consent.
Closely tied to the hardware and software features above, Apple cloud services are an important part of the whole ecosystem. They provide authentication, password storage, cloud storage, sync, payment, messaging, and communications. Privacy and data security are at the core of the following services:
- Apple ID and Managed Apple ID, which enforce strong password requirements. On company-owned devices, an MDM tool can set a passcode policy that matches company policy
- Two-factor authentication for Apple ID
- iCloud, which syncs information across a user's devices; a company-owned device can be restricted from specific iCloud services per company policy via an MDM
- Apple cryptographically signs App Store apps, and macOS verifies those signatures against Apple's root of trust before the app is allowed to launch
- iMessage, which uses the Apple Identity Service (IDS) to look up each recipient's public keys and APNs addresses and then delivers end-to-end encrypted messages
The Chain of Trust
As you can see, this vertical integration of hardware, software, and services creates a chain of trust that has proven a successful approach to securing endpoints. As impressive as that technology stack is, Apple also maintains some of the highest customer satisfaction marks, and businesses that have adopted the Mac report improvements in end-user productivity.
But this is all just the tip of the iceberg. To learn more, please read the Apple Platform Security Guide. If your organization needs help assessing whether your infrastructure can accommodate Apple devices, Wipro can help.
For more information, contact us at firstname.lastname@example.org