A simple application Apple filed earlier this year with the Federal Register for permission to establish production in a U.S. foreign trade zone was all it took. According to numerous reports on the Web and in social media outlets that followed, Apple was planning on moving its component and server production for its datacenters to a site in Mesa, Ariz.
As it turned out, Apple was quick to clarify it only plans to assemble its server racks in the zone in Mesa where it will not have to pay tariffs and custom duties on parts imported or exported to and from the location. Apple will also consolidate its server rack-assembly sites in Mesa to supply Apple’s datacenters in the U.S., such as its locations in Oregon and North Carolina. The location already serves as a central backup location for its iCloud and iTunes data.
However, while Apple’s move to consolidate its rack builds is not as radical as originally reported, it does reflect how the smartphone giant is addressing security concerns about configuring its servers and racks. Instead of relying on third-party suppliers for already-mounted server racks and servers with potential software and hardware security holes, Apple is moving much of that part of its supply chain in-house.
Apple decision, security experts say, is smart.
“By building the servers closer to the distribution target data centers in U.S., Apple can reduce the risks of the devices from being tampered with from a third party,” Ertunga Arsal, CEO of cyber security company ESNC told EBN. “It can increase the security of its internal servers by applying more controls on the physical build processes.”
Indeed, in theory, it thus certainly makes sense for OEMs to configure their backend servers and even components to help eliminate security risks from suppliers– to the extent that they are able.
“OEMs that build their own components and servers would reap great security advantages, and it would even be strongly recommended,” Arsal said. “But we also see many OEMs that have insecure IT systems, which they use to update the firmware of their products before they are shipped. If this is the case, even in-house built components and servers would not rescue them.”
In one case, ESNC identified a portal in a device used to update the firmware that had a critical SQL injection flaw. “The security vulnerability could have given an attacker the capability of uploading malicious firmware, which would have then been installed on the devices before they were distributed,” Arsal said. “After a thorough investigation, we determined the portal was fortunately not compromised. But this was a wakeup call for the OEM.”
The incident points up to how OEMs would certainly solve many security issues by securing their servers and networks, as well as building their own components themselves—but the obvious problem is the cost to do that. “In-house production offers the most security and is strongly recommended–that is, only if the price tag that come with it makes sense,” Arsal said.
The software solution
OEMs must thus rely on security software for protection throughout most of their supply chains, given the obvious cost implications involved in building server racks, much less components, in-house. However, software is just not enough ensure that the parts coming in do not have embedded malware and other vulnerabilities, Michael Morris, chief technology officer for root9B, told EBN.
“Unfortunately, the community has relied on automated security solutions to reduce costs. Although these security products are a necessity, they cannot be your only reliance for security,” Morris said. “This particular topic is a perfect example of how security products have failed to protect users and infrastructure. In many cases, security software is expected to protect the operating environment.
The big tradeoff
Apple’s production of its server racks in-house, for example, obviously represents just a fraction of its vast supply chain network around the world. It also shows how even one of the world’s most profitable companies continues to rely heavily on third-party suppliers despite the security risks, underscoring the futility of ever moving more supplier production in-house for OEMs with more limited resources.
OEM inventing its own operating system and endpoint security entirely from scratch. This might be a reasonable approach for a handful of organizations on the planet–but only a handful,” Ang Cui, CEO and chief scientist for Red Balloon Security, told EBN. “The more reasonable approach for the vast majority of OEMs is to demand access to third-party security solutions at each and every layer of their computing infrastructure.”