Product-based Security vs. Service-based Security



Microsoft has recently announced a new security service called OneCare that aspires to provide busy consumers with virus and spyware protection, firewall protection, performance tuning, data backup and PC maintenance all in one package. It exemplifies the trend away from the standalone product model.


Ownership vs. Subscription Model


Some folks just like to feel that what they buy is theirs, to do with as they please after they plunk down their hard-earned cash. These are the people who would never think of leasing a car or renting a house. Even if they must “pay it out” and incur interest charges because it’s too large a purchase to pay in full up front, at least they have something to show for it at the end of the finance period. I confess to being one of those people.


I’ve never leased a computer (or bought one on credit for that matter) and probably wouldn’t even if there were a clear financial advantage. In the software world, however, the old rules have never really applied. That’s because you never (or almost never) actually buy software anyway; you merely purchase a license to use the software. Traditionally, that license gave you the right to use it for as long as you wanted (within the parameters of the EULA), or at least as long as there was hardware around to support it.


However, the latest trend (which seems to be more popular with vendors than with users) is to sell software on a subscription basis. The first to successfully implement this were the anti-virus vendors; it makes sense in that case because AV software is useless unless the AV definitions are updated on a regular basis. Anti-spyware programs and other security programs that require constant updates to keep up with the latest attack signatures or domain black lists, all logical candidates for this model, have followed suit.


Characteristics of the Subscription Model


For the vendor, the advantage of the subscription/service model is obvious: a constant, more predictable revenue stream. The vendor has no guarantee that businesses or individuals will upgrade their software as soon as a new version appears; many just keep on using the old product as long as it meets their needs. If they’re tied into a subscription model, they must pay the yearly fee to keep using the software.


There are advantages for the software customers, as well, although they depend on how the service is implemented. If, rather than paying $500 for a perpetual software license and then paying an upgrade fee of $300 every couple of years when a new version comes out, you could instead pay $150 per year for a subscription, your overall expenditure and your initial outlay would be lower. And, as for the vendor, the cost is more predictable and thus easier to work into the budget.


Service-based software is often different in more than just its pricing structure, though. The ultimate in service-based software is the ASP delivery model, where the vendor actually hosts the software on its own servers and takes care of maintenance, troubleshooting, etc. This can relieve the customer of the costs of administrative overhead. On the other hand, it makes the customer dependent on the vendor to a much greater extent, and dependent on the network connection to the vendor’s services. If the service is hosted over the Internet, and your (or the vendor’s) Internet connection is disrupted, your software may be unavailable.


How Well Does the Service Model Work for Security?


Most security products are well suited to the service model. Whereas many of us might be wary of paying a yearly subscription fee for our word processing or spreadsheet software (viewing it as a way to force us to upgrade whether we want to or not), we understand that intrusions/attacks, viruses, Trojans, worms, spyware and other security risks are constantly being created and modified, so it’s essential that the software and related definition files always be up to date.


A hybrid product/service model has been working well for the major AV vendors for quite some time. You purchase the AV program (for example, Norton Antivirus 2004) and then you pay a yearly fee for the live update, which allows you to download from the Internet not only new definitions on a daily, weekly or monthly basis, but also program updates.


Other security products, such as application layer filtering add-ons for your firewall (Websense, SurfControl, etc.), use the same sort of hybrid product/subscription model.


Some services require no software to be installed on your systems. For example, e-mail spam filtering services such as MailRoute intercept spam mail before it ever gets to your servers.


Microsoft OneCare


Consumers and businesses alike are spending more and more time and money on security products, on keeping operating systems and applications properly patched, and on regular software maintenance to address error messages, poor performance, etc. Microsoft’s latest idea is to roll all this together into a single paid subscription service called OneCare that will:



  • Provide constantly updated firewall protection
  • Provide constantly updated anti-virus protection
  • Provide PC “health” maintenance
  • Provide performance tuning
  • Provide data backup

The OneCare service is in private beta testing at the time of this writing. As the beta is opened up to members of the public, you can visit the following site to learn how to participate: http://beta.windowsonecare.com/betaentry.aspx.


The company has taken a bit of a bashing over its plans to charge for the service; apparently many users feel that, although third-party vendors charge for personal firewall products, AV programs, health and performance maintenance software and backup services, Microsoft should provide those services at no cost.


What do you think? Do you prefer the product or service model for software in general, and for security software in particular? Is Microsoft wrong to charge for their OneCare service? Visit the General Security Discussion message board at http://www.security-forums.com/forum/ and let us know your opinions on this topic.
