But there is no evidence that either party has actually analyzed the cost of diversity or quantified the risks of diversity. It appears clear they came up with the solution and then fit the facts of the problem into an argument that supports that conclusion.
We have yet to see a cost/benefit analysis that supports the conclusion that a heterogeneous computing environment lowers the overall threat level of a corporation, or that it is the most cost-effective of the choices available to you.
While diversity may -- and I stress may -- lower the extreme threat of some types of attack, diversity would have failed to protect enterprises from most of the attacks that have occurred to date. Few companies can continue to function if even 30% of their systems fail catastrophically. However, diversity will clearly increase costs sharply for sites that are highly consistent now. And diversity may even be less secure than a monoculture, increasing exposure to other types of attack.
A much better approach is to look at the entire security problem first, including the risks and costs of not doing anything, so that you have a foundation on which you can build alternatives. These alternatives include:
- Diversity.
- Accelerated adoption of patches.
- Locking down desktops so users cannot make changes and viruses and worms can't install themselves and run.
- Restricting ports, such as port 135, which effectively stopped the latest virus attack. (Corrected Friday 10/10/03; originally read port 80.)
- Implementing additional security products, such as virus software and firewalls.
- Maintaining "hot sites," or duplicates of key elements of the IT infrastructure, so if the main infrastructure is compromised, users can quickly switch to backup systems.
- Developing the capability to rapidly restore compromised software and data from backups.
- Deploying Windows on alternative hardware. For example, "PC blades" centralize the processors, memory and storage of PCs in a datacenter, while the display, keyboard and mouse are at the user's desktop. PC blades give users the benefit of having their own dedicated PC, while keeping the hardware in a centralized location where it can be more easily maintained and secured.
- Adding security staff or outsourced services.
The result of this analysis would be a security plan that is optimized for your environment. Even if you chose diversity, you could show that you went through a solid decision process before you reached the decision you made, and it wouldn't look like you were ticked at Microsoft and simply shot from the hip.
I'm not a big fan of diversity because so much of the research I've done over the last decade or so indicates that by eliminating diversity you can dramatically reduce costs. Companies can minimize support costs by rolling out identical hardware and software to every desktop through big-bang deployments. Going the other way in a knee-jerk reaction to just one class of security threat seems poorly founded.