In Defense Of the Microsoft Monoculture (Column, By Rob Enderle) - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Software // Enterprise Applications
06:31 PM

In Defense Of the Microsoft Monoculture (Column, By Rob Enderle)

Two high-profile organizations recently argued that diverse software environments are inherently more secure than a Microsoft-only "monoculture." But managing diversity is expensive, and diversity creates its own security problems.

Two high-profile organizations recently argued that diverse environments are inherently more secure than "monoculture" (read: Microsoft-only) environments. They argue that an organization that deploys multiple computing platforms will be inherently more secure than an organization running a single platform on all systems. While they admit costs will go up, they argue that increased security will be worth it.

These arguments were put forward by Gartner and, separately, a panel hosted by the anti-Microsoft Computer & Communications Industry Association.

But there is no evidence that either party has actually analyzed the cost of diversity or quantified the risks of diversity. It appears clear they came up with the solution and then fit the facts of the problem into an argument that supports that conclusion.

We have yet to see a cost/benefit analysis that supports the conclusion that a heterogeneous computing environment lowers the overall threat level of a corporation, or that it is the most cost effective of the choices available to you.

While diversity may -- and I stress may -- lower the extreme threat of some types of attack, diversity would have failed to protect enterprises from most of the attacks that have occurred to date. Few companies can continue to function if even 30% of their systems fail catastrophically. However, diversity will clearly increase costs sharply for sites that are highly consistent now. And diversity may even be less secure than a monoculture, increasing exposure to other types of attack.

A much better approach is to look at the entire security problem first, including the risks and costs of not doing anything, so that you have a foundation on which you can build alternatives. These alternatives include:

- Diversity.

- Accelerated adoption of patches.

- Locking down desktops so users cannot make changes and viruses and worms can't install themselves and run.

- Restricting ports, such as port 80 135, which effectively stopped the latest virus attack. (Corrected Friday 10/10/03.)

- Implementing additional security products, such as virus software and firewalls.

- maintaining "hot sites," or duplicates of key elements of the IT infrastructure, so if the main infrastructure is compromised, users can quickly switch to backup systems.

- Developing the capability to rapidly restore compromised software and data from backups.

- Deploying Windows on alternative hardware. For example, "PC blades" centralize the processors, memory and storage of PCs in a datacenter, while the display, keyboard and mouse are at the user's desktop. PC blades give users the benefit of having their own dedicated PC, while keeping the hardware in a centralized location where it can be more easily maintained and secured.

- Adding security staff or outsourced services.

The result of this analysis would be a security plan that is optimized for your environment. Even if you chose diversity, you could show that you went through a solid decision process before you reached the decision you made, and it wouldn't look like you were ticked at Microsoft and simply shot from the hip.

I'm not a big fan of diversity because so much the research I've done over the last decade or so indicates that by eliminating diversity you can dramatically reduce costs. Companies can minimize support costs by rolling out identical hardware and software to every desktop through big bang deployments. Going the other way in a knee jerk reaction to just one class of security threat seems poorly founded.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
1 of 2
Comment  | 
Print  | 
More Insights
The State of Chatbots: Pandemic Edition
Jessica Davis, Senior Editor, Enterprise Apps,  9/10/2020
Deloitte on Cloud, the Edge, and Enterprise Expectations
Joao-Pierre S. Ruth, Senior Writer,  9/14/2020
Data Science: How the Pandemic Has Affected 10 Popular Jobs
Cynthia Harvey, Freelance Journalist, InformationWeek,  9/9/2020
White Papers
Register for InformationWeek Newsletters
Current Issue
IT Automation Transforms Network Management
In this special report we will examine the layers of automation and orchestration in IT operations, and how they can provide high availability and greater scale for modern applications and business demands.
Flash Poll