Diversity Not the Answer to Monoculture Computing
Is diversifying software and operating systems the only way to reduce security risk in a software 'monoculture'? Don't be lulled into such an easy answer, says a technology analyst.
A recently published white paper, which argued that the federal government's increasing reliance on Microsoft software makes federal systems "susceptible to massive, cascading failures," has continued to spark controversy since it was first presented in September.
The report -- presented at a meeting of the Computer & Communications Industry Association (CCIA), a trade group which has been critical of Microsoft in the past -- suggested that reliance on only Microsoft operating systems and applications, which it calls 'monoculture computing,' increases the risk associated with security vulnerabilities and computer viruses.
But one analyst is arguing that enterprises should not conclude from the report or the ensuing debate that diversifying their software is the answer. Diverse operating systems will still have security issues, as well as increased costs, noted Michael Gartenberg, research director with Jupiter Research (owned by the same company as this Web site).
"A few weeks ago, the CCIA published a report that says a monoculture computing environment is a bad idea, citing the security issues on the rise as a result of Windows popularity on the desktop," Gartenberg said in a research note.
"Some analysts agree and suggest diversifying desktop operating systems is a good idea for lowering security costs and issues. The problem is that the causal relationship is almost never true, and diversity is not the answer."
Gartenberg argued that diversity will not lower security costs or risk. Instead, he said, businesses that follow advice suggesting they use multiple operating environments in their infrastructure will have to bear the security costs and issues associated with every operating system they run, instead of just one. That is on top of the other costs they will bear for supporting multiple operating systems and the software associated with each.
"The fallacy is that diverse operating systems will not have security issues or holes," he said, pointing to the fact that 16 of the 29 security advisories issued by the Computer Emergency Response Team (CERT) last year involved Linux or open source products.
"Any popular OS will draw the attention of virus writers and hackers, and today's interconnected systems are the real weak link," Gartenberg said. "If alternative systems grow in popularity, it is likely they will become the target of attack as well. Monoculture has nothing to do with it. When Apple commanded double-digit market share in the early 90s, Macintosh users were regularly plagued by virus issues."
That conclusion, at least, is borne out by the stance of Daniel Geer, primary author of the controversial report, CyberInsecurity: The Cost of Monopoly -- How the Dominance of Microsoft's Products Poses a Risk to Security.
In an interview with internetnews.com after the report was released, Geer said, "If the monoculture was all Linux, it would be just as bad."
Geer's argument is that a cascading failure of networked computers is made far more likely when all of the components of the network are alike. Replication and redundancy can mitigate the effects of failures, but Geer said that if the components are all the same, then no amount of replication can protect against a failure, because every replica shares the same flaw and fails in the same way.
"Nature has proven to us that a monoculture fails catastrophically," Geer told internetnews.com.
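The redundancy argument above can be made concrete with a small model. The following Python is an added example, not code from the report or from either party quoted here, and it assumes a deliberately simplified failure model: each distinct platform is compromised independently with some probability, and a compromise takes down every replica running on that platform (a common-mode failure). It computes exactly, by enumerating outcomes, the probability that a replicated service keeps at least one replica alive, so the reader can compare three replicas on one platform with three replicas on three platforms, including the case Gartenberg raises where an alternative platform is itself less secure. The model says nothing about the support costs he also raises.

```python
from itertools import product


def survival_probability(platforms, compromise_prob):
    """Exact probability that at least one replica survives.

    platforms: list of platform names, one per replica (duplicates allowed).
    compromise_prob: dict platform -> independent probability that the
      platform is compromised in a given attack wave. A compromised platform
      loses every replica on it; this is the common-mode assumption.
    Runs in O(2^k) for k distinct platforms, fine for the handful of
    platforms a real fleet runs.
    """
    distinct = sorted(set(platforms))
    total = 0.0
    for outcome in product([False, True], repeat=len(distinct)):
        # Probability of this exact pattern of compromised platforms.
        prob = 1.0
        for plat, hit in zip(distinct, outcome):
            p = compromise_prob[plat]
            prob *= p if hit else (1.0 - p)
        compromised = {plat for plat, hit in zip(distinct, outcome) if hit}
        # The service survives if any replica sits on an unhit platform.
        if any(plat not in compromised for plat in platforms):
            total += prob
    return total


def replicas_lost(platforms, compromised_platforms):
    """Size of the cascade: how many replicas fall when the given
    platforms are compromised (all replicas on those platforms fail)."""
    return sum(1 for plat in platforms if plat in compromised_platforms)


# Constructed scenarios (hypothetical numbers, not figures from the report).
MONOCULTURE = ["win", "win", "win"]
DIVERSE = ["win", "linux", "mac"]
EQUAL_RATES = {"win": 0.3, "linux": 0.3, "mac": 0.3}
# Gartenberg's point: an alternative platform can have worse holes of its own.
WEAK_ALTERNATIVE = {"win": 0.3, "linux": 0.5, "mac": 0.3}


def compare_fleets():
    """Return survival probabilities for the scenarios above."""
    return {
        "monoculture": survival_probability(MONOCULTURE, EQUAL_RATES),
        "diverse": survival_probability(DIVERSE, EQUAL_RATES),
        "diverse_weak_alt": survival_probability(DIVERSE, WEAK_ALTERNATIVE),
    }


if __name__ == "__main__":
    for name, p in compare_fleets().items():
        print(f"{name:18s} P(service survives) = {p:.3f}")
    print("cascade size, win compromised, monoculture:",
          replicas_lost(MONOCULTURE, {"win"}))
    print("cascade size, win compromised, diverse:    ",
          replicas_lost(DIVERSE, {"win"}))
```

Three identical replicas survive with exactly the probability that their one platform is not compromised (0.7 here), while three replicas on three independent platforms survive unless all three are hit (1 - 0.3^3 = 0.973). Raising the alternative platform's compromise rate to 0.5 lowers the diverse figure to 0.955, still well above the monoculture, which is the whole of Geer's argument: what replication buys depends on whether the replicas can fail independently.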
In the report, Geer suggested three remedies that he said would go a long way toward containing such an eventuality. The remedies were specific to Microsoft, but he said they would apply to any other entity able to dominate its market, as both IBM and AT&T have done in the past. Geer said Microsoft should:
- Publish interface specifications to major functional components of its code, both Windows and Office
- Foster development of alternative sources of functionality through an approach comparable to the 'plug and play' technology for hardware components
- Work with consortia of hardware and software vendors to define specifications and interfaces for future developments, in a way similar to the Internet Society's RFC process to define new protocols for the Internet.
But Gartenberg said that the best tack enterprises can take to protect themselves is focusing on proactive measures and taking responsibility for their own systems. He said businesses should make sure they deploy patches in a timely manner and use technology like personal firewalls, rather than seeking potential savings through diversity.
"If there is no functional ROI, diversity just raises operational costs and reduces productivity," he said. "The last thing IT shops need to deal with is affirmative action for minority operating systems."
However, he noted that diversity does make sense when there is a return-on-investment benefit associated with supporting multiple operating environments.
"Diversity does make sense when there is an ROI associated with functionality," he said. "For example, an organization that deploys Mac OS to meet certain business needs; as such, the ROI benefit almost certainly cancels out any TCO overhead."
Geer himself, formerly the CTO of Boston-based computer security firm @Stake, found himself out of a job the day after the release of the report.
The firm, which does business with Microsoft, said Geer's report was not approved by the company and that the "values and opinions of the report are not in line" with the company's views.