Compliance Management, Incident Response, TDR

Diversity breeds system resilience

IT managers should consider the benefits of non-interoperable platforms, says AT&T's Ed Amoroso.

Natural scientists have known for years that a diverse ecosystem is always more resilient than a monoculture to disease. High levels of biodiversity reduce the risk that a single disease could wipe out an ecosystem. Computer scientists, on the other hand, seem harder to convince regarding the benefits of diversity. For decades, computer science theory and information technology practice have focused on maximizing interoperability of technology in the name of standardized operations. Traditional management teams have praised programs that remove differences in enterprise systems, resulting in lower operational costs – but also less secure infrastructure.

The popular near-obsession with maintaining common, standard operating IT environments has made it easier for cyberattacks to spread across systems. Standardized operations are important for compliance and can minimize day-to-day maintenance, administration and training costs. For these cost-motivated reasons, diversity is generally not a prominent goal in most infrastructure settings. However, commonality inadvertently reduces the number of assumptions that must be made by an adversary in order to instigate an attack with maximum reach.  Worms, for example, rely on the ability to identify common, reachable, interoperable systems on the network that will accept and execute a copy of the program.

Diversity introduces intentional and significant differences into technology systems. These differences can include vendor source, deployment approach, network connectivity, programming language and operating system. Deliberate non-interoperability reduces redundant vulnerabilities to prevent an attack from cascading from one component to another. Similar to the way diseases function in a biological environment, a problem originating in one area of an IT system will only spread in the presence of a common vulnerability. If system technologies are sufficiently diverse, then attack propagation can be reduced or even stopped.

Nevertheless, diversity is difficult to implement for several reasons. We must first acknowledge that the PC operating system landscape is largely driven by a single software vendor, so security initiatives must immediately accept an ecosystem lacking in diversity across one element of the enterprise. Mobile operating systems currently offer considerable diversity, but it is possible we will see a trend toward greater consolidation.

Diversity also conflicts with the typical organizational goal of simplifying supplier and vendor relationships, including improved terms often available from a vendor when buying in bulk. If an organization is committed to diversity, the argument goes, they could be forced to introduce a second vendor with a reduction in the level of service provided.

For IT managers, an inventory of infrastructure components should emphasize the degree of over-reliance on one technology or vendor. This inventory should include computing elements, software, network components and services. Where over-reliance on one technology or vendor might exist, IT managers should look closely at the specifics of each situation. If, for example, the performance of that single vendor or technology has been flawless, then such an arrangement might be fine. But if the performance has been marked by repeat software and security issues – especially exploitable vulnerabilities – then some diversity planning might be appropriate. This is best done as part of the standard procurement process. It requires some work, but the time spent is well worth the effort.

Ed Amoroso is SVP and CSO for AT&T Services. His fifth and latest book is Cyber Attacks: Protecting National Infrastructure (Butterworth-Heinemann).

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.