I was reading the comments in a post by Schneier today regarding some office in the military thinking about Apple servers to avoid the attacks made against Windows, and kept seeing the meme of "monoculture == bad". This is not a new debate, but I want to jot down some thoughts.
- Having a diversity of systems with equal access to a resource just means that you’ve extended your attack surface for all of the STRIDE classifications except Denial of Service.
- Having a diversity of systems each serving a different partition of data/context does result in higher security if you are looking at all the information together. If an attacker only cares about the data of one partition, then diversity doesn’t help.
- A diversity of systems that need to interoperate often use older and less secure protocols.
- The primary argument (I’ve seen) against monoculture is that a system in the monoculture is weaker than it otherwise would have been because there are more attackers on that system, and these attackers benefit from network effects in data sharing.
- At a certain threshold, defenders start getting network effect benefits too.
- First, security vulns in a monoculture tend not to remain private (a disadvantage of the network effects for attackers), allowing defenders to deal with not only specific issues, but to learn to defend against classes of issues.
- Security mitigation techniques are easier to deploy against like machines than against diverse machines.
- The monoculture reference to biology is actually harmful to understanding security. Biological systems care the most about survivability (Denial of Service?). Other aspects of security might have some defense as a side effect, but there really isn’t much of a notion of defending against information disclosure.