Thoughts on Monoculture

I was reading the comments in a post by Schneier today regarding some office in the military thinking about apple servers to avoid the attacks made against windows, and kept seeing the meme of "monoculture == bad". This is not a new debate, but I want to jot some thoughts.

  • Having a diversity of systems with equal access to a resource just means that you’ve extended your attack surface for all of the STRIDE classifications except Denial of Service.
  • Having a diversity of systems each serving a different partition of data/context does result in higher security if you are looking at all the information together. If an attacker only cares about the data of one partition, then diversity doesn’t help.
  • A diversity of systems that need to interoperate often use older and less secure protocols.
  • The primary argument (I’ve seen) against monoculture is that a system in the monoculture is weaker then it otherwise would have been because there are more attackers on that system and these attackers benefit from network effects in data sharing.
  • At a certain threshold, defenders start getting  network effect benefits too.
    • First, security vulns in a monoculture tend to not remain private (disadvantage or the network effects), allowing defenders to deal with not only specific issues, but learn to defend against classes of issues.
    • Security mitigation techniques are easier to deploy against like machines then diverse machines.
  • The monoculture reference to biology is actually harmful to understanding security. Biological systems care the most about survivability (Denial of Service?). Other aspects of security might have some defense as a side effect, but there really isn’t much of a notion of defending against information disclosure.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s