One man's corporate standard--another man's monoculture?

Summary: If you caught one of my recent blogs about zero-day exploits, a day in the life of a real IT manager, and how he's very worried about what he's seeing (in terms of what's getting through the cracks), then you also saw that Doc Searls is recommending that companies consider the idea of polycultures.  There's no question that  monoculture-based IT deployments increase the odds that a simple exploit can devastate an entire company, let alone the Internet.

If you caught one of my recent blogs about zero-day exploits, a day in the life of a real IT manager, and how worried he is about what he's seeing (in terms of what's getting through the cracks), then you also saw that Doc Searls is recommending that companies consider the idea of polycultures. There's no question that monoculture-based IT deployments increase the odds that a simple exploit can devastate an entire company, let alone the Internet. After all, as the recent Zotob outbreak just demonstrated, whatever brings one computer down can easily bring down the rest if they're all running the same thing (which is basically the definition of a monoculture). For example, more than half of the South Florida-based Memorial Healthcare System's 5,000 workstations were brought to their knees by Zotob before the medical institution's IT staff was able to restrict the worm's movement and protect the rest. 12,000 of San Diego County's computers were impacted, as were systems at 13 of Daimler-Chrysler's plants.

So, maybe Searls is right. Perhaps the polyculture approach could make a good hedge for those looking for ways to mitigate their risk. But the question I have is: has anybody compared the usage of the terms "monoculture" and "corporate standard"? If you think about it, the two are sort of the same thing. We set all sorts of corporate standards to ease the IT department's pain when it comes to training, support, and running only what has been proven not to wreck the corporate network through interoperability or compatibility problems. But then, when we realize how exposed that leaves us -- for example, how one little exploit can bring the entire company down -- it becomes a monoculture that creates a whole new set of problems for us. This is a real opportunity-cost scenario, where the better questions are (1) do the benefits of corporate standards outweigh the potential costs of running a monoculture? or (2) on the flip side, do the mitigated risks of a polyculture outweigh the benefits of corporate standards? There's probably no one-size-fits-all answer. For some, it's the former. For others, probably the latter. What is it for you?
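The opportunity-cost question above can be put in numbers. The following is an added example, not part of the original post and not Doc Searls' model: it enumerates every combination of per-platform worm outbreaks for a fleet and compares a single-platform fleet with one split across three platforms. The platform names, the per-platform outbreak probabilities, the assumption that outbreaks on different platforms are independent, and the assumption that an outbreak compromises half of a platform's hosts before containment (the post's Zotob figure for a 5,000-workstation fleet motivates that value) are all constructed for illustration. The "catastrophic" threshold of 45% of the fleet is likewise an assumption.

```python
from itertools import product
from typing import Dict, Tuple

# Constructed fleet compositions: fraction of the fleet on each platform.
# Platform names and every number below are assumptions for illustration.
MONOCULTURE: Dict[str, float] = {"platform_A": 1.0}
POLYCULTURE: Dict[str, float] = {"platform_A": 0.5, "platform_B": 0.3, "platform_C": 0.2}

# Assumed probability, per planning period, that a wormable exploit for the
# platform reaches the network before the fleet is patched (constructed values).
OUTBREAK_PROB: Dict[str, float] = {"platform_A": 0.30, "platform_B": 0.15, "platform_C": 0.10}


def fleet_risk(composition: Dict[str, float],
               outbreak_prob: Dict[str, float],
               hit_rate: float = 0.5,
               catastrophic: float = 0.45) -> Tuple[float, float]:
    """Enumerate every combination of outbreaks and return
    (expected fraction of the fleet compromised,
     probability that at least `catastrophic` of the fleet is down at once).

    Modelling assumptions (constructed, not from the post):
      * outbreaks on different platforms are independent events;
      * an outbreak compromises `hit_rate` of that platform's hosts before
        containment (roughly half, as in the post's Zotob example);
      * an outage is "catastrophic" when it takes down `catastrophic` of the fleet.
    """
    platforms = list(composition)
    expected = 0.0
    p_catastrophic = 0.0
    for outcome in product((False, True), repeat=len(platforms)):
        prob = 1.0   # probability of this particular combination of outbreaks
        down = 0.0   # fraction of the whole fleet compromised in that case
        for name, hit in zip(platforms, outcome):
            q = outbreak_prob[name]
            prob *= q if hit else 1.0 - q
            if hit:
                down += composition[name] * hit_rate
        expected += prob * down
        if down >= catastrophic:
            p_catastrophic += prob
    return expected, p_catastrophic


def expected_hosts_down(composition: Dict[str, float],
                        outbreak_prob: Dict[str, float],
                        fleet_size: int, **kwargs) -> float:
    """Scale the expected compromised fraction to a concrete fleet size."""
    expected, _ = fleet_risk(composition, outbreak_prob, **kwargs)
    return expected * fleet_size


def compare(fleet_size: int = 5000) -> Dict[str, Dict[str, float]]:
    """Side-by-side numbers for the two deployment strategies, including the
    support burden (number of distinct images/patch streams) a standard buys down."""
    report: Dict[str, Dict[str, float]] = {}
    for label, comp in (("monoculture", MONOCULTURE), ("polyculture", POLYCULTURE)):
        expected, p_cat = fleet_risk(comp, OUTBREAK_PROB)
        report[label] = {
            "expected_fraction_down": expected,
            "p_catastrophic": p_cat,
            "expected_hosts_down": expected * fleet_size,
            "distinct_platforms_to_support": float(len(comp)),
        }
    return report


if __name__ == "__main__":
    for label, stats in compare().items():
        print(label)
        for key, value in stats.items():
            print(f"  {key}: {value:.4f}")
```

With these constructed inputs the split fleet lowers the expected loss only modestly (about 10.8% of hosts versus 15%), but it cuts the probability of losing nearly half the fleet at once from 30% to under 1%, because that now requires three independent outbreaks to coincide. The price is three images and three patch streams to test instead of one, which is exactly the cost a corporate standard exists to avoid; the model makes the trade the post describes explicit rather than settling it.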

Topic: Malware

Talkback

39 comments
  • Or just turn automatic update on and be done with it.

    Seems pretty simple...
    No_Ax_to_Grind
    • Yeah, that's great,

      Let's update stuff without testing on a corporate network... Use SUS and test the patches before rolling them... And hope that you get the patch before you get whacked by whatever the patch was for. Most MS patches are reactive, not proactive...
      Oh wait... If you're using Windows 2000 you have to upgrade; they don't support it anymore. So much for Automatic Updates or SUS.
      icorson1
      • I see you don't understand MS corporate

        upgrade systems. Oh well...
        No_Ax_to_Grind
      • First of all, no longer SUS

        WSUS (complete revamp from SUS) works for Windows 2000 and XP, and it works well. It even supports rollback in case a patch breaks something.

        By the way, a basic firewall would have prevented this worm in the first place.
        george_ou
        • Stop using facts, George. These are the talkbacks, after all.

          ;-)
          No_Ax_to_Grind
    • Pretty flippant response

      Just how does this address monoculture - other than to perpetuate it?
      Roger Ramjet
  • Corporate standard

    Standards certainly reduce the costs of running an IT department, and since an IT department is a G&A cost center, reductions are unqualified Good Things.

    For example, we're in the process of some major cost reduction as a result of standardizing on Dell notebook computers for everyone. We get a big break by having the same models throughout the Company, and since they're identical they can be kitted out with identical drive images.

    Granted, some people will always find something to complain about. We had to fire one of the integrated-circuit designers who was constantly bitching about giving up his Linux workstation with 24" high-res display in favor of a 14" 1024x768 notebook connected to a remote server. No room for anyone who isn't a team player.
    Yagotta B. Kidding
    • Mike Cox, is that you?

      [Granted, some people will always find something to complain about. We had to fire one of the integrated-circuit designers who was constantly bitching about giving up his Linux workstation with 24" high-res display in favor of a 14" 1024x768 notebook connected to a remote server. No room for anyone who isn't a team player.]

      Sounds like a Mike Cox statement!
      Roger Ramjet
      • I wish

        [i]Sounds like a Mike Cox statement![/i]

        Alas, although the delivery is tongue-in-cheek the basic facts are dead-on. For instance, since a 17" monitor is adequate for reading e-mail and preparing PowerPoint slides $COMPANY has dictated that everyone from receptionists to polygon pushers will use the same standard 17" CRT as a cost savings.

        The poor schmo who was trying to do incredibly complex graphic design with his face 4" from the screen was complaining that his eyes couldn't take the strain. Bitch, bitch, bitch. He should have been happy to have a tool suite that costs over $50,000 per year just for the maintenance contract, but was he? [b]Noooo[/b] -- he wanted a $500 monitor, too.

        $COMPANY is right, though -- several of his cow-orkers are buying their own monitors for use at work, so IT can even cut the cost of the cheap monitors next.
        Yagotta B. Kidding
        • What Next?

          You could do what my company does and just require every new hire and current employee to supply their own machines completely. This reduces cost even further and is a great boost to company P&L.

          We're currently working on per-employee referral for individual seat licenses; that's the next cost-cutting move we think will allow us to fully staff our department for the workload we have. Next year, vacation and non-essential holidays are going away, too.
          jtnixon
  • Benefit of a monoculture vs. risk.

    The bottom line here is that the benefit of having all systems alike far outweighs the possible risk.
    No_Ax_to_Grind
    • That may be

      but to make such a bold statement without more of a discussion risks sounding like a decree . . .
      Roger Ramjet
      • Not at all, don't we see it every day?

        I mean, to me it seems pretty obvious: IT departments want a standard set-up. Do you see something different?
        No_Ax_to_Grind
    • Risks

      Having all systems alike also brings increased security risks, though.
      Anti_Zealot
      • Yes, but it seems most accept them.

        I am sure there are those that don't, but my experience is that the majority of IT departments want everything as standard as they can get it.
        No_Ax_to_Grind
        • Of course they do

          [i]my experience is that the majority of IT departments want everything as standard as they can get it.[/i]

          It keeps their costs down and simplifies their workload. The effect on productivity is not their problem.
          Yagotta B. Kidding
          • So then you agree with me.

            End of debate...
            No_Ax_to_Grind
    • Absolutely!

      [i]The bottom line here is that the benefit of having all systems alike far outweighs the possible risk.[/i]

      Just think how much the US would have saved if we'd all standardized on driving Pintos.
      Yagotta B. Kidding
    • Thanks

      You've tied the monoculture to an elevated risk. It seems they are synonymous. It's become your risk to take.

      As computers blink out across corporate America, the accumulated consequences grind against the nebulous "risk" and start making risk look pretty good. But America loves a good glory wound, doesn't it?

      What you are for or against hardly matters unless you're in the position to do something about it. This option is what your monoculture denies you.

      With every article, Wintel advocates find another way to declare impotence.
      Harry Bardal
      • What a poor argument, and it defies the facts.

        Sorry, but as I work with many IT departments I hear the same thing over and over: they want to have a standard set-up on everything it is possible to do so with. Are you saying you work with IT departments that deliberately shun standards to be more secure? I'd sure like to ask them why...
        No_Ax_to_Grind