I have a very simple question for those who either propagate or agree with the concept that monoculture is dangerous. If an organization was running all Linux on their desktops and servers, would you tell them that they have a big monoculture problem and they should immediately convert half of their desktops and servers to Windows XP and Windows 2003 in the name of cyber diversity? I would put money on the table that 9 out of 10 monoculture opponents would not.
It's no secret that the Washington-based anti-Microsoft lobby group CCIA is really more concerned about a Microsoft culture than a monoculture. The fact that this is so transparent leaves me wondering why we are still using the word "monoculture" when we all know that "monoculture" is simply code language for "MS-Culture." Why not call it what it is and say "we're concerned about the MS-Culture" instead of "we're concerned about Monoculture?"
Monoculture is being singled out because it is seen as one of the key advantages of the incumbent -- which in this case is Microsoft. The efficiencies of monoculture are so obvious that few organizations actually try to deviate from it. You would be hard-pressed to find a single CIO or IT Director who would go against the grain and choose to double their desktop complexity and associated support costs.
Rob Enderle did a superb column defending monoculture in general (never mind the title "In defense of the Microsoft Monoculture") because either a pure Linux monoculture or a pure Microsoft monoculture would be preferable to a multi-OS environment. Our own John Carroll did an even more in-depth look at the issues back when the whole debate began.
Even ignoring the efficiency gains of a monoculture, it could reasonably be argued that a monoculture is more secure than a mixed environment if you define "secure" as the fight against penetration rather than a system's survivability. Real cybercriminals are not interested in bringing your system down in order to get their name on some script kiddy scoreboard website; they want to penetrate your system so they can steal information. For example, if you ran an e-Commerce portal on both Microsoft IIS and Apache, you would be vulnerable to both IIS and Apache vulnerabilities rather than vulnerabilities from a single platform. You would increase the chance that someone could hack in and steal credit card numbers.
The biggest problem with security is not the next great unknown threat that might bring down a monoculture. The real danger is that organizations simply don't spend the time to patch the known vulnerabilities let alone implement best practices for security. It's silly that we still even entertain the idea that monoculture is dangerous when we know that the CCIA probably doesn't even mean it to begin with.