Spread security risks with diversity

Some diversity needs to be built into IT systems so that the overall infrastructure is made more resilient, says Sun Microsystems executive.
Written by Vivian Yeo, Contributor

Organizations can enhance the resiliency or "survivability" of their IT infrastructure by introducing diversity, according to a Sun Microsystems executive.

Joel Weise, chief technologist and principal engineer at Sun Microsystems, told ZDNet Asia in an interview that while uniformity has its advantages, a threat targeting a common vulnerability in a "monoculture" would have a "domino effect".

"Maybe having a monoculture is not a good idea; maybe having standardized images is not as good an idea as we thought it was," he said.

Organizations, however, should not rush into changing configurations or filling out their infrastructure with varying brands, said Weise. "[Rather], think about how you're implementing your entire infrastructure so it has some sort of characteristics of diversity, just in case you need to be concerned about that monoculture."

The idea of diversity is part of a wider perspective that Sun has on IT security, said Weise. Termed "adaptive security", it draws on principles or parallels from biological and ecological systems.

Anticipate and adapt
Biological systems, he explained, possess some element of immunity to diseases: human bodies have the natural and automatic ability to mount attacks against threats. Likewise, ecological systems respond to threats by spreading the risks across themselves, so that survival does not depend on a single element or entity.

When applied to the IT ecosystem, adaptive security allows applications and systems to self-configure, self-detect, and even self-quarantine when under attack so as to ensure the survivability of the rest of the ecosystem. IT administrators can map or model "acceptable behavior", translate that into security configurations or policies for systems, and have them act on anomalous behavior based on the settings, said Weise.

Putting in place adaptive security can also help organizations anticipate and respond to zero-day threats, he pointed out. "Today, for the most part, people are reactive in terms of security. We want to be proactive…and not just wait for something to happen." Such technologies, he added, are still in the laboratory stage although some "serious headway" could soon be made.

Weise noted that the ability to anticipate threats will be a "really major discriminator" for businesses. "If I can anticipate threats, I actually can reduce the attack surface. The other benefit is that you become more operationally efficient," he said, adding that operational efficiencies would come from automation, and minimizing the types of risks that administrators need to understand.

Putting adaptive security into practice does not actually require enterprises to tap into new hardware or software, said Weise. Existing technologies such as virtualization have the necessary features, such as compartmentalization, that provide the ability to contain or isolate problems.

Weise said: "Collectively aggregate the types of different means [of protection principles]…and you're reducing the threat window tremendously." In the long run, businesses will have systems that are not only operationally more efficient and less likely to fail, but they will also be less susceptible to attack, he added.
