Different vendors, better security

Microsoft is getting into the security game. Some folks say, "It's about time." Others say, "Haven't they had security for years?" I look at it quite differently.

The facts: Microsoft acquired the anti-virus company GeCAD in 2003 and recently acquired anti-spyware maker Giant Company Software. Microsoft obviously plans to compete with Symantec, Network Associates and other companies that have made billions of dollars protecting users from the security holes in Microsoft products.

Now what's wrong with this picture? I firmly believe in homogenized milk, but not a homogenized network or computer system.

Imagine this scenario. MicroHome, a do-it-yourself construction company, builds a nice, simple shell for a house that lets people build effective, usable homes for themselves. MicroHome becomes enormously successful. Then other companies begin to offer materials such as tile roofs, better carpeting, lead-free paints, aluminum exteriors, upgraded appliances and so on. MicroHome wants a piece of that action, too, so it adds various enhancements to each new version of its products.

One day, NovaHome, a Utah company, notices that the only way to get from one MicroHome to the next is to fill a little floppy basket with goodies, put on a pair of sneakers and march down a winding path through the woods until you get to the next MicroHome. So NovaHome builds Inter-Home Express (IHX), a high-speed road system that lets every MicroHome attach an on-ramp/off-ramp. Now all the people can visit each other's homes easily.

However, some bad kids in one neighborhood notice that MicroHome didn't build locks into the doors and windows of its off-the-shelf houses. As a result, they can leap onto NovaHome's IHX and get into anyone's house they want.

Companies start to provide locks and keys for the MicroHomes. Eventually, MicroHome gets the hint and decides to add locks and keys to the houses it sells. However, MicroHome builds the lock-and-key systems in such a way that if a kid breaks into one MicroHome, he and his friends can break into any MicroHome.

Here's another scenario. Imagine you own a large, multinational company. Every door, window, desk, filing cabinet, garage and delivery truck in your facilities has a lock and key. Would you, as a responsible corporate leader, use the same locks, made by the same company, using the same keying system, for everything of value in your company?

We know that suites of products from one vendor are more vulnerable than those that are combined from different vendors. Why, with a single iota of common sense, would I add to my potential vulnerability by relying upon more homogeneity in mission-critical situations?

At the end of the day, I don't care if the new Microsoft security products outshine everything else by five orders of magnitude. There are three problems that are far more fundamental:

• Homogeneity in security is a recipe for disaster. One fundamental flaw in a critical place can break down all security efforts instantly. Well-managed heterogeneity is the only proven and effective approach.

• Expecting any vendor to self-regulate and monitor its own shortcomings in a public forum is wishful thinking at best, and dereliction if it comes down to a legal proceeding.

• Sooner or later, Microsoft's security products will be so integrated into Windows that they will be unable to be turned off or removed, and third-party products will be uninstallable, inoperable and undoubtedly labeled as malicious.

This is not a slam at Microsoft. This is an indictment of those who choose the easy, off-the-shelf answer to security rather than spend the time and effort to achieve a realistic level of security across their company. I can guarantee you that the bricks, mortar, trowel and roof of the third little pig's house all were made by different companies.

Copyright © 2005 IDG Communications, Inc.