My grandmother used to say, “Don’t put all your eggs in one basket.” As a child, I did not understand what she meant, but as I grew older, I came to understand that she was talking about diversity.
Diversity is good. It makes us strong and healthy. Diverse groups are competitive and successful. It allows us to combine strengths and mitigate weaknesses.
If Ireland had had more crop diversity in 1845, the Irish Potato Famine would not have occurred.
Diversity is good for plants, animals, people, financial investments, and everything else.
No one argues otherwise.
The corporate IT monoculture
If diversity is good, then why do many IT managers install Microsoft Windows on every client, join them to a domain, and then install a low-level remote management system (such as SolarWinds Orion, Kaseya VSA or NinjaRMM)?
These systems have been used by attackers to compromise entire organizations.
Why build an insecure monoculture that your business depends on?
Consistency is more efficient than diversity - A uniform environment can be scaled and optimized until there is nothing left to improve, cut or change.
Diversity isn’t the safe choice - A former colleague used to say, “No one ever got fired for buying IBM”. He meant that buying IBM was the safe choice. Why was it safe? Because everyone else bought IBM too. As an IT manager, it’s easy to deflect blame to the industry, but only if you’ve done the same things they have done. It’s not your fault when things go wrong. The industry made a mistake and will collectively correct it. In fact, we will all get together and talk about it at the next conference over vendor provided drinks and dinners.
Diversity isn’t compliant - From a security compliance perspective, a diverse environment is framed as “out of control”. The yields can’t be predicted, charted and presented at board meetings as easily as those of homogeneous environments can. If the DNS team runs BIND on OpenBSD while the database team runs Postgres on Debian Linux and the storage team runs FreeBSD for NAS services, it will be seen as an “inefficient mess that needs to be cleaned up and optimized”.
A similar problem
Cryptographers and computer scientists consider encryption backdoors to be a bad idea. They sometimes refer to them as “exceptional access systems”.
Why are they a bad idea? Because it’s impossible to build a backdoor and ensure it’s not abused.
“This report’s analysis of law enforcement demands for exceptional access to private communications and data shows that such access will open doors through which criminals and malicious nation-states can attack the very individuals law enforcement seeks to defend.” - Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications
Centralized remote management is an “exceptional access system” and has the same basic problem as encryption backdoors… it is impossible to ensure they will not be abused.
Can we be both consistent and diverse?
- Use a NAC to technically enforce security controls. Each client would have a NAC agent installed that reads local files, registry keys and settings. The agent would send the data to the NAC server, which verifies that the device is up to date, has current security signatures and has logging/alerting correctly configured. In this approach, the NAC server has no write access to the clients.
- For remote support, require clients to initiate support connections while an end user is present. This approach would not allow the central remote management server to initiate connections and would prevent the compromise of a control server from taking over all devices on the network.
- Isolate critical services (DNS, email, web). Do not join them to the domain and do not install remote management software on them. Use unique admin credentials for each service and standard Windows utilities (RDP) to manage them.
- More thoughts to come… add yours to the comments below.
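As an added illustration of the read-only NAC approach in the first point above (example code written for this post, not any vendor's product), here is the server-side half: the agent reports what it read locally, and the server only evaluates that report against policy. The field names, thresholds and sample reports are assumptions constructed for the example.

```python
# Server-side posture checks for the read-only NAC design described above.
# Constructed illustration: the agent reads local facts and sends a report;
# the server only evaluates it against policy and has no write path back.
from datetime import datetime, timedelta, timezone

# Assumed policy thresholds for this illustration.
MAX_PATCH_AGE = timedelta(days=30)
MAX_SIGNATURE_AGE = timedelta(days=2)

def _parse_ts(value):
    """Parse an ISO-8601 timestamp sent by the agent; None if missing or invalid."""
    if not isinstance(value, str):
        return None
    try:
        ts = datetime.fromisoformat(value)
    except ValueError:
        return None
    # Treat a timestamp without a zone as UTC so comparisons never raise.
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)

def evaluate_posture(report, now):
    """Return policy findings for one agent report; an empty list is compliant.
    The report is untrusted input: a missing or malformed field becomes a
    finding rather than an exception, so a broken agent cannot crash the server."""
    findings = []
    patched = _parse_ts(report.get("last_patch_utc"))
    if patched is None:
        findings.append("patch status unknown")
    elif now - patched > MAX_PATCH_AGE:
        findings.append("patches older than %d days" % MAX_PATCH_AGE.days)
    sigs = _parse_ts(report.get("av_signature_utc"))
    if sigs is None:
        findings.append("security signatures unknown")
    elif now - sigs > MAX_SIGNATURE_AGE:
        findings.append("security signatures out of date")
    log = report.get("logging")
    if not isinstance(log, dict) or not log.get("forwarding_enabled"):
        findings.append("log forwarding not enabled")
    elif not log.get("collector"):
        findings.append("no log collector configured")
    return findings

# Constructed sample reports and a fixed evaluation time.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
OK_REPORT = {"last_patch_utc": "2024-05-20T03:00:00+00:00",
             "av_signature_utc": "2024-05-31T12:00:00+00:00",
             "logging": {"forwarding_enabled": True, "collector": "siem.example"}}
STALE_REPORT = {"last_patch_utc": "2024-03-01T03:00:00+00:00",
                "av_signature_utc": "not-a-date",
                "logging": {"forwarding_enabled": False}}
```

`evaluate_posture(OK_REPORT, NOW)` returns an empty list, while `evaluate_posture(STALE_REPORT, NOW)` returns three findings; what happens to a non-compliant device (quarantine VLAN, ticket, alert) is a separate enforcement decision that still needs no write access to the client.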
We live in a world where efficiency and optimization are considered key to scaling. We strive to do more with less. We chart, graph, predict, forecast and present data. We need consistency to do these things.
But to be strong and resilient, we need diversity too.