Inherent insecurity

Now that desktop PCs have put a veritable petri dish for viruses on every desk, the only sure-fire answer is to remove the nutrients. But where should we start?

Some experts say the roots of our current security plague lie in the fact that are we living in a Microsoft monoculture. Yet there is a more fundamental problem: There is simply too much to attack.

		Get Up to Speed on... Enterprise security Get the latest headlines and company-specific news in our expanded GUTS section.

The desktop computing model is just asking for infection, and trying to inoculate each PC with patches is like trying to cure a flu outbreak by offering individual doses of medicine after it's too late.

Computer viruses, like organic viruses, come in too many shapes and sizes and mutate into new forms so quickly that we have little hope of systemically recognizing and stopping them. But perhaps we can redefine the rules of the game.

Right now, every PC has to be responsible for protecting itself while viruses are free to run around the network.

Right now, every PC has to be responsible for protecting itself while viruses are free to run around the network. And it takes just a few unprotected desktops out of the millions available to allow viruses to continue to propagate. If a desktop PC gets badly infected, its user will experience a good deal of downtime while the PC gets cleaned up. Furthermore, many companies that have solid firewalls around their perimeters are painfully aware of what can happen when a traveling user plugs an infected laptop into the local network.

Servers, on the other hand, operate in highly managed environments and are much easier to protect than desktop PCs. If a server is infected, it can simply be taken offline, blocking a virus's ability to replicate without affecting the operation of the enterprise. (The assumption is that applications are being load-balanced across multiple servers or running on a grid.) This is part of the promise of IBM's Autonomic Computing initiative and HP's Adaptive Enterprise, which are integral to their respective grid-computing strategies.

All this points to a need to reverse the conditions that have turned desktop PCs into veritable breeding grounds for computer viruses and worms. The nutrients are program code on the client machines. All applications should be executed on secure servers and merely have their user interfaces displayed on the desktops.

How the thin-client approach will play out in practice is still unclear.

That would leave nothing for viruses to attack on the desktop, which makes them less destructive to users and far less able to propagate.

How the thin-client approach will play out in practice is still unclear. Terminal services such as Citrix Systems are hard to manage for large-scale deployments or over the public Internet.

Attempts to make Web pages usable have led to a "fat browser" approach of embedded JavaScript, ActiveX controls, applets and Flash presentations that make the browser as insecure as desktop software. Sun Microsystems is pushing its SunRay terminals, which admittedly are an extremely pure implementation of the thin-client vision, but a hardware solution is not very flexible or mobile. Now, new generations of rich thin-client technology are being driven by the growing popularity of corporate portals and utility computing.

		Get Up to Speed on... Utility computing Get the latest headlines and company-specific news in our expanded GUTS section.

Many customers look at Microsoft with recrimination in light of the endless stream of security holes that have surfaced recently. But Microsoft has a difficult challenge on this front. Not only is it an especially favorite target of hackers, but its strategic reliance on the desktop means that it will not be able to push a virus-immune thin-client model in the marketplace.

Doing so would weaken the importance of Windows. That's why Microsoft's strategy will necessarily continue to be to supply patches and offer bounties on virus writers.