Gartner echoes concerns on Microsoft reliance

Exclusive use of Windows could subject companies to greater damage during a cyberattack, says an upcoming Gartner report.

Robert Lemos
Robert Lemos Staff Writer, CNET News.com

Robert Lemos
covers viruses, worms and other security threats.

4 min read
Exclusive reliance on Microsoft's Windows operating system could make companies vulnerable to greater damage during a cyberattack, according to an upcoming report from business-technology consultancy Gartner.

A copy of the Gartner research note seen by CNET News.com mirrors the conclusions of seven prominent security researchers, who released a paper stating that Microsoft's dominance in software could have serious consequences for national cybersecurity. The Gartner report is scheduled to be published Friday.

Both reports argue that allowing the bulk of information infrastructure to rely on a single code base--or monoculture--could result in a cascading failure, taking down large parts of the Internet in a manner similar to an electrical blackout. The research note focuses on a corporate--rather than national--scale, arguing that for companies, diversifying desktop operating systems could be a good defense against such catastrophe.

"The recent upsurge in malicious-code attacks that target Windows, which is used on more than 90 percent of enterprise desktops, highlights the urgent need for enterprises to improve the security and survivability of their personal computers," says the copy of the report.

"By spreading critical business functions across multiple desktop platforms," the report adds, "or by maintaining key operating groups on separate platforms, you can enhance your ability to keep at least some of your key personnel and processes functioning and communicating during an attack."

The paper is the first indication that corporate America may be lending credence to a position paper written by seven well-respected security researchers and released Sept. 24 by the Computer and Communications Industry Association, a noted Microsoft critic. A lawsuit that charges Microsoft with making computer users' personal data vulnerable was filed against the company a week later, on behalf of a victim of identity fraud. The suit extensively uses the report's conclusions in its arguments.

The advice to businesses also arrives as Linux, widely seen as the major competitor to Microsoft, is making inroads among companies and governments, despite recent research that found Windows still on top in server operating systems. The United Kingdom and Russia both signed Linux deals with IBM on Wednesday. The state of Massachusetts has adopted a policy that will make it more likely that open-source software, such as Linux, will be considered for government systems.

Putting all your PCs in one basket
The Gartner research note does not argue that Microsoft operating systems are inherently less secure, just that absolute reliance on only Windows computers could result in a major failure. The note points out that the danger of monocultures is well accepted: A forest that only has a single species of tree could likewise be destroyed by a single virus; a greater diversity of trees means that many will survive.

However, Bob Muglia, senior vice president of Microsoft's Enterprise Storage and Enterprise Management divisions, said he didn't buy the monoculture argument. Even diverse information systems have to communicate through common interfaces, opening them to broad attacks. Moreover, forcing a company to diversify means reducing efficiency.

"When you do that, you introduce a great deal of complexity and...make it harder for people to do their job on a day-to-day basis," Muglia said.

The Gartner research note agrees that diversity comes at a cost, but it adds that companies that were hit by the SQL Slammer and MSBlast worms may need to consider diversifying as an additional defense against future attacks. Gartner points to the quickening pace at which attacks are created from newly discovered vulnerabilities, predicting that 30 percent of attacks in 2006 will occur before companies can patch their systems, up from 15 percent in 2003.

"Simply patching will never be good enough," the report notes.

By diversifying, companies gain key benefits, Gartner said. Businesses will gain some immunity to the majority of viruses and worms that target Windows systems. Moreover, widespread adoption of alternative operating systems will increase competitive pressure on Microsoft, forcing the company to better secure its software.

Bruce Schneier, chief technology officer of network-monitoring company Counterpane Internet Security and one of the seven authors of the original monoculture paper, said Gartner's advice is a good sign and that though diversifying may involve some difficulties, it's worth it.

"We've always said it's a trade-off," Schneier said. "There are security benefits to a store of never letting customers inside, but the trade-off is unacceptable." The trick is finding an acceptable trade-off that improves security, Schneier said. "If people are finally saying that the security benefits are worth the trade-off, then that's a good thing."

Other analysts said that while the monoculture argument might conceptually hold water, basing information technology decisions on the theory would be difficult.

"Essentially the conclusions that they are drawing are a little overdone," said Stephen O'Grady, a senior analyst for research firm RedMonk. "I don't think your platform choice should be determined by the need for diversification. I think the platform should be determined by what works for you."

Gartner itself warned its clients to do the job right, or not at all. Companies may stumble dealing with diversity on the desktop, the research note says. Noting that two-thirds of successful attacks take advantage of misconfigured systems, the report stresses that companies shouldn't diversify unless they can do so properly.

"Tight administration of a single operating system provides more security than sloppy administration of multiple operating systems," the report says.