Security & Ops – Who hates diversity?
I’ve spent a lot of time during my life in IT working with both Operations and Security organizations. One of the things I’ve noticed is that diversity has very different implications on these two organizations. Here is what I mean:
Diversity and Ops
In the world of Operations, diversity (of infrastructure, vendors, etc.) is the enemy. In my work with Gene Kim on the Visible Ops books, it was obvious that high-performing IT organizations aggressively reduced configuration variance and drove toward “copy exact” consistency wherever possible. That makes a lot of sense – for predictability and reliability, Ops wants to eliminate variance and create large groups of infrastructure that can be managed as a group. That means standardization of vendors, OS’s, configurations, processes, etc.
Diversity and Security
In the world of Security, diversity is a lot trickier. There are benefits in consistency – after all, we often anchor to a consistent, objective standard for configurations (CIS Benchmarks or DISA STIGs, for example) because it makes it easier for us to find systems that are configured insecurely. However, too much consistency can make us too vulnerable because we present a homogeneous attack surface to the world.
I have worked with a CISO who recognizes this and has taken deliberate steps to create more diversity in their security controls. In their organization, they’ve established two, redundant data centers to offer more resiliency. The interesting thing is that the two data centers, while redundant, are not identical. In one data center, they use Windows OS’s while the other uses Linux. Each data center uses different firewalls, different network gear vendors, different load balancers, different bandwidth providers, different backup systems, etc.
The rationale is that it will take more than just one “boiler plate” attack to bring down both data centers because the two data centers are not susceptible to the same attacks – the same is true in biology, where a diverse population is more resistant to disease. I find this approach to be a sound, albeit more expensive strategy (more costly because you’re not only dealing with more vendors, but maintaining two IT staffs trained on two different sets of infrastructure).
There can still be order within the diversity
Of course, within each data center, there are still standards for configurations, processes, procedures, etc. and the two do communicate with each other to share intelligence, but the operating environments are very different.
So, to answer the question posed in the title of my post, I think Ops hates diversity in principle, but should encourage Security to embrace some level of diversity. And, I believe Security should work to find the right level of diversity in their security controls to increase the resilience of businesses in the face of organized threats.
What do you think? Where is your organization when it comes to diversity of security controls?