
All eggs in one basket. The risks of software monoculture.


In the aftermath of the major global incident caused by CrowdStrike releasing a corrupted update, many CIOs, CTOs and cyber-security leaders of the affected enterprises will have begun auditing how the incident affected their business and what could be done differently going forward. Make no mistake, tech leaders whose enterprises were not affected by this global outage will have planned an audit of their tech infrastructure too.


For those who didn’t follow the event, this incident was so widespread that it affected air traffic control, government transport departments, transport providers and hospitals in more than 20 countries across the globe. Microsoft confirmed that 8.5 million devices were affected – a conservative estimate would put this between 0.5% and 0.75% of all PC devices.


As enterprise IT teams review their cyber-resilience and conduct tests, one aspect that must be reviewed is the issue of the monoculture technology environment, and the benefits of implementing diversity in technology to reduce risk.


A monoculture tech environment or software monoculture refers to a situation where an organisation relies heavily on a single technology or vendor for its IT infrastructure. There are several reasons why companies select single vendors.


Two main reasons are cost-effectiveness and the wish to avoid multiple management platforms and incompatibility between competing, similar solutions. A monoculture environment poses significant risks across multiple dimensions:

  • Cybersecurity risks

  • Cloud concentration risks 

  • Operational risks 

  • Knowledge gap and skill shortage risks 


It's highly likely that the CrowdStrike incident is going to force enterprise technology leaders and policy makers to adopt tech diversification at a much faster pace than expected. Some of the key strategies that are expected to be adopted by policy makers and enterprises are:


  • Built-in automated diversity in your cloud: I expect cloud services to employ automated tools to introduce diversity into systems. This can involve randomizing configurations or using different versions of software to minimize the risk of simultaneous exploitation by attackers.


  • Diverse Technology Stack: Implement a diverse technology stack by using different software platforms, operating systems, and hardware. This reduces the risk of widespread failure due to a single point of vulnerability.


  • Multiple Vendors: Avoid reliance on a single vendor for critical technology needs. Engaging multiple vendors can provide alternative solutions and reduce the risk of widespread disruption from vendor-specific issues.


It's time for policy makers to step in. Or is it a new feature to be offered by cloud providers? A CrowdStrike-like incident can be avoided next time if companies implement not just geo-redundancy, compute-redundancy or data-redundancy but also OS-redundancy or software-redundancy in their architecture.
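To make the gap between geo-redundancy and OS- or software-redundancy concrete, here is an added example (not code from any vendor or cloud provider) that audits an inventory for components whose failure takes out every node of a service. The services, regions, vendor names and field names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample inventory: hypothetical services, regions and vendors.
INVENTORY = [
    {"service": "checkin", "region": "eu-west", "os": "windows", "edr": "vendor-a"},
    {"service": "checkin", "region": "us-east", "os": "windows", "edr": "vendor-a"},
    {"service": "billing", "region": "eu-west", "os": "windows", "edr": "vendor-a"},
    {"service": "billing", "region": "us-east", "os": "linux", "edr": "vendor-b"},
    {"service": "paging", "region": "eu-west", "os": "linux", "edr": "vendor-a"},
    {"service": "paging", "region": "eu-west", "os": "windows", "edr": "vendor-b"},
]

# Failure domains to audit; "edr" stands for any agent pushed to the whole fleet.
DIMENSIONS = ("region", "os", "edr")


def blast_radius(inventory, dimensions=DIMENSIONS):
    """Map (dimension, value) -> {service: fraction of its nodes lost if that component fails}."""
    totals = defaultdict(int)
    hits = defaultdict(lambda: defaultdict(int))
    for node in inventory:
        totals[node["service"]] += 1
        for dim in dimensions:
            hits[(dim, node[dim])][node["service"]] += 1
    return {
        comp: {svc: count / totals[svc] for svc, count in svcs.items()}
        for comp, svcs in hits.items()
    }


def single_points_of_failure(inventory, dimensions=DIMENSIONS):
    """Map service -> sorted list of components whose failure removes all of its nodes."""
    spof = defaultdict(list)
    for comp, svcs in blast_radius(inventory, dimensions).items():
        for svc, fraction in svcs.items():
            if fraction == 1.0:
                spof[svc].append(comp)
    return {svc: sorted(comps) for svc, comps in spof.items()}


if __name__ == "__main__":
    for service, components in sorted(single_points_of_failure(INVENTORY).items()):
        print(service, "is fully exposed to", components)
```

In this constructed fleet, "checkin" spans two regions yet still depends entirely on one OS and one agent vendor, while "billing" survives the loss of any single region, OS or agent.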


Multi-culture tech environments come at significant cost, and it's not practical to enable such configurations for small to medium-sized enterprises. Only if government policy makers require cloud providers to enable these options for their customers, and push the emergence of cloud marketplaces, can cost-viable multi-culture tech environments become a reality.


In the weeks and months to come, my forecast is that smart cloud computing providers will offer tech diversification as an auto-configurable option. I also expect policy makers to encourage and enforce multi-culture tech environments to enable robust cyber-resilience in this heavily cloud- and tech-dependent world.


Disclaimer:  These are my personal views and are not related to views or policies of my employer.





1 Comment


saurabh suman
Jul 29, 2024

I do agree..
