I’ve been watching as a number of security experts call for companies to replace Internet Explorer (IE), and the follow-up pieces that state, with the implication that the companies must be stupid, that they aren’t following that advice. I think this reflects more on how far removed many of these experts are from IT management than it does anything else, but, given the coverage, I figured it was time to write a security primer.
There are massive dependencies on this operating system component. It is integrated in the OS, in Microsoft Office, and Web pages have been both optimized for it and tested against it for years now. Hosted applications generally depend on it being there to work properly and it is a known element of most IT shops.
To remove it would be far from simple and, assuming you were in a well-run shop, to make the decision you would need to do a cost-benefit analysis. In a large IT shop this analysis alone would take several months and, given that the recommendations I’ve seen only suggest the abandonment of IE and don’t provide any guidance about what to move to, much of that work needs to be done as well.
Now you have to consider that, given the integration, the only way to really move off of IE is to move to another platform. So, then, why isn’t the recommendation to move to Linux or the Mac OS? Probably because that would seem too extreme, and folks wouldn’t take the pieces seriously. So, I believe that for many of the writers this was a subtle way to argue once again that Linux (or the Mac OS), their favored platforms, should be yours as well.
However, you need to remember that there is a massive infrastructure that surrounds IE, from development resources, to an increasingly robust patch process, to a massive number of third parties that would need to be considered even if you really could remove IE without replacing the OS. This would clearly not be something to be taken lightly as the cost, both collectively and individually, could be astronomic. And were the migration found to be, after the fact, either unnecessary or to the wrong platform, the repercussions would be significant as well.
Monoculture vs. Diversity
I just finished reviewing three large cases; I’ll cover one at length in a future column. In each case they saved substantially (US$3 million to $10 million) by creating a higher level of consistency than had been the case before their projects had started. The more inconsistent you are the higher the support cost. While I was at Giga Information, we issued several reports that extensively looked at cost and concluded that for each additional platform and vendor you added you squared the support cost.
That might seem extreme, but if you look at the IT costs of a highly standardized IT organization that maintains solid control over its desktops, you will see costs running at a fraction of what other organizations experience. Charter One bank, one of the cases I reviewed — which, by the way, were IBM cases, not Microsoft cases — runs 6,000 desktops with a department of six (including the manager), on Windows XP, and they have time to do other projects.
With security there are always advantages and disadvantages to any approach. Diversity can slow or stop a virus attack, but it opens you up to other types of things. When you have a high level of consistency, you can automate more things, you tend to have more people who are expert on the systems being secured (although this has been a particular problem with Windows and showcases a downside to the ease-of-use advantage this platform has traditionally enjoyed), and you have less overhead (substantially less) managing user accounts (single sign-in, and permissioning is much simpler).
Traditional Security Breaches
While virus attacks get all the news play, remember that traditionally our security exposures have come from disgruntled employees (often ex-employees), vendors, clients, thieves and competitors. These are targeted attacks; folks that want something and often know how to find it.
For them, diversity is a godsend because diversity creates system gaps that they can use to gain access to sensitive information. Not only do you have to link all of the permissions components to each other, but you have to maintain competencies in each and every platform and understand what exposures result when you put them together into the configuration you are using.
Because each company tends to put multiple platform shops together differently (different versions, different distributions, different application loads and different topology) this last consideration can be particularly painful to maintain. This is one of the reasons that companies, since the days of the mainframe, moved to internal standards, because keeping one platform up to date and secure is vastly easier than multiple platforms.
So why are people arguing diversity? Because it promotes the agenda they have — generally, pro-Linux/anti-Microsoft — and because it addresses the kinds of exploits that get press. If a company experiences a unique security breach they are unlikely to report it due to the implications it might have on the company’s stock. However, a virus hits lots of folks and gets flagged broadly, resulting in the impression that viruses are vastly more common than more traditional forms of security breaches. That probably isn’t the case, but the perception is very powerful.
Security as a ‘Real Job’
One of the problems is that, much like the U.S. recently discovered with internal security, companies don’t take the responsibility seriously enough. To be serious, someone has to own the security for the firm, or the state, as a centralized function. They have to take into account the threats that face the organization, both virtual and physical, and articulate a comprehensive plan to mitigate, for a reasonable cost, those threats. Then they need to execute a program that is secure enough for the company and easy enough for the employees to use. And they have to destroy any notion of turf wars; everyone has to own the solution or it won’t work.
This requires focus, a centralization of control and authority, the participation of every single employee and massive executive buy-in. Part of the problem, as I see it, is the general belief that a vendor, any vendor, can address the security issue. That simply is not the case. An organization has a number of ways it can be compromised, and only the vigilance of everyone has any chance of coming close to meeting the entire list of security exposures the firm is likely to experience in the current world.
Security Is Your Job
I’m appalled at the belief, for instance, that the U.S. government can protect our nation against terrorists, and I recall a speech by John F. Kennedy in which he said, “Ask not what your country can do for you, but what you can do for your country.” From a security perspective, every citizen and every employee has to be directly involved.
Recall that this latest IE exploit was actually caught, the perpetrator arrested, and the server he was using taken offline before anyone was compromised. This shows the effectiveness of a system — a system that, by the way, may not exist for the other browsers or platforms. This systems approach to security is vastly more powerful than a product approach because it has layers, and the more layers you have, the more difficult it is to breach a company’s security.
I am getting incredibly tired of “security experts” who are more like sales reps, who use a Microsoft exploit as a justification to change platforms, particularly since the one they are recommending could actually be worse. I’m also getting tired of these experts suggesting you yank out a critical application by the roots without offering a well-researched alternative, or providing any thought into whether the cost of the move will be worth the benefits.
And I’m getting incredibly tired of Microsoft being blamed for every security exposure. Microsoft isn’t your mamma. You have to own your own security and, often as not, it’s the people that make the difference, not the product. Step up to the plate, understand the entire problem, and realize that replacing a product needs to be done as a last resort and only after making damn sure that it actually makes things better, not just different.
Rob Enderle, a TechNewsWorld columnist, is the Principal Analyst for the Enderle Group, a consultancy that focuses on personal technology products and trends.
For most companies, there is no compelling reason to standardize the use of IE to access external (non company) websites – this is not the same as removing IE from the machine, as (as is pointed out) it is the default rendering agent for many MS applications.
However, as another poster points out, you can equally easily set the default browser to another (say, Firefox), remove the desktop shortcut to IE (which can be done trivially as a server-level policy) and 90% of the security headaches from IE (visiting websites with IE and becoming infected) vanish.
With its use as a primary web browser gone, there are few reasons to permit direct (or proxied) access to the internet for the component – the exception being that many packages now expect to piggyback their own internet settings on the IE registry keys, pulling such things as default dialer, web proxy and even security settings from there. However, it is also equally possible to use the security settings to lock down the browser to the point it can hardly render text without needing to ask permission.
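The comment above describes two things an administrator can check: the per-user IE settings that other packages read (proxy, autoconfig) and the zone security settings used to lock the browser down. The following PowerShell audit script is an added example, written for this page and not code from the commenter or from Microsoft; the registry locations and the zone action IDs (1200, 1400, 1001, 1004; 0 = enable, 1 = prompt, 3 = disable) are the documented IE locations, while the decision of what counts as “locked” is this script’s own assumption.

```powershell
# Added example: report what IE-dependent packages will inherit (proxy settings)
# and whether the Internet zone has ActiveX and scripting locked down.
# Reads only the current user's hive; group-policy-enforced values in the
# Policies hive are not consulted here (see note below).

$settings     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$internetZone = Join-Path $settings 'Zones\3'   # zone 3 = Internet zone

# Zone action IDs most relevant to drive-by infection via a web page.
$checks = @{
    '1200' = 'Run ActiveX controls and plug-ins'
    '1400' = 'Active scripting'
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
}

function Get-IEProxySettings {
    # These are the values third-party packages "piggyback" on.
    $p = Get-ItemProperty -Path $settings -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ProxyEnabled  = [bool]$p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        AutoConfigUrl = $p.AutoConfigURL
    }
}

function Test-IEInternetZoneLockdown {
    $zone = Get-ItemProperty -Path $internetZone -ErrorAction SilentlyContinue
    foreach ($id in ($checks.Keys | Sort-Object)) {
        $value = $zone.$id          # value names are the numeric action IDs
        $state = switch ($value) {
            0       { 'Enabled' }
            1       { 'Prompt' }
            3       { 'Disabled' }
            default { 'Not set (browser default applies)' }
        }
        [pscustomobject]@{
            ActionId = $id
            Action   = $checks[$id]
            Setting  = $state
            # Assumption of this script: "prompt" or "disabled" counts as locked down.
            Locked   = ($value -eq 1 -or $value -eq 3)
        }
    }
}

Get-IEProxySettings
Test-IEInternetZoneLockdown | Format-Table -AutoSize
```

Run it as the user whose profile you want to inspect. If the domain enforces zone settings through Group Policy, the effective values live under HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones rather than the path read here, so a “Not set” result in this output does not by itself mean the zone is unrestricted.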
Agreed – however, quite a few companies have standardized on IE as their "company standard" browser, and getting upper management to change their mind on that one is often a losing battle.
The downside to a new browser is that often some things just won’t work.
An example from my recent past would be 3270 emulation. We had a range of choices – we could have bought the most excellent Attachmate product, at approximately $120/licence, for our 100+ casual users – or we could buy a site licence for TM3270/Java from mochasoft.net for $250 flat payment.
Problem was – it *only* worked in MS Java – the Sun virtual machine has some weird bug that special-cases the tab key, and the authors had not yet worked around this for the Java version. The alternative was to buy the ActiveX (definitely IE only) version of the same software (normally $350, but Mochasoft very kindly gave us a copy as a free upgrade from the Java edition after we discovered that the latest XP machines we bought came with the Sun, not MS, Java machine in their IE, and basically those machines were cut off from the spare parts ordering system).
So what is this company to do? We can’t "standardize" on Firefox as that would lock us out of a business-critical application. We also can’t standardize on a non-Outlook email client (Outlook uses IE for its rendering agent, in case you are wondering about the link) as we not only need to interoperate with other branches of the same company (which are also on Exchange) but have so many functions (like team calendaring) dependent on Outlook it would cripple our normal business methods to abandon it.
What? Migrate for the sake of changing your browser? Where did that come from?
Changing the browser in Windows is trivial at best. You don’t need to get rid of IE, you can simply install something (such as Mozilla, Firefox, Opera, Avant… just Google for the word browser) and delete the desktop shortcuts. Simple. So where did you get the idea that in order not to use IE you must remove it or migrate?
I haven’t used IE for a large amount of time and I’ve seen no ill effects. Sure, because it’s the default (my mother refuses to attempt to learn how to use Firefox) it pops up from time to time, but seriously, if an admin can’t figure out how to install a piece of software (that comes with an installer) he/she shouldn’t be in their current career.
I’ve even heard of people using NO Microsoft applications on Windows, and none of these people have reported any difficulties.
This article seems more intent on misleading the readership here than it does on educating them about security.