Is Google Confusing Safe and Secure in Dumping Windows?

On June 1, the Financial Times reported that Google planned to drop Windows as its primary desktop operating system and switch to Apple 's Mac OS X and Linux , because the latter two are more secure than Windows. That's a pretty bold leap by any measure. Should your organization follow suit? Not so fast.

No doubt about it, switching desktop operating systems across an enterprise the size of Google is a massive undertaking. There's just so much to take care of. It's a move that's far more complicated and disruptive than simply uninstalling one operating system and installing another. And the direct product costs are a mere drop in the bucket compared to the overall costs when you consider things like tech support, user training and so on.

I can only assume that Google was well aware of all this and made an informed business decision. If that is the case, should the rest of us consider it a warning sign that we should heed?

Let's take a rational look at some of the factors involved here. And I'll point out that I have absolutely no direct contact with Google on this, so I'm merely making some guesses from an outsider's perspective.

For starters, Google seems to be reacting at least in part to the recently publicized attacks it experienced. From those reports, it appears that the attackers were able to exploit old browser configurations (Internet Explorer 6) at Google to gain their initial access to the company. Of course, it sure shouldn't surprise anyone reading this column that running a vulnerable browser can lead to significant problems.

Aside from that, wouldn't it be cheaper to simply upgrade these vulnerable browsers, or even switch to a different browser, than replace the entire operating system? It's got to be cheaper to switch browsers than it is to replace desktop operating systems across an entire company.

Next, does anyone really believe that OS X or Linux are inherently more secure than Windows? Seriously? I believe I'm safer on OS X than I would be on Windows, but let's not confuse secure with safe.

Consider doing something that is inherently risky -- say, walking around with a wad of cash stuffed in your pocket that's so large it's obvious, and without anything to protect yourself. That's just crazy, right?

Now, if you're carrying that cash while walking down a quiet country lane, you're far safer than if you were walking through crowded city streets in a foreign land where you glaringly stood out. Safer, but not more secure.

That's the difference between secure and safe, but how does it apply to switching operating systems? You may feel that an operating system other than Windows is more secure because there have been fewer published successful attacks and malware for that other operating system. That could well be a legitimate concern. But I'd argue that neither Linux nor OS X is inherently any more secure than Windows. They tend to be safer because there are far fewer attacks and malware aimed at them, at least today.

So, what makes one operating system safer than another? Published 0days? Successful attacks? All of these things and much more factor into the equation, for sure, but it doesn't end there. At some level, we're kind of at the whim of the attackers. What operating systems are they attacking most today?

If we think of attacking systems as a business, then the folks writing the attacks face similar issues as the ones faced by any software developer. What platform do you write your code for? Market share, likelihood of success, cost to market and many other things are likely to factor into that decision. Well then, by all accounts, these things tend to be dynamic. Right now, they tend to favor Windows, but that may well not always be the case.

What is safe today may well not be the safest choice tomorrow. From where I sit, it's a pretty safe bet that we'll start to see more malware and attacks aimed at Apple's systems in the future, just because of their market success in the past couple of years. See where this is going?

My point is this: Today we have far more attack code that works on Windows systems than on OS X or Linux. That probably won't always be the case, and underneath it all, there are security weaknesses in all three of these operating systems. So, switching operating systems across an entire enterprise and bearing the resulting expenses might not be adequately forward-looking to be a sound business decision.

A far more compelling business justification will be found by looking at the business applications you need. Which platform best supports your business processes? What applications are available for those business processes? How about usability? How about ease of integration with other business infrastructure? Those are the sorts of things that should factor most in the decision process.

While I have my own preferences for what desktop operating system I want to be using personally, that's hardly a basis for a sound business decision for the entire enterprise.

So, if you're looking at Google's actions and trying to decide whether your enterprise should consider switching operating systems, security and safety should certainly be factors, but don't fool yourself. Be sure to see the big picture before you make that hugely important leap.

With more than 20 years in the information security field, Kenneth van Wyk has worked at Carnegie Mellon University's CERT/CC, the U.S. Deptartment of Defense, Para-Protect and others. He has published two books on information security and is working on a third. He is the president and principal consultant at KRvW Associates LLC in Alexandria, Va.

Read more about security in Computerworld's Security Topic Center.

Subscribe to the Security Watch Newsletter

Comments