Why giving users two separate systems won't improve security

Red/green systems, which give users one system for work and another for other tasks, no longer make sense from a security and cost perspective. There are alternatives.

A common security question I’m asked is whether it makes sense to have two systems: one locked down and used only for work, and a second for anything else. The idea is that people can do their work on the locked-down system and not create excessive risk to their company while still being able to do whatever they normally do on the other system.

The idea is not new. It’s been around for nearly as long as computers have been. I’ve talked about these sorts of “red/green systems” for decades. Red/green systems make even less sense now.

Using two systems completely separated from each other would probably decrease cybersecurity risk, perhaps tremendously in some circumstances. But it’s a very expensive way to do computer security. You’re talking about doubling hardware, software licenses, support costs, and even support headaches. The cost alone usually kills the idea of two physically separate systems, although it is used in high-security places and a few financial companies.

It’s easy for an IT security person to say, “Hey, buying and supporting two systems is cheaper than paying for one ransomware attack.” I think we can all agree, but asking management to nearly double support costs against a hypothetical situation…well, that’s a tough sell.

Hackers will target the business system
