In financial services and healthcare industries application whitelisting is becoming an increasingly important tool for defending against malware attacks, says Bob Janssen, founder and CTO of RES Software, an enterprise software solution firm.
Application whitelisting is the longstanding IT administrative practice of sand-boxing computers and networks from various applications, denying applications that are not explicitly approved by IT. New applications are denied execution on the server by default, limiting the company's exposure to malicious applications and stopping users from updating to versions of approved applications that may have some yet-unsolved security holes.
Although whitelisting is effective in blocking malware, it is much more difficult to manage than it sounds. Employees want to install whatever they like (BYO Application, if you will), and slow speed of approval from IT admins makes the process onerous for end-users and the IT staff. The list of approved applications and vendors, and controlling who has access to what, is difficult to manage. Handing out the local administrative privileges to install applications creates vulnerabilities. Most irritating of all, whitelisting has a history of blocking non-malicious applications, which has prevented users from getting the most out of their systems.
Add in complications of mobile devices, and it's not hard to see why whitelisting has often been foregone for the opposite (and arguably less secure) blacklisting approach, which approves all applications except those specifically identified as malicious or noncompliant.
But new automated approaches to application whitelisting are making those constraints more manageable, and it's spurring adoption by high-security-minded industries, observes Janssen. Customer-centric IT solutions are allowing IT admin to pre-approve certain applications, so when users go to install those applications they are able to launch without requesting special permissions. Certain populations of users can be given extra privileges to launch more sensitive applications.
"IT staff would like to keep everyone on a regular user account," says Janssen. "They can program the solution to trust these vendors, or approve only certain versions of a software, so when it's time to install something we can elevate that installation without users asking for privileges. That goes a long way."
Whitelisting solutions are also offering more flexibility, rules, and filters with the range of requirements they can implement. Some firms allow users to upload anything as long as it's on the approved vendors list, or exactly control the software version (for example, allowing the installation of Adobe Reader, or only certain versions of the software).
Whitelisting has also become more contextual, adopting controls depending on where the user is located. A roaming user may not have access to certain applications, or have the applications shut down when out of range and unable to access information. "Security has become very dynamic -- it really depends on the exact moment in time, what is locally available, and so on."
Whitelisting goes against consumerization, which is about instant gratification, Janssen adds. "Imagine you request something in the app stores and have to wait weeks for it to be delivered. We see the same thing in IT, but users want access instantly." He says IT teams that take on traditional whitelisting tools that don't offer flexibility for self-servicing are doing themselves and the end-users a disservice. "As a company, we believe in consumerization. It can go hand-in-hand with user experience, but it needs to think about compliance and security as well as user freedom."
Modern whitelisting solutions are part of a trend of automating IT to help leverage infrastructure in an efficient way, says Janssen. "If you have a serious issue and need to solve it quickly, you need to rely on powerful automation. Speed of delivery from an automation standpoint is key, especially when the issue is security."