Application whitelisting – that is, preventing unauthorized programs from running on a device – sounds like a no-brainer for security professionals who want to maintain a secure business. The idea of whitelisting becomes even more appealing to security professionals as BYOD practices become more integrated – whether IT teams like it or not – into business. The problem, however, is avoiding an uphill battle on all fronts, from developing and maintaining in-house applications to calming employees who want the freedom to choose their own applications, to even gaining support from leadership.
Featured Download: Social media access at work. Do your employees know the rules?
Wisegate, a community of senior IT professionals who exchange knowledge within a secure, vetted environment, held a roundtable discussion with security professionals to find out the best practices for incorporating whitelisting into a security policy, not to mention how to avoid as many of the above-mentioned battles as possible. Here’s what we found.
Take control of your BYOD policy
Mobile devices are often personally owned, so users assume the right to install apps of their own choice. However, they also expect the freedom to connect to corporate networks. Acknowledging this, the best solution to protect company data is to take control of users’ devices that are connected to the company network. You can allow employees to use personally-owned devices but mandate that if it is connected to the corporate network, it must have certain controls running, including application whitelisting. You can allow all of those whitelisted personal apps to be on the system and still have a level of comfort in the security controls that you have around that system.
Keep up with in-house application development
One of the toughest pieces of the whitelisting puzzle is making sure native applications are upgraded and changed to stay on the whitelist. Being diligent about this process can help prevent in-house applications from getting blocked.
Evaluate third-party whitelisting tools in “listening” mode
Gain an understanding of the whitelisting product you wish to incorporate into your process and use it as an alert system rather than a block enforcer. This allows your business to evaluate both the whitelisting product and the problem with the application you want to block.
The act of implementing whitelisting is challenging, but perhaps even more daunting is the task of acquiring executive support. Higher-ups may not want to take on the challenge of calming disgruntled users when they don’t have the freedom to choose their own applications. However, you need only point to the number of data breaches we hear about today and the amount of data lost in these incidents to demonstrate the rationale behind whitelisting.
A shift in a company’s mindset to a more security-focused culture could help make this transition easier. And ultimately, your company will thank you for it.
By Elden Nelson, Editor-in-Chief, Wisegate
About Wisegate
Wisegate is passionate about unlocking the potential of the collective expertise of IT’s top professionals. The company calls it next generation IT advisory. Through advanced matching and social technology, a trusted peer network and hands-on help, IT practitioners connect to share best practices and answer IT’s toughest questions, directly and without vendor influence. Wisegate curates these conversations into searchable content and formal reports as a service to its members and often the outside world. See a list of our public reports and other wisdom unveiled here.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.