The Case for Authorized Application Lists

January 12, 2019

An Authorized Application List, or Whitelisting Applications is a method to approve applications for enterprise use if the business need exists while controlling and validating the source of the applications. If the application is not on the authorized list, it cannot be installed on the end device. An exception can be submitted and reviewed for approval by the Senior Leadership of the Organization.

This control may seem simple and low risk, but with the increased use of mobile devices, mobile applications have increasingly been used to scrub sensitive information from the mobile device, which increases the necessity of implementing and satisfying this security control. Applications are gaining access to the sensitive data for multiple reasons, it helps focus their marketing of products, the data can be sold to third party organizations for profit or used to install malware directly onto the device. These are just a few examples but many more exist. Be mindful of the “free” applications as well – if there isn’t a direct cost for the application, there is a high probability you become the product for their third-party partners. These examples have focused on personal data on the mobile device, such as contacts or web habits, but if the applications have access to storage areas, they can also scrub sensitive business information as well.

An Authorized Applications List or Whitelisting can be implemented and enforced in many ways, but the top-level approach should be a Corporate Policy defining the organizations stance on Authorized and Unauthorized Applications. Once the policy is written and authorized by the senior leadership of the organization, a procedure is written which allows all personnel involved with the ability to follow a repeatable process of evaluating the software. The list can be as simple as an Excel Spreadsheet to a fully deployed security suite that will evaluate if rogue software is trying to be installed and executed on the end device, therefore preventing the process from running. What method is used is not as important as having it defined. Just keep in mind it needs to be evaluated on a periodic basis or it will become out of date and ineffective.

Email Signup

Sign up for periodic updates from our blog.

Monthly Blogs

The Top Metrics to Track in Cybersecurity

If you are a federal government contractor, you are preparing your organization for the Cybersecurity Maturity Model Certification (CMMC). The United States Department of Defense is moving towards the CMMC to standardize the cybersecurity requirements across the Defense Industrial Base (DIB). The goal is to ensure the federal government’s controlled unclassified information (CUI) is not at risk.

The New CMMC Controls for Security Awareness and Training

If you are a federal government contractor, you are preparing your organization for the Cybersecurity Maturity Model Certification (CMMC). The United States Department of Defense is moving towards the CMMC to standardize the cybersecurity requirements across the Defense Industrial Base (DIB). The goal is to ensure the federal government’s controlled unclassified information (CUI) is not at risk.

The Benefits of Hiring a Virtual CISO

Our day-to-day lives have become so busy, that we often forget to maintain and update passwords unless it is forced upon us by third-party applications or corporate requirements. As our lives move into a more remote lifestyle, a lot of our work has moved into cloud-based services.

Sitemap

About Us
Solutions
Industries
Community
Resources & Industry News