Creating a corporate version of an app store with a selection of approved applications would give employees choice without compromising network security.
Application whitelisting and security as a service will help
enterprises protect their data as employees adopt cloud services and bring
their own devices to work, according to a Gartner analyst. These issues are
becoming even more important as the bring-your-own-device (BYOD) trend
increases in popularity, thanks to devices such as Apples iPhone.
The explosion of mobile devices and increased adoption of
cloud and software as a service has had a significant impact on enterprise
security, John Pescatore, vice president and research fellow at Gartner, said during
a Kaspersky Lab press event Feb. 8. Mobile devices and the consumerization of IT
are "wrapped together" as they helped boost each other's popularity,
The browser has become the universal client as more services
and applications move online, Pescatore said during an interview. Employees want
to be able to choose what applications and devices they can use to get their
work done. Instead of exerting control and restricting what they can or cannot
do, enterprises should shift to a security as a service approach, he said.
With a mobile workforce, IT departments should focus less on
protecting the corporate laptop, which the employee might not even use to
access enterprise applications, but on securing how the user gains access. Regardless
of what device the user has, whether it's a PC, a mobile phone
or the work laptop, enterprises can enforce strong password policies or deploy
virtual private networks to secure the application.
The growing amount of financially motivated cyber-crime has businesses
worried about potential threats to their networks, said Pescatore. IT
departments don't know what kind of malware may have already infected the
user's PC, and they are understandably concerned that allowing that
computer access to the enterprise network would result in the organization
While all threat activity would stop if all vulnerabilities in
the browser, operating system and applications could somehow be eliminated,
"obviously, you can't do that," said Pescatore.
It's also not possible to lock down the enterprise network
to restrict what users can run or do to keep potential threats out of the
environment. While enterprises have used dumb terminals in the past, "we
are not going back to that world," said Pescatore.
Organizations can learn from the success of Apple's AppStore
model to give customers limited choice, said Pescatore. Apple has proven that
most users are willing to stick with what is available in the AppStore instead
of jailbreaking the device to go install non-approved apps, he said. Instead of
just letting users use whatever they want from any source, organizations can
present a selection of approved options.
The key is to offer more than one choice, said Pescatore.
Instead of saying users can't install instant messaging
clients or requiring everyone to standardize on one specific client, the IT
department can offer several suggestions and tell employees where to go to
download them, Pescatore suggested. This way, there is less chance of users
downloading infected versions, and they feel as if they have a choice in what
software they are using. The IT department can restrict the network so that
only applications recognized by the whitelist can get access to the network or
online. Since users have a choice on what to install, they are less likely to
go looking for other applications, or protest when unapproved applications
don't work, said Pescatore.
Threats evolve and security has to change in order to keep
up, said Pescatore. Years ago, email macros wreaked havoc in organizations, but
the improvements in email defenses have more or less obliterated that threat. As
administrators get better at keeping up with patches, attackers have shifted
their efforts to the browsers with phishing attempts.
"We are in an infosec refresh," said Pescatore
said. "Our defenses have gotten better.