Whitelisting Gives Employees Choice While IT Retains Security Control

Creating a corporate version of an app store with a selection of approved applications would give employees choice without compromising network security.

Application whitelisting and security as a service will help enterprises protect their data as employees adopt cloud services and bring their own devices to work, according to a Gartner analyst. These issues are becoming even more important as the bring-your-own-device (BYOD) trend increases in popularity, thanks to devices such as Apple€™s iPhone.

The explosion of mobile devices and increased adoption of cloud and software as a service has had a significant impact on enterprise security, John Pescatore, vice president and research fellow at Gartner, said during a Kaspersky Lab press event Feb. 8. Mobile devices and the consumerization of IT are "wrapped together" as they helped boost each other's popularity, he said.

The browser has become the universal client as more services and applications move online, Pescatore said during an interview. Employees want to be able to choose what applications and devices they can use to get their work done. Instead of exerting control and restricting what they can or cannot do, enterprises should shift to a security as a service approach, he said.

With a mobile workforce, IT departments should focus less on protecting the corporate laptop, which the employee might not even use to access enterprise applications, but on securing how the user gains access. Regardless of what device the user has, whether it's a PC, a mobile phone or the work laptop, enterprises can enforce strong password policies or deploy virtual private networks to secure the application.

The growing amount of financially motivated cyber-crime has businesses worried about potential threats to their networks, said Pescatore. IT departments don't know what kind of malware may have already infected the user's PC, and they are understandably concerned that allowing that computer access to the enterprise network would result in the organization being compromised.

While all threat activity would stop if all vulnerabilities in the browser, operating system and applications could somehow be eliminated, "obviously, you can't do that," said Pescatore.

It's also not possible to lock down the enterprise network to restrict what users can run or do to keep potential threats out of the environment. While enterprises have used dumb terminals in the past, "we are not going back to that world," said Pescatore.

Organizations can learn from the success of Apple's AppStore model to give customers limited choice, said Pescatore. Apple has proven that most users are willing to stick with what is available in the AppStore instead of jailbreaking the device to go install non-approved apps, he said. Instead of just letting users use whatever they want from any source, organizations can present a selection of approved options.

The key is to offer more than one choice, said Pescatore.

Instead of saying users can't install instant messaging clients or requiring everyone to standardize on one specific client, the IT department can offer several suggestions and tell employees where to go to download them, Pescatore suggested. This way, there is less chance of users downloading infected versions, and they feel as if they have a choice in what software they are using. The IT department can restrict the network so that only applications recognized by the whitelist can get access to the network or online. Since users have a choice on what to install, they are less likely to go looking for other applications, or protest when unapproved applications don't work, said Pescatore.

Threats evolve and security has to change in order to keep up, said Pescatore. Years ago, email macros wreaked havoc in organizations, but the improvements in email defenses have more or less obliterated that threat. As administrators get better at keeping up with patches, attackers have shifted their efforts to the browsers with phishing attempts.

"We are in an infosec refresh," said Pescatore said. "Our defenses have gotten better.€