Develop an application whitelisting policy for better access control

In an era where more malware is being produced than applications, blacklists may be an anachronism. Increasingly CISOs are looking at application whitelisting — creating a list of applications allowed to run on a system, and everything else is blocked — to  improve access control.

Last month the U.S. National Institute of Standards and Technology (NIST) published a guide to help them understand the basics of application whitelisting as well has how to plan and implementation whitelisting technologies throughout the security deployment lifecycle.

The 17-page paper notes that an application whitelisting solution isn’t for every environment. In fact NIST says it’s best for hosts in custom environments at high risk of attack or data exposure where security takes high precedence over functionality. A standard enterprise (or what NIST calls a managed environment) should do a risk assessment to determine whether the security benefits provided by application whitelisting outweigh its possible negative impact on operations. A dedicated staff managing and maintaining the application whitelisting solution will be needed, it adds, just as one is needed for an enterprise antivirus or intrusion detection solution.

There’s also four other tips:

Consider using application whitelisting technologies already built into the host operating system, particularly for centrally managed desktops, laptops, and servers, because of the relative ease in managing these solutions and the minimal additional cost. If this isn’t possible look for third-party solutions with robust centralized management capabilities;

Use products that support more sophisticated application whitelisting attributes. Choosing attributes is largely a matter of achieving the right balance of security, maintainability, and usability. Simpler attributes such as file path, filename, and file size should not be used by themselves unless there are strict access controls in place to tightly restrict file activity, and even then there are often significant benefits to pairing them with other attributes. A combination of digital signature/publisher and cryptographic hash techniques generally provides the most accurate and comprehensive application whitelisting capability, but usability and maintainability requirements can put significant burdens on the organization;

Test prospective application whitelisting technology before deploying. This testing should include a thorough evaluation of how the solution reacts to changes in software, such as installing an update. An application whitelisting technology might be considered unsuitable if, for instance, it had to be disabled in order to install security updates for the operating system or particular applications;

Use a phased approach for deployment to minimize unforeseen issues and identify potential pitfalls early in the process.

Note these are recommendations for application whitelists. Whitelisting can also be used for software inventory, file integrity monitoring, incident response, email addresses, networks and mobile code. For mobile devices, consider an app store and/or a mobile device/mobile application  management system.

If you’ve been thinking about whitelisting this is a good research resource. See also this paper put out by the U.S. National Security Agency. for a quick intro.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now