Balancing user control and flexibility with the potential dangers of compromising security is no easy task.
Application control is a sure way to make sure malware isn’t unknowingly installed on a machine or network. But there are some features you should look for before selecting an application control product.
1. Library of executables
If the application control product doesn’t know about your applications, it takes considerable work to get the system set up.
A large and current application library is critical to both initial setup and scaling the technology, given the number of applications in use in a typical enterprise. You want a library which is kept updated, especially for patches and updates.
Application control won’t recognize updated versions of programs until they are explicitly added.
2. Flexible trust model
Speaking specifically of patches, you should be able to define certain software publishers whose code can run on your devices. That way, as long as the code is properly signed by a trusted software vendor, it can run without manual authorization.
Similarly, you should be able to define trusted distribution products that can automatically install software, trusted directories where applications can be found, file “owners” that ensure executables are installed by trusted accounts, and perhaps even authorize specific users to install their own software. Each decision to trust is a security trade-off, but they make the technology much more workable at scale.
3. Policy setup
The product should be able to monitor which applications are used on managed devices and build a baseline for the environment. This baseline can be used to quickly define which applications are legitimate and which are not for a good first cut at your policy base.
4. Easy to manage policies
The most resource-intensive aspect of deploying application control is keeping policies up to date, so you need an easy system for defining what is authorized and what is blocked for groups of users.
5. Flexible enforcement
You should have flexible options in case of policy violation.
For instance, you might want to allow an employee to run the software and alert the IT group. Or you may choose to allow users to run the application for a limited amount of time (a grace period) before it needs to be authorized. Or you could simply block execution. Policies should be based on device type, user, and/or group to satisfy your organization’s security requirements.
Fortunately, application control technology has been on the market for several years, with a number of offerings can provide all these capabilities. One other criterion to consider is leveraging other technologies already in place. For instance, if you add application control as part of an endpoint protection or management suite, you can leverage agents already on devices to simplify management and policy maintenance.
Application control can be useful — particularly for stopping advanced attackers and securing unsupported operating systems. There are trade-offs as with any security control, but with proper planning and selection of which use cases to address, application control resists device compromise and protects enterprise data.