Why Application Control Is Essential for Your OS
Even operating systems have an expiration date. When an operating system fades out, it no longer gets updates or patches, leaving your information vulnerable to outside security attacks. Application control is designed to deal with these system vulnerabilities and security threats so you can worry less.
This post reviews the ins and out of application control software, what it is, why it’s important, and gives examples of how application control solutions are used to protect operating systems and keep your data safe.
Why Keep an Outdated System?
One example of a system that no longer receives security updates is Windows XP. Windows XP security updates officially ended April 2014, at which point, organizations still using XP were out of luck (as if luck has anything to do with it…).
We know you wonder why on Earth any organization serious about security—or even not so serious—would still use XP. That is a legitimate question with two very reasonable answers.
1. Legacy Applications
For one, some legacy applications still only run on XP. It may not be worth the investment—or even possible, depending on legal/ownership issues—to migrate to a modern operating system.
A similar situation arises with compliance requirements to have applications qualified by a government agency.
We see this a lot in healthcare, where the OS cannot even be patched without going through a lengthy and painful qualification process. That doesn’t happen, so on XP it stays. Despite Microsoft’s best efforts, XP isn’t going away any time soon.
What Is Application Control?
The struggle of upgrading and securing legacy systems is where application control solutions come in. Application control software uses security measures to recognize authorized and unauthorized files attempting to execute on the network, and blocking any that have been restricted to ensure system security. By preventing unauthorized or blacklisted applications from running on your operating system, you minimize risk to company data.
Why Is Application Control Important?
Application control is important because outdated systems no longer receive patch updates or security updates and are therefore vulnerable to outside security threats. Application control limits the applications that can run on system devices to prevent applications from executing if they could potentially risk the operating system security and data. Application control solutions use validity checks, authentication, input controls, forensic controls, identification, and authorization to ensure your system remains secure, even after security updates for your system have ended.
Features and Benefits of Application Control
PoS, PLCs, and other single-purpose systems can particularly benefit from application control because they have specific, limited functions that are easily secured and regulated through the use of application control. Single-purpose systems are ideal for application control software because they don’t need to run every application on the web, or download additional applications to function as intended.
Here are some additional features and benefits of application control that protect businesses from web-based, cloud-based, or third-party application threats.
- Control and identify current applications.
- Determine which applications you have and which ones you need.
- Protect your system from third-party applications or unpatched operating systems.
- Prevent unauthorized, unwanted, or malicious applications from executing on your system.
- Identify trusted software.
- Create a stable network with reduced malware risk.
Your application control software can also provide you with information on system threats, web traffic, patterns in data, and traffic sources so you can see where potential threats may originate from. The features and benefits of application control solutions can help companies of any size run applications effectively and maintain network security on outdated systems.
Example Uses of Application Control
Because of the cost, regulations, and compliance challenges of upgrading an old OS, legacy systems, like XP, won’t go out of use anytime soon and will still be a common target for attackers. This leaves organizations with little choice but to protect vulnerable devices somehow, and locking them down may be one of the few viable options for legacy systems. In this situation, using application control software in default deny mode (allowing only authorized applications to run) works well. Here are a few more examples of devices that use legacy systems and can benefit from application control.
Another use case we see frequently is fixed function devices, such as kiosks running embedded operating systems. Think ATM or payment station, where you never see the underlying operating system. These devices only run a select few applications built specifically for them.
In this scenario, there is no reason for any software besides authorized applications to run. Customers shouldn’t be browsing the Internet on an ATM machine, so application control is appropriate on kiosks.
Computer Labs, Libraries, Call Centers, etc.
Similarly, some desktop computers in places like call centers and factory floors only run very stable and small sets of applications. Locking them down provides protection both from malware and employees loading unauthorized software or stealing data.
In both these use cases, you will get little to no pushback from employees about their inability to install and run arbitrary software. Nothing in their job description indicates they should be loading software or accessing anything but the applications they need to do their jobs.
So in these scenarios, application control solutions are an excellent fit.
Another clear use case for application control is server devices.
Servers tend to be dedicated to a handful of functions, so they can be locked down to those specific applications. Servers don’t call the Help Desk to request access to iTunes, and admins can be expected to understand and navigate the validation process when they have a legitimate need for new software. Locking down servers can work very well—especially since servers, as the repository of most sensitive data, are the ultimate target of most attacks.
General Purpose Devices
There has always been a desire to lock down general-purpose devices, which are among the most frequently compromised. Employees using a general purpose device have a habit of clicking stuff and are notoriously hard to control.
Theoretically, if you could stop unauthorized code from running on these devices, you could protect employees from themselves. End users push back against this because sometimes they legitimately need to install additional software. People get grumpy if they can’t do their jobs.
Application control does have a role on general-purpose desktops—so long as there is sufficient flexibility for knowledge workers to load legitimate software. In most cases, the application control software allows a grace period of a few hours to a day or so to run a new application before it needs to be explicitly authorized by a manager or IT person.
There are other situations where application control’s trust model needs to be more flexible to meet the realities of enterprise use—such as permitting authorized software distribution products, authorized publishers, and trusted users to install and run software.
Secure Systems with Application Control Software
Loosening application control’s trust model introduces a window of vulnerability for new malware to compromise devices. This enables employees to run new software to get their jobs done but presents a tricky trade-off which requires careful balancing. Many organizations deploy application control solutions successfully this way, but be sure you have other controls in place—such as network security monitoring and malware callback detection—to identify compromised devices when application control isn’t tight enough.