The Case for Authorized Application Lists
An Authorized Application List, or Whitelisting Applications is a method to approve applications for enterprise use if the business need exists while controlling and validating the source of the applications. If the application is not on the authorized list, it cannot be installed on the end device. An exception can be submitted and reviewed for approval by the Senior Leadership of the Organization.
This control may seem simple and low risk, but with the increased use of mobile devices, mobile applications have increasingly been used to scrub sensitive information from the mobile device, which increases the necessity of implementing and satisfying this security control. Applications are gaining access to the sensitive data for multiple reasons, it helps focus their marketing of products, the data can be sold to third party organizations for profit or used to install malware directly onto the device. These are just a few examples but many more exist. Be mindful of the “free” applications as well – if there isn’t a direct cost for the application, there is a high probability you become the product for their third-party partners. These examples have focused on personal data on the mobile device, such as contacts or web habits, but if the applications have access to storage areas, they can also scrub sensitive business information as well.
An Authorized Applications List or Whitelisting can be implemented and enforced in many ways, but the top-level approach should be a Corporate Policy defining the organizations stance on Authorized and Unauthorized Applications. Once the policy is written and authorized by the senior leadership of the organization, a procedure is written which allows all personnel involved with the ability to follow a repeatable process of evaluating the software. The list can be as simple as an Excel Spreadsheet to a fully deployed security suite that will evaluate if rogue software is trying to be installed and executed on the end device, therefore preventing the process from running. What method is used is not as important as having it defined. Just keep in mind it needs to be evaluated on a periodic basis or it will become out of date and ineffective.