I’ve written multiple times on the power of whitelisting (default deny) for applications running on end-user workstations and servers. I am convinced that whitelisting should be foundational in our strategy for securing endpoints.
So far, the application control vendors have focused on whitelisting which applications are allowed to run. This is straightforward in concept, but more difficult in practice. The approach works well for servers and for users whose compute environment is relatively static, but it becomes harder in environments where applications change frequently or where end users frequently need to modify and extend their computing environment.
Is there another approach?
What if we instead placed mandatory access controls with a default deny approach on the data instead?
The thinking would be to allow any application to run, but to limit access to the sensitive data that might be stored on the endpoint to only those applications that require it (the whitelist). Instead of whitelisting which applications are allowed to run, we whitelist which applications are allowed to see a given set of sensitive data. How? Likely using some type of cryptographic protection mechanism where only the applications that are whitelisted are given the key.
To be clear, not all data access on the endpoint would need to be whitelisted – only the sensitive data (including the OS system files).
Any application can run. Even malware. But an application that is not whitelisted for sensitive data access cannot read sensitive information. The vast majority of malware is rendered harmless.
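A sketch of the key-release model described above, added here as an illustration and not code from the original post: application identity is the hash of its binary, each sensitive dataset carries its own allowlist of hashes, and the broker hands out a dataset's key only to a listed application, denying by default. The HMAC-based stream cipher, the measurement scheme and the constructed policy are assumptions standing in for a real AEAD and an OS- or hardware-backed attestation of what is asking.

```python
import hashlib
import hmac
import os

# Constructed example: application identity is the SHA-256 of the program's
# bytes; a dataset's key is released only to identities on its allowlist.

def measure(app_bytes):
    """Identity of an application: hash of its binary (a hypothetical measurement)."""
    return hashlib.sha256(app_bytes).hexdigest()

class KeyBroker:
    def __init__(self, master_key, policy):
        self._master = master_key
        self._policy = policy  # dataset name -> set of allowed application hashes

    def release_key(self, dataset, app_bytes):
        # Default deny: a dataset with no policy entry has an empty allowlist.
        if measure(app_bytes) not in self._policy.get(dataset, set()):
            raise PermissionError(f"{dataset}: application not whitelisted")
        # Per-dataset key derived from the master key (simplified HKDF-style step).
        return hmac.new(self._master, dataset.encode(), hashlib.sha256).digest()

def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]

def protect(key, plaintext):
    """Toy stream cipher (HMAC keystream, no integrity tag) standing in for a real AEAD."""
    nonce = os.urandom(16)
    return nonce + bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def unprotect(key, blob):
    nonce, body = blob[:16], blob[16:]
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))

# Constructed sample applications and policy (placeholders, not real binaries).
MASTER_KEY = b"\x01" * 32  # placeholder; a real broker would keep this in a TPM or vault
REPORTING_TOOL = b"#!/usr/bin/env python3\nprint('quarterly report')\n"
UNKNOWN_APP = b"#!/usr/bin/env python3\nprint('not on the list')\n"
POLICY = {"customer_records": {measure(REPORTING_TOOL)}}
```

Calling `KeyBroker(MASTER_KEY, POLICY).release_key("customer_records", REPORTING_TOOL)` returns the dataset key, while the same call with `UNKNOWN_APP`, or for a dataset with no policy entry, raises `PermissionError` and the data stays ciphertext for that program.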
Food for thought.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.