I’ve written multiple times on the power of whitelisting (default deny) for applications running on end-user workstations and servers. I am convinced that whitelisting should be foundational in our strategy for securing endpoints.
So far, the application control vendors have focused on whitelisting which applications are allowed to run. This is straightforward in concept, but more difficult in practice. The approach works well for servers and for some types of users whose compute environment is relatively static, but it becomes harder in environments where the applications change frequently, or where end users frequently need to modify and extend their computing environment.
Is there another approach?
What if we instead placed mandatory access controls with a default deny approach on the data instead?
The thinking would be to allow any application to run, but limit access to sensitive data that might be stored on the endpoint to only those applications that require it (the whitelist). Instead of whitelisting which applications are allowed to run, we whitelist which applications are allowed to see a given set of sensitive data. How? Likely using some type of cryptographic protection mechanism where only the applications which are whitelisted are given the key.
To be clear, not all data access on the endpoint would need to be whitelisted – only the sensitive data (including the OS system files).
Any application can run. Even malware. But without being whitelisted for sensitive data access, it cannot reach the sensitive information. The vast majority of malware is rendered harmless.
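To make the mechanism concrete, here is an added illustration that is not code from the original post: a small key broker that identifies the requesting executable by hash, checks it against a per-dataset whitelist, and releases the dataset key only on a match while recording every decision. The application images, the master key and the XOR "cipher" are constructed stand-ins for a real measured binary identity and a real AEAD.

```python
from __future__ import annotations
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed sample "executables": a real deployment would measure the signed
# binary on disk (or its code-signing identity), not a short byte string.
PAYROLL_APP = b"payroll-app-v1.0"
BROWSER_APP = b"web-browser-v99"
UNKNOWN_BIN = b"dropped-by-phishing-mail.exe"

def app_identity(executable: bytes) -> str:
    """Identify an application by the SHA-256 of its executable image."""
    return hashlib.sha256(executable).hexdigest()

@dataclass
class DataKeyBroker:
    """Policy point: releases a per-dataset key only to whitelisted apps.
    Default deny: an unlisted application gets no key, and every decision
    is recorded so denials can feed detection."""
    master_key: bytes
    whitelist: dict[str, set[str]]          # dataset -> allowed app hashes
    audit: list[tuple[str, str, str]] = field(default_factory=list)

    def dataset_key(self, dataset: str) -> bytes:
        # Derive a distinct key per sensitive dataset from the master key.
        return hmac.new(self.master_key, b"dataset:" + dataset.encode(), hashlib.sha256).digest()

    def request_key(self, dataset: str, executable: bytes) -> bytes | None:
        ident = app_identity(executable)
        allowed = ident in self.whitelist.get(dataset, set())
        self.audit.append((dataset, ident[:12], "ALLOW" if allowed else "DENY"))
        return self.dataset_key(dataset) if allowed else None

def toy_xor(key: bytes, data: bytes) -> bytes:
    """Keystream XOR for illustration only; a real system would use an AEAD."""
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))

def demo() -> dict:
    broker = DataKeyBroker(b"constructed-master-key-for-demo",
                           {"payroll": {app_identity(PAYROLL_APP)}})
    sealed = toy_xor(broker.dataset_key("payroll"), b"salary table 2024")  # data at rest
    results = {}
    for name, exe in (("payroll", PAYROLL_APP), ("browser", BROWSER_APP), ("unknown", UNKNOWN_BIN)):
        key = broker.request_key("payroll", exe)   # only the payroll app gets it
        results[name] = toy_xor(key, sealed) if key else None
    results["audit"] = broker.audit
    return results
```

Note that the same payroll application is also refused a key for any dataset it is not listed for, so the whitelist is per data set rather than a blanket grant to the application.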
Food for thought.