Gartner Blog Network

The Key to Successful Application Control is not to Control Applications

by Neil MacDonald  |  July 19, 2011  |  5 Comments

Counterintuitive? Yup.

I’ve worked with hundreds of clients on the design and implementation of application control (whitelisting) solutions. The key to a successful application control implementation is *not* having to manually manage the whitelist on an application-by-application basis.

Our goal should be to identify and approve how trust propagates to files on a system and not be forced to approve each file individually – a concept referred to as “trusted change”. For end-user desktop computing, manually managing a whitelist on a file-by-file basis simply won’t scale. How can we automate the management of the whitelist? Here are some examples:

  • If a file/application/update is digitally signed by an application publisher that I trust, then the entire installation is trusted. This is probably the most common example and is the foundation of Microsoft’s improvements with Windows 7 AppLocker over Windows XP’s Software Restriction Policies. The check that matters is the signature itself, not the publisher’s name: a publisher rule should match on a validated signature and, where the product supports it (as AppLocker’s publisher rules do), be scoped to product name, file name and version, so that trusting one signing key does not silently approve everything that vendor ever ships.
  • If a file/application/update is installed by a trusted process (e.g. software distribution agent) on a system, then the entire installation is trusted.
  • If a file/application/update is installed by a self-updating application (e.g. iTunes, Chrome, Firefox), then these changes are automatically trusted.
  • If a trusted user/group (e.g. IT admin, departmental admin) installs the application, then the entire installation is trusted.
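
The trust-propagation idea behind these four rules, as an added illustration of my own (not code from this post or from any vendor’s product): the administrator maintains a small trust model, each file write is approved by the rule it satisfies, and an approved installer’s output is approved in turn, so the whitelist grows without anyone approving files one at a time. Paths, publisher names, accounts and file contents are constructed sample data; TrustedChangeEngine, WriteEvent and the rule tables are hypothetical names, and the publisher field is assumed to be filled in only after the operating system has validated the signature.

```python
"""Toy 'trusted change' engine (illustration only, not any product's design).

Instead of approving files one by one, the administrator approves *sources of
change*: a trusted publisher signature, a trusted installer process, a
self-updating application, or a trusted user. Every file written by an
approved source is whitelisted, and a signed or admin-installed executable
becomes a trusted writer itself, so trust propagates through an installation
rather than through an administrator's queue.  All names below are made up.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# The trust model: a handful of entries an admin can actually maintain.
TRUSTED_PUBLISHERS: Set[str] = {"Example Software GmbH"}
TRUSTED_INSTALLERS: Set[str] = {r"C:\Program Files\DistAgent\agent.exe"}
SELF_UPDATERS: Set[str] = {r"C:\Program Files\Browser\updater.exe"}
TRUSTED_USERS: Set[str] = {r"CORP\it-admin"}


@dataclass
class WriteEvent:
    path: str            # destination of the new or changed file
    content: bytes       # bytes written; the whitelist is keyed on their SHA-256
    writer: str          # image path of the process that performed the write
    user: str            # account the writer ran as
    publisher: Optional[str] = None  # signer name, set only if the OS validated the signature


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class TrustedChangeEngine:
    def __init__(self) -> None:
        self.approved: Dict[str, str] = {}  # sha256 -> rule that approved it
        # Processes whose writes are trusted. Seeded from policy and grown as
        # signed installers appear; this set is what an auditor should read.
        self.trusted_writers: Set[str] = set(TRUSTED_INSTALLERS) | set(SELF_UPDATERS)

    def classify(self, ev: WriteEvent) -> Tuple[Optional[str], bool]:
        """Return (rule that approves this write or None, whether it may propagate).

        Only rules that introduce a *new* installation (signed by a trusted
        publisher, installed by a trusted user) let the written executable
        become a trusted writer. Output of an existing trusted writer is
        approved but does not itself become a trust source; otherwise one
        updater would turn every executable it touches into a trust source.
        """
        if ev.publisher is not None and ev.publisher in TRUSTED_PUBLISHERS:
            return f"signed by trusted publisher {ev.publisher}", True
        if ev.user in TRUSTED_USERS:
            return f"installed by trusted user {ev.user}", True
        if ev.writer in SELF_UPDATERS:
            return f"self-update performed by {ev.writer}", False
        if ev.writer in self.trusted_writers:
            return f"written by trusted installer {ev.writer}", False
        return None, False

    def on_write(self, ev: WriteEvent) -> bool:
        """Record a file write; returns True if the new content is now approved."""
        reason, propagates = self.classify(ev)
        if reason is None:
            return False            # unapproved; execution of this content will be denied
        self.approved[sha256(ev.content)] = reason
        if propagates and ev.path.lower().endswith((".exe", ".msi")):
            self.trusted_writers.add(ev.path)   # the installer may now install
        return True

    def may_execute(self, content: bytes) -> bool:
        """Enforcement point: a hash lookup, with no per-file admin decision."""
        return sha256(content) in self.approved


def demo() -> Dict[str, bool]:
    """Walk the four rules through one engine; constructed events, not real telemetry."""
    eng = TrustedChangeEngine()
    browser = r"C:\Program Files\Browser\browser.exe"      # not a trusted writer
    setup, helper, patch, dropper = b"MZ setup", b"MZ helper", b"MZ patch", b"MZ dropper"
    results = {
        # 1. Signed installer downloaded by an ordinary user: publisher rule.
        "signed_installer": eng.on_write(WriteEvent(
            r"C:\Users\alice\Downloads\setup.exe", setup, browser, r"CORP\alice",
            publisher="Example Software GmbH")),
        # 2. That installer runs and drops an unsigned DLL: approved by propagation.
        "installed_helper": eng.on_write(WriteEvent(
            r"C:\Program Files\Example\helper.dll", helper,
            r"C:\Users\alice\Downloads\setup.exe", r"CORP\alice")),
        # 3. The browser's own updater replaces the browser binary: self-update rule.
        "self_update": eng.on_write(WriteEvent(
            browser, patch, r"C:\Program Files\Browser\updater.exe", r"NT AUTHORITY\SYSTEM")),
        # 4. Unsigned executable saved by the browser for a normal user: no rule applies.
        "dropper": eng.on_write(WriteEvent(
            r"C:\Users\alice\Downloads\invoice.exe", dropper, browser, r"CORP\alice")),
    }
    results["helper_runs"] = eng.may_execute(helper)
    results["dropper_runs"] = eng.may_execute(dropper)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18} {'approved' if ok else 'denied'}")
```

Two things to carry over from the toy: the publisher field must come from the operating system’s own signature validation (a name string is not evidence, which is why AppLocker publisher rules are evaluated against the file’s Authenticode signature), and trusted_writers is the set to audit, because anything such a process writes is approved with no further question. Note also that the updated browser binary in step 3 is approved but does not become a trusted writer, which is what keeps the dropper in step 4 denied.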

These are just a few of the more common examples out of the 20 or so scenarios that I believe are important. I’ve outlined these for clients evaluating application control solutions in a spreadsheet toolkit with the evaluation categories and suggested weightings.

Bottom line: Controlling whether or not a given file can execute is the easy part. The success of any end-user-targeted application control project lies in the automated care and feeding of the whitelist. There is simply no way this can be managed on a file-by-file basis.

Category: virtualization-security  

Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…

Thoughts on The Key to Successful Application Control is not to Control Applications

  1. Peter Doyle says:

    This must be the worst title to an article I have ever seen (in the world of IT Security / governance) – foolish!

  2. Neil MacDonald says:

    Within the apparent paradox lies a great truth.

    Our goal should be to identify and approve how trust propagates to files on a system and not be forced to approve each file individually.

    Don’t control applications, control trust models.

    Make sense?

  3. Shaloo Shalini says:

    As opposed to explicit control or ‘brute force’ control which is similar to whitelisting and has apparent scalability/zero-time issues – the author is (most likely) referring to implicit or ‘not-so-obvious-control’ strategy based on trust relationships. This is a well researched aspect in ‘social interactions’ context.

    Well, Trust based, dealing with rules/norm/sets for reputation/deception is the kind of scalable model for security that seems to be gaining a lot of traction lately. Especially in the context of cloud computing. Not sure if you have looked at the nuggets from Simon Crosby (Citrix->Bromium – stealth startup for security in a ‘cloud world’).

  4. Paul Zimski says:

    Title preference aside (I kind of liked it), I think this is spot on Neil. The idea of manual whitelist maintenance will never scale nor be agile enough to meet the needs of most organizations and their end-users. By setting up automated trust decisions it’s possible to strike a good balance between security, flexibility and overhead. If you think about reputation services (your high integrity haystack analogy), one of the biggest reasons to build such a taxonomy is to provide the “trusted change engine” with enough metadata to help make some of these decisions. I also think that this approach changes the perception that application control has to mean “lockdown”. It really doesn’t. With a trusted change approach the organization gets to implement a policy that is relevant to their appetite for risk and their need for flexibility.

  5. Michael Bower says:

    I totally agree. With our Bit9 deployment, working with the Trusted Directory and Trusted Publisher features, we can dynamically add new software to our whitelist. I have found that it is easier to manage that process vs trying to tackle the nightmare of adding software manually.
