Neil MacDonald
A member of the Gartner Blog Network

VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…

The Key to Successful Application Control is not to Control Applications

by Neil MacDonald  |  July 19, 2011  |  5 Comments

Counterintuitive? Yup.

I’ve worked with hundreds of clients on the design and implementation of application control (whitelisting) solutions. The key to a successful application control implementation is *not* having to manually manage the whitelist on an application-by-application basis.

Our goal should be to identify and approve how trust propagates to files on a system, not to be forced to approve each file individually – a concept referred to as “trusted change”. For end-user desktop computing, manually managing a whitelist on a file-by-file basis simply won’t scale. How can we automate the management of the whitelist? Here are some examples:

  • If a file/application/update is digitally signed by an application publisher that I trust, then the entire installation is trusted. This is probably the most common example and is the foundation of Microsoft’s improvements with Windows 7 AppLocker over Windows XP’s Software Restriction Policies. The trust granted this way is only as good as the publisher’s code-signing key: anything signed with a leaked or compromised certificate inherits the same trust, so the list of trusted publishers has to be curated and certificate revocations honored.
  • If a file/application/update is installed by a trusted process (e.g. a software distribution agent) on a system, then the entire installation is trusted. The agent itself should be identified by its signature or hash, not merely by its path or process name, since a path can be impersonated.
  • If a file/application/update is installed by a self-updating application (e.g. iTunes, Chrome, Firefox), then these changes are automatically trusted. Each updater thereby becomes a trust anchor, so the same publisher or hash identification applies to it.
  • If a trusted user/group (e.g. an IT admin, a departmental admin) installs the application, then the entire installation is trusted. This is the loosest of the four rules, because any code running under that user’s account, not just the user’s deliberate installs, inherits the trust; it is best combined with one of the process- or publisher-based rules above.

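The difference between approving files one at a time and approving how trust propagates can be seen directly in the AppLocker cmdlets that ship with Windows 7. The following is an added example, not code from the original post or from Microsoft; the staging paths and the "ContosoEditor" binaries are assumptions for illustration and should be replaced with a real signed application and a newer build of it. The first part builds a hash rule and a publisher rule from the same reference binary and tests both against the old and new build; the second part shows the "care and feeding" side, harvesting what actually ran during an audit-only period and turning it into proposed rules.

```powershell
# Added example (not from the original post or any vendor). Paths and binary
# names are assumptions; point them at a real signed application.
Import-Module AppLocker

$v1 = 'C:\Staging\ContosoEditor\1.0\ContosoEditor.exe'   # assumed: signed by the vendor
$v2 = 'C:\Staging\ContosoEditor\1.1\ContosoEditor.exe'   # assumed: newer build, same signer

# Collect publisher, path and hash information for the reference binary.
$info = Get-AppLockerFileInformation -Path $v1

# File-by-file control: a hash rule binds trust to these exact bytes, so the
# very next vendor update falls outside the whitelist.
$hashPolicy = New-AppLockerPolicy -FileInformation $info -RuleType Hash -User Everyone -Xml

# Trusted change: a publisher rule binds trust to the signer (plus product and
# binary name and a version range derived from the signature), so later builds
# from the same publisher can be allowed without editing the policy.
$pubPolicy = New-AppLockerPolicy -FileInformation $info -RuleType Publisher -User Everyone -Xml

# Evaluate both policies against the reference build and the newer build.
foreach ($rule in @('Hash', 'Publisher')) {
    $xml = if ($rule -eq 'Hash') { $hashPolicy } else { $pubPolicy }
    Test-AppLockerPolicy -XmlPolicy $xml -Path $v1, $v2 -User Everyone |
        Select-Object @{ Name = 'Rule'; Expression = { $rule } }, FilePath, PolicyDecision
}

# Care and feeding: after an audit-only period, read the AppLocker event log,
# generate publisher rules for signed files and hash rules only for unsigned
# ones, collapse similar rules, and write the result out for review before it
# is merged into the enforced policy.
$audited = Get-AppLockerFileInformation -EventLog `
    -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' -EventType Audited
$proposed = $audited | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml
$proposed | Out-File -FilePath 'C:\Staging\proposed-policy.xml' -Encoding UTF8
```

The hash rule can only ever match the 1.0 binary. Whether the publisher rule also admits 1.1 depends on the BinaryVersionRange that New-AppLockerPolicy generated from the 1.0 signature; inspect the XML and widen the range (or use -Optimize, which groups rules by publisher and product) if the build is not covered. The review step before merging the proposed policy is deliberate: anything that ran during the audit period, including software you did not intend to allow, shows up in that output.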
These are just a few of the more common examples out of the 20 or so scenarios that I believe are important. I’ve outlined these for clients evaluating application control solutions in a spreadsheet toolkit with the evaluation categories and suggested weightings.

Bottom line: Controlling whether or not a given file can execute is the easy part. The success of any end-user-targeted application control project lies in the automated care and feeding of the whitelist. There is simply no way this can be managed on a file-by-file basis.


Category: Virtualization Security

5 responses so far

  • 1 Peter Doyle   July 19, 2011 at 11:33 am

    This must be the worst title to an article I have ever seen (in the world of IT Security / governance) – foolish!

  • 2 Neil MacDonald   July 19, 2011 at 12:12 pm

    Within the apparent paradox lies a great truth.

    Our goal should be to identify and approve how trust propagates to files on a system and not be forced to approve each file individually.

    Don’t control applications, control trust models.

    Make sense?

  • 3 Shaloo Shalini   July 20, 2011 at 1:24 am

    As opposed to explicit control or ‘brute force’ control which is similar to whitelisting and has apparent scalability/zero-time issues – the author is (most likely) referring to implicit or ‘not-so-obvious-control’ strategy based on trust relationships. This is a well researched aspect in ‘social interactions’ context.

    Well, trust-based, dealing with rules/norms/sets for reputation/deception is the kind of scalable model for security that seems to be gaining a lot of traction lately, especially in the context of cloud computing. Not sure if you have looked at the nuggets from Simon Crosby (Citrix -> Bromium, a stealth startup for security in a ‘cloud world’).

  • 4 Paul Zimski   July 20, 2011 at 10:24 am

    Title preference aside (I kind of liked it), I think this is spot on, Neil. The idea of manual whitelist maintenance will never scale nor be agile enough to meet the needs of most organizations and their end-users. By setting up automated trust decisions it’s possible to strike a good balance between security, flexibility and overhead. If you think about reputation services (your high-integrity haystack analogy), one of the biggest reasons to build such a taxonomy is to provide the “trusted change engine” with enough metadata to help make some of these decisions. I also think that this approach changes the perception that application control has to mean “lockdown”. It really doesn’t. With a trusted change approach the organization gets to implement a policy that is relevant to its appetite for risk and its need for flexibility.

  • 5 Michael Bower   July 22, 2011 at 9:08 am

    I totally agree. With our Bit9 deployment, working with the Trusted Directory and Trusted Publisher features, we can dynamically add new software to our whitelist. I have found that it is easier to manage that process than trying to tackle the nightmare of adding software manually.