Managing Unapproved Applications

In today’s workplace, users aren’t satisfied with the applications provided by the internal IS staff.  In an effort to maximize their productivity and to improve their work environment (at least those are the reasons given), many users install applications brought in from home, downloaded from the Internet, or provided by a friend.  So if it makes your users happy, what’s the big deal?  

In this article, we’ll take a look at how the changing nature of network security is increasing the importance of end point security.  In addition, we’ll review the risks presented to your organization through the installation of unapproved and unmanaged applications.  Finally, we’ll explore some of the things you can do to protect your network from personal application installations. 

When PC networks first entered the computing stage, locking down the perimeter was usually sufficient to protect an organization’s information assets.  But today things have changed.  Laptops, wireless access points, and various mobile technologies are creating computing environments in which the perimeter should only be one component of a layered, integrated security infrastructure.  These devices bypass perimeter defenses, providing access to the network by applications that might or might not be managed and controlled.   Within such environments, end point device (desktops, laptops, etc.) security is more important than ever.

Most organizations provide best-practice protection in the form of anti-virus and anti-spyware software.  These solutions are a good start.  But if the end point devices on which they reside are wide open to the installation of unapproved applications, security is significantly reduced.  Aside from the argument that personal applications use up business bandwidth, these unmanaged programs are typically neither patched nor securely configured.  Since they are typically unknown to the IS department, they provide long term vulnerabilities to both the host device and other devices connected to the same network – including servers running critical business applications.

Employees using pirated software for business purposes is another risk related to unapproved applications.  It’s often unclear as to the organization’s liability in such cases.  However, taking steps to identify and control the use of unlicensed software shows that management does not condone its use.

There are essentially three things a security manager can do to deal with the spread of unapproved applications:

  1. Ignore it, and hope for the best
  2. Prohibit the installation of all unapproved applications
  3. Manage the installation of unapproved applications

Ignoring a problem hoping it will either go away or that you’ll beat the odds is not a very smart course of action – either for your organzation or your career.  I don’t think we need to spend any more time on this approach.

Prohibiting the installation of unapproved applications is certainly an effective way to control the problem.  But it presents additional problems for the team responsible for enforcement.  A list of approved applications must be developed and maintained.  Depending on the size and diversity of the business, this list might be very large and dynamic.  Locking down the end user devices is not difficult.  Proper configuration of rights and permissions, such as not allowing users to log in as local administrators, is very effective. 

Another approach involves allowing all applications except those on a “black list.”  If the black list is a short list of applications with known unacceptable risk, users have more freedom to install their personal favorites.  However, the problem of updates and secure configurations remains.  If the black list is extensive, it has the same effect as prohibiting all but approved applications.  In the latter scenario, selecting approved applications and maintaining the black list can be monumental tasks. 

In both prohibition approaches, an organization must either mandate that IS install all applications, or it must install a software compliance system that automatically monitors for new application installations resulting in activities to ensure policy compliance.   

A security manager might be able to pull off a policy of software prohibition, either complete or through the use of an extensive black list, if the rest of the IS department satisfies every need of the business users.  This includes responding to most if not all requests for functionality believed to be critical for personal or departmental success.  As most IT professionals know, this is a rare occurence. 

The third solution takes the middle ground between the previous two.  I found a description of it in an article by Dr. Todd Brennan entitled “Automatic graylisting of unwanted Software” (see link in Sources).  In his article, Brennan proposes that managers allow the installation of unapproved applications under the following circumstances:

  1. Once an unapproved application is installed, a policy directed action should take place immediately.  This can include one of two actions:
    1. Use of the application is blocked for a specified period until the assessment team checks out and approves or denies use of the application.
    2. Use of the application is allowed for a specified period while the assessment team checks out and approves or denies the use of the application.
  2. A system is in place to notify the application assessment team that an application not on the approved application list was installed.  The notification should include the identity of the PC on which the installation took place.
  3. The assessment team evaluates the new software based on the risk it presents to the organization.  It then approves the application and releases it for use or it denies its use.  In the first scenario, the application is added to the approved applications list.  In the second, it’s added to the application black list; the application is either disabled or uninstalled from the target machine

Choosing any one of these three approaches has consequences.  How you approach this issue depends on your organization’s culture and the level of risk your management team is willing to accept.

Author:  Tom Olzak 


Automatic graylisting of unwanted software

Outsourcing Security

Rogue Applications: What’s your Compliance Risk

Five Steps to Enforcing your Endpoint Security

Your email:  
subscribe unsubscribe  


Leave a Reply

You must be logged in to post a comment.