Unveiling the Power of Allowlisting in a University Setting

Unveiling the Power of Allowlisting
In a University Setting

Australia’s universities are prime targets for cyber-attack and are prioritising cybersecurity as a result. Implemented and managed well, allowlisting and execution control can be a powerful addition to universities’ cybersecurity arsenals.   

This blog explores the strategies and measures institutions can apply to successfully deploy allowlisting.   

Common gaps that exist in university environments

University cybersecurity postures and policies are maturing quickly to overcome the challenges presented by legacy IT environments and diverse user groups with different needs and expectations. At Airlock Digital, we see opportunities for institutions to address security issues that include:   

• Default acceptance of untrusted code: allowing untrusted code by default can introduce threats through internet downloads, phishing emails, USB devices, temporary directories and other means. 
• Limitations of Next Gen Antivirus (NGAV) and Endpoint Detection and Response (EDR): many NGAV/EDR platforms provide only limited automated blocking of malicious files, and require extensive, active threat hunting to resolve cyber incidents.
• Limited visibility and control in temporary directories: if universities cannot gain visibility of and control over files executing in temporary directories, users may use potentially unsafe files and breach security policies. 
• Increased cyber risk from academics and researchers: these roles carry comparatively high risk, as the type of work involved can be difficult to apply cyber security controls to.   
• Vulnerabilities in existing software: zero-day vulnerabilities in software on endpoints poses a significant risk.
• Legacy systems with limited vendor support: security vendors and technologies may not fully support legacy servers, devices and software.

What is allowlisting? 

Allowlisting entails creating an 'allowlist’ of files trusted by a university to run in its environment and blocking all other files by default.   

With allowlisting, universities can enable users to run these trusted files, while preventing all untrusted code, even when injected into trusted software, from executing. 

This helps proactively defend against potential cyber threats. 

What are the benefits of allowlisting?

Allowlisting provides a range of benefits to university security teams and end-user computing teams:

• For security teams: allowlisting implements a deny-by-default strategy that proactively blocks malware and reduces reliance on NGAV and EDR platforms. It also reduces exposure to zero-day vulnerabilities and phishing attacks. 

• For  end user computing teams: allowlisting enforces better change management, reduces service desk tickets, supplements patch controls, and provides real-time visibility for issue resolution.

Common allowlisting pitfalls (and how to overcome them)  

• Striving for perfect security versus practicality: by striking the right balance between security and practicality when deploying allowlisting, universities  can maximise the value of the project. This means avoiding the temptation to adopt strict security policies and take a granular approach from the start, which can significantly increase implementation timelines
• Aligning goals across teams: each team involved in an allowlisting deployment has its own priorities and interests. By making sure all stakeholders, including security, end-user compute and server teams are aligned, a university can lock in support for the project.  

Time and resource burdens: by selecting a lightweight, simple to use, secure and compliant allowlisting solution, universities can avoid time-consuming manual configuration and management burdens implementing the technology. This is a particular benefit for university IT teams experiencing the skills crisis and managing a long list of priorities. 

A strategic approach to allowlisting deployment

At Airlock Digital, we recommend universities take the following approach to successfully implement allowlisting:

• Start the deployment with servers, student labs, instrument devices such as microscopes and lab equipment, and corporate workstations before moving to more complex use cases involving academics and researchers.
• Focus on moving to enforcing policy as fast as possible. Universities with an enforced allowlist of 20,000 files, for examples, are in a considerably stronger position than those without any control over the files and applications in their environment.  Commence with audit mode to identify what files are running in the environment and build an allowlist informed by file reputation and expected behaviour. This could mean initially establishing some broad rules to achieve enforcement. After this is done, a university can refine the allowlist to become more restrictive and secure. . 
• Start with executable files (.exes) and software libraries (.dlls) and once enforced, perform script control.
• Align with the recommended Australian Signals Directorate Essential Eight maturity journey. Start by allowlisting program files and addressing temporary directories (Level 1 of the journey). Then progress to Level 2 and Level 3. 
• Be lenient when providing exemptions to users so you minimise disruption and secure support from stakeholders.
• Formulate a strategy to secure day-one alignment on the allowlisting solution from all relevant teams, including end-user compute, security, service desk and server and secure executive support. 
• Ensure each team has the access needed to perform its role with flexibility and freedom. Administrators of standard operating environments and servers administer policy, security specialists oversee decision and helpdesk teams provide exemptions.  A server team can have the ability to make changes to server policies and grant themselves exemptions as needed.

Reduce your  management overhead post-implementation

• Undertake a comprehensive audit of files and software within your environment to minimise disruption when building an allowlist 
• Integrate allowlisting into existing software management and deployment processes 
• Ensure you have can identify the need for exemptions in real-time and provide them quickly.
• Provide self-service exemption capabilities to power users to ensure they can access the software and files they need to on demand.

Implementing allowlisting in university environments is a nuanced endeavour that requires a comprehensive, balanced approach. By understanding the opportunities, embracing best practices, and involving all relevant stakeholders, your university can fully leverage allowlisting to improve its security posture. Airlock Digital’s allowlisting platform is simple, easy to use and has proven to effectively address risk in university environments.  

This article was written by Shantanu Gupta
Book a demo with Shantanu by clicking the button below.