Airlock Blog

What is allowlisting and why is it important?

Written by Iain Ferguson | 20 March 2024

What is allowlisting and why is it important?

Businesses, governments and the people who work for them are being targeted in increasing numbers by hostile actors using sophisticated tools and techniques including ransomware and spyware.

This environment makes cyber security a key priority for businesses and government organisations. A security posture that manages risk without compromising operations and innovation can pave the way for businesses and organisations to navigate this dynamic threat environment without disruption. 

Application allowlisting–formerly application whitelisting–is integral to achieving an effective security posture.

What is allowlisting?

So what is allowlisting and what does it do? Put simply, allowlisting allows only processes, files and applications approved by a business or organization to run in its environment, with all other processes, files and applications blocked. 

This reduces the risk of malicious code executing in that environment.

Allowlisting is increasingly recognized as a critical element of an effective cyber security architecture by bodies such as the Australian Signals Directorate, the United States National Institute of Standards and Technology, and the United States Department of Defense.

Supporting the practical way organizations operate

So what constitutes an effective allowlisting solution? At Airlock Digital, we believe allowlisting software should–above all–support the practical ways organizations operate, rather than a utopian security ideal in which almost nothing is allowed and no exceptions are made. 

The solution should be configurable to allow customers to make determinations on applications and files based on their own definitions of trust. This provides a higher level of security than if a vendor was to make decisions on behalf of customers, because attackers do not know what the customers’ definition of trust is. They cannot determine how to penetrate a customers’ environment simply by obtaining a copy of a product and testing malware against it.    

Functionally, an allowlisting solution should:

  • Block everything other than files defined as ‘trusted’ to stop unknown or untrusted code from executing
  • Provide access to real-time data to enable quick policy decisions that minimize business disruption
  • Be delivered through the cloud or on-premise 
  • Scale across all endpoints, including desktops, servers, mobile devices and more, in line with the needs of the business or organization
  • Give administrators a range of options to allowlist applications
  • Include exception management workflows that support user access and administrator requirements 
  • Incorporate a fast closed feedback loop when new applications and files are requested, to accommodate the fact users typically do not proceed with a task if they need to wait more than a few minutes for approval
  • Include blocklisting that overrides an allowlist and persists through exemptions as a further control against malicious code. 

Providing time-limited exceptions     

An effective allowlisting solution should enable administrators to provide time-limited exemptions to non-allowlisted applications and files requested by users. Imposing a time limited exemption after which an endpoint reverts to its previously allowlisted state ensures administrators do not leave endpoints in exemption states longer than necessary.  

This avoids ‘exemption sprawl’ whereby large numbers of endpoints operate in an exempt state, potentially compromising a business or organization’s security posture. 

Building security tools for non-security people

Further, allowlisting should be about providing security tools to non-security people. The reality is that a large number of organisations do not have dedicated security team members to manage deployments, but still need to manage risk in today’s increasingly complex threat environment. 

An allowlisting solution accessible and easy to use for key people within the technology function, such as system administrators who typically know what is running in an environment and can manage allowlisting at scale, is the answer. 

With the right allowlisting solution in place, businesses and government organizations can position themselves to seize the opportunities of the digital era while minimizing the risk presented by increasingly sophisticated threats.  

 

Airlock Digital is here to help!
Book a demo with any of our team members
by clicking the button below.