IT departments and their parent organizations must make significant decisions on letting employees download and use outside applications. This is a tricky situation: While many of these apps bring value to the business, they are real security risks.
Processor offers some good insight into this vexing issue. The first step as it invariably is when the topic is security is educating employees on what to do and what not to do. It is important to remember that most workers want to do the right thing. They just don't always know how.
The story suggests that simply outlawing all employee-originated applications probably isn't the right answer. But there are easy calls. There are few good reasons for an employee to use peer-to-peer (P2P) in the enterprise, and whatever rationales there are are easily outweighed by the dangers. Law.com has a scary article about the dangers of P2P. The piece notes cases of dangerous leaks of personal and corporate information from the Walter Reed Army Medical Center, Citigroup's ABN Amro Mortgage Group and Pfizer. The bottom line is that not too many people are aware of how easily data can be lost by even innocent use of P2P.
There are other applications that bring more obvious value and are tougher calls. How actively an organization confronts employee-introduced applications depends to a great extent on how sensitive the organization's data is. A medical center must be more careful than a lumber company. Within this context, there are a number of technical options available, from eliminating employee installation rights in essence, making him or her ask every time he or she wants to add something to whitelisting.
Whitelisting is an old technology that is getting a new life because of the changing dynamics of the Internet. Simply put, the traditional signature-based means of stopping malware is fading in effectiveness because of the speed with which it is being produced and disseminated. Whitelisting lets companies check applications that are attempting to run on users' machines against databases of approved software. If it isn't on the list, it isn't approved and any potential problem is averted. Indeed, this InformationWeek columnist seens to think that whitelists are a key to the future.
This approach is increasingly used in conjunction with not instead of traditional antivirus software. Last week, for instance, Bit9 and McAfee announced an agreement under which Bit9's whitelisting software can be managed within McAfee's ePolicy Orchestrator. This type of coordination and integration can help find and make a hands up or down decision on consumer-originated programs.
Another and seemingly somewhat related approach to making sure employees' machines are safe is known as reputation-based analysis. This ZDNet post says that Symantec is working on a system that mines the huge database of its users. The company looks at the number of times each machine has been infected and characterizes their users as safe, somewhat safe and careless. When a program is detected on a machine for the first time, the system looks at the classifications of machines running it. If, for instance, the preponderance of PCs using the software are in the safety-first class, the rating is good and the software most likely is allowed. If the majority using the software are from the high-risk pool, the recommenation likely will be to nix the program.