Bit9

This is my second posting in a series that is meant to help you determine if you are ready for enterprise application whitelisting. For the uninitiated, application whitelisting is a method of operating a PC environment that only lets authorized software run. That means unless you (as the IT department of a company or an organization) allow an application to run, it is prohibited from executing on a computer.

These days solution providers like Bit9 (the leader in Enterprise Application Whitelisting) are paving the way for companies to implement a whitelisting strategy that is easy and effective - and one that can really have an impact in how you secure your desktops and data.

But many companies are asking themselves: am I ready for application whitelisting? To help answer this, my previous post asked the question "Is your IT staff stretched too thin?"

Here is the second question you can ask yourself to determine if you are ready for enterprise application whitelisting.

Question 2: Do you need better auditing, reporting & compliance?

There has been a veritable explosion in requirements placed on companies to inventory and audit their software environments. Driving these demands are a number of different activities ranging from regulations to industry guidelines to software vendors. But one thing is for sure - companies can no longer afford to not know what is happening on their corporate desktops and laptops.

Let's look at a few specific examples of where compliance is being pushed into IT:

• PCI Compliance: organizations that accept payment cards including credit cards and debit cards (primarily retail, finance, healthcare, and many more) are subject to these industry requirements to ensure the integrity of any computing system that handles payment card information (credit card numbers, accounts, etc.)
• Sarbanes-Oxley: Public comapnies in the United States must ensure that their financial systems have not been tampered with and the integrity of the financial reporting data remains in tact.
• HIPAA: Hospitals, physicians, health insurance companies, and other health-related industries are required by law to protect the privacy of patients' information and history, ensuring that only authorized individuals and systems can access access any specific information.
• Federal Desktop Core Configuration (FDCC): Federal agencies in the United States are now required by the OMB (Office of Management & Budget) to harden their Windows desktops to a very specific and detailed Windows configuration.
• Software Vendor Licensing: Large software companies have been stepping up the fight against piracy by conducting large-scale audits of their customers to identify any gap between how many copies of a software product are in use and how many the company had paid for. This often results in an unexpected, but sizeable "true-up."
• Computer Forensics: With so much data being produced and transmitted throughout organizations, many are finding it in their interest to create a forensics capability. You can hope you don't need it, but in the case of lawsuits, disgruntled employees, and other unpleasant events, it can be very useful to understand who did what and when.
• Consolidation: As companies merge and acquire, IT departments end up being responsible for multiple redundant systems. Many of them become forgotten - although the company still pays a heavy maintenance stream. So knowing what is actually in use can reap significant savings in software costs.

What's happening at many companies is that they are finding themselves under the demands of several of these drivers at once. Take as an example a large, public retailer - they will have to adhere to rules and guidelines put forth by the PCI Council, SOX, and their software vendors... maybe others as well.

Precisely because of these overlapping requirements, companies are proceeding along two simultaneous paths:

1. Simplify the data trail with a single, multi-purpose audit stream.
   
2. Enforce more, audit less by putting better controls around the desktop that limit policy violations and vastly reduce the data processing involved in demonstrating compliance.
   

Application whitelisting is a critical activity for both of these because having a rich inventory of the applications in use, and being able to prevent unauthorized software from being used can greatly reduce the cost of getting to compliance and systematically proving it on a regular basis.

So if you are under pressure to audit and report on the software in your environment and to prove that your computers are in compliance, you have met criteria #2 for being ready for Enterprise Application Whitelisting.

Over the past few months we've been reading more and more about how application whitelisting solutions - like Bit9's - may end up becoming the de facto mechanism for securing corporate Windows PCs in the near future.

So let's assume for a moment that yes, application whitelisting is the wave of the future and yes, you will be basing your security strategy on only allowing software that you know and trust to run in your environment. The next obvious question is...

What can you do to prepare for running an environment where people can only use company-authorized software? In the next few postings I'll present some ways to assess your readiness for enterprise application whitelisting.

Without further ado, here's the first question you can ask yourself to determine if you are ready for whitelisting.

Question 1: Is your IT staff stretched too thin?

If you have got an IT staff that is too busy "fighting fires" on users' systems and cleaning up after messy software downloads or ugly malware incidents, you are probably aching to get more control over your desktops. After all - your IT staff's time is too valuable to be spent on every little problem that comes up. There are bigger fish to fry, like when you are going to deploy Windows Vista, or how to consolidate computing resources across the enterprise, or how to achieve PCI, SOX, and HIPAA compliance.

Yet many IT departments simply get behind the 8-ball with respect to their desktop infrastructure. As users' computers age, the software on them drifts so that they look very different from how they looked when they were first provisioned. Those inconsistencies cause problems in everything from security to auditability to software licensing costs.

But imagine for a minute what would happen if you could eliminate those inconsistencies. If you could ensure that a software you provisioned did not drift from your original copy of it - and only software you approved or authorized was allowed to run on it.

Wouldn't this make your job so much easier? Wouldn't it reduce the number of problems you have to deal with on a monthly and even daily basis? You bet it would! And customers who have implemented application whitelisting are realizing every day how much more productive they can be when they aren't spending all their times firefighting.

So if you think your IT staff hasn't got the time to address the initiatives it should be... you are probably ready for enterprise application whitelisting!