Bit9

Enterprise Application Whitelisting

Are You Ready for Enterprise Application Whitelisting? Part 3

Posted by Brian Gladstein on Thu, Mar 20, 2008

I'm writing my third posting in a series called "Are You Ready for Enterprise Application Whitelisting?" The purpose of these posts, as I've mentioned previously, is to help IT people understand whether their processes and organization are advanced and mature enough to be ready for implementing whitelisting, which basically means only letting pre-authorized software run on corporate PCs.

My previous posts covered a couple of questions, including "Is your IT staff stretched too thin?" and "Do you need better auditing, reporting, and compliance?" Both of these questions are related to the needs of the organization and the services IT provides. But our next checkpoint asks about the maturity of the systems that IT uses to manage PCs. So here it is:

 

Question 3: Are adequate software delivery (SMS, WSUS) systems in place?

 

So why do we ask this question? The reason is that if you have implemented good, strong processes for delivering software easily and efficiently to desktops, you are pretty much at the point where the next logical step for control is to whitelist the software on those PCs.

Think about it this way. Most companies' IT processes have matured over the years along a relatively consistent pattern:

 

  1. Provisioning / Imaging: Make it easy to get a standard image of the operating system and core applications when a new PC is issued to an employee, without taking a lot of time.
  2. Deployment / Delivery: Get new applications or updates to applications out to all the users without having an army of IT people carry CDs to each workstation one by one.
  3. Patch Management: Every time a new vulnerability or exploit is announced, vendors rush to deliver patches. A smooth patch management process means you don't have to scramble to protect your PCs.


So once you have these three components, you have effectively achieved total control over pushing software out to your PCs. So what's next for you? What are you looking to achieve after control over "pushed software?"

 

The answer is control over "pulled software." Users will receive their provisioned PCs and use the apps that are pushed to them... but then they will get on the Internet and start downloading their own apps. And as powerful as your software deployment processes are, most organizations cannot reach 100% coverage of the apps that their users need. So you have to rely on users being able to download apps for themselves so you don't have to send IT people to every user whenever they need something.

 

And now you've opened Pandora's box. Because you can't control what your users will install...

 

... unless you whitelist.

 

Because when you whitelist, you authorize your users to download certain apps, but they can't get whatever they want. This gives you control. 
