It's crucial for organizations to define and enforce a list of approved services, applications, and app stores that are acceptable for endpoints to use when accessing or storing company data. By centrally managing and applying these policies, you can significantly reduce the risk of data leakage or compromise. However, there are trade-offs to consider in terms of user experience and productivity.

Where did this come from?

This control comes from the CSA Cloud Controls Matrix v4.0.10 released on 2023-09-26. You can download the full CCM here. The CCM provides a comprehensive set of security controls designed for cloud computing environments. For related guidance, check out the AWS documentation on managing user devices and endpoint security.

Who should care?

This control is important for:

• IT managers responsible for endpoint security
• Security teams seeking to prevent data leakage
• Compliance officers ensuring appropriate guardrails are in place
• End-users who want to safely access company data on various devices

What is the risk?

Without appropriate restrictions, end-users may inadvertently (or intentionally) use unapproved apps and services to access or store sensitive company data. This could lead to:

• Data leakage if info is synced/backed up to personal cloud storage
• Malware infections from dodgy apps
• Regulatory compliance violations (e.g. HIPAA, PCI-DSS)
• Reputational damage and loss of customer trust

While adopting a strict whitelist approach can significantly reduce these risks, determined insiders may still find ways to circumvent the rules.

What's the care factor?

For companies dealing with regulated data (healthcare, finance, government etc.), implementing this control is a must. The consequences of a breach are simply too high.

Even for lower-risk organizations, it's still strongly advisable as a security baseline. While a 100% locked-down environment isn't realistic for most, finding a balanced middle-ground is important. Don't underestimate the risk of well-meaning employees using shadow IT.

When is it relevant?

Application allow-listing makes sense when:

• Dealing with highly sensitive data
• Strict regulatory compliance standards apply
• Providing access to corporate data on BYOD devices
• High risk of malicious insider threats

It's less applicable for:

• Standalone systems not connected to core IT
• Low-risk data (public info, marketing collateral etc.)
• Heavily restricted environments (e.g. call centers, point-of-sale systems)

What are the trade-offs?

Locking down the endpoint app ecosystem comes with costs:

• Significant administrative overhead to define and maintain allow-lists
• Negative impact on user productivity if key apps are blocked
• Frustration and morale drop for employees
• Lack of flexibility for power-users who require niche tools

There's also the risk that overly restrictive policies will just push people to find risky workarounds. A pragmatic balance between security and usability is key.

How to make it happen?

1. Start by cataloging all software and cloud services currently used to access/store company data. Don't forget mobile apps.
2. Perform a risk assessment to classify apps as approved, restricted, or prohibited based on data handling practices, security posture etc.
3. Define allow-lists in a formal policy and communicate this to all staff. Provide business justifications and an exceptions process.
4. Configure endpoint management tools to enact the allow-lists. For example:
   • Use Microsoft Intune App Protection Policies to block copy/paste and restrict save locations.
   • Prevent app installs from 3rd party app stores via MDM.
   • Restrict browser extensions and plugins.
   • Block USB storage devices.
5. Monitor endpoints for installation of unapproved apps. Automate uninstall where possible.
6. Regularly review and update allow-lists as new apps emerge and business needs change.

What are some gotchas?

• Applying policies to BYOD devices can be challenging and may require employees to enroll personal devices in MDM.
• Technical issues can arise when restricting browser functionality. Test thoroughly before broad rollout.
• Overly long allow-list review cycles can lead to employees adopting unvetted apps. Put processes in place to fast-track approvals.
• Some advanced endpoint management settings require devices to be Azure AD joined. Consider the licensing implications.

What are the alternatives?

Rather than managing individual apps, some organizations adopt a data-centric approach:

• Use Cloud Access Security Brokers (CASBs) to monitor and restrict data flows to unsanctioned cloud apps.
• Deploy Data Loss Prevention (DLP) to enforce data policies directly (e.g. block PII from being saved to non-corporate storage).
• Adopt secure container solutions to isolate corporate apps and data within a managed environment on the device.

However, these solutions tend to be more complex and expensive to implement than simple allow-listing.

Explore further

• CSA Cloud Controls Matrix v4 - INV-04 (Endpoint Service Approval)
• NIST SP 800-53 Rev. 5 - [CM-7(4)](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=CM-7&keywords=allowed software) (Allowed Software)
• Microsoft - Endpoint Manager Intune Documentation
• SANS - A Guide to Managing Microsoft 365 App Policies

‍