Slowly but surely, Application Control is changing the way most people think about traditional security policies. And in this day and age, it's becoming a mainstay in a comprehensive security-driven environment.
The reason? Major security threats have evolved, says Jason Clark, Fortinet security evangelist. But the way users consume information and access the Internet has evolved too.
Instead of consuming static content such as a hardbound encyclopedia, users now consistently access dynamic content such as Wikipedia - a development not lost on hackers, Clark says.
Meanwhile, hackers have learned that traditional firewalls do an adequate job of blocking connection-based attacks, and that intrusion and antimalware technologies often successfully detect content-based threats. As a result, the low-hanging fruit is often unknown vulnerabilities in specific, often popular applications, Clark says.
But why is it so important these days? True to its name, Application Control gives organizations the ability to control not only services such as HTTP, but also specific applications, and in many different ways.
Like traditional firewall enforcement technology and other security mechanisms, Application Control gives IT administrators the ability to enforce written policy. It takes security policy up a notch, however, by looking not only at packet header information, such as source or destination port, but also into the packet payload to identify applications at a granular level, Clark says.
But contrary to popular belief, there is far more to the technology than just blocking or accepting applications, Clark contends.
“The most important aspect of this technology involves securing the applications in addition to securing the end user consuming or hosting the application,” he says.
Google Talk, for example, is considered a business application, but it can also become a threat if it's used as a vector for malware or phishing. Application Control gives administrators a way to effectively react to these types of threats.
Application Control is also commonly used in the workplace to give administrators accurate readings of application usage and the bandwidth each application consumes. Many organizations also take advantage of Application Control to conduct risk assessments and bandwidth analysis to determine what types of applications are being used on their network. Organizations can subsequently take steps to block malicious or offensive apps, as well as limit time-wasters and bandwidth consumers, all while applying role-based application policies.
“For example,” Clark says, “Rick in the marketing department may be allowed to access social media applications for marketing purposes, while customer service representatives should have limited, if any, access to social media applications. This is an example of why a role-based application policy can not only increase employee productivity but also secure and control application usage.”
But role-based policy can also cause problems, especially when one group (marketing) is allowed access to popular applications that another (janitorial) is not. And politics can certainly play a role for some organizations when applying role-based security, Clark says, although the majority of organizations have a written policy known to most employees.
To alleviate tensions, many organizations have started taking on Application Control in a phased approach. The first phase is the implementation of visibility, to determine what applications are currently in use and by whom. Ideally, this phase should last for at least two weeks before being assessed by policy makers, Clark says.
The second phase should generally consist of delineating acceptable application usage based on employee roles within the organization and informing users about what their specific application usage should look like. The final phase is the enforcement of the newly defined application security policy.
“At this point administrators now have a clear understanding of what applications are on the network, how much bandwidth they are consuming, and who should be allowed to use said applications,” Clark says. “Application Control should be considered an extension of existing Web usage policies in that organizations now have the ability to protect users from malicious application usage while increasing the catch rate on unproductive activity. Once management understands the ease of deployment with most application control systems I think any previous concerns will subside.”