Whitelist or Blacklist Applications?

I get this question a lot from folks – both as it applies to mobile devices and also as it applies to the managed network in general.  Here are my thoughts.

A blacklist is a list of applications that are not allowed.  A whitelist is a list of applications that are allowed.  It is that simple.  In my opinion, a whitelist is MUCH easier to manage than a blacklist.

Why?  Because you know the applications that you want your users to have access to.  It is a finite, limited list, and if a new allowed application comes along, you can easily add it to the whitelist.  It should always be a fairly small list.  On the other hand, a blacklist is an infinite list of applications that are not allowed.  Can you imagine managing this?  How on earth do you manage this list without knowing about every application on Earth?  Granted, you could create a blacklist of applications already installed on the computing device that you don’t want the user to run and then lock that computing device’s image so that no additional applications could be installed, but that is more work.  This “image lock” method also makes it difficult to push AV engine and signature file updates as well as Operating System patches.

Now with a whitelist, you still have to manage a list, but you know what applications you will allow.  And you can easily add to the list if needed.  Everything else is not allowed.  Now, this still allows a user to install pretty much anything they want, but they cannot run it unless it is on the list.  And chances are good that the install will fail, as the install program will almost certainly not be on the list.  You may also have difficulties with AV and Operating System updates/patches.
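
The default-deny versus default-allow behaviour described above, as an added example that is not part of the original post.  It assumes applications are identified by the SHA-256 hash of their file contents; all file names and contents are constructed samples.

```python
import hashlib

def sha256(data: bytes) -> str:
    """Identify a binary by content hash, so renaming the file changes nothing."""
    return hashlib.sha256(data).hexdigest()

# Constructed sample "binaries": name -> contents (stand-ins for real executables).
FILES = {
    "mail.exe":       b"mail client 1.0",
    "mail_v1.1.exe":  b"mail client 1.1 (vendor patch)",
    "game.exe":       b"known unwanted game",
    "game_setup.exe": b"installer for the game",
    "new_tool.exe":   b"application nobody has reviewed yet",
}

class Policy:
    def __init__(self, mode: str, names=()):
        if mode not in ("whitelist", "blacklist"):
            raise ValueError(mode)
        self.mode = mode
        self.hashes = {sha256(FILES[n]) for n in names}

    def add(self, name: str) -> None:
        """Administrator adds one reviewed binary to the list."""
        self.hashes.add(sha256(FILES[name]))

    def allows(self, data: bytes) -> bool:
        listed = sha256(data) in self.hashes
        # Whitelist: run only if listed (default deny).
        # Blacklist: run unless listed (default allow).
        return listed if self.mode == "whitelist" else not listed

def decisions(policy: Policy) -> dict:
    """Map every sample binary to True (may run) or False (blocked)."""
    return {name: policy.allows(data) for name, data in FILES.items()}

whitelist = Policy("whitelist", ["mail.exe"])   # one approved application
blacklist = Policy("blacklist", ["game.exe"])   # one known unwanted application

if __name__ == "__main__":
    for name, data in FILES.items():
        print(f"{name:15} whitelist={whitelist.allows(data)!s:5} "
              f"blacklist={blacklist.allows(data)}")
```

With one entry on each list, the whitelist blocks the installer and the unreviewed tool without anyone having heard of them, while the blacklist lets both run.  The whitelist also blocks the patched mail client until its new hash is added, which is the update problem mentioned above.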

Bottom line – whitelists are easier to implement and manage, plus, they don’t require image lock.  You will have to figure out AV and Operating System updates/patches in either case.

As always, please let me know if you have questions.  I will do my best to answer or clarify.


About Tim Smeltzer
I am a husband, father, and technologist. While I am very much interested in almost all technology, my current area of specialty is secure mobile messaging. You will find me blogging from time to time on mobile technology - what I think is cool, what I think is not cool, and how to do things. Please be nice if you leave me comments. I am really trying to help!

