Software whitelisting is the process of establishing what software is authorised to be installed on RRU’s computers. The question we’re often asked is “why are you trying to control what I have on my computer. I just want the software I like to use when doing my job”. We’ll try to answer this question for you in the next couple of paragraphs.
The “Whys” of Software Whitelisting
While security isn’t the only reason, it is a compelling one. Attackers continuously scan target organisations looking for vulnerable versions of software that can be remotely exploited, or they send attachments with embedded code that try to exploit known vulnerabilities in our software. Without proper knowledge and control of the software deployed on RRU’s computers we can’t properly secure them against malicious activity.
Some software also represents a higher risk. Java is a good example of this. Some software relies on a computer having Java installed in order to run; however, Java is frequently a target of cyber criminals and as a result is regularly updated. Therefore, while we may need to install Java to make a specific piece of software work, the risk is such that we don’t want to install it on everyone’s computer.
Also, we need to be fiscally and legally responsible. If we have software that does a particular job, we’d rather not install a different piece of software to do the same job. The best example of that is that we install Microsoft Word for word processing as opposed to Corel WordPerfect. We also have to make sure that the software we install is properly licensed and that the licences are tracked and budgeted for. Finally, and this is especially true of Software-as-a-Service (SaaS) or “web apps”, we need to ensure that the provider meets the required security and privacy standards. Just because an app is on the web and it’s free doesn’t mean we can use it.
What do we look for when reviewing software or SaaS applications? This isn’t a comprehensive list, but it will give you a good idea:
Is the software required for you to do your job?
Does the software duplicate something we already have in-house? For example, we have Microsoft Project in-house and ready to install. We’d rather you use that than engage a SaaS provider for their online project management software.
Does the software / SaaS application meet our security and privacy standards? If it’s open source, is it a well-supported project? If it’s a SaaS application, where is the data stored, what are their security policies, does the vendor have disaster recovery plans in place, etc.?
How does it integrate with our current systems? Will we need to do any customisations to integrate it into our network?
Is the need better met using an enterprise-wide solution? For example, we all have our own favourite chat / messaging application but for the sake of integration across the university we will support one primary one. Others may be supported but only after careful review of the underlying business requirements.
Finally, we want to simplify the software installation process and for that reason we’re working towards an environment where you will be able to install many of our approved applications directly from your computer without IT involvement.