Today I am writing on the subject of a security control known as whitelisting/blacklisting, or sometimes seen as “deny all, permit by exception”. This control is usually seen as part of cybersecurity compliance efforts, or when organizations have reached the maturity level to begin formalizing their security standards. This can refer to software, applications, websites, or other access rules. What is important is that there is a rule in place for utilizing these resources and a default behavior. This control is separate from an access authorization control. To simplify, I will discuss this control in the context of software.
Whitelisting is a process where all permitted software is listed. Users are prohibited from installing or using software not on the whitelist. This is what is meant by “deny all, permit by exception”. Users are denied all software, with a small exception list. There are major advantages to whitelisting. First and foremost, simplicity. For any organization, the list of permitted applications will be much shorter than the list of all possible bad applications. Secondly, ease of management and maintenance. It is easy to point to the whitelist and tell your users, “These are the tools you may use” and new applications may be vetted before adding to the list, thus improving security. Lastly, with everyone using only approved applications, it is easy to standardize business processes across your entire organization.
A major disadvantage is the limiting nature of approving exceptions. Users are familiar with their own preferred applications, and they may not want to use the whitelisted application. Vetting and approving software takes time and expertise to do correctly, and users may feel there is bureaucracy between them and productivity. Finally, the creation of a whitelist requires a certain amount of organizational maturity in order to correctly identify, and approve, the software each person in your organization requires. This often means breaking down applications into groups such as roles, or job titles.
Given that many organizations either don’t know all of the applications they need, or don’t want to limit their users to a list of applications, there is the opposite control, blacklisting. Here, users are permitted to utilize any application they want, and are prohibited from using any application on a smaller “blacklist”. Here the default behavior is to permit, unless expressly prohibited. The first advantage is less work for your IT. They simply need to ensure prohibited applications are not used and let users get on with their jobs. The second advantage is greater user control. Users are able to find the exact application they want without having to jump through hoops to get it approved.
However, blacklists have their own disadvantages, first and foremost, it takes more to maintain a blacklist than a whitelist as new programs are published. Blacklists often turn into “whack a mole” as IT attempts to update the list with new applications, they find causing problems on user’s equipment. Blacklists are never complete like a whitelist can be. They require constant monitoring and updating and are subject to greater pushback when users find their favorite program has been added to the prohibited list. Blacklists are even harder to maintain when it comes to websites as users will continue to find workarounds, new sites, and even as old sites change their names to avoid prohibition. Finally, blacklists need to be specific, and anything that does not specifically meet the blacklist criteria is permitted, so you may find users exploiting loopholes to use applications and services you thought you had prohibited.
Obviously, there is no one-size-fits-all approach, and many organizations utilize both whitelisting and blacklisting in different contexts, for instance, whitelisting applications while blacklisting websites such as social media. Firewalls are almost always configured using whitelists to explicitly allow traffic in, as well as blacklists to explicitly block traffic such as IP addresses coming from specified countries. Working with knowledgeable experts and having an understanding of your organizations IT needs will help ensure successful implementation that leverages the advantages and minimizes the disadvantages of each method.