
G Suite feature for whitelisting apps helps IT protect data

Google G Suite and other cloud services use app whitelisting to prevent untrusted third-party applications from accessing and exposing critical data.

Whitelisting has emerged as a viable option to help IT administrators control third-party applications' access to corporate data and cloud services.

Data leakage is a primary concern for any organization, especially those under strict regulatory guidelines. Cloud business apps such as Box, Salesforce and Microsoft Office 365 have high security standards, but third-party applications that access their data might not -- making them a potential weak point. Google G Suite followed in the footsteps of these and other services in implementing a new feature for whitelisting apps, giving IT the ability to approve only the third-party applications it trusts.

"You need to control your information flow, because if you don't, you'll be out of business pretty soon," said Willem Bagchus, a messaging and collaboration specialist at United Bank, an Office 365 shop based in Parkersburg, W.Va. "You have no idea what that app will do with your information, so you can't just let any app run in your system."

How G Suite app whitelisting works

Google's new whitelisting feature lets IT approve specific apps that can access G Suite data through OAuth, a token-based authentication standard for many cloud services. OAuth lets a cloud service know that a third-party app has approval to access its data without giving away user credentials such as passwords.


Alternatively, IT can allow employees to use third-party apps with G Suite but block the OAuth data sharing itself. Other productivity suites, such as Office 365, work the same way.
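The two modes described above (approve specific apps, or block OAuth data sharing altogether) can be expressed as an audit over existing OAuth grants. This is an added example, not code from Google or from this article; the grant record fields, client IDs, users and the choice of which scope prefixes count as sensitive are assumptions constructed for the illustration.

```python
# Scope prefixes treated as wide data access for this example (assumption).
SENSITIVE = (
    "https://www.googleapis.com/auth/drive",
    "https://mail.google.com/",
)

def audit_grants(grants, approved_clients, block_all_oauth=False):
    """Classify each OAuth grant as 'revoke', 'review' or 'ok'.

    revoke: app is not approved, or OAuth data sharing is blocked outright.
    review: app is approved but holds sensitive scopes; approval is only an
            on/off switch, so wide access still deserves a second look.
    ok:     app is approved and holds no sensitive scopes.
    """
    findings = []
    for g in grants:
        broad = sorted(s for s in g["scopes"] if s.startswith(SENSITIVE))
        if block_all_oauth or g["client_id"] not in approved_clients:
            action = "revoke"
        elif broad:
            action = "review"
        else:
            action = "ok"
        findings.append({"user": g["user"], "app": g["app_name"],
                         "action": action, "sensitive_scopes": broad})
    return findings

# Constructed sample data: placeholder client IDs and users, not real apps.
APPROVED = {"client-crm.example", "client-esign.example"}
GRANTS = [
    {"user": "alice@example.com", "client_id": "client-crm.example",
     "app_name": "CRM Connector",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"user": "bob@example.com", "client_id": "client-esign.example",
     "app_name": "E-Sign",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"user": "bob@example.com", "client_id": "client-game.example",
     "app_name": "Puzzle Game",
     "scopes": ["https://mail.google.com/",
                "https://www.googleapis.com/auth/userinfo.email"]},
]

if __name__ == "__main__":
    for f in audit_grants(GRANTS, APPROVED):
        print(f["action"], f["user"], f["app"], f["sensitive_scopes"])
```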

"This is a step in the right direction," said Doug Grosfield, president and CEO of Five Nines IT Solutions, a consultancy in Kitchener, Ont. "It makes a point of protecting your data in today's age of interconnectivity."

Importance of whitelisting apps

Organizations have traditionally used app whitelisting to block users from accessing any app except for the ones IT authorized.

United Bank uses Office 365's whitelisting capability to prevent employees from downloading games and other non-work-related apps on corporate devices, as well as to prevent untrusted third-party apps from accessing Office 365. The interface works well for IT to easily pick and choose what applications to approve, Bagchus said.

Office 365 has thousands of application integrations, so blacklisting all of the ones the organization doesn't want its employees to use would be time-consuming, Bagchus said. Whitelisting makes more sense because it gives IT more say in what is acceptable for users to work with, he said.

"Whitelisting is a primary function of IT," Bagchus said. "You have to control what's in your system, because if you don't, something bad will happen."

Security still a balancing act

Although a common practice, whitelisting apps is not a perfect security measure, Grosfield said.

"It's an on-and-off switch," he said. "[When you whitelist an app], it doesn't mean you know what's happening with that data flow."

IT needs a way to have full visibility of data when it's both in and out of an organization's network, and to be able to eliminate data when it gets somewhere it's not supposed to go, Grosfield added.

"Right now, the best you can do is disallow that connection [to a third-party application], but it's not something you can control or see what exactly is happening with it," he said.

With any security software, IT must balance the need to lock something down while keeping usability in mind. Users may be more productive with certain applications, but IT has to follow regulations and security guidelines that may block those. Users may get upset they can't use certain apps, but they must understand the security reasons behind it, Bagchus said.

Jack Gold, founder and principal analyst at J. Gold Associates, an industry analyst firm in Northborough, Mass., agreed.

"In any heavily regulated industry, whitelisting is very important, but users will never like it," he said. "The users want to put on their PC or device any application they want to use. Whitelisting prevents them from doing that."
