
Allowlisting vs. blocklisting: Which solution maximizes security and operations?


Allowlisting, formerly referred to as whitelisting, is akin to a security guard at a concert making sure the only people who go backstage with the band are on the VIP list. On the opposite end of the spectrum is blocklisting.

Blocklisting is equivalent to the security guard letting everyone backstage except for a few untrusted people on the deny list. If you were in the band, which method would make you feel more secure? How do you know that the only people that mean you harm are listed on the untrusted list?  


What is allowlisting?

Application allowlisting operates using a default-deny, Zero Trust philosophy. Admins select which applications are permitted, and all others are blocked. Instead of relying on a list of known bad applications or bad behavior, any application, script, or library not contained on the allowlist is blocked by default.

The Zero Trust "never trust, always verify" ideology blocks known and unknown exploits, including zero-days and ransomware.  

What is blocklisting?

In contrast, blocklisting operates by only blocking known bad applications. Admins designate a list of applications that will not be permitted, and everything else can run.  

Blocklisting is effective in preventing known bad or unwanted applications. The problem arises when a new application is weaponized, a zero-day vulnerability is exploited, or an attacker uses novel malware.  

Because these are not known bad applications, they will not be on the blocklist and will run without restriction. At that point, it would be up to antivirus or EDR (endpoint detection and response) solutions to recognize and stop any bad behavior.  

Which application control approach aligns with Zero Trust?

Application control can take one of two approaches: allowlisting or blocklisting. Although both seek to place some control over the applications in an environment, only allowlisting truly aligns with the Zero Trust "never trust, always verify" philosophy.

In other words, nothing can be implicitly trusted, and every person, application, and network connection must be restricted to only the exact access they require. According to the CISA (Cybersecurity and Infrastructure Security Agency) #StopRansomware Guide, "Use allowlisting rather than attempting to list and deny every possible permutation of applications in a network environment."

Zero Trust application control (Application Allowlisting) for compliance

Traditionally, allowlisting was difficult to implement because admins had to build the allowlist and then change it whenever applications updated, to prevent trusted applications from being blocked.

However, ThreatLocker Allowlisting addresses the implementation challenge of allowlisting with Learning Mode. When first deployed, ThreatLocker will catalog all of the applications currently running in the environment and will automatically create policies to permit those applications. Anything that’s not on the allowlist will be blocked by default.

ThreatLocker has an entire team working 24/7/365 to capture updates for thousands of applications, helping ensure they will not be blocked when they update in an environment.  

Custom rules can also be created for custom or specialty applications that are not included in ThreatLocker built-ins, to permit those one-off applications to update without impacting productivity.
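The difference between the two models, and the update problem described above, shown as an added example (not ThreatLocker code or its policy engine): a hash-based check whose allowlist is built by cataloguing what is already installed. All file names and contents are constructed, and the function names are hypothetical.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample binaries (name -> contents); not real software.
INSTALLED = {"browser.exe": b"browser v1", "office.exe": b"office v1"}
KNOWN_BAD = {"oldworm.exe": b"known worm sample"}

def learn_allowlist(inventory: dict) -> set:
    """Catalogue what is already present and permit exactly those hashes."""
    return {sha256(content) for content in inventory.values()}

def blocklist_allows(digest: str, blocklist: set) -> bool:
    # Default-allow: the file runs unless its hash is known bad.
    return digest not in blocklist

def allowlist_allows(digest: str, allowlist: set) -> bool:
    # Default-deny: the file runs only if its hash was explicitly permitted.
    return digest in allowlist

def evaluate(events, allowlist: set, blocklist: set) -> dict:
    """Return {name: (runs_under_blocklist, runs_under_allowlist)}."""
    results = {}
    for name, content in events:
        digest = sha256(content)
        results[name] = (blocklist_allows(digest, blocklist),
                         allowlist_allows(digest, allowlist))
    return results

def apply_update(allowlist: set, new_content: bytes) -> set:
    """Permit the new build of a trusted application after it updates."""
    return allowlist | {sha256(new_content)}

ALLOWLIST = learn_allowlist(INSTALLED)
BLOCKLIST = {sha256(content) for content in KNOWN_BAD.values()}

# Constructed launch attempts.
EVENTS = [
    ("browser.exe", b"browser v1"),         # catalogued and unchanged
    ("oldworm.exe", b"known worm sample"),  # present on the blocklist
    ("novel.exe", b"never seen before"),    # unknown to both lists
    ("office.exe", b"office v2"),           # trusted app after an update
]

if __name__ == "__main__":
    for name, (bl, al) in evaluate(EVENTS, ALLOWLIST, BLOCKLIST).items():
        print(f"{name:12} blocklist={'run' if bl else 'deny'} "
              f"allowlist={'run' if al else 'deny'}")
```

The `novel.exe` row is the gap in blocklisting, and the `office.exe` row is the maintenance cost of allowlisting: the updated build is denied until its new hash is permitted.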

For a deeper dive into allowlisting and application control, check out this webinar hosted by ThreatLocker CEO Danny Jenkins and CPO Rob Allen: New Allowlisting strategies to empower your security
