
Don't be an application bigot

Security: Risk and Reward By Andreas M. Antonopoulos, Network World
November 04, 2010 11:22 AM ET

Many security decisions and acceptable use policies are based on a false categorization of applications. "Business applications" are good, safe and have business value. "Personal applications" are bad, unsafe and have no business value. Companies decide how to treat an application based on who installed it, who authorized it and how it is perceived, rather than on the intrinsic security or value of each of its features. That false categorization is very common because it is implicit and unacknowledged: we make the cognitive error without noticing. Think of it as the application equivalent of "racial profiling" and consider how it results in poor decisions: good applications are banned because of prejudice, and security suffers when unsafe applications get a free pass on the strength of their "pedigree".


Of course, a lot of this depends on your definition of "application." For applications that are installed on a machine, you can define what is and isn't part of the application. But for the many Web-based applications, the definition is much more nebulous. Web applications such as Facebook, Google and Salesforce, for example, are really platforms containing dozens or hundreds of applications. Furthermore, any application may contain dozens of features with varying degrees of risk and security. Increasingly, enterprise applications are also sprawling collections of mini-applications, modules and features.

I've written a number of articles arguing that many personal applications have very significant business value and yet are banned in organizations. The justifications for banning personal applications today are based on the same arguments used to justify banning e-mail in the 90s (it can't possibly be useful for our business) and phones in the 30s (what if our employees use them to chat with their friends all day?). Assuming that a personal application is insecure or has no business value because it was not installed, authorized or paid for by IT is shortsighted and will ensure your company is always competitively disadvantaged. Worse, your users will ignore you, and since you have "banned" the application you will lack policies, controls and oversight over it.

However, the more insidious impact of "profiling" applications based on pedigree or origin instead of the "content of their character" is that you are allowing dangerous features to expose your business to significant risk, all with the blessing of IT. Consider Web conferencing, for example. It's a popular IT-blessed application, considered "safe" and appropriate by many businesses. Yet most Web conferencing applications have chat capabilities, file transfer capabilities and remote desktop control. Those features can be very dangerous if not controlled by policy or technology. If you start applying the same scrutiny to other "business applications" you will find that many contain high-risk, high-exposure features, modules and capabilities. Yet they probably received a lot less scrutiny and have fewer controls than the "bad" personal applications.
