The application allow list includes the sanctioned applications that you provision and administer for business, infrastructure, and user work purposes. It also includes tolerated applications that you choose to allow for personal use. Before you create your internet gateway security policy, create an inventory of the applications you want to allow.

There are many ways to create an application inventory. Your IT department might already have a list of sanctioned applications, but that doesn't necessarily mean that IT knows every application on your network. Involve stakeholders in different business areas to help identify the applications that you use in those business areas. For example, a stakeholder involved with finance applications probably doesn't know which applications your developers require for business purposes and vice-versa, so you need representatives from both areas to understand which applications to sanction, which applications to tolerate, and which applications you don't need to allow on your network.

Your business and your business goals help determine how to approach allowing applications. If your business is a security-first business such as a bank, to minimize the attack surface, you want to allow only the required business applications. However, if you business is an availability-first business such as a university, you probably want to be more liberal with allowed applications.

Strategies for identifying the applications that you actually need for business purposes include examining business goals to understand which applications are required to support your business and using temporary rules to help understand application usage.