Identify Your Application Allow List
The application allow list includes the sanctioned applications that you provision and
administer for business, infrastructure, and user work purposes. It also includes
tolerated applications that you choose to allow for personal use. Before you create your
internet gateway security policy, create an inventory of the applications you want to
allow.
There are many ways to create an application inventory. Your IT department might already
have a list of sanctioned applications, but that doesn't necessarily mean that IT knows
every application on your network. Involve stakeholders in different business areas to
help identify the applications that you use in those business areas. For example, a
stakeholder involved with finance applications probably doesn't know which applications
your developers require for business purposes, and vice versa, so you need
representatives from both areas to understand which applications to sanction, which
applications to tolerate, and which applications you don't need to allow on your
network.
Your business and your business goals help determine how to approach allowing
applications. If your business is a security-first business such as a bank, you want to
allow only the required business applications in order to minimize the attack surface.
However, if your business is an availability-first business such as a university, you
probably want to be more liberal with allowed applications.
Strategies for identifying the applications that you actually need for business purposes
include examining business goals to understand which applications are required to
support your business and using temporary rules to help understand application
usage.