Appendix C: Corporately approved and partially-managed devices for sensitive data
This appendix provides guidance to manage risks associated with Scenario C. This scenario involves devices with a hardware model and operating system version that:
- is chosen by the employee from a corporately approved shortlist
- has moderate risk management controls applied
- uses corporately managed separation of organisational data and personal data, for example using remote virtual desktop software, a managed container or partitioning functionality built into the operating system
- uses a corporately managed mechanism to access and potentially store sensitive data, for example using remote virtual desktop software or corporately approved native applications combined with a Virtual Private Network.
For Commonwealth entities, sensitive data is defined for the purpose of this document as data that is marked as OFFICIAL: Sensitive.
Devices in this scenario might be provided to employees by the organisation, with a reasonable degree of personal use permitted. Organisations might retain ownership of devices for legal reasons that facilitate the organisation monitoring devices, remotely wiping sensitive data, performing security and legal investigations, and retaining ownership of intellectual property. Enabling employees to choose a device from a corporately approved shortlist is referred to by some vendors as Choose Your Own Device, especially if the device is purchased, owned and managed by the organisation.
This appendix builds upon and incorporates the high level objectives and risk management controls discussed in Appendix B which covers arbitrary corporately unmanaged devices used to access non‐sensitive data. High level objectives associated with the example scenario in Appendix C also include:
- protect the organisation’s financial investment in the cost of devices
- maintain the availability and integrity of organisational data for business continuity
- maintain the confidentiality of sensitive data
- maintain corporate ownership of organisational data created by employees using their device
- rapidly respond to policy violations, data spills and other cyber security incidents
- be able to perform electronic discovery for litigation cases and freedom of information requests.
Some of the risk management controls described in this appendix might be unnecessary or impractical depending on the organisation’s business case, the sensitivity of data accessed by devices, the use of other risk management controls and the type of device noting that some controls focus primarily on smartphones and tablets rather than laptops.
An example shortlist of devices from which employees can choose is a smartphone or tablet device running:
- iOS version 12 or later
- Android version 9 or later running on devices from vendors with a history of distributing security patches in a timely manner.
The shortlist of devices is regularly updated to reflect newly available devices on the market and is limited to only devices that:
- are compatible with required business applications developed by the organisation and by third parties
- the organisation has the technical knowledge to support, resulting in more predictable support costs
- meet minimum requirements specified by the organisation, including compatibility with the organisation’s chosen risk management controls such as Mobile Device Management as well as managed separation mechanisms such as managed containers
- provide the organisation with adequate assurance of the device’s ability to appropriately protect sensitive data
- comply with Australian legislation  and are covered by Australian warranties .
Corporately enforced risk management controls
The organisation is able to manage risk by enforcing the following technical controls.
Overview of managed separation, remote virtual desktop and Mobile Device Management
Devices without Australian Signals Directorate (ASD) approved encryption should not store sensitive data. Additionally, employees should be prevented from installing unapproved applications that can access sensitive information.
Risk management controls used to follow this guidance include using managed separation such as an encrypted managed container, preferably combined with Mobile Device Management to provide some basic assurance in the device’s underlying operating system configuration, or using appropriately configured remote virtual desktop software. Use of the phrase ‘remote virtual desktop software’ in this document incorporates virtualised applications and Virtual Desktop Infrastructure (VDI).
Organisations might choose to use managed separation for some business cases such as an ASD evaluated encrypted managed container  on smartphones with small screens, and remote virtual desktop software for other business cases or devices with large screens.
Detailed information about managed separation, remote virtual desktop software and Mobile Device Management is provided in the following pages of this appendix. Figure 2 shows the comparative ability of these risk management controls to protect organisational data and their negative impact to the employee’s user experience. All of the implementations shown include basic risk management controls such as applying vendor security patches in a timely manner, using up‐to‐date anti‐malware software and performing backups of work data to backup servers specified by the organisation. These risk management controls won’t prevent a malicious employee from copying organisational data by taking a screenshot or photograph of their device’s screen.
Figure 2. Risk management controls vary in their ability to protect organisational data and their negative impact to the employee’s user experience.
Managed separation helps protect and isolate organisational data stored on devices. Organisational data is logically separated from the employee’s personal operating environment, limiting the ability of such data to spread, and facilitating the remote wiping of only organisational data.
There are several different types of separation mechanisms including partitioning functionality built into the operating system as well as mechanisms bolted on top of the operating system such as managed containers . In addition, technology such as type 1 hypervisors and type 2 hypervisors can provide a locally virtualised operating system . Some separation mechanisms are designed to ensure that organisational data can only be accessed by applications that have been assessed by the organisation.
Managed containers, type 2 hypervisors or other mechanisms bolted onto the operating system provide reduced security if there is inadequate assurance in the integrity and security posture of the operating system.
Use of a managed container has the following corporate benefits with associated potential impacts to the employee’s user experience:
- requiring employees to enter an additional passphrase to access organisational data
- data encryption that is independent of the encryption provided by a device’s operating system –software‐based encryption might slow down the device due to cryptographic overhead
- reducing the risk of data leakage by restricting employees to use only corporately approved applications to handle organisational data, while limiting the ability of such applications to copy organisational data to corporately unapproved cloud services or elsewhere beyond the managed container.
Organisations considering using a managed container need to determine whether the vendor has access to organisational data or cryptographic keys used to decrypt organisational data.
Remote virtual desktop software
Appropriately configured remote virtual desktop software helps keep organisational data in the organisation’s data centre and not stored on devices, while still enabling employees to access organisational data and applications.
Sensitive data exchanged during the entire remote virtual desktop session must be encrypted using ASD approved encryption.
Experience shows that remote virtual desktop software does not necessarily keep organisational data in the data centre or prevent such data being transferred to and from devices. Some remote virtual desktop software contains functionality to deliberately enable organisational data to be copied to and from devices, including the ability for malware on devices to be introduced into the remote virtual desktop as shown in Figure 3 below.
Figure 3. In this example, an employee is accessing their Android device’s file system and removable media from within the remote virtual desktop running Microsoft Windows. The employee is able to copy organisational data to their device, and introduce malware into the remote virtual desktop. This employee behaviour results in a less stringent audit trail than if email was used to extract organisational data or to introduce malware.
There are a variety of ways in which organisational data might leak out of the remote virtual desktop and be stored unprotected on devices. Risk management controls to help mitigate such data leakage include:
- appropriately configuring remote virtual desktop software running on the server and on the device to help mitigate the employee printing to local printers, printing to local files, accessing their device’s file system and removable media from within the remote virtual desktop, and using the clipboard to copy and paste data in both directions between the remote virtual desktop and the device
- using full device encryption to help protect organisational data that might inadvertently be stored on the device, especially if the device is a laptop due to the possibility of data in memory being written to disk as part of a page/swap file or hibernation/sleep file
- obtaining written agreement from employees to avoid deliberately copying organisational data to their device and to avoid introducing potential malware from their device into the remote virtual desktop
- partially mitigating keystroke logging software and malware that enables an adversary to take screenshots of the remote virtual desktop by using up‐to‐date anti‐malware software on devices, ensuring that all vendor security patches are applied to devices as soon as they are available from the vendor, and educating employees to avoid installing potentially malicious applications
- configuring the remote virtual desktop to lock its screen after a short idle timeout period to help mitigate an adversary using a compromised device to control the remote virtual desktop’s mouse and keyboard
- disallowing the use of keyboard applications featuring a custom dictionary or predictive text which capture sensitive words or word combinations typed into the remote virtual desktop and save such sensitive data on the device’s local file system.
The following impacts of remote virtual desktop software should be considered prior to implementation:
- the requirement for employees to have reliable internet connectivity
- the impact on the employee’s user experience especially for devices with small screens such as smartphones, for example, using remote virtual desktop software to turn a smartphone into a dumb terminal might frustrate employees trying to send an email using Microsoft Outlook running on an older version of Microsoft Windows that was not designed for a touch interface
- the potential requirement for the organisation to upgrade their network and data centre’s storage and server processing capacity
- the potential requirement for the organisation to purchase additional Client Access Licences for Microsoft Windows server and client operating systems as well as for Microsoft Office.
Mobile Device Management
Mobile Device Management configures and audits devices, including enforcing aspects of the policy such as:
- the device enrolment process, which might involve installing software on the device to assist the organisation to manage the device and a digital certificate to authenticate the device to the network
- unlock passphrases having a specified minimum length and required complexity
- the device idle timeout period until the device’s screen is automatically locked
- the number of consecutive failed passphrase attempts until the device is automatically wiped
- the capability to perform remote tracking, locking and wiping of devices
- the ability of employees to print to non‐organisational printers
- encryption of data at rest and in transit, including Virtual Private Network configuration settings
- the ability for employees to use their device’s camera, microphone, Bluetooth, USB interface, removable media or GPS, particularly while on organisational premises
- detecting, reporting and blocking devices that are jailbroken or rooted, noting that detection is not perfect and relies on an untrusted device to tell the truth about its software
- endpoint compliance checking including whether security patches and anti‐malware software are up to date
- disabling the backup of unprotected sensitive data to consumer-grade cloud storage such as iCloud, while still enabling an employee’s personal data to be backed up
- configuring appropriate email and Wi‐Fi connectivity settings
- disabling inbuilt voice recording applications that send captured voice over the Internet
- ongoing device management, monitoring and asset tracking.
Mobile devices accessing sensitive data:
- should use Mobile Device Management to ensure that organisational policy is applied, enabling organisations to centrally manage the configuration of devices and audit adherence to policy
- must prevent employees from disabling security functions on a device once provisioned
- should be regularly tested to ensure that devices are still secure, for example that their configuration aligns with the organisation’s policy and that security patches have been applied on a regular basis.
Using Mobile Device Management to enforce an organisation’s unreasonably strict policy, especially when employee is not using their device for work‐related purposes, might negatively affect the employee’s user experience.
Organisations considering using Mobile Device Management need to determine whether the vendor has access to sensitive data such as a device’s unlock passphrase.
Multi‐factor authentication helps mitigate an adversary accessing organisational systems by using an employee’s compromised corporate user account credentials .
Multi‐factor authentication must be used for remote access to organisational systems.
Employees should log off organisational systems when finished, so that multi‐factor authentication is required to regain access. Organisational systems should be configured to log users off after an idle timeout period.
A physically separate hardware multi‐factor authentication token with a time‐based value, stored separately to the employee’s device, can provide greater security than a soft token such as an SMS or mobile appn that displays an authentication token value on the employee’s device. If the device is compromised   or if its SIM card is reissued to an adversary , the employee’s soft token value can be accessed by the adversary, thereby defeating the multi‐factor authentication mechanism.
Using multi‐factor authentication doesn’t completely mitigate the risk of an adversary obtaining an employee’s corporate passphrase when the employee types it into a compromised device. The adversary could then use this passphrase during a subsequent intrusion, for example by gaining physical access to a corporate workstation and simply logging in as the employee. Alternatively, the adversary could use a spear phishing email to compromise any employee’s workstation on the corporate network and use the previously obtained passphrase to access sensitive data on network drives.
To help mitigate this risk, either require multi‐factor authentication for all employee logins including logins to corporate workstations in the office, or require that corporate passphrases entered by employees into untrustworthy devices are different to corporate passphrases entered into corporate workstations in the office.
Encryption of data in transit
Encrypting data in transit helps mitigate organisational data being accessed by an adversary who has access to device’s network communications. Such access might result from the use of a Wi‐Fi access point that is unencrypted, or the use of any networking infrastructure that is not controlled by the organisation and is therefore considered untrustworthy.
ASD approved encryption must be used to encrypt sensitive data in transit over untrustworthy network infrastructure. For example, data sent over an untrusted network such as the Internet could be protected by using ASD approved encryption implemented via a Virtual Private Network or remote virtual desktop software. ASD approved Wi‐Fi Protected Access 2 (WPA2) could be used for protecting data that only requires protection when exchanged between a device and an organisation’s Wi‐Fi access point.
Split tunnelling must be disabled on devices supporting this functionality when accessing an organisational system via a Virtual Private Network.
Remote tracking, locking and wiping
Remote tracking helps to recover a device that has been lost or stolen.
Remote locking and wiping helps to protect organisational data on a device that has been lost, stolen, or de‐provisioned including when the employee ceases employment.
The consequences of wiping an employee’s personal data can be reduced by educating employees to regularly backup their personal data or by using managed separation to avoid wiping personal data in the first place.
Attempting to remotely track, lock or wipe a device that is not network accessible will fail. For example, remote wipe functionality is circumvented if a thief configures a device for aeroplane mode, which can easily be done from the locked screen of some devices.
Successfully remotely wiping a device provides the organisation with a false sense of security if the data has already been accessed or copied by the person who found or stole the device.
Low privileged corporate user accounts
Using corporate user accounts with reduced privileges and limited access to sensitive data helps mitigate an adversary accessing sensitive data by using compromised employee corporate account credentials or a compromised device.
Privileged accounts should not be allowed to remotely access organisational systems containing sensitive data.
Provide a secondary corporate user account, which has reduced privileges and limited access to sensitive data, to employees who either:
- have administrative privileges
- have access to significant amounts of sensitive organisational data
- are at higher risk, for example due to temporarily travelling overseas  – such employees might temporarily use a separate corporately provided device.
Network architecture control access to organisational data and systems
Network Access Control helps to implement contextual security to determine if an employee attempting to access organisational data should be permitted based on:
- the device’s security posture as determined by endpoint compliance checking, including the degree to which the device is corporately managed
- the employee’s identity and the strength of authentication used to prove their identity
- the sensitivity of the data being accessed
- the destination of the data, for example whether data is to be stored on the device or shared via corporately managed enterprise-grade cloud storage
- the employee’s network connectivity, for example whether the employee’s device is connecting using the organisation’s Wi‐Fi network or an external less trusted network connection
- the geographic location of the employee and the device
- the time and day of the week.
Devices that don’t comply with security policy can be quarantined to have limited internet access but no access to organisational systems.
Devices simultaneously connecting to the organisation’s network and an additional network via 3G/4G or Wi‐can bridge the two networks thereby creating an additional internet gateway on the organisational network. Risk management controls to help mitigate this include:
- using Mobile Device Management to configure devices on organisational premises to either force all device traffic to an organisational Virtual Private Network endpoint, or to turn off a device’s 3G/4G data connectivity while still allowing phone calls
- organisations setting up a custom Access Point Name to control data sent from devices via 3G/4G
- forcing devices to use the organisation’s gateway to connect to the organisational network – this also assists the organisation to use existing gateway mechanisms for logging, auditing, and filtering malicious or otherwise undesirable network traffic.
The network flow of sensitive data to devices can be limited by using mechanisms such as Enterprise Rights Management or Data Loss Prevention solutions, for example to prevent a device downloading an email from the organisation’s email server if the email or attachment contains specific keywords indicating sensitive data.
Operating system exploit mitigation mechanisms
Limit devices on the shortlist to those devices with operating system exploit mitigation mechanisms such as:
- Address Space Layout Randomisation 
- Data Execution Prevention
- applications and security patches that are cryptographically signed by a trusted authority
- application sandboxing to compartmentalise applications, restrict their ability to access data stored on the device, and restrict applications interacting with other applications or the operating system.
User-reliant risk management controls
The following technical controls and policy controls to manage risk rely on employees complying with policy.
Regular backups of work data
Obtain written employee agreement to regularly backup work‐related data created or modified by their device, only to backup servers specified by the organisation. This helps mitigate an employee’s work being lost due to sudden cessation of employment or their device being damaged, lost or stolen.
Access to email, files and other data of archival significance
Obtain written employee agreement to ensure that work‐related data of archival significance is accessible to the organisation. This involves employees using their work email account instead of their consumer-grade webmail account, and using corporately managed file storage instead of storing files locally or in consumer-grade cloud storage. This helps mitigate:
- non‐compliance with legislation such as the Archives Act 1983
- corporate knowledge being lost when the employee departs the organisation
- the organisation being unable to properly perform security investigations or electronic discovery for litigation cases or Freedom of Information requests.
Avoid unauthorised cloud services for data backup, storage and sharing
Obtain written employee agreement to avoid exposing sensitive data to consumer-grade cloud services used for webmail, data backup, data storage or data sharing.
Some consumer-grade cloud storage and sharing services automatically sync between an employee’s devices potentially copying sensitive data to a device that has not been approved to handle such data.
To facilitate the authorised exchange of data between devices, the organisation might need to arrange employee access to a corporately managed and remotely accessible file storage and sharing capability, hosted in‐house or by a trusted third party .
Strong passphrase configuration settings
Obtain written employee agreement to use strong passphrases and associated configuration settings.
Obtain written employee agreement to avoid configuring their device’s operating system or applications to remember authentication credentials such as corporate passphrases used to access organisational systems.
Recommended device configuration settings, based on the sensitivity of data being accessed or stored, are provided by the ISM, device consumer guides and device hardening guides such as the iOS Hardening Configuration Guide .
Cyber security incident reporting and investigation
Obtain written employee agreement to immediately report cyber security incidents and cooperate with security and legal investigations including providing the organisation with access to their device for forensic analysis.
Employees must be directed to report cyber security incidents to the organisation as soon as possible.
Cyber security incidents requiring reporting include a device suspected of being infected with malware or otherwise compromised, as well as device loss or theft. Additional activities, whilst not necessarily considered to be cyber security incidents, that need to be reported by the employee to the organisation include de‐provisioning a device for sale or passing to a family member, or if the employee ceases employment.
An organisation’s cyber security team requires plans and procedures to respond to cyber security incidents, for example disabling and monitoring the employee’s organisational accounts including Virtual Private Network and remote access accounts, as well as remotely tracking the device and wiping organisational data if appropriate.
Organisations permitting the use of personally owned devices are accepting the residual risks of their use, such as any potential cyber security incidents or consequences of legal proceedings including electronic discovery for litigation cases and Freedom of Information requests. Therefore, organisations need to ensure that they have risk management controls to prevent and respond to cyber security incidents and legal investigations. Organisations should not assume that ASD’s Australian Cyber Security Centre (ACSC) has the legal authority and resources to assist with performing incident response or forensic analysis that involves personally owned devices.
A security or legal investigation might require an employee to temporarily surrender their device, which the employee might refuse unless required by law, for example due to law enforcement having evidence of a crime to warrant seizing the device. Organisations performing appropriate logging and regular backups of work‐related emails and files assists with electronic discovery or other investigations involving employees who refuse to cooperate or who have departed the organisation.
Avoid jailbreaking and rooting
Obtain written employee agreement to avoid jailbreaking or rooting their device to circumvent the protective security controls implemented by the device’s vendor, which might result in the device being unmanageable by the organisation and easily compromised.
Employee education to avoid physical connectivity with untrusted outlets or devices
Educate employees to avoid allowing connectivity between their device and either a potentially malicious charging outlet  or an untrusted device.
Employee education about Bluetooth, Near Field Communication and Quick Response codes
Educate employees to avoid:
- pairing with an unintended or insecure Bluetooth device
- exchanging data with an untrusted Near Field Communication (NFC) device 
- scanning NFC tags  or Quick Response (QR) codes  that are untrustworthy and potentially malicious.
Devices storing or accessing sensitive data:
- must be configured to remain undiscoverable to all other Bluetooth devices except during pairing
- must only connect to the intended Bluetooth device during pairing
- must be configured to avoid supporting multiple simultaneous Bluetooth headset connections
- must use Bluetooth version 2.1 or later due to the introduction of secure simple pairing and extended inquiry response which facilitates secure pairing with the desired device – a device’s Bluetooth version can be determined by reading the product’s specifications or by using the Linux btscanner program.
Employee education to avoid installing potentially malicious applications
Educate employees using devices that have an official application marketplace to:
- only install applications from the organisation’s enterprise application store or from official application marketplaces such as Apple’s App Store, Google’s Play Store or Microsoft’s Windows Store
- prior to installing or updating an application, determine the risk of exposing sensitive data by reading user ratings, user reviews and the application’s requested permissions to ensure that they align with the application’s stated functionality   – noting that such analysis is not guaranteed to avoid malware .
Educate employees using devices that don’t have an official marketplace to obtain software from the official website of mainstream vendors.
Employee education to avoid being victims of shoulder surfing
Educate employees to avoid sensitive data on their device’s screen being visible to either:
- people without the appropriate security clearance and need to know 
- surveillance video cameras  
- members of the public
- anyone, including family members, who are not authorised to see sensitive data.
Using a privacy filter on a device’s screen might negatively impact the device’s touch functionality.
Employee education to avoid common intrusion vectors
Educate employees to avoid:
- sharing their device with unauthorised people who are able to access and expose sensitive data
- sending or receiving unencrypted sensitive data using an untrustworthy Wi‐Fi access point, such as a public Wi‐Fi access point or any Wi‐Fi access point that isn’t owned by the organisation
- leaving their device in insecure locations such as an unattended car, checked‐in airplane luggage or a hotel safe, especially in a foreign country
- interacting with emails and SMS messages from suspicious or unfamiliar sources, for example clicking on hyperlinks or email attachments
- selecting weak passphrases
- reusing the same passphrase for multiple systems
- unnecessarily exposing their work email address and personal details on publicly accessible websites.
All personnel who have access to an organisational system must have sufficient cyber security awareness and training including an awareness of social engineering threats.
Obtain written employee agreement to apply all vendor security patches for the operating system and applications as soon as they are available from vendors.
Mobile devices permitted to access sensitive data should have security patches applied as soon as they become available.
Historically, Apple has provided iOS devices with security patches for at least two years from device availability enabling employees to use devices supported with security patches for the duration of their contract with their telecommunications carrier.
It is comparatively straightforward to apply security patches to some Android devices that don’t have third party additions or modifications to baseline Android code. However, applying security patches to other Android devices might be challenging due to the cooperation required from the device’s vendor and the employee’s telecommunications carrier to tweak, test and distribute security patches. Some vendors and telecommunications carriers might focus their efforts on developing and selling newer devices rather than maintaining the security of the employee’s current device, even if the employee is forced to continue using their current device due to a contract with the telecommunications carrier . Some devices are immediately orphaned and never receive security patches . In addition to security vulnerabilities in baseline Android code, some security vulnerabilities are introduced by device vendors   .
Some cheaper Android devices have the bare minimum hardware specifications required to run the version of the operating system shipped with the device, and might not be suited to running newer major versions of the operating system that require additional memory or processing power. Patching security vulnerabilities in the operating system running on such devices might be challenging when security patches are only available in newer major versions of the operating system and are not backported to current and previous operating system versions.
In 2012, an ASD employee purchased a brand new Android smartphone. The employee subsequently discovered that on the day the smartphone was sold, it contained a security vulnerability that at the time had been publicly known for over seven months. The smartphone’s vendor and the employee’s telecommunications carrier did not make a security patch available.
To demonstrate a targeted intrusion, the smartphone was deliberately compromised by exploiting this security vulnerability. The compromise enabled the microphone to be surreptitiously turned on to record nearby audio conversations and the recordings to be transmitted to an adversary over the Internet.
This demonstration highlighted some consequences of organisations permitting the use of devices with publicly known security vulnerabilities that the employee is unable to patch. In this case, over 18 months after the security vulnerability was publicly disclosed, a security patch still hadn’t been made available via the vendor and telecommunications carrier.
Ownership of Intellectual Property and copyright
Obtain written employee agreement that the organisation retains ownership of intellectual property and copyright of work performed on a formally assigned task that the employee is paid to perform, regardless of whether the employee performs the work on their device or outside of traditional business hours.
Encryption of data at rest
Obtain written employee agreement to use full device encryption to help mitigate organisational data being accessed by an adversary who has physical access to a lost or stolen device.
Devices without ASD approved encryption should not store sensitive data. Also, ASD approved encryption should be used to encrypt a device’s internal storage and any removable media.
Full device encryption doesn’t limit which applications can access or spread organisational data stored on the device. Therefore, its effectiveness relies upon the use of additional complementary risk management controls.
Encryption needs to be active when the device is not in use. Depending on the type of device, the effectiveness of encrypting a device’s internal storage might be reduced if the device is lost or stolen while it is in sleep mode or powered on and screen locked.
Using software‐based encryption might negatively impact the employee’s user experience.
Apple’s iPads and iPhones use hardware‐based cryptographic acceleration for protecting data.
Android version 3 Honeycomb introduced full device encryption , though depending on a device’s manufacturer, third party software might be required to encrypt removable media .
Avoid printing via untrusted systems
Obtain written employee agreement to avoid printing sensitive data via untrusted printers outside of the office such as from home, an airline lounge, a hotel or an internet cafe. Otherwise, sensitive data might be exposed to third parties due to printers or print servers storing a cached copy of printouts, or printouts being accidentally left on the printer.
Obtain written employee agreement to use a personal firewall to help limit the exposure of network accessible services and control which applications can access the network.
This risk management control is not applicable to some devices, such as those running iOS, that don’t expose personal firewall functionality and avoid using network accessible services. Some devices, such as those running Android, use an inbuilt application permission mechanism to control which applications are able to access the network.