Understanding OTPs 
in Airlock’s Allowlisting Solution

For many years, the case for allowlisting fragmented as soon as a C-suite executive found they could not, at short notice, run a video collaboration app to connect with their chairperson, key investor or other important stakeholder. An administrator had no way of quickly giving the executive the access they needed. 

However, now, cybersecurity leaders and administrators can provide timely exceptions that avoid these unfortunate circumstances. At Airlock Digital, we enable organisations to generate OTPs that enable exceptions for certain periods during which users can access applications and files not included on allowlists. 

The OTP process generates a code specific to a particular endpoint that can only be used once for a predetermined time period. That code effectively operates as a secret key that disappears completely rather than remain in a database, application or other location. 

We applied years of experience with allowlisting in large corporates to design this process to be as seamless as possible, and to transform allowlisting into a critical security control that lets end users get on with their jobs. 

That extends to acknowledging that security teams at most organisations are time- and resource-constrained, and that many smaller organisations may not have these teams at all. 

Airlock is designed to be administered by people in different roles and the OTP process reflects this decision. 

For example, help desk team members can generate OTPs and provide them to users when exceptions are needed. Those users then manually input the OTP into relevant endpoints to enable requested files and apps to run. We also recognise that, in some circumstances, it makes sense for certain users and teams to manage exceptions themselves. An organisation can set up self-service based on users’ membership of groups within their directory services. Enabling these users to generate OTPs themselves reduces the load on administrators, and helps maintain user acceptance of and support for allowlisting within an organisation.   

When a user has activated an OTP, all information about the file and user activity are captured within Airlock and made visible to the administrator for review. The administrator then decides whether to trust that information and, if so, adds it to the bulk workflow within the product to be allowlisted.  

This process activates our guiding principle at Airlock Digital and what differentiates us from other application control vendors: we help our customers to define and implement a level of trust appropriate for their business and its context. 

When talking about OTPs, we should also address a common question we receive from customers: what happens if a user is allowed through the exception process to run files or applications that are vulnerable to or include malicious code? The answer is that Airlock includes a blocklist that takes precedence over our allowlist, so users can be restricted from running high-risk scripts or files even if an exception may permit software to invoke them. 

Additionally, organisations should consider that without allowlisting, users effectively have an exception perpetually in place with no administrative visibility. In this context, performing allowlisting with time-limited exceptions significantly reduces risk. 

To ensure exceptions through OTPs are available to organisations and individuals under all circumstances, we have ensured they continue to work when network connectivity is poor. For example, if an executive or salesperson is travelling in an area with no internet coverage and can only be reached by phone, OTPs and the associated back and forth is still operational. 

With seamless exception management through OTPs in Airlock, administrators can minimise interruptions to team members’ work and and, importantly, avoid tirades from unhappy senior executives. 

Airlock Digital is here to help!
Book a demo with any of our team members by clicking the button below.