Safely enabling applications means not only defining the list of applications you want to allow, but also enabling access only for those users who have a legitimate business need. For example, some applications, such as SaaS applications that enable access to Human Resources services (such as Workday or Service Now) must be available to any known user on your network. However, for more sensitive applications you can reduce your attack surface by ensuring that only users who need these applications can access them. For example, while IT support personnel may legitimately need access to remote desktop applications, the majority of your users do not. Limiting user access to applications prevents potential security holes for an attacker to gain access to and control over systems in your network.