Intuitive vs Zero-Trust, an MSME Perspective

With an increasing number of MSMEs exporting, becoming dependable links in the supply chains of large enterprises and MNCs, and going global with their own products, I strongly sensed the need to write this blog. It is now the writing on the wall that MSMEs are subject to global standards of competition. They need to run the business by systems, policies, and processes, and IT adoption is essential to that transformation. Let us focus on policies and on the ways systems and processes can enforce them. A policy can be intuitive or zero-trust. An intuitive policy tells the user what to do and trusts him to do it; a zero-trust policy is built into the system so that the outcome does not depend on the user's cooperation. (In this post "zero trust" is used in that plain sense of a technical control that does not rely on the user, as opposed to an administrative control; it is not a reference to the zero-trust network architecture of the same name.) Let us understand the difference between intuitive and zero-trust policies by examples.

 

Data Centralization Policy

Enterprises centralize data to achieve data protection objectives. They invest in on-premise or cloud servers so that data is stored on, and accessed from, central infrastructure. The objective of centralization can be pursued with an intuitive or a zero-trust policy. In the intuitive version, the admin educates users about the hazards of scattered data and requests them to store it on the central infrastructure. If the users follow the instructions, the objective is achieved; if they keep saving data on local computers, it is not. In the zero-trust version, the user's computer is hardened so that data can only be saved to the central infrastructure (or to a secured local drive under the enterprise's control), whether the user wants it or not. The zero-trust policy leaves no room for digression. Our product BLACKbox hardens the user's computer so that data can be saved only to the central location or to a secure local drive created by BLACKbox, thereby enforcing a zero-trust data centralization policy.

 

Data Deletion Policy

Enterprises require users to delete data with accountability. Under an intuitive policy this is done by requesting users to be responsible when deleting and, in particular, not to use Shift+Del, which bypasses the Recycle Bin. If a user does use Shift+Del, an entire folder can be deleted at once, the data may not be recoverable, and there is usually no record of who did it. Under a zero-trust policy, whatever is deleted with Shift+Del is captured and made available for restoration regardless of the user's intent, and the system records which user deleted it. The data is not lost, and the deletion can be attributed to a person with evidence. Our product BLACKbox captures the deleted data and makes it available for restoration to maintain business continuity and hold the user accountable with evidence.
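As an added example, not BLACKbox's own mechanism, the following PowerShell shows how the accountability half of such a policy can be built from Windows' own object-access auditing on a file server: every deletion under a data folder is written to the Security event log with the user and process, and a small function turns those events into a report. It assumes it is run as an administrator on the server; `D:\CompanyData` is a hypothetical path for the shared data root, and `Get-DeleteReport` is a name chosen here.

```powershell
# Added example (not BLACKbox code). Attribute Shift+Del deletions under a shared data
# root with Windows object-access auditing. Assumes: run as administrator on the file
# server; $DataRoot is a hypothetical path for the shared folder.
$DataRoot = 'D:\CompanyData'

# 1. Enable success auditing for the "File System" subcategory; without this, SACLs are ignored.
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# 2. Add a SACL entry that audits Delete and DeleteSubdirectoriesAndFiles by anyone,
#    inherited by every file and subfolder under the root.
$acl  = Get-Acl -Path $DataRoot -Audit
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $DataRoot -AclObject $acl

# 3. Report who deleted what. Event 4663 ("an attempt was made to access an object") with
#    AccessMask 0x10000 is the DELETE right being exercised; 4660 follows once the object is gone.
function Get-DeleteReport {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['AccessMask'] -eq '0x10000' -and $data['ObjectName'] -like "$DataRoot*") {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                    Object  = $data['ObjectName']
                    Process = $data['ProcessName']   # explorer.exe for Shift+Del, cmd.exe for 'del', etc.
                }
            }
        }
}

Get-DeleteReport | Format-Table -AutoSize
```

Auditing answers "who", but it keeps no copy of the file; for the restore half of the policy the data volume also needs Volume Shadow Copies (or an equivalent versioned store) so that a file removed with Shift+Del can be recovered from Previous Versions. For a file deleted over an SMB share, SubjectUserName is the account the server authenticated, not whatever the client machine claims, which is what makes the record usable as evidence.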

 

Data Backup Policy

Enterprises need to back up their application, email, and file data. They keep multiple copies, on-premise and off-premise, to deal with disaster or hardware failure, and multiple versions to deal with ransomware. The intuitive policy advises users to regularly copy their email and file data to a central backup location, engages the IT admin to back up applications onto multiple pieces of hardware, and depends on manual off-premise backups. Here the fate of the backup depends on the discretion of the users and the admin. If they are not sincere in following the process, the enterprise loses business continuity when data is lost to deletion, ransomware, disaster, or hardware failure; and a backup that is never test-restored is not known to work until the day it is needed. This calls for a zero-trust backup policy: backups of applications, files, and email run automatically, versions are retained, and data is pushed off-premise to a cloud or data centre without anyone having to remember. Two caveats matter for the ransomware case. Versions that the user, or malware running as the user, can overwrite or delete are no protection, so at least one copy must be immutable or offline; and backup health must be reported and errors raised proactively, because a silently failing backup is worse than none, since it is trusted. Our product BLACKbox implements a zero-trust backup policy with no involvement of users or admin and a proactive report on backup health status.

 

Data Leakage Prevention Policy on USB Port

A policy of blocking USB ports outright does not serve the purpose, because users need USB for keyboards, mice, and printers. A few users need USB access for HASP license dongles, digital signature tokens, or equipment testing, and a few genuinely need to copy data to USB media for business. Under an intuitive policy, users are requested to use USB ports with integrity, accountability, and responsibility. If some users use a USB port to leak or steal enterprise data, the enterprise can be competitively exploited or held liable for breach of non-disclosure agreements with its customers. Under a zero-trust policy the control is applied by device class rather than by port: the enterprise allows only non-storage devices such as keyboards, mice, and printers, so users cannot copy data out. For users who need the port for digital signature tokens, HASP dongles, or test equipment, removable storage is set to read-only, so data can come in but cannot go out. For users who must copy data to USB media, writing is allowed, but what was written is reported to the supervisor. Our product BLACKbox offers these controls on USB to enforce a zero-trust IT policy.
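The three tiers above map onto a control Windows already has. As an added example (not BLACKbox code), the PowerShell below sets the built-in Removable Storage Access policy for the "Removable Disks" device class, which is what leaves keyboards, mice, printers and HID or vendor-class dongles untouched while denying, read-only-ing, or auditing USB storage, and it reads back the audit events for the reported tier. It assumes an administrator session on the endpoint; `Set-RemovableDiskTier` and `Get-UsbWriteReport` are names chosen here.

```powershell
# Added example (not BLACKbox code). Tiered USB storage control using the Windows
# "Removable Storage Access" policy. Only the Removable Disks device class is touched, so
# keyboards, mice, printers and HID/vendor-class dongles keep working in every tier.
# Assumes: run as administrator on the endpoint. Function names are chosen here.
$RemovableDisks = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Set-RemovableDiskTier {
    param([Parameter(Mandatory)][ValidateSet('NoStorage', 'ReadOnly', 'ReadWriteReported')][string]$Tier)
    New-Item -Path $RemovableDisks -Force | Out-Null
    $deny = switch ($Tier) {
        'NoStorage'         { @{ Deny_Read = 1; Deny_Write = 1; Deny_Execute = 1 } }  # keyboard/mouse/printer users
        'ReadOnly'          { @{ Deny_Read = 0; Deny_Write = 1; Deny_Execute = 1 } }  # data may come in, not go out
        'ReadWriteReported' { @{ Deny_Read = 0; Deny_Write = 0; Deny_Execute = 1 } }  # allowed, but every write is logged
    }
    foreach ($name in $deny.Keys) {
        Set-ItemProperty -Path $RemovableDisks -Name $name -Value $deny[$name] -Type DWord
    }
    if ($Tier -eq 'ReadWriteReported') {
        # "Removable Storage" auditing logs event 4663 for each access to removable media; no SACL is needed.
        auditpol /set /subcategory:"Removable Storage" /success:enable | Out-Null
    }
}

# Supervisor report for the third tier: which user wrote which file to removable media.
function Get-UsbWriteReport {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } |
        Where-Object { $_.TaskDisplayName -eq 'Removable Storage' } |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            # Bit 0x2 is WriteData/AddFile and 0x4 is AppendData: either means data went onto the device.
            if (([int]$data['AccessMask'] -band 0x6) -ne 0) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                    File    = $data['ObjectName']
                    Process = $data['ProcessName']
                }
            }
        }
}

Set-RemovableDiskTier -Tier ReadOnly
Get-UsbWriteReport | Format-Table -AutoSize
```

The values take effect when a device is next plugged in (or after a policy refresh when set through Group Policy). The same values under HKCU, delivered by a user-scope GPO, let the tier follow the user rather than the machine, which is how the per-user categories in the text are realised. Two gaps to know about: a phone in MTP mode is a WPD device, a separate class in the same policy that needs its own Deny_Write, and none of this stops a user photographing the screen, which only the reporting tier and the email and Internet usage policies can address.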

 

Data Leakage Prevention Policy on Acceptable Email

Users use enterprise email to communicate with the world. The email system is an enabler of communication and can also be misused to leak enterprise data, so the enterprise must have a well-defined email usage policy. The intuitive method is to educate users to use email for communication and not to misuse it to leak data. The zero-trust method frames the policy around what each user's job profile requires and enforces it in the mail system itself. Users are divided into categories, each with defined permissions and rights, for example: one group may send email only within the organization; another may send external email only to allow-listed parties in their professional circle; another may send external email only after a superior approves it; and some users may send email to anyone worldwide, with a copy of each message reported to the superior. The same policy defines controls on the attachments exchanged over email. Because these rules are applied by the mail server against the authenticated sender, a user cannot opt out of his category by editing the From address.
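As an added example (not BLACKbox code, which is an endpoint product rather than a mail server), here is how the four categories above look as Exchange Online mail flow (transport) rules, since this control has to live where the authenticated sender is known. It assumes a connected Exchange Online PowerShell session; the group names, the supervisor mailbox and the `example.com` domain are placeholders.

```powershell
# Added example (not BLACKbox code). The four sender tiers as Exchange Online mail flow rules.
# Assumes: Exchange Online PowerShell is connected; the distribution groups and the
# supervisor mailbox below exist. All names and the domain are placeholders.
$Domain     = 'example.com'
$Supervisor = "supervisor@$Domain"

# Tier 1: internal-only senders. Any external recipient is rejected with a non-delivery report.
New-TransportRule -Name 'DLP - internal only senders' `
    -FromMemberOf "internal-only@$Domain" `
    -SentToScope NotInOrganization `
    -RejectMessageReasonText 'External email is not permitted from this account' `
    -RejectMessageEnhancedStatusCode '5.7.1'

# Tier 2: external email only to allow-listed partner domains; everything else is rejected.
New-TransportRule -Name 'DLP - allow-listed partners only' `
    -FromMemberOf "partner-only@$Domain" `
    -SentToScope NotInOrganization `
    -ExceptIfRecipientDomainIs @('partner-a.example', 'partner-b.example') `
    -RejectMessageReasonText 'Recipient domain is not on the approved list'

# Tier 3: every external email is held for moderation until the superior approves it.
New-TransportRule -Name 'DLP - approval before external send' `
    -FromMemberOf "approval-required@$Domain" `
    -SentToScope NotInOrganization `
    -ModerateMessageByUser $Supervisor

# Tier 4: unrestricted, but the superior receives a blind copy of every external message.
New-TransportRule -Name 'DLP - external send reported' `
    -FromMemberOf "reported-senders@$Domain" `
    -SentToScope NotInOrganization `
    -BlindCopyTo $Supervisor

# Attachment control for all tiers: executable content must not leave the organization.
New-TransportRule -Name 'DLP - no executable attachments outbound' `
    -SentToScope NotInOrganization `
    -AttachmentHasExecutableContent $true `
    -RejectMessageReasonText 'Executable attachments may not leave the organization'

Get-TransportRule | Select-Object Priority, Name, State | Format-Table -AutoSize
```

Each tier keys on membership of a different group, so the rules do not conflict, but check the order with Get-TransportRule all the same, because rules run in priority order. These rules see the sender as authenticated by Exchange, so a forged From header does not move a user between tiers; they see nothing of personal webmail opened in a browser, which belongs to the Internet usage policy.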

 

Data Leakage Prevention Policy on Acceptable Internet Usage

Users need the Internet as a resource for research, business development, government compliance, bidding, banking, etc. The Internet is an enabler and can be misused to leak enterprise data, so the enterprise must have a well-defined Internet usage policy. The intuitive method is to educate users to use the Internet for research, business development, and compliance and not to misuse it to leak data. The zero-trust method frames the policy around what each user's job profile requires and enforces it. Users are divided into categories with defined permissions: the enterprise defines the minimum list of websites each category needs and allows those without restriction, and a website not on the list can be reached only with permission, or in a context isolated from sensitive enterprise data, so that even if the user uploads something there, the sensitive data is out of reach. Note that the email controls cover only the enterprise mail system; personal webmail and file-sharing sites reached over the Internet fall under this policy, which is why the allow-list matters. Our product BLACKbox provides on-demand Internet access for such websites and automatically isolates sensitive enterprise data.

 

In the end it is about defining each enterprise IT policy with either an intuitive or a zero-trust approach, and the examples above show where the difference appears: an intuitive policy is only as good as the least careful user, while a zero-trust policy holds regardless of what the user does.

 

Tags:

Data Cyber Risk Solutions

Laptop Security Software India

BlackBox Software Solution