The Network and Information Systems (NIS) 2 Directive is the new EU cybersecurity directive that aims to raise the level of cybersecurity in Europe over the longer term. On January 16th the directive will enter into force, and within 2 years it must be transposed into the legislation of the member states.
The primary focus of NIS2 is organizations operating critical infrastructure, but the target group is wider than under the previous NIS directive (from 2016). The definition of vital infrastructure is now so broad that you should assume your organization needs to comply, rather than not! And from our perspective… We support NIS2, but it does not specifically address Identity and Access Management. In fact, it only briefly mentions access control policies (ISO 27000 series) in section 79. However, we believe NIS2 needs IAM. More specifically, we believe IAM is the invisible foundation of NIS2. I will expand on this in this article.
NIS2 impact on organizations
‘Optional is no longer an option’. So stated Minister of Justice and Safety Dilan Yeşilgöz Zegerius at OneConference in The Hague last October. Here it is, the NIS2 regulation of the EU. It will impact your organization’s operations, and we expect its impact to be significant. NIS2 covers more than just the highly critical and vital industries; related sectors are included by the Directive as well.
Consequently, you no longer have the option to merely plan or postpone implementing security controls. NIS2 is here now, and it states that implementing security is a responsibility of the C-level. What’s more, it covers “Accountability of the company management for compliance with cybersecurity risk-management measures.” For instance, appointing a Chief Information Security Officer as the person responsible for security.
One reason for this is that the CISO is typically a position without mandate or budget. Instead, it is the C-level that holds the mandates: the board, consisting of the CEO and CFO. The role of the CISO is to guide top-level management towards an acceptable level of risk and security management, not to be a scapegoat for the real stakeholders. In any case, the C-level needs to be aware of its role as the accountable stakeholder for security (see our strategic alignment whitepaper).
NIS2 impact on IAM
Now let’s dive a bit deeper into why NIS2 needs IAM. We know that Identity Management and Access Control have always been core components of information security. There is a whole chapter on access control in the international ISO 27001 security standard, and we find specific access control topics in several other areas as well, such as physical access control and IT operations. But surprisingly, NIS2 does not mention IAM. There is no reference to Access Governance, Identity Management, joiner-mover-leaver processes or RBAC (Role Based Access Control). Not even the EU Digital Identity wallet is mentioned.
Traditionally, IAM is treated as an IT responsibility, one that enables the business (more explanation in our Business to IT alignment report). Because of NIS2 this will have to change, particularly because of a fundamental change in how NIS2 treats security: it explicitly addresses the concept of the supply chain. The supply chain concept means that (almost) every organization provides services to other organizations and also consumes services from other providers. As we’ve seen in the last few years, this supply chain affects security, and organizations can be attacked via their providers. Security incidents such as NotPetya and SolarWinds are examples of these risks.
Security controls are no longer limited to the organization itself. Any organization, especially a NIS2 subject, is no longer treated as an autonomous entity but forms part of a whole chain of events and services. The same is true for the concept of cloud. Previously, the cloud was external, part of networking and computing resources. Nowadays, cloud is an integrated concept in the field of business operations. Contracts are key; it is not just about SLAs and availability anymore.
More control over more identities
What this means for IAM is that organizations will have to be in control of more identities than just their own. They need to cope with an indefinite number of identities (including the identity of things!), and must address the complexities of managing access across the supply chain. In other words, control is no longer restricted to an Active Directory. Governance is not just ‘what you see is what you get’. It is also ‘what you want to allow is what you need to manage’, and that’s where NIS2 needs IAM.
Consequently, mainstream access control concepts like role-based access control will have to be adapted to cope with supply chain integrations. Federation, access policy management and zero trust concepts must be added to the security toolkit. Continuous authentication will require new infrastructure and policy management. In fact, NIS2 explicitly addresses the concept of continuous and multi-factor authentication – zero trust is the way to go!
This also implies that under NIS2 new ways of reporting and auditing must be implemented. Auditors must face the fact that focusing on relatively simple traditional security controls, like password policies and recertification of user accounts, will no longer be effective.
To conclude, although Identity and Access Management is not mentioned anywhere in the regulation, you can only comply with NIS2 by being demonstrably in control of access. IAM is the invisible foundation of NIS2. A good starting point would be to create your own vision on access. Build your strategy and roadmap. And please do include a wider view on identity, to comply with NIS2.