NIS2 needs IAM, even though it is not mentioned
The Network and Information Systems (NIS) 2 Directive is the new EU cybersecurity directive that aims to raise the level of cybersecurity in Europe over the longer term. On January 16th, 2023 the directive enters into force, and member states must transpose it into national legislation by October 17th, 2024. The primary focus of NIS2 is organizations operating critical infrastructure, but the target group is considerably wider than under the previous NIS directive (from 2016). The definition of vital infrastructure is now so wide that you should assume your organization needs to comply, rather than assume it does not.
And from our perspective… We support NIS2, but it does not specifically address Identity and Access Management; it only briefly mentions access control policies (in the sense of the ISO 27000 series) in section 79. That is a concern, because IAM is the invisible foundation of NIS2. I will expand on this in this article.
NIS2 impact on organizations
‘Optional is no longer an option’, as spoken by minister of Justice and Security Dilan Yeşilgöz-Zegerius at the ONE Conference in The Hague last October. Here it is: the NIS2 directive of the EU. It will impact your organization’s operations, and we expect the impact to be significant. NIS2 covers more than just the highly critical and vital industries; related sectors are included by the directive as well.
You no longer have the option to just plan, or to postpone implementing security controls. NIS2 is here now, and it states that implementing security is a responsibility of the C-level. More than that, it covers “accountability of the company management for compliance with cybersecurity risk-management measures”. It is not an option to simply appoint a Chief Information Security Officer (a CISO without mandate or budget) as the person responsible for security; the accountability lies with the C-level that holds the mandates, the board, including the CEO and CFO. The role of the CISO is to guide top-level management towards an acceptable level of risk and security management, not to be a scapegoat for the real stakeholders. Either way, the C-level needs to be aware of its role as the accountable stakeholder for security (see our strategic alignment whitepaper).
NIS2 impact on IAM
Identity Management and Access Control have always been core components of information security. In the international ISO 27002 security baseline a whole chapter covers access control, and several other chapters cover specific access control topics, such as physical access control and access in IT operations. NIS2, however, does not address IAM as a subject. There is no reference to Access Governance, Identity Management, joiner-mover-leaver processes or RBAC (Role Based Access Control). Not even the EU Digital Identity Wallet is mentioned.
Traditionally IAM is treated as an IT responsibility that enables the business (more on this in our Business to IT alignment report). Because of NIS2 this will have to change, not least because of a fundamental change in how NIS2 treats security: it explicitly addresses the supply chain. The supply chain concept means that (almost) every organization provides services to other organizations and also consumes services from other providers. As we have witnessed in the last few years, this supply chain affects security: organizations can fall victim to attacks on their providers. Security incidents such as NotPetya and SolarWinds are examples of these risks.
Security controls are no longer limited to the organization itself. Any organization (especially those directly in scope of NIS2) is no longer treated as an autonomous entity, but as one link in a whole chain of events and services. The same is true for the cloud. The cloud is no longer just a set of networking and computing resources; it is an integrated part of business operations and no longer treated as something external. Contracts are key: it is not just about SLAs and availability anymore.
More control over more identities
What this means for IAM is that organizations will have to be in control of more identities than just their own. They need to cope with an indefinite number of identities (including the identities of things!), and they must also address the complexities of managing access across the supply chain. Control is no longer restricted to an Active Directory. Governance is no longer just ‘what you see is what you get’; it is also ‘what you want to allow is what you need to manage’. Mainstream access control concepts such as role-based access control will need to be adapted to cope with supply chain integrations. Federation, access policy management and zero trust concepts must be added to the security toolkit. Continuous authentication will require new infrastructure and policy management. In fact, NIS2 explicitly addresses the use of multi-factor and continuous authentication solutions. Zero trust is the way to go!
This also implies that under NIS2 new ways of reporting and auditing must be implemented. Auditors must face the fact that focusing on relatively simple traditional security controls, such as password policies and recertification of user accounts, will no longer be sufficient.
Although the directive does not address Identity and Access Management as a subject, you cannot be compliant with NIS2 if you are not in control of access. IAM is the invisible foundation of NIS2. A good starting point is to create your own vision on access, and to build your strategy and roadmap from it. And please, do include a wider view on identity in order to comply with NIS2.
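To make the shift from ‘what you see’ to ‘what you want to allow’ concrete, here is an added illustration (not code from the original article, and not a product or a reference implementation) of an access decision over a mixed identity population: employees from your own directory, technicians arriving through a federated supplier IdP, and device (workload) identities. All issuers, roles, resources and identities are constructed examples. A plain role lookup (rbac_only) is what a traditional RBAC check does; decide() adds the checks the text argues for: issuer trust through federation, contract scope for supplier identities, multi-factor authentication for sensitive actions, and an authentication-freshness window per identity kind as a simple form of continuous authentication.

```python
"""Policy-based access decision over own, federated and device identities.

Added example for illustration; all values below are constructed and the
policy numbers (re-authentication windows) are assumptions, not NIS2 text.
"""
from dataclasses import dataclass
from typing import FrozenSet

# Issuers we federate with, and what kind of identity each one vouches for.
TRUSTED_ISSUERS = {
    "https://idp.example.internal": "employee",      # our own directory
    "https://login.supplier-a.example": "supplier",  # federated partner IdP
    "spiffe://plant.example": "thing",               # workload / device identities
}

# Classic RBAC: which permissions a role grants.
ROLE_PERMISSIONS = {
    "operator": frozenset({"scada:read"}),
    "engineer": frozenset({"scada:read", "scada:write"}),
    "supplier-maint": frozenset({"scada:read", "scada:write"}),
    "sensor": frozenset({"telemetry:publish"}),
}

# Maximum age of the last authentication event per identity kind (assumed policy).
MAX_AUTH_AGE_S = {"employee": 8 * 3600, "supplier": 15 * 60, "thing": 5 * 60}


@dataclass(frozen=True)
class Identity:
    subject: str
    issuer: str
    roles: FrozenSet[str]
    mfa: bool            # did the issuer assert multi-factor authentication?
    auth_age_s: int      # seconds since the last authentication event


@dataclass(frozen=True)
class Resource:
    name: str
    permission: str                                  # permission the action needs
    critical: bool                                   # critical for the service chain
    contracted_issuers: FrozenSet[str] = frozenset()  # suppliers contracted for it


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def rbac_only(identity: Identity, permission: str) -> bool:
    """The traditional check: does any role of the identity grant the permission?"""
    return any(permission in ROLE_PERMISSIONS.get(r, frozenset()) for r in identity.roles)


def decide(identity: Identity, resource: Resource) -> Decision:
    """Policy decision: federation trust, RBAC, contract scope, MFA, freshness."""
    kind = TRUSTED_ISSUERS.get(identity.issuer)
    if kind is None:
        return Decision(False, f"issuer {identity.issuer} is not federated")
    if not rbac_only(identity, resource.permission):
        return Decision(False, f"no role grants {resource.permission}")
    if kind == "supplier" and identity.issuer not in resource.contracted_issuers:
        return Decision(False, f"{resource.name} is outside the contract with {identity.issuer}")
    sensitive = resource.critical or resource.permission.endswith(":write")
    if kind != "thing" and sensitive and not identity.mfa:
        return Decision(False, "multi-factor authentication required")
    if identity.auth_age_s > MAX_AUTH_AGE_S[kind]:
        return Decision(False, f"re-authentication required for {kind} identities")
    return Decision(True, f"{kind} {identity.subject} may {resource.permission} on {resource.name}")


# Constructed sample resources and identities.
PLC_CONFIG = Resource("plc-line-3/config", "scada:write", critical=True,
                      contracted_issuers=frozenset({"https://login.supplier-a.example"}))
PLC_STATUS = Resource("plc-line-3/status", "scada:read", critical=False)
TELEMETRY = Resource("telemetry/line-3", "telemetry:publish", critical=False)

ENGINEER = Identity("alice@example.internal", "https://idp.example.internal",
                    frozenset({"engineer"}), mfa=True, auth_age_s=3600)
SUPPLIER_TECH = Identity("bob@supplier-a.example", "https://login.supplier-a.example",
                         frozenset({"supplier-maint"}), mfa=True, auth_age_s=600)
STALE_SUPPLIER = Identity("bob@supplier-a.example", "https://login.supplier-a.example",
                          frozenset({"supplier-maint"}), mfa=True, auth_age_s=1800)
ROGUE = Identity("mallory@attacker.example", "https://idp.attacker.example",
                 frozenset({"engineer"}), mfa=True, auth_age_s=60)
SENSOR = Identity("spiffe://plant.example/line-3/sensor-17", "spiffe://plant.example",
                  frozenset({"sensor"}), mfa=False, auth_age_s=60)

if __name__ == "__main__":
    for ident, res in [(ENGINEER, PLC_CONFIG), (SUPPLIER_TECH, PLC_CONFIG),
                       (SUPPLIER_TECH, PLC_STATUS), (STALE_SUPPLIER, PLC_CONFIG),
                       (ROGUE, PLC_CONFIG), (SENSOR, TELEMETRY), (SENSOR, PLC_CONFIG)]:
        d = decide(ident, res)
        print(f"rbac_only={rbac_only(ident, res.permission)!s:5} "
              f"decide={d.allowed!s:5} {d.reason}")
```

The instructive case is ROGUE: a token that carries the engineer role passes the role lookup, so a system that only checks roles would grant the write, while the policy refuses it because the issuer is not one we federate with. The supplier technician is allowed on the PLC he is contracted for but not on another line, and his session is refused once it exceeds the supplier re-authentication window, which is the kind of rule an auditor will have to look for instead of a password policy.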