The original NIS standards, set out in 2016, applied to UK and EU organisations. The EU has now created NIS2, while the UK is set to follow in its footsteps with its own update.
Security measures relating to managing privileged access feature as a key component within NIS2, building on the existing guidelines.
And it’s the latest example of regulations that contain this emphasis, following various cybersecurity standards that have been developed in recent years.
A guide to best practices for the original NIS was defined by the NCSC in the form of the Cyber Assessment Framework (CAF). Within the framework, the key to success is good management of identity and privileged accounts.
There are also parallels with the UK’s Cyber Essentials scheme, which itself provides a foundation for other regulatory standards such as the NHS Digital Security and Protection Toolkit (DSPT).
What’s the key focus of NIS2?
NIS2 calls for greater protection of utilities – transport, water, energy etc – which it highlights as being increasingly vulnerable to cyber attacks as they become more digitally connected with each other.
NIS2 stresses the importance of protecting critical infrastructure from ransomware attacks, an area in which, EU officials say, Europe has “faced an exponential increase”.
How do PAM and EPM help achieve compliance with NIS2’s goals?
There are a few key areas the NIS2 directive points to relating to privileged access security and endpoint management:
1) Limitation of administrator-level access accounts
The directive states that cyber hygiene is “essential to enhance the level of cybersecurity within the Union, in particular in light of the growing number of connected devices that are increasingly used in cyberattacks”. It says that restricting elevation of privileged accounts is a key part.
The directive states (paragraph 49): “Cyber hygiene policies provide the foundations for protecting network and information system infrastructures. Cyber hygiene policies comprising a common baseline set of practices, including…the limitation of administrator-level access accounts…enable a proactive framework of preparedness and overall safety and security in the event of incidents or cyberthreats.”
The use of “access management, and automated access decisions, should be promoted” to safeguard public electronic communications (paragraph 98).
A PAM system reduces the risks of attacks by isolating sessions, managing credentials and enabling just-in-time access.
Managing endpoints (laptops, for example) is another important component for complying with NIS2’s directions around hygiene. That happens through the safe removal of local admin rights, thereby preventing privilege escalation.
The problem for many organisations is a proliferation of administrator accounts on end-users’ workstations and laptops, amplifying the risks of a ransomware attack.
The best way to tackle the ransomware risk - highlighted as the biggest threat in NIS2 - is to prevent it from being installed in the first place by stopping users from installing applications themselves on their laptops or workstations.
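One practical starting point for the local-admin proliferation described above is simply to measure it. The following is an added example, not code from the original article or from any particular PAM/EPM product: it reads the local Administrators group on a Windows endpoint and flags any member that is not on an approved list. It assumes Windows PowerShell 5.1 or later (for `Get-LocalGroupMember`), and the approved list is a constructed placeholder you would replace with the groups your own PAM tooling manages.

```powershell
# Audit local Administrators membership and report anything unexpected.
# Added example; assumes PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts).
# The approved list is a constructed placeholder for this example.
$Approved = @(
    "$env:COMPUTERNAME\Administrator",   # built-in account; ideally disabled or vault-managed
    "CONTOSO\Domain Admins"              # placeholder for the group your PAM solution uses
)

# Every principal (users and groups) currently holding local admin rights
$members = Get-LocalGroupMember -Group "Administrators"

# Anything not explicitly approved is a candidate for removal
$unexpected = $members | Where-Object { $Approved -notcontains $_.Name }

# Is the built-in Administrator account still enabled? (common ransomware foothold)
$builtinEnabled = (Get-LocalUser -Name "Administrator").Enabled

[PSCustomObject]@{
    Computer            = $env:COMPUTERNAME
    AdminMemberCount    = $members.Count
    BuiltinAdminEnabled = $builtinEnabled
    UnexpectedMembers   = ($unexpected.Name -join "; ")
} | Format-List

# Non-zero exit lets an endpoint management tool mark the host non-compliant
if ($unexpected -or $builtinEnabled) { exit 1 } else { exit 0 }
```

Run it under a management agent across the estate and the non-zero exits give you the list of machines where admin rights need to be withdrawn before an EPM policy is enforced.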
3) Data backups
The directive also cites backing up of data as a key point. This matters because ransomware attacks actively hunt out critical systems across IT, especially backup management systems. Once the attack is established, it steals vital data, encrypts local copies, deletes backups, and leaves you powerless to react.
The National Cyber Security Centre says: “Backup accounts and solutions should be protected using Privileged Access.”
4) Zero trust principle
The directive also states that organisations should adopt the Zero Trust principle as one of an essential range of cyber hygiene practices (see paragraph 89). At the heart of Zero Trust is separating the authentication from the authorisation – which can be achieved through Privileged Access Management.
PAM authenticates against a variety of sources. Active Directory is the most common, followed by a number of multi-factor authentication providers.
Being able to trust the operating systems in your endpoints is another key part of Zero Trust. Endpoint Privilege Management means that your users cannot run elevated processes without permission – giving you control of what is and is not installed on your endpoints.
Want to learn more about how PAM and EPM solutions can help you with regulatory compliance and enhance cyber resilience?