Zero Trust Security for NIS2 compliance: What you need to know
Over 100,00 organizations are expected to be impacted by Network and Information Security Directive (NIS2) cybersecurity standards that European Union (EU) member states must implement by October 2024.
Over 100,00 organizations are expected to be impacted by Network and Information Security Directive (NIS2) cybersecurity standards that European Union (EU) member states must implement by October 2024. [i]
NIS2 was adopted in early 2023 as a response to increasing digitalization and rising cybersecurity threats stemming from the COVID-19 pandemic and the Russia-Ukraine War. NIS2 regulations expand on previous directives, most notably by broadening the scope of organizations subject to its cybersecurity requirements.
Under NIS2, any organization (1) with more than 50 employees or 10M Euro in annual revenue and (2) in a sector categorized as “essential and important entities” must comply with NIS2 directives. Sectors now subject to NIS2 compliance include food production, processing, and distribution; postal and courier services; and manufacturing and digital providers. [ii] (Organizations within sectors subject to previous NIS directive requirements must also comply with NIS2 mandates; those sectors include healthcare, banking and finance, and transportation.)
Zero Trust is a NIS2 requirement
Preamble 89 of the NIS2 directive outlines a variety of requirements for “Basic Cyber Hygiene,” including the adoption of Zero Trust principles. [iii]
Zero Trust principles require users and devices to prove their trustworthiness to gain access to the resources they need to do their jobs or fulfill their functions. This concept of least-privilege access is fundamental to Zero Trust Security practices.
Zero Trust Security also requires continuous monitoring of users and devices. Trustworthiness is constantly re-evaluated, and if a user or device begins to act suspiciously or in a fashion inconsistent with their role, their access may be limited or revoked. This limited and dynamically assessed role-based access security can help minimize and even prevent lateral spread of attacks.
The NIS2 requirement to adopt Zero Trust principles reflects the shortcomings of models based on implicit trust. For example, network security approaches focused primarily on protecting the perimeter grant broad access to users on corporate networks and corporate devices because they are implicitly trusted. Given rising IoT adoption, erosion of the corporate perimeter due to work-from-everywhere, and increasingly sophisticated threats that exploit “trusted” users and devices for malicious purposes, these security approaches can expose the organization to greater risk.
Zero Trust network security offers cybersecurity benefits vs. traditional perimeter-based network security models.
Overcoming challenges with Zero Trust adoption
Enforcement of least-privilege access and continuous monitoring are foundational to Zero Trust Security architectures, yet many organizations struggle to implement these practices.
According to research independently conducted by leading security research firm Ponemon Institute and sponsored by Hewlett Packard Enterprise, slightly less than half of organizations (49%) have not yet implemented Zero Trust Security. 19% of respondents believed that the adoption of Zero Trust was a “goal that will take time.” [iv]
According to the Ponemon report, one of the factors that slows down Zero Trust adoption is the lack of integration between tools. Access controls are often fragmented across multiple platforms that are not integrated, making it difficult to establish and enforce consistent policy without added complexity or inadvertent security gaps.
HPE Aruba Networking makes it easier for organizations to adopt Zero Trust capabilities with its HPE Aruba Networking Central NetConductor cloud-native network automation and orchestration solution. Central NetConductor includes all the tools organizations need to deploy, configure, and operate networks that support Zero Trust Security strategies.
Assessing Zero Trust adoption for NIS2 compliance
With the NIS2 compliance deadline looming, it can be helpful to assess current levels of cybersecurity implementation.
Consider using this Zero Trust Security checklist adapted from the guide, Implementing Identity-based Zero Trust and SASE Architectures, to start your assessment:
- Do you have visibility into every device on your network, even if you do not manage it?
- Do you have consistent methods for assigning privileges to users and devices?
- Are you enforcing security standards before allowing a device onto the network?
- Are you enforcing security policies consistently everywhere throughout the network?
- Are you able to continuously monitor a subject’s security state using all available data?
Five core capabilities—visibility, authentication and authorization, role-based access, conditional monitoring, and enforcement and response—form the foundation of Zero Trust Security.
Resources to help with Zero Trust adoption
Newly subject to NIS2 directives and need to learn more about Zero Trust? Here are some resources that can help you gain a better understanding of Zero Trust Security principles.
This blog was published on blogs.arubanetworks.com on 8/30/2023.
***
About Author
