In an older post we discussed the 10 minimum security measures listed in Article 21 of the NIS 2 Directive. These measures include organizational, operational, and technical measures.
In this article we focus on those technical measures that relate directly to GoodAccess and explain how deploying our ZTNA platform can help you cover a significant part of NIS 2 technical compliance.
Why does it matter if you’re NIS 2 compliant?
For essential and important entities the answer to this question is simple: since October 2024 it will be mandatory. But not just for them.
The NIS 2 will require obliged entities to contractually bind their business partners to comply with the Directive as well. More organizations will have to secure their supply chain and require proof of a high standard of cyber and information security from suppliers.
This is already true in the case of HIPAA in the USA, where the suppliers of healthcare organizations have to be HIPAA-compliant. Now, the same obligation will appear in the EU as well.
Technological requirements of NIS 2 compliance
Technological requirements of the NIS 2 Directive conform to its goal of protecting critical services (e.g. power supply, water supply, hospital services, transportation).
First, the company must analyze the risks to this service. Based on this the organization can define what critical resources the service depends on.
Then, depending on the severity, the entity will start implementing the cybersecurity risk-management measures it is required by its national law (a transposition of the NIS 2 Directive).
For example, access control — employees will receive access to resources only after they have been properly authenticated and will only be allowed to use the resource for a legitimate purpose. If there is any wrongdoing, the organization must have means of detecting it, evaluating the incident, and responding accordingly.
How GoodAccess can help you cover the technological requirements of NIS 2 compliance
GoodAccess is a network security solution that provides identity-based authentication, network encryption, and threat detection as part of a zero-trust network as a service package.
This unique approach delivers network segmentation with maximum granularity. It uses virtual access cards to control access to resources, which are defined as network services (with an IP address, port, and protocol).
In this way, users never receive access to the whole network, but always only to the specific service.
GoodAccess provides network security that covers a majority of NIS 2 risk-management measures, and we collaborate with our technology partners and alliances to provide the remaining security measures and deliver auditing services.
Small and medium-sized businesses that fall within the scope of obligated entities can offload a major part of their technological cyber risk-management measures directly onto us.
Other businesses can rely on us to improve their network security and deploy identity-based access management to fortify their supply chain.
Why seek NIS 2 compliance by outsourcing network security?
The Directive requires obligated entities to test every application and critical resource for vulnerabilities. The more in-house network devices you manage (e.g. firewall, VPN concentrator, load balancer, etc.), the harder your infrastructure becomes to manage and scale, and the more vulnerability tests you will have to perform.
By using a network-as-a-service solution, part of this obligation passes on to the supplier. Using GoodAccess’ cloud infrastructure increases security and eliminates the cost and effort of maintenance, testing, and upkeep of network devices.
The sections below describe specific cybersecurity measures that GoodAccess can provide.
Incident handling and threat detection
Complementary to EDR solutions, GoodAccess has a built-in DNS filter called Threat Blocker that automatically defends against online threats on the network level.
It draws on threat intelligence feeds that are updated several times a day, and when a threat is detected, it automatically blocks the communication and notifies the user and admin.
Device posture check
Device posture check prevents vulnerable devices from entering your perimeter.
You can define your own device security policy and enforce it centrally and fully automatically, regardless of how many devices your employees are using. This is a huge advantage nowadays, when the number of connecting devices may be three times the number of employees, something that is hardly within the ability of any IT team to manage.
The criteria by which you assess device security are up to you — you may choose to check devices for the presence of an active antivirus software, disk encryption, OS type and version, pre-installed certificate, and many more.
Devices that fail the posture check will be logged and (optionally) blocked from accessing critical resources or the entire perimeter.
Network encryption
We use strong encryption for all communication that passes through the GoodAccess secure environment.
GoodAccess only uses unbroken ciphers to encrypt communication, as well as a combination of layer 3 (network layer), layer 7 (application layer, e.g. end-to-end encryption), and layer 6 (presentation layer, e.g. SSL/TLS encryption).
Unlike application-layer encryption, network-layer encryption encrypts packet headers and DNS names as well.
This helps protect sensitive data from interception and eavesdropping, defends against threats like man-in-the-middle attacks, provides protection on unsecured Wi-Fi, and ensures total privacy from ISPs.
Identity-based access management
Identity-based access control is a major component of NIS 2 compliance. GoodAccess takes a network-based approach that gives companies robust access controls that are easy to manage and maintain.
You can use either an identity provider (e.g. Okta, MS Azure, JumpCloud, or any other SAML-compatible provider) or GoodAccess as a source of identity for your users.
Access control is role-based and assigned centrally, which ensures that users only receive access privileges to those systems they need to perform their tasks.
In addition, GoodAccess supports account and group synchronization via the SCIM protocol, which greatly simplifies access policy management: you manage user access permissions in one place (e.g. on the IdP side) and GoodAccess implements them on the network level automatically.
The network-based approach is particularly useful if your IT environment consists of heterogeneous resources. Some systems, like older control systems in manufacturing, do not support SSO or MFA, and it would be very difficult for organizations to modify them to comply with these requirements. But network-based access control envelops these systems and adds a security layer to them all equally, including SSO, MFA, system-level access logging, and least-privilege access control.
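To make the model concrete, here is an added illustration (not GoodAccess code) of how access cards defined as an IP range, port and protocol, granted to groups, combine with the device posture check from the section above into a default-deny decision for each connection attempt. Every policy value, group name and device below is constructed for the example.

```python
"""Toy zero-trust access decision engine (added example, not GoodAccess code).

A service is an access card (destination network, port, protocol); cards are granted
to groups; a device must pass the posture policy before any card applies; and every
decision is returned as a dict that could be shipped to a SIEM as a log record.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AccessCard:
    name: str
    network: str   # destination IP or CIDR the card covers (constructed values below)
    port: int
    proto: str     # "tcp" or "udp"


@dataclass
class Device:
    os: str
    os_version: tuple
    antivirus_active: bool
    disk_encrypted: bool


# Constructed sample policy: which groups hold which cards.
CARDS = {
    "erp": AccessCard("erp", "10.0.10.5/32", 443, "tcp"),
    "plc": AccessCard("plc", "10.0.20.0/24", 502, "tcp"),  # legacy control system without SSO
}
GROUP_CARDS = {"finance": {"erp"}, "ot-engineers": {"plc"}}
MIN_OS = {"windows": (10, 0), "macos": (13, 0)}  # hypothetical posture thresholds


def posture_failures(dev: Device) -> list:
    """Return the posture criteria the device fails (empty list means compliant)."""
    failures = []
    if not dev.antivirus_active:
        failures.append("antivirus")
    if not dev.disk_encrypted:
        failures.append("disk_encryption")
    if dev.os not in MIN_OS or dev.os_version < MIN_OS[dev.os]:
        failures.append("os_version")
    return failures


def decide(user: str, groups: list, dev: Device, dst_ip: str, dst_port: int, proto: str) -> dict:
    """Evaluate one connection attempt; posture is checked before any card is consulted."""
    record = {"user": user, "dst": f"{dst_ip}:{dst_port}/{proto}", "allow": False}
    failures = posture_failures(dev)
    if failures:
        record["reason"] = "posture_failed:" + ",".join(failures)
        return record
    for g in groups:
        for card_name in GROUP_CARDS.get(g, ()):
            c = CARDS[card_name]
            if ip_address(dst_ip) in ip_network(c.network) and dst_port == c.port and proto == c.proto:
                record.update(allow=True, reason=f"card:{c.name}", group=g)
                return record
    record["reason"] = "no_matching_card"  # default deny: no card, no access
    return record
```

Note that a user in "finance" reaching for the PLC subnet is denied even with a healthy device, and an "ot-engineers" member is denied on an unencrypted laptop before the card is ever considered.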
Multi-factor authentication
GoodAccess provides network-level multi-factor authentication (MFA). Users are authenticated upon entry to the software-defined perimeter, after which all network communication and network access to critical resources is fully authorized.
This does not exclude MFA handled by the identity provider on the application layer. In fact, it is a good idea to have both enabled at the same time.
Access logs
GoodAccess collects logs on the level of systems, gateways, and devices. This enables you to monitor activity both on the perimeter and inside it. This is an essential component of NIS 2 compliance, as you need granular logs for incident detection, investigation, and reporting.
Logs can also be exported to a SIEM solution for correlation.
Summary
As of October 2024, important and essential entities throughout the EU will need to comply with the national transpositions of the NIS 2 Directive, including compliance with technological criteria.
Some organizations do not have the means to meet these criteria using their own devices, and for such businesses a feasible strategy is to outsource the obligation to a third-party supplier.
By deploying GoodAccess’ ZTNA-as-a-service, organizations can comply with a majority of NIS 2 technical requirements and gain:
- Identity-based access control throughout their entire organization.
- Comprehensive zero-trust access management for anytime-anywhere access to multi-site/multi-cloud hybrid environments.
- Device posture check.
- Granular access logs.
- Central management and full control in one UI.