Zero Trust Security for NIS2 compliance: What you need to know

Over 100,00 organizations are expected to be impacted by Network and Information Security Directive (NIS2) cybersecurity standards that European Union (EU) member states must implement by October 2024. [i]

NIS2 was adopted in early 2023 as a response to increasing digitalization and rising cybersecurity threats stemming from the COVID-19 pandemic and the Russia-Ukraine War. NIS2 regulations expand on previous directives, most notably by broadening the scope of organizations subject to its cybersecurity requirements.

Under NIS2, any organization (1) with more than 50 employees or 10M Euro in annual revenue and (2) in a sector categorized as “essential and important entities” must comply with NIS2 directives. Sectors now subject to NIS2 compliance include food production, processing, and distribution; postal and courier services; and manufacturing and digital providers. [ii] (Organizations within sectors subject to previous NIS directive requirements must also comply with NIS2 mandates; those sectors include healthcare, banking and finance, and transportation.)

Zero Trust is a NIS2 requirement

Preamble 89 of the NIS2 directive outlines a variety of requirements for “Basic Cyber Hygiene,” including the adoption of Zero Trust principles. [iii]

Zero Trust principles require users and devices to prove their trustworthiness to gain access to the resources they need to do their jobs or fulfill their functions. This concept of least-privilege access is fundamental to Zero Trust Security practices.

Zero Trust Security also requires continuous monitoring of users and devices. Trustworthiness is constantly re-evaluated, and if a user or device begins to act suspiciously or in a fashion inconsistent with their role, their access may be limited or revoked. This limited and dynamically assessed role-based access security can help minimize and even prevent lateral spread of attacks.

The NIS2 requirement to adopt Zero Trust principles reflects the shortcomings of models based on implicit trust. For example, network security approaches focused primarily on protecting the perimeter grant broad access to users on corporate networks and corporate devices because they are implicitly trusted. Given rising IoT adoption, erosion of the corporate perimeter due to work-from-everywhere, and increasingly sophisticated threats that exploit “trusted” users and devices for malicious purposes, these security approaches can expose the organization to greater risk.

Zero Trust network security offers cybersecurity benefits vs. traditional perimeter-based network security models.

Overcoming challenges with Zero Trust adoption

Enforcement of least-privilege access and continuous monitoring are foundational to Zero Trust Security architectures, yet many organizations struggle to implement these practices.

According to research independently conducted by leading security research firm Ponemon Institute and sponsored by Hewlett Packard Enterprise, slightly less than half of organizations (49%) have not yet implemented Zero Trust Security. 19% of respondents believed that the adoption of Zero Trust was a “goal that will take time.” [iv]

According to the Ponemon report, one of the factors that slows down Zero Trust adoption is the lack of integration between tools. Access controls are often fragmented across multiple platforms that are not integrated, making it difficult to establish and enforce consistent policy without added complexity or inadvertent security gaps.

HPE Aruba Networking makes it easier for organizations to adopt Zero Trust capabilities with its HPE Aruba Networking Central NetConductor cloud-native network automation and orchestration solution. Central NetConductor includes all the tools organizations need to deploy, configure, and operate networks that support Zero Trust Security strategies.

Assessing Zero Trust adoption for NIS2 compliance

With the NIS2 compliance deadline looming, it can be helpful to assess current levels of cybersecurity implementation.

Consider using this Zero Trust Security checklist adapted from the guide, Implementing Identity-based Zero Trust and SASE Architectures, to start your assessment:

1. Do you have visibility into every device on your network, even if you do not manage it?
2. Do you have consistent methods for assigning privileges to users and devices?
3. Are you enforcing security standards before allowing a device onto the network?
4. Are you enforcing security policies consistently everywhere throughout the network?
5. Are you able to continuously monitor a subject’s security state using all available data?

Five core capabilities—visibility, authentication and authorization, role-based access, conditional monitoring, and enforcement and response—form the foundation of Zero Trust Security.

Resources to help with Zero Trust adoption

Newly subject to NIS2 directives and need to learn more about Zero Trust? Here are some resources that can help you gain a better understanding of Zero Trust Security principles.

• Get the facts about Zero Trust Security models
• How to achieve the five critical capabilities of Zero Trust network security
• HPE Aruba Networking Zero Trust Security Solutions
• Achieving compliance and operating within government regulations with HPE Aruba Networking solutions

This blog was published on blogs.arubanetworks.com on 8/30/2023.

***

[i] Sievers, T. Proposal for a NIS directive 2.0: companies covered by the extended scope of application and their obligations. Int. Cybersecur. Law Rev. 2, 223–231 (2021). https://doi.org/10.1365/s43439-021-00033-8 (#Fn19)

[ii] Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148. European Union.

[iii] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive). European Union.

[iv] The 2023 Global Study on Closing the IT Security Gap: Addressing Cybersecurity Gaps from Edge to Cloud. Ponemon Institute. March 2023.