Hello. I'm Martin Kuppinger, I'm principal analyst at KuppingerCole Analysts. I'm here with Anders Askåsen from Okta. And we are here to talk about NIS2, the upcoming EU regulation, focusing on a very broad definition of critical infrastructure organizations and how this also impacts what we do in identity management, particularly around authentication. Anders, welcome.
Thank you so much for being able to talk to you, Martin.
So maybe you quickly introduce yourself and your role at Okta and then we jump into our conversation.
Absolutely. So I've been in the identity business for quite some time, past 20 years. I'm currently heading up the technical marketing side for EMEA at Okta.
Okay, so we're here to talk about NIS2, and I think there's a huge interest in NIS2. I also expect that interest will continue to grow, because the closer we come to the regulations and their national transpositions coming into place, the more organizations will understand: we need to act, and we need to act quickly, because there's not much time left. So from your perspective, what's in NIS2 that everyone needs to consider?
Well, first of all, being a directive, the European Union has a tendency of not really providing the recipe, but rather, here's a broader framework that the member states need to comply with. We're currently in the process right now where the member states are transposing this into national law. And that's something that we need to see, what will happen for the individual member states. But to answer your question, I think there are really a couple of things that are critical. One is the new reporting. And the second one is the supply chain. Those are two new things that I think will take a lot of essential operators sort of with their pants down.
I fully agree. And I think you brought up one very important point, which is directive versus regulation. It's maybe worth quickly explaining this: so there are regulations like the GDPR, which is in fact, so to speak, an EU law, versus a directive, which mandates the member states to create their own national laws that comply with the directive, which is a bit different, so the laws in the member states may vary a bit. What is important is that the directive defines the baseline, the minimum, and member states can add things on top of that. They, for instance, could define that other types of organizations and industries are in scope and things like that. And this is, I think, just to keep in mind and to clarify what is behind directive versus regulation. So you mentioned the reporting, and I think this is a funny area, yes. Because, you know, I think everyone was scared by the 72 hours notification period with GDPR. Right now we are talking 24 hours, isn't it?
Exactly. And that's a very quick turnaround time to report to what's referred to as the competent authority in the individual countries. But the good thing there is that you don't really need to provide the forensic information, but you need to provide a signal that there's been a significant incident or a breach. And this is the preliminary idea and scope of
Yeah. And I think organizations need to be very well prepared for that, because 24 hours is not long, 72 hours for a more thorough explanation of what happened. So a first root cause analysis, so to speak. These are all very short periods. And when you are not prepared, you're in trouble. And I think that brings us already to one other aspect, which I feel is very important to understand, which is fines and liability. Can you comment a bit on that?
Well, what happens with the directive is that they separate two types of categories, one being the essential or critical service providers, which, you know, includes things like utility companies and transportation, etc. And then they've introduced a new category which is important operators and digital providers. And the fines there are different. But one thing that is clear is that these fines can hit the highest level of management, including the board members. So there's much more of a personal responsibility and accountability to ensure that the posture and security is compliant with the directive.
Yeah, and I think specifically the liability aspect means, when you do things fundamentally wrong, the management, so the board, the CEOs, move into a personal liability. Which is really a huge difference; the pressure is high, which I think has a reason, because we have seen these attacks on critical infrastructure in the US, the Colonial Pipeline attack and things like that. We know we are at risk. And so we need a strong security posture. I think it's also important to understand that, aside of these two types of organizations, it starts very early. So even organizations with 50 employees can be in scope of NIS2. And if you are a bit bigger in one of the industries that are defined, then you are definitely in scope of NIS2, which means you as an organization should very carefully look at: are we affected by NIS2? And if you are, then you must act now. So when we talk about acting, and Okta being an identity management company, starting with authentication, having added a couple of other areas: what specifically is in NIS2 with respect to IAM, what has a direct impact here?
Absolutely. So NIS2, as you point out, essentially constitutes cybersecurity posture and being able to mitigate risk. So identity management is a portion of that, but it's a very important portion. One technical part, a capability that an important operator needs to implement, is multifactor authentication. And of course, from Okta's perspective, we think that there should be phishing-resistant MFA in place because that's the most secure. MFA is not the silver bullet, right? But that's one of the concrete things that needs to be part of that.
I think it even says, when I have the text in my mind correctly, more or less - not exactly in this wording - but that it's about a strong MFA, which factually implies that you need to have something in place which has multiple factors and which is really state of the art, which means, when we talk about state of the art from my analyst perspective, you're talking about things like phishing-resistant and passwordless, because everything else I would say is not state of the art anymore. And it's also interesting to see that this is the only part of identity management which is really directly referred to. Aside of that, there's a lot of indirect things. So at the end of the day, it's very clear you need to have a good risk management, you need to have a good cybersecurity posture, which also means you at least should be ISO 27000 compliant, which means you need to have a lot of identity management controls in place. But MFA is the thing which really is written into the directive, and I think this is a very important point.
That's the one thing that's explicitly called out for. But keep in mind also that the reporting and the collection of evidence and forensic data, should there occur a breach, would require a good baseline when it comes to collecting that data. And that's typically provided from your identity layer. And that's where we have the capabilities and hashed out all this ability to quickly turn around and map to these very tight deadlines.
Yeah. By the way, this role of identity is also interesting when we look at zero trust. So we had a lot of talk about zero trust in the past three years or so, even while the concept is much older. But at the latest with the pandemic it has seen its uptake. And when I describe zero trust, I always say at the end of the day it starts with identity. The entire thing starts with Martin using a device, going over a network to a system or a service and doing something there and accessing data, etc. So identity is at the forefront, and I think also when we look at what happens nowadays, when we look at all the statistics, the majority of incidents are in some way identity-related, like phishing for credentials, among other ways. So identity is at the forefront. I think this also explains why MFA has such a highlighted position in the NIS2 directive, because it's where everything begins, isn't it?
It is. And I mean, MFA has proven empirically that you mitigate the risk with somewhere in the range of between 75 and 80%. Now, there's good MFA and there's bad MFA. And we've in the past discussed that. But, I think going back to the whole zero trust, you're absolutely right. Identity is at the forefront and it's really the center of how to be prepared for this type of directive once it's being transposed into law. One thing I would like to call out, and that's the supply chain, which is another very important part of this. Where the supply chain - you need to guarantee the supply chain's integrity and mitigate the risks there. And we've seen a number of incidents in Europe where the actual providers of payment systems and all the rest have completely halted organizations' ability to operate.
Yeah. And I think the supply chain risk - also we have seen a couple of major incidents in the past couple of years affecting various, also different types of supply chain attacks. So the ones coming in via software, so software supply chain attacks, the ones coming in via suppliers that are connected to your IT systems, so your value chain suppliers, so to speak. And yes, this is a huge challenge here. And we see also, by the way, just as a side note, we see other regulations like the EU CRA, the Cyber Resilience Act, which then bring in things that are supply chain related, like the need to have an SBOM, a Software Bill of Materials, in place and other things. So supply chain security definitely is in scope. And I think it's definitely one of the big challenges, which, by the way, to my understanding also is a very significant identity management challenge, because it means we need to treat access from our partners, all the B2B identities, B2B access, the right way.
Absolutely. I mean, the identity layer expands into the entire supply chain to guarantee the integrity of it. So absolutely, you're absolutely right.
So what would you specifically recommend then around, for instance, supply chain security?
I think what we'll see there is a complete review when it comes to the procurement system or procurement process. I think we'll see the importance of ISO 27000 certification; establishing an ISMS is going to be critical. It's not the entirety of what needs to be done, but it guarantees that you're in very good shape if you are certified. If you have established an information security management system and had it certified, you're in good shape for once NIS2 is being transposed into national law.
Yeah. And in some industries like the automotive industry, we see even partially overlapping, partially adjacent internal certification standards like TISAX in the automotive industry, which add a bit of a sometimes different angle, and which are there to ensure that, to help to mitigate these risks. And I think, yes, I’m absolutely with you, we need this. So when we go back a bit more to NIS2 specifically, if an organization is in scope, what to do first?
The first thing is to identify the risks, do a gap analysis. Where's the posture today and how does that posture expand to the supply chain as well? Because these are very big points that need to be addressed early on. So identify where the risks are, identify where the gaps are, and evaluate how your information security management system is in place. Is it certified, and what's the gap between the local and applicable regulations versus where you stand today?
Yeah. And I think this also helps then. What I see frequently is, when these regulations come, when findings come, when fines come, then organizations tend to act a bit in a panic mode or headless chicken mode, where they then just throw technology on a perceived problem. And I believe it's super essential to do these things. I personally am also a big fan of starting with a business impact analysis: understanding what are your critical processes, what can impact them, what are the systems you need to protect most, looking at the entire posture up to also the resilience, including recovery. Are you able to come back, for instance, after a ransomware attack? So really doing these steps thoroughly, because this helps you also focus your investment and not end up with a too big slew of tools. You anyway will have a bit of a slew of tools in cybersecurity, but at least keeping it a bit smaller and more controlled is, I think, very essential here.
I think what you're pointing out is correct. I think doing that preparatory work is essential. And I think if we look at the different categories of service providers, I think there are some providers that are more prepared than others. And I would argue that the ones that have been subject to the previous version of NIS, they're probably in better shape potentially and are not being caught off guard as much as the new ones that are being subject to it.
Yeah. So one other area we may have a quick look at, is privileged access, and is also that in the NIS2 context?
Well, it is, because much of the inspiration of NIS2 is based on ISO 27000, and within the controls part of ISO 27000 you need to limit the privilege or the access, reduce the amount of access and make sure that it's the accurate access and timely access. So, yeah, definitely.
Yeah. And - you’re from Okta - where does Okta come into play in this entire thing, aside of MFA.
Yeah, obviously our platform allows you to control the entire lifecycle around access, but it also offers the Privileged Access Management control, where you can ensure that accounts, DBA accounts, root accounts, administrative accounts are under control, that whenever you use them, you can record the session and really see what's going on when these high-privilege accounts are being utilized.
Yeah. Okay so we know NIS2 is coming, you need to be prepared. First step: check whether you are in scope or not. If you're in scope, start, act, understand your risk, your posture, all the things and then start closing the gaps. This is what we need to do here. Anders, any final closing recommendation to our audience?
So my closing recommendation is to highlight - if you're a CISO, highlight the importance to your management so that it really gets that support. I always say that NIS2 is potentially the CISO's wet dream and worst nightmare, right? Because the requirements are intense, but it also spotlights the work that needs to be done to protect the European economy and the services being delivered. And it will allocate the necessary resources. And I think that's unique. But in order to prepare, if you have your ISO certification, I think you're in good shape. Make sure that you understand the entire supply chain. Make sure that you can deliver on these very intense timelines. Then I think you're in good shape. If you just have everybody on board talking together and look at the gaps and address them in an efficient manner, you're in good shape.
Anders, thank you for all the insights. Was a pleasure talking to you.
Thank you, Martin. Looking forward to next time.