Belgium was the first European country to transpose NIS2 into national law, in April, through its “NIS2 law”. This set them apart, in a positive fashion, from their French, Dutch, and German neighbours, all late in the transposition process due to political instability.
In parallel, the CCB (Centre for Cybersecurity Belgium), the national agency in charge of enforcing NIS2 compliance, has released the Safeonweb@work initiative. This sets out a detailed and practical framework of all the measures required by the law, based on an organisation’s size and sector of activity.
Having pored over the CCB’s recommendations, this blog post analyses the main requirements that pertain to identity security, which all Belgian “essential” and “important” entities will need to implement. We will also highlight how Silverfort can help these organisations achieve compliance with these measures.
The CCB’s approach draws mainly from the NIST CSF framework, which identifies 5 core functions for securing information systems: identify, protect, detect, respond, and recover. The NIS2 law in Belgium requires an investment in each function proportional to the size and importance of every entity. We also find in the Safeonweb@work framework numerous references to the ISO27001 and ISO27002 standards, which establish effective measures to design and strengthen the security of information systems. These standards have achieved worldwide recognition and constitute a robust basis upon which any organization can build a cybersecurity programme.
Protection Requirements of NIS2
Each of the 5 functions in the NIST framework has an identity component. In the CCB’s recommendations, however, the chapters around protection and detection are clearly the most relevant. The former even includes an entire section (PR.AC) dedicated to identity management, authentication, and access controls. Identity experts will find in it the main measures pertaining to securing directories and users.
It is worth highlighting the fact that at the “basic” assurance level in annex A of the Safeonweb@work document, which applies to all entities subject to NIS2 regardless of their size or level of importance, more than half of the “key” measures come precisely from the PR.AC section. It is therefore hard to overstate how much weight identity carries in the CCB’s framework for securing information systems.
Among the key measures required of all entities subject to NIS2, we therefore find:
- Appropriate management for users and credentials, encompassing provisioning and revoking access rights, regular audits, strong authentication on critical systems, and detection of suspicious behaviours (PR.AC-1).
- Securing remote accesses and SaaS applications with MFA (PR.AC-3).
- Implementing least privilege in access rights, particularly towards sensitive or critical systems, and separating personal and administrative accounts (PR.AC-4).
- Network security and the segmentation of critical systems (PR.AC-5).
Additional measures are also mandated for entities under the “Important” or “Essential” assurance level (in annexes B and C), including requirements around identification and governance for remote accesses (PR.AC-3), stricter monitoring of connections and communications across the key external and internal boundaries (PR.AC-5), a documented risk assessment, and the implementation of access controls proportionate to the risk of each transaction (PR.AC-7, at the “essential” assurance level only).
Concretely speaking, what do these measures imply? The answer varies depending on the size and level of importance of each entity. But overall, the CCB’s approach is pragmatic, only requiring tools that are already commonplace in business environments (IAM platforms, firewalls, MFA). Some additional investment will probably be necessary for essential entities operating legacy systems, since those aren’t natively compatible with modern security products. Other than that, only laggard companies from a cybersecurity standpoint will truly need to acquire new technologies.
Beyond the PR.AC section, access controls also appear in measures designed to protect data-at-rest (PR.DS-1), prevent the loss, misuse, damage, or theft of organizational assets (PR.DS-3) and data leaks (PR.DS-5). Regular audits are also recommended – with Active Directory explicitly mentioned (PR.DS-5) – to detect privilege misconfigurations which could open an attack pathway.
Finally, requirements around maintaining the integrity of critical systems (PR.DS-6) and mitigating the risks surrounding remote maintenance (PR.MA-2) probably imply session recording for privileged accesses.
Detection Requirements of NIS2
The “Detect” function in the Safeonweb@work initiative also includes multiple articles related to the field of identity. Unsurprisingly, these mirror quite neatly the recommendations that appeared in the “Protect” function.
Aggregating event data (DE.AE-1 and DE.AE-3) appears first and foremost as a “key” measure, with particular attention given to critical systems. This data should emanate from multiple sources, including physical accesses and user/administrator reports.
Organizations are particularly called upon to monitor critical systems for unauthorized local, network, or remote connections (DE.CM-1), both from internal personnel and external service providers (DE.CM-3, DE.CM-6, and DE.CM-7). These efforts imply monitoring tools at the network and endpoint level. Some might even suggest going a step further with comprehensive protection platforms encompassing access points and domain controllers, thereby combining EDR with ITDR.
Overall, these measures mirror the requirements put forward in the “Protect” function against malicious activities (PR.DS and PR.MA), designed to block data leaks or damage.
How can Silverfort help with NIS2 compliance?
Silverfort can help comply with many of these requirements. In just 1 month, and without any heavy changes to your infrastructure, our platform can:
- PR.AC-1:
  - Identify all privileged accounts across your multiple directories
  - Audit all your service accounts and hybrid accounts
  - Identify shadow admins
  - Identify shared accounts
  - Identify stale accounts
  - Identify accounts with old passwords
  - Protect access to critical systems, including legacy or on-prem systems, with MFA (compatible with Microsoft Authenticator, Okta, Ping, Duo, Yubico, and more) or with dynamic risk-based policies
- PR.AC-3:
  - Alert on or block any suspicious remote access attempt
  - Protect remote access (RDP, SSH), command-line interfaces (PowerShell, PsExec, WMI), and SaaS or on-prem applications with MFA
- PR.AC-4:
  - Identify and monitor all generic and shared accounts
  - Identify and monitor all authentications to file shares, servers, applications, databases, etc., even on-prem
  - Identify and monitor all privileged accounts, including shadow admins and domain administrators
  - Detect and/or block all authentications breaching tiering principles (such as personal accounts or devices used for administrative tasks, or vice versa)
  - Detect and/or block all authentications in breach of least privilege
  - Apply adaptive conditional access policies to administrative accounts and tools that take into account geographic, timing, or behavioural factors
- PR.DS-5:
  - Establish granular access policies for all critical systems and applications, even on-prem
  - Monitor and block all malicious access to critical systems, including on-prem
  - Audit Active Directory to detect privilege creep and misconfigurations
- PR.DS-7:
  - Block authentications that breach the separation of the production and testing environments
  - Restrict the privileges of administrative accounts to specific environments or applications
- PR.MA-2:
  - Monitor and restrict the access rights of external providers to specific environments or applications
  - Protect remote access from external providers or partners with MFA
  - Block all attempts to hijack external provider or partner accounts, and any unusual behaviour
- DE.AE-1:
  - Log all Active Directory authentications, including their sources, destinations, protocols, and timestamps
  - Calculate a dynamic risk score for all Active Directory accounts and authentications
- DE.CM-1:
  - Detect and block any unauthorized authentication in Active Directory or in any other compatible directory (PAM, RADIUS, Entra ID, Okta, Ping…)
  - Detect and alert when human or service accounts display unusual behaviour
- DE.CM-7:
  - Detect and block any unauthorized personnel access to critical systems
  - Detect and block any unauthorized software access to critical systems
Is it worth exceeding expectations?
Often, the Safeonweb@work initiative suggests additional measures that would contribute to securing information systems (through the regular use of the word “Consider”), without necessarily making them compulsory. It also omits some simple and common hygiene measures that other agencies, such as the ANSSI in France, have more forcefully insisted upon.
In this category, we can mention the tiering of critical systems or users. The CCB requires using separate accounts for personal and administrative tasks (PR.AC-4) as well as network segmentation (PR.AC-5). But it does not mandate dedicated workstations (PAW) or operating systems for administrative actions, which would help avoid certain kinds of attacks such as Pass-the-Hash.
Another example: the CCB recommends using service accounts for automated processes (PR.AC-1). However, it does not forbid administrators from running automated tasks using their own accounts, nor does it prohibit using service accounts for actions that deviate from their intended purpose.
These might be missed opportunities for Belgian organizations, particularly “essential” entities under NIS2, which future attackers might successfully exploit. The CCB clearly tried to weigh the security benefits against the financial or operational costs involved in each decision it made. The result remains nonetheless robust, and clearly raises the bar for many local organizations that had hitherto neglected their security posture. However, it will not immunize the country against the more sophisticated cyber attacks that have multiplied in recent years.
Want to learn more about how Silverfort can help you address the identity security aspects of NIS2? Schedule a call with one of our experts or fill out this form for a pricing quote.