Regulators are constantly keeping up with technological advancements and the new challenges they bring, resulting in frequent updates to compliance requirements. In 2024, several key regulatory changes and legislative acts came into force, among which stand out:
- EU Artificial Intelligence (AI) Act: This law introduces a risk-based classification for AI systems. The act outlines strict requirements for high-risk AI systems, such as conducting conformity assessments, implementing quality management systems and prohibiting their use in specific areas.
- The NIS 2 Directive: NIS 2 introduces stricter requirements on risk management, network security and incident reporting. It reflects the EU’s commitment to maintaining a high standard of cybersecurity in the Member States, ensuring that both public and private organisations are prepared to tackle today’s increasingly sophisticated cyber threats. One of the key focuses of NIS 2 is the requirement for organizations to identify the level of risk they face. Organizations covered by NIS 2 are required to take measures to minimize cyber risks, including:
  - Incident management;
  - Supply chain security;
  - Improved network security;
  - Access control and encryption.
- The Cyber Resilience Act (CRA) aims to protect consumers and organizations when purchasing software and hardware products with a digital component. The act imposes obligations on manufacturers to remediate vulnerabilities and provide security updates, increasing transparency for users.
- Digital Operational Resilience Act (DORA): DORA introduces a universal framework with specific technical standards for risk mitigation, which aims to ensure comprehensive information and communication technology (ICT) risk management and improve the resilience of the financial sector against cyber incidents.
- PCI DSS (Payment Card Industry Data Security Standard) v4.0: PCI DSS is an international security standard that focuses on data protection when making debit and credit card payments. PCI DSS v4.0 provides greater flexibility in meeting requirements and focuses on purpose and results. Advanced security controls include encryption of sensitive data, secure authentication methods, and regular vulnerability scanning.
- NIST Cybersecurity Framework v2.0: Expands the scope of the NIST Cybersecurity Framework to include considerations of supply chain risks, cloud computing, and the growing proliferation of IoT devices. CSF 2.0 emphasizes risk management practices and provides improved guidance for measuring and monitoring cybersecurity performance. Although NIST guidance is not itself a regulatory requirement, the standards set by NIST are incorporated into acts such as the Federal Information Security Management Act (FISMA), HIPAA (healthcare), and GLBA (finance).
These regulatory changes highlight the need for organisations to continuously adapt their compliance strategies to keep pace with the evolving regulatory landscape.
How to meet regulatory requirements through an identity management solution?
Maintaining regulatory compliance places a significant burden on organizations. Identities are at the center of compliance, as they regulate access to secure systems and limit privileges to mitigate risks while providing clear audit pathways. For this reason, identity and access management (IAM) systems and their derivatives – Privileged Access Management (PAM), Identity Governance and Administration (IGA), and Customer Identity and Access Management (CIAM) – play a fundamental role in ensuring compliance.
Identity and access management (IAM) systems are key to implementing many of the basic security principles that are increasingly emphasized in regulations and best practices:
- Least privilege: IAM systems enforce granular permissions through RBAC and ABAC. This ensures that users only have access to the resources necessary for their roles, which minimizes the risk of unauthorized access and insider attacks.
- Zero Trust Authentication: A trusted authentication partner is a cornerstone for Zero Trust security as it helps organizations implement durable identity management processes. It also allows for stricter access control through multi-factor authentication (MFA) and imposes consistent and continuous verification of all users and devices. IAM systems provide visibility into all identities in the organization.
- Accountability and Auditing: IAM helps generate detailed audit trails that log user activity, access requests, and permission changes. These tools are crucial for proving compliance, investigating security incidents, and maintaining an accurate record of actions in the system.
The Benefits of IAM in Ensuring Compliance
PREVENTION OF UNAUTHORIZED ACCESS
- Multi-factor authentication (MFA) is the absolute minimum for providing secure access in organizations. MFA increases security by requiring multiple authentication factors, making it much more difficult for attackers to compromise accounts.
- Risk-Based Authentication (RBA) adds another smart layer of protection to access control. RBA analyzes factors such as user location, device, and behavior to assess the risk associated with each login attempt. In case of high risk, such as logging in from an unusual location, outside of business hours, or from an unknown device, RBA may require additional authentication factors, such as a one-time password or biometric verification.
- In addition to MFA and RBA, organizations can implement advanced authentication methods such as Passwordless Authentication, through the use of biometrics or security keys, continuous authentication, and just-in-time authentication.
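The risk-based step-up decision described above, as an added illustration that is not code from the original article or from any IAM product. The per-user baseline, the signal weights and the thresholds are assumptions chosen for the example; a real deployment would derive them from the organization's own policy and telemetry.

```python
from dataclasses import dataclass

# Constructed per-user baseline (example data, not from any real IAM system).
KNOWN_DEVICES = {"alice": {"laptop-01", "phone-07"}}
USUAL_COUNTRIES = {"alice": {"DE"}}
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 local time; assumed policy value


@dataclass
class LoginAttempt:
    user: str
    device_id: str
    country: str
    hour: int                       # local hour (0-23) of the attempt
    failed_attempts_last_hour: int = 0


def risk_score(a: LoginAttempt):
    """Return (score, reasons). Signal weights are illustrative assumptions."""
    score, reasons = 0, []
    if a.device_id not in KNOWN_DEVICES.get(a.user, set()):
        score += 40
        reasons.append("unknown_device")
    if a.country not in USUAL_COUNTRIES.get(a.user, set()):
        score += 30
        reasons.append("unusual_location")
    if a.hour not in BUSINESS_HOURS:
        score += 15
        reasons.append("outside_business_hours")
    if a.failed_attempts_last_hour >= 3:
        score += 30
        reasons.append("repeated_failures")
    return score, reasons


def decide(a: LoginAttempt) -> str:
    """Map the score to a decision: allow, step_up (extra factor), or deny."""
    score, _ = risk_score(a)
    if score >= 70:
        return "deny"        # too many anomalies at once: block and alert
    if score >= 30:
        return "step_up"     # require a one-time password or biometric check
    return "allow"           # the first factor alone is acceptable here


if __name__ == "__main__":
    attempt = LoginAttempt("alice", "tablet-99", "US", hour=3)
    print(decide(attempt), risk_score(attempt))
```

The reasons list is returned alongside the score so that the same decision can be written to the audit trail, which is what makes the policy defensible in a compliance review.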
RESTRICTION OF PERMISSIONS
- Role-based access control (RBAC) enables organizations to simplify user management by assigning permissions to roles rather than to individuals. Roles can be created according to current compliance requirements, and RBAC allows the permissions of each role to be adjusted when regulations change.
- Attribute-based access control (ABAC) enables organizations to restrict employee access to only the data they need to perform their job duties, based on attributes of the user, the resource and the context.
- Privileged access management (PAM) solutions focus on securing and managing privileged accounts. Privileged accounts are assets with a high degree of access to critical systems and data, and can lead to the largest compliance violations and serious fines.
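How RBAC and ABAC combine to restrict permissions, with each decision written to an audit trail, as an added example that is not part of the original article or any vendor's product. The role model, the department and clearance attributes, and the in-memory audit log are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed role model: role -> set of (action, resource_type) it grants.
ROLE_PERMISSIONS = {
    "payments_analyst": {("read", "transaction")},
    "payments_admin": {("read", "transaction"), ("refund", "transaction")},
}

AUDIT_LOG = []  # a real deployment would write to a tamper-evident log store


@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset
    department: str
    clearance: int      # hypothetical attribute, 0 (lowest) to 3


@dataclass(frozen=True)
class Resource:
    rtype: str
    owner_department: str
    sensitivity: int    # hypothetical attribute, 0 (public) to 3 (restricted)


def rbac_allows(subject, action, resource):
    """RBAC: at least one role held by the subject grants (action, type)."""
    return any((action, resource.rtype) in ROLE_PERMISSIONS.get(r, set())
               for r in subject.roles)


def abac_allows(subject, resource):
    """ABAC rule: same department and clearance at least the sensitivity."""
    return (subject.department == resource.owner_department
            and subject.clearance >= resource.sensitivity)


def authorize(subject, action, resource):
    """Require both checks to pass and record the outcome for auditing."""
    rbac_ok = rbac_allows(subject, action, resource)
    allowed = rbac_ok and abac_allows(subject, resource)
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": subject.user, "action": action, "resource": resource.rtype,
        "decision": "allow" if allowed else "deny",
        "reason": "ok" if allowed else ("no_role" if not rbac_ok else "attribute_mismatch"),
    })
    return allowed
```

Denials are logged with the reason (missing role versus attribute mismatch), so an auditor can tell a policy gap from an attempted privilege misuse.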
Identity Governance & Administration (IGA)
- Roles and identities are subject to constant change, including changes to users, applications, and compliance policies. Identity Governance and Administration (IGA) systems automate the process of regularly reviewing and validating users' access rights, ensuring that permissions are appropriate and aligned with roles, responsibilities, and regulatory requirements.
- Implementing IGA also streamlines the entire identity lifecycle, from onboarding new users to offboarding departing employees. This ensures that access rights are granted and revoked in a timely manner and in accordance with requirements, reducing the risk of orphaned accounts and unauthorized access.
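The access review and lifecycle reconciliation that IGA automates, as an added example that is not from the original article or any IGA product. The HR roster, the directory snapshot and the role-to-group entitlement model are constructed for the example; a real review would pull them from the HR system and the directory.

```python
# Constructed HR roster and directory snapshot (example data, not a real tenant).
HR_ROSTER = {
    "alice": {"status": "active", "role": "payments_analyst"},
    "bob":   {"status": "terminated", "role": "payments_admin"},
    "carol": {"status": "active", "role": "support_agent"},
}
DIRECTORY_ACCOUNTS = {
    "alice": {"enabled": True, "groups": {"payments_read"}},
    "bob":   {"enabled": True, "groups": {"payments_read", "payments_refund"}},
    "carol": {"enabled": True, "groups": {"support_tickets", "payments_refund"}},
    "dave":  {"enabled": True, "groups": {"vpn_users"}},
}
# Assumed role model: the groups each role is entitled to.
ROLE_ENTITLEMENTS = {
    "payments_analyst": {"payments_read"},
    "payments_admin": {"payments_read", "payments_refund"},
    "support_agent": {"support_tickets"},
}


def review_access(hr, directory, entitlements):
    """Return (account, finding, detail) tuples for an access review.

    orphaned: account with no HR record, so no accountable owner
    leaver_not_deprovisioned: HR says the person left but the account is enabled
    excess_entitlement: groups beyond what the person's role entitles them to
    """
    findings = []
    for account, acct in sorted(directory.items()):
        person = hr.get(account)
        if person is None:
            findings.append((account, "orphaned", "no HR record"))
            continue
        if person["status"] != "active":
            if acct["enabled"]:
                findings.append((account, "leaver_not_deprovisioned", person["status"]))
            continue
        excess = acct["groups"] - entitlements.get(person["role"], set())
        if excess:
            findings.append((account, "excess_entitlement", sorted(excess)))
    return findings


def remediation_plan(findings):
    """Map each finding to the lifecycle action an IGA workflow would raise."""
    actions = {"orphaned": "disable_and_assign_owner",
               "leaver_not_deprovisioned": "disable_account",
               "excess_entitlement": "remove_groups"}
    return [(account, actions[kind]) for account, kind, _ in findings]
```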
THIRD-PARTY RISK MANAGEMENT AND IAM
- Identity and Access Management (IAM) systems are an essential tool for providing secure access to third parties. For example, identity federation enables organizations to extend their IAM systems to external users, providing secure and seamless access for partners and suppliers.
- Just-in-time authentication provides temporary and limited access to third parties based on their specific needs, minimizing the risk of unauthorized access.
- IAM tools enable continuous monitoring by tracking third-party access and activity, allowing organizations to identify and mitigate potential risks proactively.