Blog | 3-minute Read

How does CAF 3.2 impact identity strategies in critical national infrastructure?

Steven Connelly

Head of Enterprise Identity

Published: 08 August 2024

The National Cyber Security Centre Cyber Assessment Framework (NCSC-CAF) has been updated with tighter controls around authentication and privileged access. Discover how this impacts critical national infrastructure (CNI) identity strategies, and how Microsoft Entra enables compliance.

Critical national infrastructure (CNI) sectors like power, healthcare, telecoms, and transport are crucial for a nation’s operations and economy. No surprise, therefore, that they’re prime targets for cyber threats from criminals and nation states.

They face threats including ransomware, denial-of-service attacks, and espionage, all of which jeopardise the availability, integrity, and confidentiality of their systems.

With cyber vigilance crucial, the NCSC-CAF was created in 2018 to ensure robust standards of cyber resilience are maintained.

In reaction to ever-evolving threats and changes to working cultures, the NCSC announced some significant changes to CAF earlier in 2024. In this blog, we discuss these key updates and how they impact CNI organisations, especially in relation to identity and access management.

We also look at how Microsoft Entra enables organisations to meet their compliance and security responsibilities across hybrid cloud environments.

Understanding the NCSC-CAF framework

The NCSC-CAF provides a structured approach for assessing the cyber security posture of organisations, particularly those responsible for critical national infrastructure. The framework is divided into four key objectives:

  1. Managing security risk
  2. Protecting against cyber attack
  3. Detecting cyber security events
  4. Minimising the impact of cyber security incidents

Each objective is further broken down into specific principles and contributing outcomes that organisations must achieve to demonstrate robust cyber security practices. The latest update, version 3.2, introduces several significant changes aimed at addressing evolving cyber threats and aligning with best practices.

Why the NCSC-CAF matters for CNI organisations

Typically, an organisation working within the UK’s critical infrastructure will have particular challenges when it comes to achieving cyber resilience across its estate. These might include a large, diverse workforce of employees and third parties who work across different locations, often remotely both at home and internationally, all requiring different levels of access to different resources from a multitude of devices.

This challenge is often compounded by digital estates built up over time on a mix of legacy and cloud environments.

Given their societal importance, the vast amounts of data that needs to stay protected, the significant threats they face, and the potential internal and external implications of a breach, compliance with NCSC-CAF is essential.

Adhering to the regulations enables organisations to improve:

  • Compliance: NCSC-CAF enables organisations to meet the NIS Regulations by providing measures to manage risks and report significant incidents, ensuring a consistent approach to assessing and enhancing cyber security.
  • Security Posture: NCSC-CAF improves cyber resilience, crucial for protecting critical infrastructure. It identifies and mitigates vulnerabilities in complex systems like smart grids and SCADA systems, enhancing best practices for cyber incident management.
  • Reputation and Trust: NCSC-CAF boosts business success and customer satisfaction by demonstrating commitment to cyber security and communicating progress to stakeholders in a regulated, competitive market.

Key changes in NCSC-CAF version 3.2

The most significant updates in the latest version concern changes to the way organisations need to manage identity and access security.

CNI organisations, like most business sectors, have seen working cultures change. Workforces now need access to sensitive information, resources, and different cloud applications from remote locations beyond the traditional workplace.

Now, when you consider that up to 40% of cyber attacks were identity-related in 2023, managing who has access to what, and from where, is especially important.

It’s an area of increasing concern that has prompted the following updates in the framework.

Enhanced multi-factor authentication (MFA) requirements

One of the most notable changes in CAF 3.2 is the expanded requirement for multi-factor authentication (MFA).

Whereas MFA was previously required only for privileged access accounts, it’s now mandated for all users, including remote access, to all networks and information systems.

It’s a major expansion on the previous requirement, but not a surprising one when you consider how effective robust MFA policies are in stopping identity-related attacks.

Stricter controls on privileged access

The updated framework also tightens up policies around privileged access, especially in relation to the devices permitted to be used.

Privileged access must now be conducted only through corporately owned and managed devices. Additionally, administrative actions should be performed on devices separate from standard user activities.

‘Partially Achieved’ status allows privileged actions to be carried out from devices that provide sufficient separation, using a risk-based approach, from the activities of standard users.

‘Achieved’ status mandates that privileged operations should only take place using highly trusted devices, such as Privileged Access Workstations.

Improved secure configuration practices

CAF 3.2 emphasises the importance of secure configuration practices. It now requires the removal or disabling of generic, shared, default, and built-in accounts. If this is not possible, the credentials for these accounts must be changed.

Addressing long-standing vulnerabilities in default configurations is critical for CNI sectors. While implementing these changes might be challenging and costly, especially with legacy systems, they are necessary to protect against attacks that exploit these default configurations.

Leveraging Microsoft Entra for compliance

Microsoft Entra offers a comprehensive suite of identity and access management tools that can help CNI organisations comply with the updated NCSC-CAF.

MFA and Conditional Access:

  • Entra ID provides robust MFA capabilities, ensuring that access to critical systems and data is protected by more than just passwords. This aligns with the new CAF 3.2 requirements for MFA for all user access.
  • Conditional access policies allow organisations to enforce access controls based on user, location, device state, and other risk factors. This ensures that only authorised personnel can access sensitive systems under secure conditions.
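As an added illustration (not code from the original post, Kocho, or Microsoft), the two CAF 3.2 requirements discussed above, MFA for every user and privileged access only from corporately managed devices, can be expressed as Conditional Access policies created with the Microsoft Graph PowerShell SDK. The break-glass account object ID is a placeholder, and both policies are created in report-only mode so the sign-in logs show their impact before they are enforced.

```powershell
# Added example: Conditional Access policies mapping to CAF 3.2 identity controls.
# Assumes the Microsoft Graph PowerShell SDK is installed and the caller can manage
# Conditional Access. Replace the placeholder break-glass account ID with your own.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Directory.Read.All"

# Placeholder: emergency-access (break-glass) account excluded from both policies so a
# mis-scoped rule cannot lock every administrator out of the tenant.
$breakGlassId = "00000000-0000-0000-0000-000000000000"

# Policy 1: MFA for all users, all cloud apps, all client app types.
# Report-only state first; switch to "enabled" once the sign-in logs look right.
$mfaForAll = @{
    displayName   = "CAF 3.2 - Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaForAll

# Policy 2: privileged directory roles may only sign in from an Intune-compliant
# (corporately managed) device AND with MFA. Role template IDs are resolved by
# display name rather than hard-coded.
$privilegedRoleNames = @("Global Administrator", "Privileged Role Administrator", "Security Administrator")
$privilegedRoleIds   = @(Get-MgDirectoryRoleTemplate |
    Where-Object { $privilegedRoleNames -contains $_.DisplayName } |
    Select-Object -ExpandProperty Id)

$adminsManagedDevice = @{
    displayName   = "CAF 3.2 - Privileged roles require compliant device and MFA"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeRoles = $privilegedRoleIds; excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    # AND: both controls must be satisfied on every privileged sign-in.
    grantControls = @{ operator = "AND"; builtInControls = @("mfa", "compliantDevice") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $adminsManagedDevice
```

The compliant-device control is the policy hook for "managed devices"; restricting privileged roles to dedicated Privileged Access Workstations, as the ‘Achieved’ outcome expects, is a further device-scoping step on top of this.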
We advise organisations to take a risk-based approach for measuring credentials or sign-ins using tools like Microsoft Entra ID’s Identity Protection.

Mat Richards, Head of Secure Digital Transformation, Kocho

Identity protection and governance

Identity protection:

  • Entra ID Identity Protection uses machine learning to detect and respond to suspicious activities and potential vulnerabilities in real-time. This proactive approach helps mitigate risks before they escalate into significant security incidents.

Privileged identity management (PIM):

  • Entra ID PIM helps manage, control, and monitor access within Entra ID, Azure, and other Microsoft Online Services. By providing just-in-time privileged access and requiring approval for certain actions, PIM reduces the risk of misuse of administrative privileges.

Compliance and regulatory adherence

Audit logs and reporting:

  • Entra provides extensive logging and reporting capabilities, essential for maintaining compliance with various regulatory requirements. These logs help CNI organisations track user activities, detect anomalies, and provide necessary documentation for audits.

Identity governance:

  • Entra ID provides identity governance capabilities that help ensure that the right people have the right access to the right resources. This includes managing user lifecycle, entitlements, and ensuring compliance with internal and external policies.

Integration and interoperability

Seamless integration with existing systems:

  • Microsoft Entra integrates well with existing IT infrastructure, including legacy systems. This interoperability is vital for CNI organisations that often have a mix of old and new technologies. By providing a unified identity solution, Entra helps streamline operations and improve security across diverse environments.

Scalability and flexibility

Scalability:

  • Entra ID and other Entra components are designed to scale with the organisation. Whether a CNI organisation is expanding its services or adopting new technologies, Microsoft Entra can grow to meet these needs without compromising security or performance.

Adaptive security:

  • Entra’s adaptive security measures, including risk-based Conditional Access and adaptive MFA, ensure that security controls can dynamically adjust based on the threat landscape and organisational changes. This flexibility is crucial for CNI organisations facing evolving cyber threats.
UKPN chose Kocho to leverage our Entra ID investment, bringing product knowledge to our Cyber Resilience Programme and achieving NIS CAF Enhanced Profile.

Justin Gibbs, Senior Security Architect, UK Power Networks

Conclusion

The updates to the NCSC-CAF in version 3.2 bring significant changes aimed at enhancing the cybersecurity resilience of critical national infrastructure organisations. By expanding MFA requirements, introducing stricter controls on privileged access, and improving secure configuration practices, the framework addresses the evolving cyber threat landscape.

CNI organisations must take these changes seriously and update their cyber security programmes accordingly. Leveraging comprehensive identity and access management solutions like Microsoft Entra can significantly aid in achieving compliance. Entra’s robust MFA capabilities, identity protection features, privileged identity management, and extensive logging and reporting make it an ideal solution for CNI organisations striving to meet the new NCSC-CAF requirements.

By adopting these practices and tools, CNI organisations can enhance their cybersecurity posture, ensure regulatory compliance, and safeguard the essential services they provide against cyber threats.

At Kocho, we’re already helping organisations meet their NCSC-CAF compliance needs by leveraging the tools within Microsoft Entra and the broader suite of Microsoft security solutions.

Speak to our team today to find out how we can help your organisation.

Key takeaways

  • Compliance with NCSC-CAF is crucial for enabling cyber resilience in CNI organisations.

  • NCSC-CAF 3.2 requires enhanced MFA for all users, including remote access.

  • The latest updates have tightened up controls around privileged access from remote devices.

  • The framework emphasises removing or disabling default accounts.

  • Microsoft Entra provides tools like robust MFA and conditional access for compliance.

  • Entra’s PIM helps manage and monitor privileged access, reducing misuse risks.

  • Entra’s logging and reporting support regulatory compliance and security.

Author

Steven Connelly

Head of Enterprise Identity

With over 20 years in identity management, Steven has traversed from MIIS, ILM, FIM, MIM to modern cloud technologies like Entra and Saviynt. Steven helps our clients translate complex details into strategic insights.
