The National Cyber Security Centre Cyber Assessment Framework (NSCS-CAF) has been updated with tighter controls around authentication and privileged access. Discover how this impacts critical national infrastructure (CNI) identity strategies, and how Microsoft Entra enables compliance.
Critical national infrastructure (CNI) sectors like power, healthcare, telecoms, and transport are crucial for a nation’s operations and economy. No surprise, therefore, that they’re prime targets for cyber threats from criminals and nation states.
They face threats including ransomware, denial-of-service attacks, and espionage. Jeopardising their system’s availability, integrity, and confidentiality.
With cyber vigilance crucial, the NCSC-CAF was created in 2018 to ensure robust standards of cyber resilience are maintained.
In reaction to ever-evolving threats and changes to working cultures, the NCSC announced some significant changes to CAF earlier in 2024. In this blog, we discuss these key updates, how they impact CNI organisations, especially in relation to identity and access management.
And how Microsoft Entra enables organisations to meet their compliance and security responsibilities across hybrid cloud environments.
Understanding the NCSC-CAF framework
The NCSC-CAF provides a structured approach for assessing the cyber security posture of organisations, particularly those responsible for critical national infrastructure. The framework is divided into four key objectives:
- Managing security risk
- Protecting against cyber attack
- Detecting cyber security events
- Minimising the impact of cyber security incidents
Each objective is further broken down into specific principles and contributing outcomes that organisations must achieve to demonstrate robust cyber security practices. The latest update, version 3.2, introduces several significant changes aimed at addressing evolving cyber threats and aligning with best practices.
Why the NCSC-CAF matters for CNI Organisations
Typically, an organisation working within the UK’s critical infrastructure will have particular challenges when it comes to achieving cyber resilience across its estate. This might include large, diverse workforces. Employees and third-parties who work across different locations, often involving remote work both at home and internationally. All requiring different levels of access to different resources from a multitude of devices.
A challenge often compounded by digital estates built up over time on a mix of legacy and cloud environments.
Given their societal importance, the vast amounts of data that needs to stay protected, the significant threats they face, and the potential internal and external implications of a breach, compliance with NCSC-CAF is essential.
Adhering to the regulations enables organisations to improve:
- Compliance: NSCS-CAF enables organisation to meet NIS Regulations by providing measures to manage risks and report significant incidents, ensuring a consistent approach to assessing and enhancing cyber security.
- Security Posture: NCSC-CAF improves cyber resilience, crucial for protecting critical infrastructure. It identifies and mitigates vulnerabilities in complex systems like smart grids and SCADA systems, enhancing best practices for cyber incident management.
- Reputation and Trust: NCSC-CAF boosts business success and customer satisfaction by demonstrating commitment to cyber security and communicating progress to stakeholders in a regulated, competitive market.
Free Guide
The Complete Guide to Microsoft Entra [New for 2024]
The most comprehensive guide to Microsoft Entra. Over 40 pages. Plus, Microsoft licensing simplified.
Discover how you can:
- Cut costs by removing 50% management effort
- Elevate security – reduce breach chances by 45%
- Automate provisioning to ensure compliance
Key changes in NCSC-CAF version 3.2
The most significant updates in the latest version concern changes to the way organisations need to manage identity and access security.
CNI organisations, like most business sectors, have seen working cultures change. Workforces now need access to sensitive information, resources, and different cloud applications from remote locations beyond the traditional workplace.
Now, when you consider that up to 40% of cyber attacks were identity-related in 2023, managing who has access to what, and from where, is especially important.
It’s an area of increasing concern that has prompted the following updates in the framework.
Leveraging Microsoft Entra for compliance
Microsoft Entra offers a comprehensive suite of identity and access management tools that can help CNI organisations comply with the updated NCSC-CAF.
MFA and Conditional Access:
- Entra ID provides robust MFA capabilities, ensuring that access to critical systems and data is protected by more than just passwords. This aligns with the new CAF 3.2 requirements for MFA for all user access.
- Conditional access policies allow organisations to enforce access controls based on user, location, device state, and other risk factors. This ensures that only authorised personnel can access sensitive systems under secure conditions.
Identity protection and governance
Identity protection:
- Entra ID Identity Protection uses machine learning to detect and respond to suspicious activities and potential vulnerabilities in real-time. This proactive approach helps mitigate risks before they escalate into significant security incidents.
Privileged identity management (PIM):
- Entra ID PIM helps manage, control, and monitor access within Entra ID, Azure, and other Microsoft Online Services. By providing just-in-time privileged access and requiring approval for certain actions, PIM reduces the risk of misuse of administrative privileges.
Compliance and regulatory adherence
Audit logs and reporting:
- Entra provides extensive logging and reporting capabilities, essential for maintaining compliance with various regulatory requirements. These logs help CNI organisations track user activities, detect anomalies, and provide necessary documentation for audits.
Identity governance:
- Entra ID provides identity governance capabilities that help ensure that the right people have the right access to the right resources. This includes managing user lifecycle, entitlements, and ensuring compliance with internal and external policies.
Integration and interoperability
Seamless integration with existing systems:
- Microsoft Entra integrates well with existing IT infrastructure, including legacy systems. This interoperability is vital for CNI organisations that often have a mix of old and new technologies. By providing a unified identity solution, Entra helps streamline operations and improve security across diverse environments.
Scalability and flexibility
Scalability:
- Entra ID and other Entra components are designed to scale with the organisation. Whether a CNI organisation is expanding its services or adopting new technologies, Microsoft Entra can grow to meet these needs without compromising security or performance.
Adaptive security:
- Entra’s adaptive security measures, including risk-based Conditional Access and adaptive MFA, ensure that security controls can dynamically adjust based on the threat landscape and organisational changes. This flexibility is crucial for CNI organisations facing evolving cyber threats.
Conclusion
The updates to the NCSC-CAF in version 3.2 bring significant changes aimed at enhancing the cybersecurity resilience of critical national infrastructure organisations. By expanding MFA requirements, introducing stricter controls on privileged access, and improving secure configuration practices, the framework addresses the evolving cyber threat landscape.
CNI organisations must take these changes seriously and update their cyber security programmes accordingly. Leveraging comprehensive identity and access management solutions like Microsoft Entra can significantly aid in achieving compliance. Entra’s robust MFA capabilities, identity protection features, privileged identity management, and extensive logging and reporting make it an ideal solution for CNI organisations striving to meet the new NCSC-CAF requirements.
By adopting these practices and tools, CNI organisations can enhance their cybersecurity posture, ensure regulatory compliance, and safeguard the essential services they provide against cyber threats.
At Kocho, we’re already helping organisations help meet their NCSC-CAF compliance needs by leveraging the tools within Microsoft Entra and the broader suite of Microsoft security solutions.
Speak to our team today to find out how we can help your organisation.
Key takeaways
Compliance with NCSC-CAF is crucial for enabling cyber resilience in CNI organisations.
NCSC-CAF 3.2 requires enhanced MFA for all users, including remote access.
The latest updates have tightened up controls around privileged access from remote devices.
The framework emphasises removing or disabling default accounts.
Microsoft Entra provides tools like robust MFA and conditional access for compliance.
Entra’s PIM helps manage and monitor privileged access, reducing misuse risks.
Entra’s logging and reporting support regulatory compliance and security.
A clear pathway
Book your Entra ID Discovery & Roadmapping Workshop
Understand how to achieve more efficient, secure, and cost-effective identity and access management.
This is your opportunity to:
- Understand the gaps and challenges costing your organisation time and money.
- Gain a strategy that aligns identity management with your long-term business goals.
- Design an affordable solution that mitigates security risks and improves user experiences.
Great emails start here
Sign up for free resources and exclusive invites
Subscribe to the Kocho mailing list if you want:
- Demos of the latest Microsoft tech
- Invites to exclusive events and webinars
- Resources that make your job easier
Don't Miss
Great enterprise identity resources
Got a question? Need more information?
Our expert team is here to help.