
The 13 Key Requirements Impacting ZTNA, PAM, AM, and IAM Products

Under the European Union’s Cyber Resilience Act (CRA)

On October 23, 2024, a new regulation from the European Union was published regarding cyber resilience, more specifically under the title: “horizontal cybersecurity requirements for products with digital elements.”

The objective is clearly stated: “to ensure that hardware and software products placed on the market have fewer vulnerabilities and that manufacturers take security seriously throughout a product’s life cycle.”

It is important to note that this regulation must be applied, in particular, to public procurement processes, requiring purchasers to ensure “compliance with essential cybersecurity requirements […] including the manufacturer’s ability to effectively address vulnerabilities.”

This article focuses on the product-related impacts for software in the areas of Zero Trust Network Access (ZTNA), Privileged Access Management (PAM), Access Management (AM), and Identity and Access Management (IAM).

What areas of cybersecurity are involved?

Products are divided into several categories, each requiring increasingly stringent measures to comply with the Cyber Resilience Act.

The three most significant categories are:

  • Class I important products (Article 7),
  • Class II important products (Article 7),
  • Critical products (Article 8).

Class I includes the cybersecurity domains mentioned earlier, with the following criterion:
“The product with digital elements performs essential cybersecurity functions for other products, networks, or services, including securing authentication and access, intrusion prevention and detection, endpoint security, or network protection.”

Accordingly, in Annex III, which outlines the domains covered under Class I, we notably find:

  • “Identity management systems and privileged access management software and devices, including authentication and access control readers and biometric readers”
  • “Password managers”
  • “Products with digital elements providing Virtual Private Network (VPN) functionality”

This directly concerns the features available within the cyberelements SaaS platform, whether they relate to Zero Trust (ZTNA), Privileged Access Management (PAM), Access Management (AM), or Identity and Access Management (IAM).

The obligations can generally be divided into two main categories: those relating to the product itself, and those concerning communication about vulnerabilities or major incidents.
This section focuses on the product-related obligations.

The 13 Obligations for ZTNA, PAM, AM, and IAM Products

Manufacturers must maintain an assessment of their products’ compliance with the obligations arising from this regulation.

Typically, product documentation will include an analysis of how each obligation is implemented in the product.

The 13 points below have varying degrees of impact on products:

  1. “Be placed on the market without any known exploitable vulnerabilities”: this may seem obvious, but here a form of conformity attestation regarding the absence of vulnerabilities is required. This issue will be particularly important for third-party components that may be affected. It will impact all types of solutions in the same way.
  2. “Be placed on the market with a secure default configuration,” including “the possibility to reset the product to its original state”: a prudent measure. One risk is the misuse of a cybersecurity product. In our domains, this may involve, for example, AES-256 encryption recommended and set by default, default access modes for ZTNA without any agent installed on the endpoint, or a set of default restrictions applied to resource access.
  3. “Be designed so that their vulnerabilities can be addressed through security updates, including, where applicable, regular automatic security updates enabled by default but easy to disable, communication to users of available updates, and the possibility to temporarily defer them”: this is a clear and precise operating mode that is necessary for each domain mentioned. It mirrors what operating systems have long provided. However, the security of the automated update supply chain itself, a known vector of compromise, is not addressed.
  4. “Ensure protection against unauthorized access through appropriate control mechanisms, including, but not limited to, authentication, identity, or access management systems, and report any unauthorized access”: a fundamental principle that calls for the use of multi-factor authentication. These are Zero Trust principles that will impact every product administration console, for example. The system must therefore be able to integrate into an identity and access management infrastructure and be provisioned in real time to enforce Zero Trust access principles.
  5. “Protect the confidentiality of data stored, transmitted, or otherwise processed, whether personal or otherwise, for example by encrypting relevant data at rest or in transit using advanced mechanisms and other technical means”: this is also a standard expectation for any cybersecurity product. Data confidentiality in transit is ensured through end-to-end secure tunnels, from the user’s terminal to the network of the equipment or device being protected. It is also important to prevent any unprotected “downstream” access to the equipment: preference is given to “upstream” access through secure tunnels encrypted with a key held by the organization itself.
  6. “Protect the integrity of data stored, transmitted, or otherwise processed, whether personal or otherwise, as well as commands, programs, and configurations against any unauthorized manipulation or modification by the user, and report any corruption”: here, for example, we find the need for a binary integrity server that can verify the integrity of components at each execution. This may impact a product’s infrastructure. It can also apply to a privileged user management product, ensuring the integrity of session recordings.
  7. “Only process data, personal or otherwise, that is adequate, relevant and limited to what is necessary for the intended purpose of the product containing digital elements (data minimization)”: this may concern information retention practices (video traces, for example), as well as the anonymization of sensitive data logged in any format, a subject particularly relevant to the management of privileged users.
  8. “Protect the availability of essential and basic functions, including after an incident, through resilience measures and mitigation against denial-of-service attacks”: beyond protection against denial-of-service, this involves implementing redundant system approaches at the infrastructure level and even at the data center level. The resulting costs may hinder certain cybersecurity equipment purchases.
  9. “Minimize as much as possible the negative impact caused by the products themselves or connected devices on the availability of services provided by other devices or networks”: this is a continuation of the previous point. For a PAM product, for example, what measures allow an information system to continue to be managed if the platform becomes unavailable? A redundant approach or a degraded SaaS mode, for example, could be implemented to maintain operations.
  10. “To be designed, developed and manufactured in such a way as to limit attack surfaces, including external interfaces”: this is the concept of security “by design,” which must be a point of attention at every stage of software development. It applies equally to all types of product. Particular attention must be paid to web interfaces. Simplicity is also a relevant approach to limiting attack surfaces: exposing a limited number of services, or even adopting a technology that does not expose any service on the Internet (particularly for all “connected” devices).
  11. “To be designed, developed and manufactured in such a way as to reduce the repercussions of an incident, using appropriate mechanisms and techniques to limit the exploitation of vulnerabilities”: a point which quite naturally concerns global cybersecurity solutions. For our subjects, it would be, for example, the implementation of behavioral analysis on a privileged user management product to detect malicious user behavior and immediately block access. Or, in the field of Zero Trust, a dynamic approach to usage restrictions: if a monitored parameter changes, access is blocked as well.
  12. “Provide security-related information by recording and monitoring relevant internal activities, including access to or modification of data, services or functions, while giving the user the option of deactivating the mechanism”: this is at the heart of Zero Trust and privileged user management products, with the notion of an advanced trace including session recording. The user’s consent must be sought, and operation in deactivated mode must be a matter for product administrators.
  13. “Give users the possibility of easily, securely and permanently deleting all data and settings, and where data can be transferred to other products or systems, ensure that this can be done securely”: beyond simply being able to delete or transfer data and settings, it will also be necessary to provide users with some form of certification that this has been done.

In conclusion, it is vital for our systems to continue to evolve to provide the best possible guarantees for our users. Some of the 13 measures are already standard for many solutions, so software vendors will mainly be obliged to document their compliance, while other points will need to be adapted by interpreting the regulation’s instructions in the best possible way.