The widespread digitalization of services means that more and more resources are being moved to the cloud. While this approach brings numerous benefits, including flexibility and scalability, it also exposes these services externally, increasing the risk of unauthorized access. Managing access to cloud resources is becoming an increasingly significant challenge, especially in large organizations that operate with a growing number of users, contractors, and a diversity of roles and permissions.
This shift has drawn the attention of regulators and standards bodies, which, through guidelines and directives, stress that security practices must be tailored to the needs of individual companies and the sectors in which they operate. Directive 2022/2555, known as the NIS 2 Directive, is the European Union's response to these changes and to the need for a uniform set of information security obligations and standards across member states. The main obligations arising from the directive include:
- The obligation to implement risk management measures and incident response protocols.
- The obligation to report significant cybersecurity incidents to the relevant authorities.
- The requirement for cooperation between member states and with relevant authorities at the EU level.
- Dedicated requirements for key sectors such as energy, transport, health, and finance.
What Will Change with the NIS 2 Directive
The new regulations have extended coverage to more sectors and a larger number of organizations, including medium and large enterprises in critical industries. Stricter requirements for information security and reporting obligations have been introduced to increase resilience to cyber threats. Under Article 21(3), entities must take into account the vulnerabilities specific to each direct supplier and service provider, as well as the overall quality of their suppliers' products and cybersecurity practices, including their secure development procedures.
In the report "Foresight Cybersecurity Threats for 2030" [1], ENISA (European Union Agency for Cybersecurity) presented a detailed analysis of emerging cybersecurity threats up to the year 2030. Analysts identified the following key threats:
- Disruption of the software supply chain
- Shortage of skilled cybersecurity specialists
- Human errors and exploitation of legacy systems
The latest reports on software supply chain security confirm that it is one of the biggest threats to cybersecurity. The report “The State of Software Supply Chain Security 2024” from ReversingLabs indicates that the number of attacks on the software supply chain has increased by 289% over the past four years, with most attacks concentrated on popular open-source repositories such as npm and PyPI.
The ENISA publication also highlights the danger of key economic sectors growing ever more dependent on external IT services. This dependence multiplies the number of interactions in the digital landscape, and as a result, providers of essential services increasingly rely on software whose development process they neither certify nor control.
How to Ensure IT Solutions Compliance with the NIS 2 Directive
NIS 2 is a fairly general directive and does not explicitly state what actions to take or what steps to follow. Nevertheless, it sets a direction for cybersecurity measures, highlighting the following key actions:
- Ensuring uniform, verified, and authorized access to digital services, especially those processing personal data.
- Implementing continuous monitoring and security updates within enterprises for critical service access points.
- Standardizing access processes to digital services along with implementing a user identity management system.
- Reporting and monitoring the status of access to authorized services and data collections.
For this reason, we can expect an increase in interest in implementing IAM (Identity and Access Management) solutions in the near future. The primary issue is not only the implementation of the IAM system itself but also the ability to adapt it to the specific integration needs of various solutions:
- SSO with Keycloak – Users authenticate once and are signed in to every connected application (over OpenID Connect or SAML), which simplifies authentication and authorization within the organization, improves user convenience, and reduces the number of credentials in circulation.
- Event Logging and Alerts – Keycloak records user events such as logins, logouts, password changes, and authentication errors, and admin events for configuration changes. Keycloak itself only records these events; alerting on them (for example, on bursts of failed logins) is added through a custom event listener or by forwarding the events to a SIEM, and it is this alerting that enables rapid threat response and better protection of cloud resources.
- Custom Authentication Flow in Keycloak – Allows authentication and authorization processes to be composed and extended to match an organization's specific requirements (for example, conditional step-up authentication), providing flexibility without giving up control over how access to resources is granted.
- Identity Providers and User Federation – Integrating Keycloak with Microsoft Active Directory (through LDAP user federation) and with Google Workspace (as an OpenID Connect identity provider) enables central identity and access management. Users then sign in once with one set of credentials and gain access to multiple applications.
- Scaling Keycloak – Allows handling a growing number of users and applications by running multiple instances in a clustered configuration that shares a database and an Infinispan cache, ensuring even load distribution and high availability.
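As an added example (not code from the original article or from the Keycloak project), the following Python script shows the kind of detection logic the "Event Logging and Alerts" item implies: Keycloak records the events, but the rules that turn them into alerts have to run in a custom event listener or in the system the events are shipped to. The script consumes records shaped like Keycloak's EventRepresentation (time in epoch milliseconds, type, ipAddress, error, details.username) and runs three sliding-window rules: repeated failures against one account, one source address spraying several accounts, and a successful login shortly after an account was flagged. The sample events, thresholds, rule names, and severities are constructed for this illustration.

```python
"""Brute-force and password-spray detection over Keycloak login events.

Added example, not code from the article or the Keycloak project. Input
records are assumed to be shaped like Keycloak's EventRepresentation (what
the admin REST API and a custom EventListenerProvider see): time in epoch
milliseconds, type, ipAddress, error, and details.username. Thresholds and
rule names are this example's own choices.
"""
from collections import defaultdict, deque

_T0 = 1_700_000_000_000  # arbitrary epoch-millisecond base for the samples


def _ev(offset_s, type_, ip, username, error=None):
    """Build one constructed sample event offset_s seconds after _T0."""
    ev = {"time": _T0 + offset_s * 1000, "type": type_, "realmId": "corp",
          "clientId": "portal", "ipAddress": ip, "details": {"username": username}}
    if error:
        ev["error"] = error
    return ev


# Constructed sample events (not captured data): a credential-stuffing burst
# against alice that ends in a successful login, a spray from a second IP
# against three accounts, and benign traffic from a third IP.
SAMPLE_EVENTS = [
    _ev(1, "LOGIN_ERROR", "192.0.2.5", "erin", "invalid_user_credentials"),
    *[_ev(5 * i, "LOGIN_ERROR", "203.0.113.10", "alice", "invalid_user_credentials")
      for i in range(5)],
    _ev(21, "LOGIN_ERROR", "198.51.100.7", "bob", "user_not_found"),
    _ev(22, "LOGIN_ERROR", "198.51.100.7", "carol", "invalid_user_credentials"),
    _ev(23, "LOGIN_ERROR", "198.51.100.7", "dave", "invalid_user_credentials"),
    _ev(40, "LOGIN", "203.0.113.10", "alice"),
    _ev(41, "LOGIN", "192.0.2.5", "erin"),
]


def _username(ev):
    """Submitted login name; LOGIN_ERROR for unknown users has no userId."""
    return (ev.get("details") or {}).get("username") or ev.get("userId") or "<unknown>"


def detect_login_abuse(events, max_failures=5, window_ms=60_000, spray_users=3):
    """Run three sliding-window rules over events and return alerts in time order.

    bruteforce:               >= max_failures LOGIN_ERROR for one username within window_ms
    spray:                    one ipAddress failing against >= spray_users distinct
                              usernames within window_ms
    success_after_bruteforce: a LOGIN for a username flagged by 'bruteforce' inside
                              the same window
    Each rule fires once when its threshold is crossed, not on every later event.
    """
    alerts = []
    fails_by_user = defaultdict(deque)  # username -> timestamps of recent LOGIN_ERROR
    fails_by_ip = defaultdict(deque)    # ipAddress -> (timestamp, username) of recent LOGIN_ERROR
    flagged = {}                        # username -> time the bruteforce alert fired

    for ev in sorted(events, key=lambda e: e["time"]):
        t, ip, user = ev["time"], ev.get("ipAddress", "?"), _username(ev)

        if ev["type"] == "LOGIN_ERROR":
            uq = fails_by_user[user]
            uq.append(t)
            while t - uq[0] > window_ms:   # drop failures older than the window
                uq.popleft()
            if len(uq) == max_failures:    # crossed exactly now: one alert per burst
                flagged[user] = t
                alerts.append({"rule": "bruteforce", "severity": "medium", "time": t,
                               "username": user, "ipAddress": ip, "count": len(uq)})

            iq = fails_by_ip[ip]
            iq.append((t, user))
            while t - iq[0][0] > window_ms:
                iq.popleft()
            targets = {u for _, u in iq}
            if len(targets) == spray_users:  # each event adds at most one new username
                alerts.append({"rule": "spray", "severity": "medium", "time": t,
                               "ipAddress": ip, "usernames": sorted(targets)})

        elif ev["type"] == "LOGIN" and user in flagged:
            # A success right after a flagged burst likely means the guess worked.
            if t - flagged.pop(user) <= window_ms:
                alerts.append({"rule": "success_after_bruteforce", "severity": "high",
                               "time": t, "username": user, "ipAddress": ip})
    return alerts


if __name__ == "__main__":
    for alert in detect_login_abuse(SAMPLE_EVENTS):
        print(alert)
```

The thresholds are deliberately parameters: a realm with a public self-service portal will need a higher `max_failures` than an internal admin realm, and the window should match the lockout policy configured under the realm's brute force detection so the two do not disagree about what counts as an attack.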
How to Prepare for a Discussion on Implementing Keycloak in a Large Organization?
Technical discussions about implementing new tools can be lengthy and multi-staged, so it is essential to prepare properly to ensure the consultation phase proceeds quickly and both parties obtain sufficient information. We asked our CEO, Andrzej Chybicki, for advice on how to best prepare for implementing Keycloak.
WHAT ARE THE MOST COMMON NEEDS OF COMPANIES SEEKING CYBERSECURITY COLLABORATION?
Keycloak is a specific yet comprehensive solution that allows for the creation of advanced user authorization management systems. Its biggest advantage is the possibility of implementing it as on-premise software.
Even companies with extensive experience can face challenges when introducing a significant change such as a custom authorization flow in their login systems and often seek consultation. In such situations, they look for partners who have practical experience in similar projects, are familiar with common problems, and have proven methods for solving them.
Our clients include organizations at various levels of IAM experience – some are considering implementation, aware of the benefits of identity and access management but unsure where to start. Others have already begun implementation and installed necessary components but face challenges in configuring customization for users, partners, and employees, for instance, in designing complex authorization schemes required by their operations.
HOW TO PREPARE FOR THE IMPLEMENTATION OF KEYCLOAK TO ENSURE A SMOOTH PROCESS?
When helping companies create internal IAM solutions, our actions lead to two fundamental questions. First, it is essential to assess whether Keycloak, compared to other solutions like Okta or AWS Cognito, which might offer simpler handling and cloud-level automation, is the best choice. Then, it becomes crucial to outline authorization processes, application integration, installation type (on-demand or on-premise), technical support, and long-term strategy with system updates. These are the basic issues to discuss at the outset.
WHAT DO CLIENTS EXPECT FROM US AS A COMPANY COMPREHENSIVELY IMPLEMENTING KEYCLOAK?
Our experience shows that the greatest help for our partners is the specialized knowledge gained from similar initiatives. They often seek experts when they have specific requirements for customizing production software or need to create an add-on (plugin). They expect our support, counting on us to use experiences from previous projects and show how we handled similar challenges in the past. Examples range from ensuring scalability, configuring and integrating with cloud authorization flows to integrating with database systems handling millions of users simultaneously. Our task is to provide advisory services that meet their essential needs.
WE’VE IMPLEMENTED KEYCLOAK, BUT WHAT NEXT? DOES THE COMPANY NEED TO HIRE DEVELOPERS FAMILIAR WITH THIS TOOL TO MANAGE THE SYSTEM POST-IMPLEMENTATION?
The process of implementing and configuring Keycloak is complex, and the intensity of work during the project is uneven. Such work is often overseen by the security department or individuals at the chief technical management level – thus requiring coordination among multiple employee groups. Coordination with support teams is also often needed to determine the optimal time to introduce changes in authorization processes.
Implementing Keycloak does not require the constant presence of dedicated experts within the organization. Keycloak is generally a stable tool, and it is crucial for system managers to know how it functions and to be able to operate Keycloak’s administrative panel, utilizing its features without the need for modification.
However, long-term support is essential, including regular security updates that the Keycloak community releases every few months. These updates are critical, and it is valuable to have access to skills and knowledge in case of critical issues.
[1] https://www.enisa.europa.eu/publications/foresight-cybersecurity-threats-for-2030-update-2024-extended-report