On to the inclusion of cloud services: it is now a requirement for organisations to demonstrate account separation and multi factor authentication for administrators across all the cloud services they use. Whilst multi factor authentication on all user accounts will not be required until 2023 (at which point an organisation will automatically fail if multi factor authentication is not configured), it's worth implementing now, especially if you are a larger organisation. That said, if you're not using multi factor authentication on cloud services, you should definitely consider implementing it for the level of protection it provides. We configure multi factor authentication as standard, as it's a simple way to protect your user accounts and data.
There are also some changes in terms of how the assessment is scoped. Picture this scenario: your organisation has a legacy 2008 (read: unsupported) server running a line of business application which is required for historic data purposes. Previously, if this server was blocked from accessing the internet, it would effectively be removed from the scope of the assessment, even if it was on the same logical network as the rest of your devices. Easy peasy, the server was no longer an issue.
Now, under the changes in Evendine, this server must be in a 'sub-set', which in simple terms is a separate network without internet access, and the separation must be enforced using a firewall or network switch. Alternatively, you can put these devices on a separate network with internet access, but then not certify the entirety of your organisation and declare the exclusion as such, for example: "Joe Bloggs Company Ltd, excluding the legacy network". However, the NCSC prefer an organisation to achieve "whole company" certification wherever it can.
This might not be an issue for most organisations, but there certainly will be some challenges achieving this requirement for some.