
State of the art – Analysis of the TeleTrusT guide (Part 1/2)
23 June 2025
In our two-part series, we would like to discuss the current guidelines issued by the TeleTrusT working group and present our perspective. Let’s get started 😊.
“State of the art” – PART 1
What does “state of the art” mean in IT security—and why is it so important now?
The IT security situation remains tense and pressure on companies is mounting: new legal requirements such as NIS-2, DORA, the GDPR, and the upcoming NIS2UmsuCG not only demand more security measures, but also proof of compliance. At the heart of many regulations is a term that sounds clear but is anything but unambiguous: state of the art.
But what does that mean in concrete terms? What measures are considered appropriate today? And how can companies prove that their protective measures comply with current standards?
Answers can be found in the recently published “State of the Art” report from the German Federal Association for IT Security (TeleTrusT) 🚀. The annually revised guide has long been regarded by experts as a valuable reference, not only for KRITIS operators but for all organizations that want to set up their IT security in a legally compliant, effective, and future-proof manner.
In the following, we will shed light on what exactly TeleTrusT understands by “state of the art,” which legal requirements must be observed, which technical and organizational measures companies should really implement today, and where exactly we at Teal can provide targeted support.
Who is TeleTrusT?
The German Federal Association for IT Security (Bundesverband IT-Sicherheit e.V.), better known as TeleTrusT, is one of the most important competence networks for IT security in Germany and Europe. The association brings together experts from business, science, government, and law and promotes exchange on current security issues. With initiatives such as the “IT Security made in Germany” quality mark, numerous working groups, and publications, TeleTrusT plays a key role in shaping the discussion on practical security standards.
One central working group is the “State of the Art” working group. Its goal is to provide guidance, particularly on the question of what the state of the art means in terms of laws and regulations. The result is a regularly updated guide that systematically evaluates technical and organizational measures and supports companies in classification and implementation.
What is the current state of the art?
The term “state of the art” sounds objective, but in practice it is often difficult to grasp. According to TeleTrusT, it refers to the best performance available on the market for a measure that is suitable for effectively achieving legal IT protection goals such as availability, confidentiality, and integrity. It is therefore not necessarily about the latest or most innovative solution, but rather about what has proven itself in a professional environment and actually provides protection.
In comparison:
- The state of science and research encompasses highly innovative solutions – often not yet ready for the market.
- The generally accepted rules of technology are proven methods – but may be outdated or easily vulnerable.
What does this mean for companies? The state of the art is not a single measure, but always depends on the protection requirements, the threat situation, and the specific application. It can be achieved through a bundle of measures and must be regularly reviewed and adapted to remain effective.
Which regulations require state-of-the-art technology?
The term “state of the art” now appears in almost all relevant security and data protection regulations, even though it is never clearly defined there. As a result, companies must decide for themselves what exactly is “appropriate” or “necessary,” and this can quickly become a legal gray area.
Some important examples:
- NIS 2 Directive: Far-reaching EU regulation with reporting obligations and requirements for security and risk management – including explicit consideration of the state of the art.
- DORA: Mandatory for the financial sector and requires robust ICT risk management measures that must be “appropriate” and “proper.”
- GDPR (Art. 32): Data protection by design (privacy by design) requires technical and organizational measures, taking into account risk, costs, and the state of the art.
- BSI Act & IT Security Act 2.0: Obliges KRITIS operators, but also companies of particular public interest (UBI), to implement technical and organizational measures, including verification.
- TISAX, ISO 27001, BSI Basic Protection: Norms and standards that operationalize the state of the art in the form of concrete requirements or best practices.
Compliance with the state of the art is therefore not a “nice to have,” but a legally established minimum standard. And: Anyone who disregards it risks fines, liability issues, and loss of reputation.
Relevant building blocks for IT security
Teal specializes in identity protection. That is why we focus primarily on the topics described in the TeleTrusT guide, with which we have gained a wealth of experience over the past few years. In our view, the measures outlined in the following modules are essential for operating a modern and secure infrastructure.
Password management
At first glance, password management seems relatively “easy” to master. However, upon closer inspection, several questions arise for which there may be multiple solutions. At the same time, end users must be able to cope with the required specifications and, ideally, not be adversely affected by them. The same applies to password management for “non-human identities” (service accounts) and administrative users, who are often a much more attractive target for attackers and are usually poorly secured.
In the TeleTrusT guide, the chapters “3.2.1 Authentication,” “3.2.2 Evaluation and enforcement of strong passwords,” and “3.2.3 Multi-factor authentication” describe the secure handling of passwords.
The assessment in the TeleTrusT report shows, in the following two graphs, that compared to the 2023 assessment the topics of “evaluation and enforcement of strong passwords” and “multi-factor authentication” have become significantly more important.
1: Evaluation and enforcement of strong passwords
2: Multi-factor authentication
The measures are primarily intended to prevent
- other people from guessing weak passwords,
- stolen or known passwords from being used by others,
- and someone from stealing, misusing, or fraudulently using another person’s identity.
Authentication generally distinguishes between knowledge (e.g., a password), possession (e.g., a FIDO stick), and biometric characteristics (e.g., a fingerprint). The combination of these principles ensures authentication, but the following additional factors should also be taken into account:
- User accounts, and especially administrative users, must be secured with an additional authentication factor. Windows Hello for Business, Azure MFA, or SCAMA can help here.
- Using complex passwords is essential. Passwords should also be secured according to your individual protection needs. In a domain environment, Fine Grained Password Policies (FGPP) can be used here, for example.
- In addition, it is imperative to regularly check whether compromised passwords are in use. If this is the case, users must be informed and asked to change their passwords. Administrators can use commercial offerings such as Azure Password Protect or free offerings such as DSInternals.
- Regularly changing passwords for service accounts and functional users is an often neglected but essential security measure. Where possible, the use of Group Managed Service Accounts should be considered to automate this process. If this is not feasible, alternative automation solutions can significantly reduce the administrative effort. If this is also not feasible, the password change should at least be documented and specifically delegated to third parties, such as a service provider or trainee. In this way, the burden on administrators, who are already under considerable strain, can be specifically reduced.
(3.2.5) Encryption of data carriers
Encrypting data carriers is a tried-and-tested method for effectively protecting “data at rest.” This measure is already widely used, particularly in the client sector, and prevents data loss if, for example, a laptop is stolen from a hotel room during a conference or similar event. The assessment of the TeleTrusT working group was already clear in 2023: encrypting data carriers is an indispensable component of IT security. In the 2025 report, this measure has been rated even higher, which once again highlights its urgency.
Hard disk encryption has not yet been established across the board in the server sector. In our view, this is mainly due to the fact that for many years, it was only possible to encrypt guest systems on VMware hypervisors with additional software. However, this can now also be implemented with on-board tools – and should be implemented as standard as a matter of urgency.
Companies using Hyper-V had an advantage here from the outset: as in the client sector, BitLocker encryption could be used and combined effectively with pre-boot authentication, which requires a PIN to be entered before the operating system starts and before any user can access the system.
Regardless of the technology used, it is essential to store the associated decryption keys securely and protect them reliably against unauthorized access. In the case of BitLocker, for example, backup in Active Directory is a good option. This enables help desk staff to provide effective support when needed, for example, if a PIN is forgotten or technical problems arise.
In summary, this is a long-established security measure whose implementation should now be a matter of course in every company.
(3.2.8) Protection of electronic data traffic with PKI
When information is exchanged, two things are of central importance. First, the recipient must be sure that the sender is who they claim to be. Second, both parties must be sure that the message arrives at the recipient unchanged. To ensure both, many companies operate a public key infrastructure (PKI) with their own certification authority (CA). It is also possible to purchase trusted certificates from external providers. The TeleTrusT guide recommends this measure to protect against the following threats in particular:
- Identity theft / falsification of identity
- Manipulation of the content of electronic messages or files
- Manipulation of the timing of messages or files
The measure has long been classified as state of the art and was slightly upgraded again in the 2025 report.
However, anyone who operates their own certification authority should be aware that these systems are also targeted by attacks. Since domain controllers, among other systems, hold certificates for encrypted communication, the certification authority is often the starting point for compromising the entire environment. Microsoft’s Active Directory Domain Services (ADDS), for example, is often not operated securely: historically grown systems, poor documentation, and high complexity make it vulnerable to cyberattacks. We have addressed the various attack techniques on certification authorities and Active Directory in detail in a separate blog post: PSPKI Audit – Why you should analyze your PKI
Even a relatively simple attack vector illustrates how essential it is to secure a PKI system. Attackers repeatedly exploit the possibility of issuing certificates with a so-called Subject Alternative Name (SAN). Many certificate templates allow the use of such alternative names, for example to secure web servers or similar services.
Problems arise when authorized users can independently issue certificates with arbitrary SANs – such as administrator@domainname – and use them for authentication. In such cases, the PKI system quickly becomes a gateway for attacks.
Therefore, the resilience of the public key infrastructure should be checked regularly and with the highest priority.
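As an added example (not from the guide, and not Teal's PSPKI Audit tooling), the following Python audit evaluates certificate-template attributes for exactly the combination described above: an enrollee may supply the subject/SAN, the certificate is usable for authentication, and no CA manager approval is required. The template records and group names are constructed; the flag bits and EKU OIDs are the documented values from Microsoft's template schema.

```python
from dataclasses import dataclass, field

# Flag bits and EKU OIDs as documented in Microsoft's certificate template schema (MS-CRTD).
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # bit of msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # bit of msPKI-Enrollment-Flag: CA manager approval
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
# Assumption of this audit: an Enroll right for one of these groups means "practically every account".
BROAD_PRINCIPALS = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}

@dataclass
class Template:
    name: str
    name_flag: int        # msPKI-Certificate-Name-Flag
    enrollment_flag: int  # msPKI-Enrollment-Flag
    ekus: list = field(default_factory=list)               # pKIExtendedKeyUsage OIDs
    enroll_principals: list = field(default_factory=list)  # principals holding the Enroll right

def audit_template(tpl: Template) -> list[str]:
    """Reasons why this template lets an enrollee obtain a logon certificate for a subject/SAN
    of their own choosing; an empty list means the risky combination is absent."""
    supplies_subject = bool(tpl.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    # A template without any EKU is not limited to a purpose, so treat it as usable for logon.
    usable_for_logon = not tpl.ekus or bool(AUTH_EKUS & set(tpl.ekus))
    needs_approval = bool(tpl.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS)
    if not supplies_subject or not usable_for_logon or needs_approval:
        return []  # SAN comes from AD, or the cert cannot be used to log on, or a CA manager reviews it
    findings = [
        "enrollee supplies subject/SAN (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT set)",
        "certificate usable for authentication",
        "no CA manager approval required",
    ]
    broad = BROAD_PRINCIPALS & set(tpl.enroll_principals)
    if broad:
        findings.append("enrollable by " + ", ".join(sorted(broad)))
    return findings

def audit_templates(templates: list[Template]) -> dict[str, list[str]]:
    """Map template name -> findings, for every template that combines the risky properties."""
    report = {}
    for tpl in templates:
        findings = audit_template(tpl)
        if findings:
            report[tpl.name] = findings
    return report

# Constructed sample templates (not from a real environment). In practice the attributes are read
# from CN=Certificate Templates,CN=Public Key Services,CN=Services in the Configuration partition.
SAMPLE_TEMPLATES = [
    # Subject built from AD (0x82000000 = SUBJECT_REQUIRE_DIRECTORY_PATH | SUBJECT_ALT_REQUIRE_UPN).
    Template("User-Default", 0x82000000, 0, ["1.3.6.1.5.5.7.3.2"], ["Domain Users"]),
    # Enrollee supplies the SAN, but Server Authentication only: cannot be used to log on.
    Template("WebServer-Internal", 0x1, 0, ["1.3.6.1.5.5.7.3.1"], ["Domain Computers"]),
    # Enrollee supplies the SAN, Client Authentication, every user may enroll, no approval: the case from the text.
    Template("VPN-User-Legacy", 0x1, 0, ["1.3.6.1.5.5.7.3.2"], ["Domain Users"]),
    # Same properties, but every request waits for CA manager approval: mitigated.
    Template("Admin-SmartCard", 0x1, 0x2, ["1.3.6.1.4.1.311.20.2.2"], ["Domain Users"]),
]
```

For a flagged template the remediation is one of: clear the enrollee-supplies-subject flag so the SAN is built from the directory, require CA manager approval, or restrict the Enroll right to the small group that actually needs the template.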
(3.2.21) System hardening
By default, many operating systems—whether Windows, Linux, or appliances—are anything but securely configured. Unused services, open interfaces, and weak default settings provide an unnecessarily large attack surface. This is exactly where system hardening comes in: it ensures targeted protection of systems by disabling unnecessary functions, restricting interfaces, and enforcing secure configurations.
The principle: only what is really needed remains active – everything else is deactivated. This applies to physical servers as well as virtual machines, cloud instances, or special management clients such as Privileged Access Workstations (PAW).
Once properly implemented, system hardening not only protects against the infiltration of malware or ransomware, but also against identity theft, data leakage, sabotage, and the misuse of your infrastructure – for example, for crypto mining or sending spam. It also makes it more difficult for attackers to carry out lateral movement, i.e., the undetected migration from compromised systems to other targets in the network.
In practice, system hardening is increasingly becoming an indispensable part of any IT security strategy. This is also evident from the latest TeleTrusT report: Compared to 2023, the topic is now rated much higher – with growing relevance in the catalog of measures and in the technical assessment by expert committees.
Those responsible for information security must implement a variety of technical and organizational measures. First, they must decide which settings to apply to the existing systems. It is strongly advised not to create each configuration from scratch. Instead, common recommendations from recognized bodies such as the Center for Internet Security (CIS) or the Federal Office for Information Security (BSI), or manufacturer recommendations such as Microsoft’s Security Baseline, should be used. These standards comprise hundreds of settings. They offer very good protection and can be adapted to individual needs.
Once the target configuration has been defined, the question arises as to how the settings can be implemented in the field. We have already presented our approaches (layered, rapid, and lifecycle hardening) in another blog post on the topic of “Three effective methods for introducing system hardening.”
A system hardening project always involves eliminating legacy issues, and auditors increasingly require reasonable reports as proof. That is why we work closely with our partner FB Pro GmbH on this topic. The Enforce Administrator solution makes it easy to combine industry standards and secure Windows, Linux, domain, and non-domain systems with a uniform technology. This allows state-of-the-art hardening configurations to be defined, rolled out to IT systems, and centrally managed throughout the entire lifecycle – transparently, traceably, and auditably.
If you want to check how a system is secured today, you can do so with the free Audit-Tap tool on GitHub from FB Pro. This allows you to generate compliance reports for your systems. The resulting HTML reports provide a transparent overview of the security configuration of your devices in comparison to international security standards and hardening guides.
(3.2.28) Securing administrative IT systems
Many administrators still manage their systems from the same machine that is used for writing emails and surfing the web – the “normal office PC”. Office computers are not adequately protected and are vulnerable to phishing and other attacks. Once an office device has been compromised, attackers can exploit this to steal administrative login credentials and gain further access. That is why office work must be separated from administrative work.
The administrative IT systems used for this purpose – i.e., clients or servers that control and manage other systems – are at the heart of many IT infrastructures. This also makes them a particularly lucrative target for attackers: if they succeed in gaining access here, entire networks or production environments are often compromised. This makes it all the more important to secure these systems with particular care – technically, organizationally, and operationally.
What needs to be considered?
- Use only for administration: Administrative systems belong in isolated network segments and may only be used for administrative tasks – not for email, Office, or web access.
- System hardening & secure authentication: These systems must also be consistently hardened. Access should ideally be via multi-factor authentication (MFA) over encrypted channels – always via personal, traceable accounts.
- Logging & rights assignment: All activities must be centrally logged and regularly evaluated. Important: Admins should not have access to their own logs – the dual control principle is the gold standard here.
- Software control: Only approved software may be run on administrative endpoints. Untested tools, browsers, or test scripts have no place there.
- Securing sensitive zones: Access to highly sensitive network areas should ideally be via dedicated jump servers or admin terminals – logically separated from the rest of the network.
In practice, so-called privileged access workstations (PAW) are used. We have described our view on this topic in a detailed blog article: PAW – Deep Dive and Practical Implementation
However, many companies find it difficult to provide each administrator with an additional, dedicated device. In our view, this is particularly necessary for the administration of domain controllers or other critical systems (T0 systems). However, taking risk assessment into account, different mechanisms are also conceivable for “normal” server systems. For example, more and more companies are successfully using privileged access management (PAM) systems. Solutions such as CyberArk quickly become very expensive and can be replaced by software such as Devolutions or Passwordstate. Among other things, these systems can control the temporary assignment of admin rights, document them automatically, and ensure traceability at all times. This keeps your admin systems lean, secure, and under control.
PAWs and/or PAM systems are no longer an optional extra. The current TeleTrusT Report 2025 clearly shows that securing administrative IT systems is now one of the central, fundamental building blocks of modern IT security architectures. Compared to the 2023 report, the measure has developed significantly in terms of both its proven effectiveness in practice and its recognition by experts in the field.
Conclusion
Now is the right time to make a move
The new “State of the Art” report clearly shows that IT security is not a one-time project, but rather a continuous process. Companies must not only comply with legal requirements—they must actively protect their systems against current threats. And this is precisely where we at Teal come in.
We help you identify the right measures, implement them professionally, and continuously improve them—whether it’s monitoring and protecting directory services, system hardening, cloud security, business continuity, or secure authentication. Together, we bring your IT to a modern, regulatory-compliant, and, above all, secure level.
Get in touch with us!
Whether you are just starting out or want to update your existing security concept, we support you with sound advice, proven tools, and many years of practical experience. Teal is your point of contact for identity protection.
In the second part of the series (to be published in early July), we will discuss other important components from the state-of-the-art guide:
- 2.29 Monitoring of directory services and identity-based segmentation
- 2.31 Cloud security platform
- 3.9 Securing privileged user accounts
- 3.17 Business continuity management (BCM)
- 3.18 Emergency and crisis management
- 3.20 Technical security review