State of the art – Analysis of the TeleTrusT guide (Part 2/2)

“State of the art” – PART 2

In our two-part series, we would like to discuss the current guidelines issued by the TeleTrusT working group and present our view. This is the second part of the series in which we address these topics:

    • 2.29 Monitoring of directory services and identity-based segmentation
    • 2.31 Cloud security platform
    • 3.9 Securing privileged user accounts
    • 3.17 Business continuity management (BCM)
    • 3.18 Emergency and crisis management
    • 3.20 Technical security review

In the first part of the series, we looked at the following topics:

    • Password management
    • 2.5 Encryption of data carriers
    • 2.8 Protection of electronic data traffic with PKI
    • 2.21 System hardening
    • 2.28 Securing administrative IT systems

But now it’s time to get started… 😊

Other relevant components for IT security

(3.2.29) Monitoring of directory services and identity-based segmentation

Many successful cyberattacks—whether carried out by state-sponsored groups or professional cybercriminals—have one thing in common: they exploit compromised user accounts. Often, the attack begins with a single point of access, such as leaked credentials or poorly secured service accounts, and ends with the complete compromise of the environment—often without the use of malware.

Directory services such as Microsoft Active Directory or Microsoft Entra ID are a particular focus here. Attackers first take over a seemingly unimportant system and then spread further and further.

Silently and partly automated, they spread to further systems and gradually expand their permissions – a process known as lateral movement – until they hold the highest privileges and the entire environment is compromised.

Therefore, monitoring directory services and intelligent, identity-based segmentation of the infrastructure are among the most important protective measures today.

This measure is specifically aimed at:

    • Attacks with stolen or darknet-traded access data – without any malicious code.
    • The exploitation of vulnerabilities in directory services and poorly protected service accounts.
    • The unnoticed spread of attackers through permission inheritance and faulty access paths.
    • The misuse of privileged accounts, including privilege escalation and identity theft.

Separate identities & limit risks

Microsoft’s tried-and-tested tiering model helps to mitigate precisely these attack vectors. The infrastructure is logically and technically divided into three security zones (tiers):

    • Tier 0 protects identity management and other critical systems, such as domain controllers, PKI systems, and backup servers.
    • Tier 1 comprises enterprise applications such as databases and file servers.
    • Tier 2 contains all end devices and user accounts for office activities, the internet, and email.

The aim of the model is to isolate critical accounts and systems from each other – through separate administration channels, user accounts, and login paths. This allows the effects of an attack to be specifically limited in the event of an emergency. A compromise in Tier 2 thus remains in Tier 2 – and does not immediately endanger the entire infrastructure.

The model is supplemented by continuous monitoring of directory services, with a focus on unusual login attempts, changes in rights, or suspicious access patterns – even when attackers use legitimate access data and classic endpoint protection systems fail.

Those who do not segment and monitor their identities and directory services risk losing complete control in an emergency. The combination of intelligent rights allocation (tiering) and continuous monitoring helps to significantly reduce the attack surface – and even stop sophisticated identity attacks at an early stage. Our blog articles and webinars offer concrete assistance in introducing a tiering model.
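The following is an added example and not code from this post or from the TeleTrusT guide. It shows what the two measures look like when combined in a small detection routine: a tier inventory (which accounts and hosts belong to Tier 0, 1 and 2) is applied to already parsed Windows Security events, so that a Tier-0 credential appearing on a Tier-2 workstation, or an addition to a Tier-0 group, is flagged even though the logon itself used perfectly valid credentials. The Windows event IDs 4624 and 4728/4732/4756 are the standard ones; the inventory, the field names and the sample events are constructed for this example.

```python
"""Tier-aware checks over constructed Windows Security events.

Added example: this is not code from the blog post or the TeleTrusT guide.
It assumes an inventory that maps accounts and hosts to tiers and a feed of
already parsed events. Event IDs 4624 (successful logon) and 4728/4732/4756
(member added to a security-enabled group) are the standard Windows IDs;
the dictionary keys and all names below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed tier inventory (Tier 0 = identity/critical, 1 = servers, 2 = clients).
ACCOUNT_TIER = {"da-admin": 0, "svc-backup": 0, "app-admin": 1, "jdoe": 2}
HOST_TIER = {"DC01": 0, "PKI01": 0, "SQL01": 1, "WS-0042": 2}

# Tier-0 groups: any membership change here is a Tier-0 rights change.
TIER0_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

LOGON_EVENT = 4624
GROUP_ADD_EVENTS = {4728, 4732, 4756}


@dataclass(frozen=True)
class Finding:
    severity: str
    rule: str
    detail: str


def check_logon(ev: dict) -> Optional[Finding]:
    """Apply the tiering rule: an account is only used inside its own tier.

    A Tier-0 credential on a Tier-1/2 host is the dangerous direction (the
    credential is now exposed on a less trusted system), so it is rated high;
    any other cross-tier logon is still a model violation and rated medium.
    """
    acct_tier = ACCOUNT_TIER.get(ev["account"])
    host_tier = HOST_TIER.get(ev["host"])
    if acct_tier is None or host_tier is None:
        return Finding("medium", "unknown-asset",
                       f"{ev['account']}@{ev['host']} is missing from the tier inventory")
    if acct_tier == host_tier:
        return None
    severity = "high" if acct_tier < host_tier else "medium"
    return Finding(severity, "tier-violation",
                   f"tier-{acct_tier} account {ev['account']} logged on to "
                   f"tier-{host_tier} host {ev['host']}")


def check_group_change(ev: dict) -> Finding:
    """Every group add is a rights change; Tier-0 groups are rated high."""
    severity = "high" if ev["group"] in TIER0_GROUPS else "low"
    rule = "tier0-group-change" if severity == "high" else "group-change"
    return Finding(severity, rule,
                   f"{ev['subject']} added {ev['member']} to {ev['group']}")


def analyze(events: list) -> list:
    """Run the checks over a batch of events and collect the findings."""
    findings = []
    for ev in events:
        if ev["id"] == LOGON_EVENT:
            f = check_logon(ev)
        elif ev["id"] in GROUP_ADD_EVENTS:
            f = check_group_change(ev)
        else:
            f = None
        if f is not None:
            findings.append(f)
    return findings


# Constructed event batch, not real log data.
SAMPLE_EVENTS = [
    {"id": 4624, "account": "da-admin", "host": "DC01"},       # Tier 0 -> Tier 0: fine
    {"id": 4624, "account": "da-admin", "host": "WS-0042"},    # Tier-0 creds on a client
    {"id": 4624, "account": "jdoe", "host": "SQL01"},          # user account on a server
    {"id": 4728, "subject": "app-admin", "member": "jdoe", "group": "Domain Admins"},
    {"id": 4624, "account": "contractor7", "host": "WS-0042"}, # not in the inventory
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.detail}")
```

The "unknown-asset" finding is deliberate: an account or host that is missing from the tier inventory cannot be judged, and in practice such gaps are where stale service accounts and forgotten systems hide.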

Interestingly, in the current TeleTrusT Report 2025, the measure continues to be rated highly, both in terms of its proven effectiveness in practice and its recognition by experts in the field.

[Figure: TeleTrusT graphic 1, part 2]

(3.2.31) Cloud-security platform

The use of cloud solutions is now part of everyday life for most companies. It is the result of numerous cloud-first initiatives and efforts to deliver IT services faster, scale flexibly, and reduce costs at the same time. In practice, however, the hoped-for cost savings have not always been realized—not least against the backdrop of current geopolitical tensions and the increasing importance of data sovereignty.

Nevertheless, cloud services are now an integral part of modern IT architectures. This makes it all the more important to ensure that both the respective cloud tenant and the services used are configured and operated securely. The hardening recommendations of the Center for Internet Security (CIS), which were also discussed in the chapter on system hardening, provide helpful guidance here.

The cloud security platform covers all three protection goals of a security strategy (confidentiality, integrity, and availability).

[Figure: TeleTrusT graphic 2, part 2]

TeleTrusT calls for the following measures to be implemented as a minimum:

    • Infrastructure-as-code testing prior to resource provisioning (compliance and misconfigurations; IaC / code security)
    • Compliance testing and detection of misconfigurations in the cloud (CSPM) against relevant compliance and recommended best practice frameworks
    • Prioritized vulnerability analysis from development to runtime (vulnerability management)
    • Display of possible attack paths, chaining of vulnerabilities, authorization keys, and misconfigurations (CASM)
    • Inventory of cloud infrastructure components
    • Verification of permissions (CIEM)
    • Behavior analysis and early detection of malicious activities within cloud accounts (UEBA)
    • Immediate detection of malicious activities through sensors within active workloads, including malware detection and file integrity monitoring (CWPP)
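The first item in that list, testing infrastructure-as-code before anything is provisioned, is easy to picture with a small example. What follows is added here and is not code from the post, the TeleTrusT guide or Microsoft: a rule set is evaluated against an ARM-style JSON template in the pipeline, and the deployment is only released when no rule fails. The property names for storage accounts (supportsHttpsTrafficOnly, allowBlobPublicAccess, minimumTlsVersion) and key vaults (enablePurgeProtection, enableRbacAuthorization, publicNetworkAccess) are the documented Azure ones; the template contents and the rules themselves are constructed for the example.

```python
"""Pre-provisioning check of an infrastructure-as-code template.

Added example; not code from the post, the TeleTrusT guide or Microsoft. It
assumes an ARM-style JSON template. The property names for storage accounts
and key vaults are the documented Azure ones; the template content and the
rule set are constructed. A missing property fails its rule on purpose (fail
closed), so that platform defaults cannot silently decide the outcome.
"""
import json

# Constructed template, not a real deployment.
TEMPLATE_JSON = json.dumps({
    "resources": [
        {"type": "Microsoft.Storage/storageAccounts", "name": "stlogsprod",
         "properties": {"supportsHttpsTrafficOnly": True, "allowBlobPublicAccess": False,
                        "minimumTlsVersion": "TLS1_2"}},
        {"type": "Microsoft.Storage/storageAccounts", "name": "stpublicdemo",
         "properties": {"supportsHttpsTrafficOnly": False, "allowBlobPublicAccess": True}},
        {"type": "Microsoft.KeyVault/vaults", "name": "kv-app",
         "properties": {"enablePurgeProtection": True, "enableRbacAuthorization": True,
                        "publicNetworkAccess": "Disabled"}},
        {"type": "Microsoft.KeyVault/vaults", "name": "kv-legacy",
         "properties": {"enableRbacAuthorization": False}},
    ]
})

# Rule set: (resource type, rule id, predicate over the properties dict).
# "TLS1_2" is the minimum this rule set demands; raise it if the platform offers more.
RULES = [
    ("Microsoft.Storage/storageAccounts", "storage-https-only",
     lambda p: p.get("supportsHttpsTrafficOnly") is True),
    ("Microsoft.Storage/storageAccounts", "storage-no-public-blob",
     lambda p: p.get("allowBlobPublicAccess") is False),
    ("Microsoft.Storage/storageAccounts", "storage-tls12",
     lambda p: p.get("minimumTlsVersion") == "TLS1_2"),
    ("Microsoft.KeyVault/vaults", "kv-purge-protection",
     lambda p: p.get("enablePurgeProtection") is True),
    ("Microsoft.KeyVault/vaults", "kv-rbac",
     lambda p: p.get("enableRbacAuthorization") is True),
    ("Microsoft.KeyVault/vaults", "kv-no-public-network",
     lambda p: p.get("publicNetworkAccess") == "Disabled"),
]


def evaluate(template_text: str) -> list:
    """Return (resource name, failed rule id) pairs in template order."""
    doc = json.loads(template_text)
    failures = []
    for res in doc.get("resources", []):
        props = res.get("properties", {})
        for rtype, rule_id, ok in RULES:
            if res.get("type") == rtype and not ok(props):
                failures.append((res["name"], rule_id))
    return failures


def gate(template_text: str) -> bool:
    """Pipeline gate: release the deployment only when no rule fails."""
    return not evaluate(template_text)


if __name__ == "__main__":
    for name, rule_id in evaluate(TEMPLATE_JSON):
        print(f"{name}: {rule_id}")
    print("deploy allowed:", gate(TEMPLATE_JSON))
```

In a real pipeline the rule set would be the CIS benchmark items the post refers to, and the same rules would be re-run against the live tenant afterwards (the CSPM step), so that drift between template and reality is caught as well.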

A good first step is to review the current situation. In our Cloud Security Assessment, we not only follow the recommendations of TeleTrusT, but also examine the following in particular:

    • Know-how transfer to understand the methods used by attackers and protective mechanisms.
    • Verification of identity protection and thus of selected resources and their configuration, e.g., key vaults
    • In general, Azure policies offer a technical means of implementation; if the customer already makes use of them, we also have access to the corresponding compliance reports, which we can analyze.
    • Checking Defender KPIs and the frequency/quality of processing vulnerabilities found at runtime
    • Presentation of possible attack paths, chaining of vulnerabilities, authorization keys, and misconfigurations (CASM). If misconfigurations are detected, the resulting attack path is discussed in detail again in the assessment report
    • Quality of the inventory of cloud infrastructure components
    • Review of permissions (CIEM)
    • Behavior analysis and early detection of malicious activities within cloud accounts (UEBA), in particular log forwarding, use of a SIEM (e.g., Sentinel), and staffing of the SOC
    • Review of the risk-based Conditional Access policies in use (risk assessment by Microsoft based on user behavior)
    • We generally review the use of Defender products or products that offer a comparable range of functions to meet this requirement.

Contact us to find out how secure your cloud tenant is.

(3.3.9) Securing privileged user accounts

Securing privileged user accounts remains an urgent measure that needs to be implemented:

[Figure: TeleTrusT graphic 3, part 2]

In security assessments, we repeatedly find that permissions in corporate infrastructures have grown historically, are undocumented or insufficiently documented, and that there are no established processes controlling the granting and revocation of permissions. Companies are overwhelmed by the task of precisely defining who needs which rights and mapping this technically. PAM systems can help with this, but here too, it must be defined who should have access to what. In addition, every service account must be assigned an owner, who in turn must define the access rights it requires.

In summary, the measure must ensure the following:

    • Guidelines and regulations for the use and handling of administrative permissions and accounts must be established.
    • A restrictive permission strategy must be pursued, according to which access to resources is generally prohibited unless it has been explicitly permitted or approved.
    • The need-to-know and least-privilege principles must be observed when assigning administrative permissions.
    • The assignment of administrative permissions must be carried out in a defined and controlled process in which a request is approved and documented.
    • Each administrative user account must be uniquely assignable to a person. In the case of functional users, however, a responsible person must be documented.
    • When granting temporary administrative permissions, these must have a time/logical restriction and must be revoked when they are no longer needed.
    • Up-to-date and complete documentation of all administrative accounts with their respective permissions must be maintained.

If you do not have a PAM system in place, you can also use a simple Excel list to document highly privileged users. We like to use such lists in the Tier 0 area or for smaller customers.

However, it is essential to start defining roles and specifying their permissions. Once this has been done, users can be assigned to these roles. Only after approval has been granted are users added to the roles. The process is rounded off by a continuous review (e.g., annually) to determine whether permissions are still needed or can be removed.
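As an added example (not code from the post or the TeleTrusT guide), the following script shows the simple-list approach in practice: a role catalogue defines which permissions a role carries, a register lists who holds which role, with owner, approval and expiry, and a review function produces the findings the requirements above ask for (no responsible person, no approval, expired temporary grant, review overdue, role not defined). The register is kept as CSV so it can be exported from the kind of Excel list mentioned above; the column names, roles, accounts, people and dates are all constructed.

```python
"""Review of a privileged-account register.

Added example, not part of the blog post or the TeleTrusT guide. It assumes
the register is a CSV file with the columns below (the post suggests a simple
Excel list for the same purpose); the role catalogue, accounts, owners and
dates are all constructed. The one-year review interval follows the post's
"e.g., annually".
"""
import csv
import io
from datetime import date

REVIEW_DATE = date(2025, 6, 1)   # constructed "as of" date for the review

# Step 1 from the post: define roles and the permissions they carry.
ROLE_PERMISSIONS = {
    "Tier0-Admin": {"DomainAdmin", "PKI-Admin", "Backup-Restore"},
    "Tier1-Admin": {"ServerLocalAdmin", "SQL-sysadmin"},
    "Backup-Operator": {"Backup-Restore"},
}

# Constructed register: one row per assignment of a person or service to a role.
REGISTER_CSV = """\
account,type,role,owner,approved_by,approved_on,expires_on,last_reviewed
da-jdoe,personal,Tier0-Admin,Jane Doe,CISO,2024-03-01,,2025-01-15
da-temp-vendor,personal,Tier0-Admin,Vendor X GmbH,CISO,2025-02-10,2025-02-17,
svc-backup,functional,Backup-Operator,,IT-Lead,2023-06-01,,2023-06-01
app-rsmith,personal,Tier1-Admin,Rob Smith,,2024-09-05,,2024-09-05
svc-monitor,functional,Monitoring-Admin,Ops Team,IT-Lead,2025-01-20,,2025-01-20
"""


def load_register(csv_text: str) -> list:
    return list(csv.DictReader(io.StringIO(csv_text)))


def effective_permissions(csv_text: str) -> dict:
    """Step 2: an account's permissions are derived from its role, never set ad hoc."""
    return {row["account"]: set(ROLE_PERMISSIONS.get(row["role"], ()))
            for row in load_register(csv_text)}


def review_register(csv_text: str, today: date, review_interval_days: int = 365) -> list:
    """Step 3: the periodic review. Returns (account, finding) pairs in register order."""
    findings = []
    for row in load_register(csv_text):
        acct = row["account"]
        if row["role"] not in ROLE_PERMISSIONS:
            findings.append((acct, "undefined-role"))           # permissions not derivable
        if not row["owner"]:
            findings.append((acct, "no-responsible-person"))    # every account needs a person
        if not row["approved_by"]:
            findings.append((acct, "no-approval"))              # added before approval
        if row["expires_on"] and date.fromisoformat(row["expires_on"]) < today:
            findings.append((acct, "temporary-grant-expired"))  # must be revoked now
        last = row["last_reviewed"]
        if not last or (today - date.fromisoformat(last)).days > review_interval_days:
            findings.append((acct, "review-overdue"))
    return findings


if __name__ == "__main__":
    for acct, what in review_register(REGISTER_CSV, REVIEW_DATE):
        print(f"{acct}: {what}")
```

The point of deriving permissions from the role rather than recording them per account is that the review then only has to answer two questions: is the role still right for this person, and is the role itself still defined correctly.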

(3.3.17) Business continuity management (BCM)

Companies that are prepared for crises not only secure their business processes, but also their very existence. This is precisely where business continuity management (BCM) comes in.

BCM is not a reactive emergency tool, but rather a strategic, systematic approach that companies can use to prepare for outages and ensure that time-critical business processes can be maintained or quickly restored even under adverse conditions.

The goal: minimizing downtime, protecting against reputational and financial damage, and strengthening organizational resilience.

What does a functioning BCM consist of?

An effective Business Continuity Management System (BCMS) consists of several components:

    1. Risk assessment & threat analysis
      What are the realistic risks for your company—and how severe could their impact be? This analysis forms the basis for all further measures.
    2. Business Impact Analysis (BIA)
      Which processes are critical to operations? How long can they be down without serious consequences? BIA helps to set priorities and plan a sensible recovery strategy.
    3. Strategy development & role clarification
      What measures need to be taken in an emergency? Who is responsible? Effective BCM requires clear structures—and employees who know their tasks in a crisis and are able to carry them out.
    4. Implementation & Testing
      Plans alone are not enough: emergency strategies must be implemented in practice, tested, and regularly updated—using tests, simulations, and real incidents.

What exactly does BCM protect against? BCM protects against a wide range of risks:

    • Natural disasters (e.g., floods, storms)
    • Cyberattacks (e.g., ransomware, DDoS)
    • Technical failures (e.g., power, hardware, software errors)
    • Pandemics or staff shortages
    • Supply chain disruptions caused by external service providers

The last point is particularly critical: modern companies are heavily dependent on IT, supply chains, and third-party providers. A good BCMS therefore also takes external risks into account and ensures that dependencies can be identified, assessed, and compensated for at an early stage.

[Figure: TeleTrusT graphic 4, part 2]

A functioning BCM not only ensures responsiveness in an emergency, but also builds trust among customers, partners, and regulatory authorities. It is no longer a marginal issue—it is an essential component of any professional security strategy.

In practice, BCM processes are often in place, but they are not adequately tested. Who has actually carried out an Active Directory forest recovery to prepare for an emergency? Continuous improvement is also very often neglected. Even though this does not follow directly from the requirement to have a BCM process, continuous improvement and regular testing are essential in order to be well prepared for an emergency. Only those who test their recovery processes under realistic conditions and learn from every incident can react quickly, safely, and effectively in an emergency.

(3.3.18) Emergency and crisis management

When systems fail, data is encrypted, or an attack hits the entire infrastructure, every minute counts. But not every incident is the same—which is why different strategies are needed to respond appropriately. This is where emergency and crisis management come into play.

Emergency management aims to respond quickly and effectively to acute IT disruptions such as cyberattacks, system failures, or technical errors. The focus is on minimizing the impact and quickly restoring business operations – with clear processes, responsibilities, and decision-making paths.

Crisis management always comes into play when an event has a major impact – or when an IT emergency turns into a company-wide crisis. This is not just about operational measures, but about strategic crisis management: communication, leadership, protection of people, assets, and reputation.

To prevent chaos from turning into panic, a structured approach is needed:

    1. Assess the situation – What has happened?
    2. Evaluate the situation – What are the potential consequences?
    3. Plan measures – What needs to be done?
    4. Implementation – Who is responsible for what, and how quickly?

Differences from BCM – and why all three concepts must work together

Although BCM, emergency management, and crisis management overlap in terms of content, they have different perspectives:

[Table: perspectives of BCM, emergency management, and crisis management (image in the original)]

Companies are well advised to identify suitable partners for emergencies at an early stage. Together with our partner HvS Consulting, we offer companies a comprehensive solution for dealing with IT emergencies and security incidents – from the initial alarm to complete technical resolution.

IT emergencies and crises often hit companies faster and harder than expected. In such cases, it is crucial not only to react quickly, but also to take sustainable action – and this is exactly where our cooperation comes in.

Teal and HvS combine their expertise to provide companies with the best possible support throughout the entire incident lifecycle:

The roles at a glance:

    • HvS specializes in incident detection and response:
      They make threats visible (Identify), increase resilience (Protect), detect attacks early (Detect), respond professionally in an emergency (Respond), and ensure initial stabilization after incidents (Recover).
      Important: HvS does not offer technical implementation of remediation measures – this requires the right implementation partner.
    • This is where Teal comes in:
      We take care of remediation – i.e., the sustainable resolution of security incidents, closing vulnerabilities, hardening systems, and restoring secure operating conditions.
      Important: Teal does not offer incident response, but implements targeted technical measures after the initial response.

Why this is a real advantage for you as a customer:

    • Combination of two strong portfolios – seamless, without overlapping competencies
    • Clear division of tasks: HvS detects & responds, Teal implements sustainably
    • Higher service level through well-coordinated cooperation
    • One contact person – full coverage in the event of a crisis and beyond

Our goal is to work together to offer a mutually enhanced service—for greater security, less downtime, and IT operations that not only function again but emerge from the incident noticeably stronger.

Both recognition by technical experts and proven performance in practice are at the top of the scale – a clear sign of how essential this area of action has become for modern IT security strategy.

[Figure: TeleTrusT graphic 5, part 2]

(3.3.20) Technical security review

Certified companies are accustomed to conducting regular audits to meet regulatory requirements such as ISO 27001, TISAX, DORA, NIS2, or KRITIS. However, these audits often focus on reviewing processes, while technical aspects are usually only considered marginally and examined superficially.

For this reason, the guide recommends supplementing established process reviews with in-depth technical analyses.

[Figure: TeleTrusT graphic 6, part 2]

In addition to configuration analyses and system hardening measures, regular vulnerability scans and penetration tests are also recommended. The latter in particular are already established in many organizations and are an integral part of their security strategy.

However, we repeatedly notice that the identified vulnerabilities are often not consistently remedied, and the results of the penetration tests are often ignored. Instead of structured follow-up, the reports end up in a drawer – if anything, only the obvious weaknesses, the so-called ‘low-hanging fruits’, are addressed.

In our view, this approach poses a significant security risk and lulls those responsible into a false sense of security.

Instead, IT security managers should insist on continuously working on vulnerabilities and eliminating them. For example, we rely on the following regular checks and mitigations for our customers:

    • PingCastle: check and eliminate at least one vulnerability
    • BloodHound: collect and evaluate data
    • Evaluate password quality with DSInternals
    • Set administrative accounts to “Account is sensitive and cannot be delegated”
    • Set Domain Admins as owner of all AD objects
    • Set Domain Admins as owner of all GPOs
    • Check permissions on all GPOs
    • Change the KRBTGT password
    • Change the built-in Administrator password
    • Change the DSRM passwords
    • Identify “stale” computers
    • Identify “stale” users
    • Check membership of the defined high-privilege groups
    • PKI check

By performing these steps on a monthly basis, you will not only stabilize and improve your IT security, but also identify new vulnerabilities at an early stage.
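Several items on that list are pure checks against directory data and can be scripted so that the monthly run produces the same report every time. The following is an added example and is neither our tooling nor output of PingCastle, BloodHound or DSInternals: it works on a constructed export of user and computer objects and implements the stale-object search, the “Account is sensitive and cannot be delegated” check for privileged accounts, the comparison of high-privilege group membership against an approved baseline, and the age check for the KRBTGT and built-in Administrator passwords. The userAccountControl bits are the documented ones; the 90-day and 180-day thresholds, the account names and the timestamps are this example's assumptions, not figures from the post. DSRM passwords are local to each domain controller and therefore do not appear in such an export; they have to be tracked separately.

```python
"""Monthly AD hygiene checks over a constructed directory export.

Added example: neither the post's own tooling nor output of PingCastle,
BloodHound or DSInternals. It assumes users and computers were exported with
the LDAP attributes named below and that a baseline of approved privileged-
group members exists. All accounts, hosts and timestamps are constructed; the
userAccountControl bits are the documented ones (ACCOUNTDISABLE = 0x0002,
NOT_DELEGATED = 0x100000). The 90/180-day thresholds are assumptions.
DSRM passwords live on each DC, not in the directory, and are out of scope.
"""
from datetime import datetime, timedelta, timezone

ACCOUNTDISABLE = 0x0002
NOT_DELEGATED = 0x100000   # "Account is sensitive and cannot be delegated"

HIGH_PRIV_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
STALE_DAYS = 90            # assumption: no logon for 90 days -> stale
ROTATE_DAYS = 180          # assumption: rotate krbtgt / built-in Administrator after 180 days

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)   # constructed "as of" time


def days_ago(n: int) -> datetime:
    return NOW - timedelta(days=n)


def user(name, uac=0, last=None, pwd=None, groups=()):
    return {"sAMAccountName": name, "userAccountControl": uac,
            "lastLogonTimestamp": last, "pwdLastSet": pwd, "memberOf": set(groups)}


# Constructed export, not a real directory.
USERS = [
    user("da-jdoe", NOT_DELEGATED, days_ago(3), days_ago(40), {"Domain Admins"}),
    user("da-old", 0, days_ago(400), days_ago(400), {"Domain Admins"}),
    user("krbtgt", ACCOUNTDISABLE, None, days_ago(700)),
    user("Administrator", NOT_DELEGATED, days_ago(10), days_ago(30),
         {"Domain Admins", "Administrators"}),
    user("jdoe", 0, days_ago(1), days_ago(20)),
    user("intern2023", 0, days_ago(300), days_ago(300)),
]
COMPUTERS = [
    {"sAMAccountName": "DC01$", "userAccountControl": 0, "lastLogonTimestamp": days_ago(1)},
    {"sAMAccountName": "WS-OLD$", "userAccountControl": 0, "lastLogonTimestamp": days_ago(200)},
]
# Approved baseline from the last review (constructed).
APPROVED_MEMBERS = {"Domain Admins": {"da-jdoe", "Administrator"},
                    "Administrators": {"Administrator"}}


def is_enabled(obj: dict) -> bool:
    return not obj["userAccountControl"] & ACCOUNTDISABLE


def stale_objects(objs: list) -> list:
    """Enabled objects that have not logged on within STALE_DAYS (or ever)."""
    cutoff = NOW - timedelta(days=STALE_DAYS)
    return [o["sAMAccountName"] for o in objs if is_enabled(o)
            and (o["lastLogonTimestamp"] is None or o["lastLogonTimestamp"] < cutoff)]


def privileged_users(users: list) -> list:
    return [u for u in users if is_enabled(u) and u["memberOf"] & HIGH_PRIV_GROUPS]


def delegation_unprotected(users: list) -> list:
    """Privileged accounts missing the NOT_DELEGATED flag."""
    return [u["sAMAccountName"] for u in privileged_users(users)
            if not u["userAccountControl"] & NOT_DELEGATED]


def unexpected_members(users: list, approved: dict) -> dict:
    """Privileged-group members that are not on the approved baseline."""
    actual = {}
    for u in users:
        for g in u["memberOf"] & HIGH_PRIV_GROUPS:
            actual.setdefault(g, set()).add(u["sAMAccountName"])
    deviations = {g: m - approved.get(g, set()) for g, m in actual.items()}
    return {g: m for g, m in deviations.items() if m}


def rotation_due(users: list) -> list:
    """krbtgt and built-in Administrator whose password is older than ROTATE_DAYS."""
    cutoff = NOW - timedelta(days=ROTATE_DAYS)
    return [u["sAMAccountName"] for u in users
            if u["sAMAccountName"] in ("krbtgt", "Administrator")
            and (u["pwdLastSet"] is None or u["pwdLastSet"] < cutoff)]


def monthly_report() -> dict:
    return {
        "stale_users": stale_objects(USERS),
        "stale_computers": stale_objects(COMPUTERS),
        "privileged_without_not_delegated": delegation_unprotected(USERS),
        "unexpected_privileged_members": unexpected_members(USERS, APPROVED_MEMBERS),
        "password_rotation_due": rotation_due(USERS),
    }


if __name__ == "__main__":
    for check, result in monthly_report().items():
        print(f"{check}: {result}")
```

The baseline comparison is the part that pays off month after month: an account that was added to Domain Admins “temporarily” shows up as a deviation until it is either removed or consciously added to the approved list, which is exactly the documented approval step the guide asks for.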

Conclusion

Now is the right time to act

The new “State of the Art” report clearly shows that IT security is not a one-time project, but rather a continuous process. Companies must not only comply with legal requirements—they must actively protect their systems against current threats. And this is precisely where we at Teal come in.

We help you identify the right measures, implement them professionally, and continuously improve them—whether it’s monitoring and protecting directory services, system hardening, cloud security, business continuity, or secure authentication. Together, we bring your IT to a modern, regulatory-compliant, and above all, secure level.

Get in touch with us!

Whether you are just starting out or want to update your existing security concept, we support you with sound advice, proven tools, and many years of practical experience. Teal is your point of contact for identity protection.
