The European Union’s Digital Operational Resilience Act (DORA) came into force on 16 January 2023, but organizations have until 17 January 2025 to become compliant. Financial institutions, including banks, insurance companies, and investment firms, must comply with the legislation’s strict rules for cybersecurity protection, detection, containment, recovery, and repair capabilities or face penalties.
DORA was created by the EU to strengthen the operational resilience of its financial entities. The EU recognized that the digital transformation taking place in the financial services industry placed an unprecedented reliance on technology. Financial services would be impacted if that technology were compromised by a cyber attack. DORA covers Information and Communications Technology (ICT), which includes cloud-based SaaS applications.
What Requirements does DORA place on Financial Services Companies?
DORA encompasses five primary domains crucial for the robust functioning of digital operations within financial services:
ICT Risk Management
Strategies and protocols for identifying, assessing, and mitigating risks associated with information and communication technology (ICT) systems.
ICT-Related Incident Reporting
Procedures for classifying ICT-related incidents and reporting major incidents to the relevant competent authorities.
Digital Operational Resilience Testing
Testing methodologies and frameworks to evaluate the resilience and reliability of digital operations under various stress scenarios.
Management of Third-Party Risk
Practices and protocols for managing risks posed by third-party service providers, vendors, and partners in the digital ecosystem.
Information and Intelligence Sharing
Mechanisms for the exchange of critical information and intelligence related to cyber threats, vulnerabilities, and incidents among relevant stakeholders.
Financial service providers must demonstrate capability in the following key areas to ensure compliance with DORA and uphold operational resilience:
Identification
The ability to document all users, their roles, and their responsibilities within the application
Protection and prevention
Must develop policies and deploy tools that monitor configurations to ensure the resilience and continued availability of the application
Detection
Continuously monitor user behavior to detect indicators of compromise (IOCs) affecting the application
Learning and evolving
Build an audit trail for the purpose of post-breach analysis following any cybersecurity incident
Manage third-party risk
Ensure that all integrated third-party applications meet the same security standards applied to the core SaaS applications they connect to
How Does DORA Impact SaaS Security?
SaaS security is a subset of ICT risk management focused on securing the SaaS applications and platforms used in financial service operations. Organizations working toward DORA compliance must secure these applications against the principal SaaS attack vectors:
Misconfigurations
Organizations must take steps to identify settings that are poorly configured and can lead to data breaches and service outages.
Identity Security
Security teams must monitor and manage all users, ensuring that entitlements follow the principle of least privilege. Furthermore, organizations must be able to identify users who retained access after termination, dormant user accounts, and accounts for external users.
Devices
Each user device brings an element of risk to the SaaS application. Security teams must reduce this risk by identifying high-risk devices and associating them with the specific users, and privilege levels, that sign in from them.
Third-Party Applications
Many third-party applications request OAuth scopes beyond what their functionality requires, exposing the company both to malicious apps and to legitimate apps whose access is later taken over by a threat actor.
Data Management
Organizations must secure documents and other digital assets through access controls and share permissions. A document shared with "anyone with the link", for example, cannot be protected by any other control until its share setting is changed.
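The identity, third-party application, and data management checks listed above can be expressed as simple posture rules over an inventory export. The following is an added example, not code from the original page or from any SSPM vendor; the user, OAuth app, and share records, the HR termination feed, the corporate domain, the 90-day dormancy threshold, and all field names are constructed assumptions for illustration and do not correspond to any real SaaS API.

```python
"""Added example: posture checks over a constructed SaaS inventory.

Flags terminated users who are still active, dormant accounts, external
accounts (with their role), OAuth apps holding scopes beyond what was
approved at review, and documents shared with anyone who has the link.
All data and field names below are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

CORP_DOMAIN = "example.com"          # assumed corporate e-mail domain
DORMANT_AFTER = timedelta(days=90)   # assumed dormancy threshold
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "now" so the run is reproducible

# Constructed HR feed: accounts whose owners have left the company.
TERMINATED = {"bob@example.com"}

# Constructed SaaS user export (ISO-8601 last-login timestamps, None = never).
USERS = [
    {"email": "alice@example.com", "role": "admin", "active": True,  "last_login": "2024-05-30T09:00:00+00:00"},
    {"email": "bob@example.com",   "role": "user",  "active": True,  "last_login": "2024-05-20T08:00:00+00:00"},
    {"email": "carol@example.com", "role": "user",  "active": True,  "last_login": "2024-01-10T10:00:00+00:00"},
    {"email": "dan@partner.io",    "role": "admin", "active": True,  "last_login": "2024-05-29T15:00:00+00:00"},
    {"email": "erin@example.com",  "role": "user",  "active": False, "last_login": None},
]

# Constructed OAuth app inventory: scopes currently granted vs. scopes approved at review.
APPS = [
    {"name": "Calendar Sync", "scopes": {"calendar.readonly"},
     "approved": {"calendar.readonly"}},
    {"name": "PDF Helper", "scopes": {"drive", "mail.readonly", "admin.directory.user"},
     "approved": {"drive.file"}},
]

# Constructed document share settings.
SHARES = [
    {"doc": "Q3 forecast.xlsx", "link_access": "anyone_with_link"},
    {"doc": "Team offsite.docx", "link_access": "domain"},
    {"doc": "Board minutes.pdf", "link_access": "restricted"},
]


def _parse(ts):
    return datetime.fromisoformat(ts) if ts else None


def identity_findings(users, terminated, now=NOW):
    """Return (email, reason) pairs for active accounts that violate the identity rules."""
    findings = []
    for u in users:
        if not u["active"]:
            continue  # already deprovisioned; nothing to flag
        email = u["email"]
        if email in terminated:
            findings.append((email, "active after termination"))
        last = _parse(u["last_login"])
        if last is None or now - last > DORMANT_AFTER:
            findings.append((email, "dormant"))
        if not email.endswith("@" + CORP_DOMAIN):
            findings.append((email, f"external user, role={u['role']}"))
    return findings


def overscoped_apps(apps):
    """Return (app name, sorted list of scopes granted beyond the approved set)."""
    return [(a["name"], sorted(a["scopes"] - a["approved"]))
            for a in apps if a["scopes"] - a["approved"]]


def public_shares(shares):
    """Return documents reachable by anyone holding the link."""
    return [s["doc"] for s in shares if s["link_access"] == "anyone_with_link"]


if __name__ == "__main__":
    for email, reason in identity_findings(USERS, TERMINATED):
        print(f"identity: {email}: {reason}")
    for name, extra in overscoped_apps(APPS):
        print(f"third-party app: {name} holds unapproved scopes {extra}")
    for doc in public_shares(SHARES):
        print(f"data: '{doc}' is shared with anyone with the link")
```

Note that the dormancy rule also catches accounts that have never logged in, and that external accounts are reported with their role so that an external admin stands out from an external read-only collaborator.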
In addition, DORA requires that financial entities have mechanisms in place to detect anomalous activities and identify material single points of failure. These mechanisms must enable multiple layers of control and lead to incident response activities.
What Tools Secure the SaaS Stack and Comply with DORA?
Organizations striving for DORA compliance should deploy a SaaS Security Posture Management (SSPM) platform. SSPMs automatically review application settings and alert stakeholders when configurations drift from the approved baseline. This dashboard visibility into applications allows app administrators and security teams to protect the application.
SSPMs also review user logs. They can identify over-permissioned users, find dormant accounts, monitor external users, and ensure that terminated employees are fully deprovisioned from corporate applications. They can also associate devices with users, making it easy to find high-risk devices being used by high-privilege accounts.
Third-party application detection and monitoring is another key SSPM function. SSPMs review connected apps, identify those that are behaving anomalously or hold excessive scopes, and allow administrators to revoke the app's access.
Can an SSPM Detect Threats?
SSPMs with Identity Threat Detection and Response (ITDR) capabilities use data from across the SaaS stack to find threats and alert security teams. ITDR identifies anomalies in user behavior and scans audit logs to detect indicators of compromise (IOCs) and active threats.
Detections can draw on signals ranging from source IP data to user behavior. Because the data comes from across the SaaS stack rather than a single application, the resulting data set is richer and gives more context about each threat. This type of threat detection supports DORA's requirement for mechanisms that promptly detect anomalous activity.
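To make the detection logic concrete, here is an added example of the kind of audit-log analysis described above; it is not code from the original page or from any SSPM or ITDR product. It runs three constructed rules (login from an IP outside the user's baseline, impossible travel between two countries within a short window, and a burst of downloads) over constructed audit log lines. The log format, the per-user IP baseline, the two-hour travel window, and the five-downloads-in-ten-minutes threshold are all assumptions chosen for illustration.

```python
"""Added example: behavioral anomaly detection over constructed SaaS audit logs.

Each line is "<timestamp> <action> <user> <source-ip> <country>". The format,
thresholds, and baseline below are constructed for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log: alice logs in from Germany, then 18 minutes later from
# an unknown IP in Brazil and pulls six files in under a minute; bob is benign.
LOG = """\
2024-06-03T08:02:11Z login alice@example.com 203.0.113.5 DE
2024-06-03T08:15:40Z download alice@example.com 203.0.113.5 DE
2024-06-03T08:20:02Z login alice@example.com 198.51.100.9 BR
2024-06-03T08:21:00Z download alice@example.com 198.51.100.9 BR
2024-06-03T08:21:10Z download alice@example.com 198.51.100.9 BR
2024-06-03T08:21:20Z download alice@example.com 198.51.100.9 BR
2024-06-03T08:21:30Z download alice@example.com 198.51.100.9 BR
2024-06-03T08:21:40Z download alice@example.com 198.51.100.9 BR
2024-06-03T09:00:00Z login bob@example.com 203.0.113.7 DE
"""

# Constructed baseline of IPs each user has previously logged in from.
BASELINE_IPS = {
    "alice@example.com": {"203.0.113.5"},
    "bob@example.com": {"203.0.113.7"},
}

TRAVEL_WINDOW = timedelta(hours=2)        # assumed: two countries within 2h is "impossible travel"
DOWNLOAD_LIMIT = 5                        # assumed: 5 downloads ...
DOWNLOAD_WINDOW = timedelta(minutes=10)   # ... within 10 minutes is a mass-download burst


def parse_log(text):
    """Parse the constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, user, ip, country = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "action": action, "user": user, "ip": ip, "country": country,
        })
    return events


def detect(events, baseline):
    """Return (user, rule, detail) alerts in the order they fire."""
    alerts = []
    logins = defaultdict(list)      # user -> prior login events
    downloads = defaultdict(list)   # user -> download timestamps inside the sliding window
    for e in sorted(events, key=lambda ev: ev["ts"]):
        user = e["user"]
        if e["action"] == "login":
            if e["ip"] not in baseline.get(user, set()):
                alerts.append((user, "login from unknown IP", e["ip"]))
            for prev in logins[user]:
                if prev["country"] != e["country"] and e["ts"] - prev["ts"] <= TRAVEL_WINDOW:
                    alerts.append((user, "impossible travel", f"{prev['country']}->{e['country']}"))
                    break
            logins[user].append(e)
        elif e["action"] == "download":
            window = downloads[user]
            window.append(e["ts"])
            # Drop timestamps that have fallen out of the sliding window.
            while window and e["ts"] - window[0] > DOWNLOAD_WINDOW:
                window.pop(0)
            # Fire once, when the threshold is first crossed.
            if len(window) == DOWNLOAD_LIMIT:
                minutes = int(DOWNLOAD_WINDOW.total_seconds() // 60)
                alerts.append((user, "mass download", f"{DOWNLOAD_LIMIT} downloads in {minutes} min"))
    return alerts


if __name__ == "__main__":
    for user, rule, detail in detect(parse_log(LOG), BASELINE_IPS):
        print(f"ALERT {rule}: {user} ({detail})")
```

The three rules reinforce one another: the unknown-IP and impossible-travel alerts on the same session raise the confidence that the subsequent download burst is exfiltration rather than a busy user, which is the kind of cross-signal context the paragraph above refers to.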