What is DORA?

The European Union’s Digital Operational Resilience Act (DORA) came into force on January 16th, 2023, but organizations had until January 17th, 2025, to become compliant. Financial institutions, including banks, insurance companies, and investment firms, must comply with the legislation’s strict rules for cybersecurity protection, detection, containment, recovery, and repair capabilities or face penalties.

Where does DORA fit in with SaaS security?

DORA was created by the EU to strengthen the operational resilience of its financial entities. The EU recognized that the digital transformation taking place in the financial services industry placed an unprecedented reliance on technology. Financial services would be impacted if that technology were compromised by a cyber attack. DORA covers Information and Communications Technology (ICT), which includes cloud-based SaaS applications.

What requirements does DORA place on financial services companies?

DORA encompasses five primary domains crucial for the robust functioning of digital operations within financial services:

  • ICT risk management: Strategies and protocols for identifying, assessing, and mitigating risks associated with information and communication technology (ICT) systems.
  • Reporting: Procedures and standards for comprehensive reporting on operational resilience and risk management activities.
  • Digital operational resilience testing: Testing methodologies and frameworks to evaluate the resilience and reliability of digital operations under various stress scenarios.
  • Management of third-party risk: Practices and protocols for managing risks posed by third-party service providers, vendors, and partners in the digital ecosystem.
  • Information and intelligence sharing: Mechanisms for the exchange of critical information and intelligence related to cyber threats, vulnerabilities, and incidents among relevant stakeholders.

Financial service providers must demonstrate capability in the following key areas to ensure compliance with DORA and uphold operational resilience:

  • Identification: The ability to document all users, their roles, and their responsibilities within the application.
  • Protection and prevention: Develop policies and deploy tools that monitor configurations to ensure the resilience and continued availability of the application.
  • Detection: Promptly monitor user behavior to detect indicators of compromise (IOCs) for the application.
  • Learning and evolving: Build an audit trail for the purpose of post-breach analysis following any cybersecurity incident.
  • Manage third-party risk: Ensure that all integrated applications maintain the same security standards that are applied to the hub SaaS applications.

How does DORA impact SaaS security?

SaaS security is a subset of ICT risk management focused on securing the SaaS applications and platforms used within financial service operations. Organizations working toward DORA compliance must secure these applications against known attack vectors.

Misconfigurations

Organizations must take steps to identify settings that are poorly configured and can lead to data breaches and service outages.

Identity security

Security teams must monitor and manage all users, ensuring that entitlements follow the principle of least privilege. Furthermore, organizations must be able to identify users who retained access after termination, dormant user accounts, and accounts for external users.

Devices

Each user device brings an element of risk to the SaaS application. Security teams must eliminate this risk by identifying high-risk devices and associating them with specific users.

Third-party applications security

Many applications request intrusive scopes beyond what is needed for their functionality, exposing the company to potential malicious apps or legitimate apps that are taken over by a threat actor.

Data management

Organizations must secure documents and other digital assets through access controls and share permissions. Documents shared with anyone with a link, for example, cannot be secured without changing the share settings.

In addition, DORA requires that financial entities have mechanisms in place to detect anomalous activities and identify material single points of failure. These mechanisms must enable multiple layers of control and lead to incident response activities.

What tools secure the SaaS stack and comply with DORA?

Organizations striving for DORA compliance should deploy a SaaS security posture management (SSPM) and application security posture management (ASPM) platform. An SSPM automatically reviews application settings and alerts stakeholders when configurations drift. This dashboard visibility into applications allows app administrators and security teams to protect the application.
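The drift review described above, and the misconfiguration and link-sharing concerns from the earlier sections, can be reduced to a baseline comparison. The following is an added example, not CrowdStrike or Falcon Shield code: it compares a constructed snapshot of tenant settings against an approved baseline and reports every setting that drifted. Every setting key, value, rule and severity here is an assumption made for illustration, not a real product's configuration schema.

```python
"""Configuration drift check for a SaaS tenant.

Added example, not CrowdStrike or Falcon Shield code. It compares an
observed snapshot of tenant settings against an approved baseline and
reports every setting that drifted, including the kind of link-sharing
setting the Data management section describes. All setting keys,
values, rules and severities are constructed for illustration.
"""
from dataclasses import dataclass

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# Approved baseline (constructed): setting -> (expected value, rule, severity).
#   "equal": observed must equal expected
#   "max":   observed must be <= expected (e.g. an idle timeout)
#   "min":   observed must be >= expected (e.g. log retention)
BASELINE = {
    "mfa.required_for_all_users": (True, "equal", "high"),
    "sharing.default_link_access": ("restricted", "equal", "high"),
    "sharing.external_allowed": (False, "equal", "medium"),
    "session.idle_timeout_minutes": (30, "max", "low"),
    "audit.log_retention_days": (365, "min", "medium"),
}

# Constructed snapshot, shaped like what an SSPM might pull from a tenant's admin API.
OBSERVED_SNAPSHOT = {
    "mfa.required_for_all_users": False,                # drift: MFA switched off
    "sharing.default_link_access": "anyone_with_link",  # drift: open link sharing
    "sharing.external_allowed": False,                  # matches baseline
    "session.idle_timeout_minutes": 15,                 # stricter than baseline: fine
    # "audit.log_retention_days" is absent from the snapshot on purpose
}


@dataclass(frozen=True)
class Drift:
    setting: str
    expected: object
    observed: object
    severity: str


def _compliant(observed, expected, rule):
    """Apply the baseline rule for one setting."""
    if rule == "equal":
        return observed == expected
    if rule == "max":
        return observed <= expected
    if rule == "min":
        return observed >= expected
    raise ValueError(f"unknown rule {rule!r}")


def detect_drift(observed, baseline=BASELINE):
    """Return drift findings sorted by severity; a missing setting counts as drift."""
    findings = []
    for setting, (expected, rule, severity) in baseline.items():
        if setting not in observed:
            findings.append(Drift(setting, expected, None, severity))
        elif not _compliant(observed[setting], expected, rule):
            findings.append(Drift(setting, expected, observed[setting], severity))
    return sorted(findings, key=lambda d: (SEVERITY_ORDER[d.severity], d.setting))


def should_alert(findings, threshold="medium"):
    """Alert stakeholders when any finding is at or above the severity threshold."""
    return any(SEVERITY_ORDER[f.severity] <= SEVERITY_ORDER[threshold] for f in findings)


if __name__ == "__main__":
    drift = detect_drift(OBSERVED_SNAPSHOT)
    for f in drift:
        print(f"[{f.severity}] {f.setting}: expected {f.expected!r}, observed {f.observed!r}")
    print("alert stakeholders:", should_alert(drift))
```

The "max" and "min" rules matter in practice: a tenant whose idle timeout is shorter than the baseline has not drifted in the direction that weakens security, and flagging it would only add noise to the alerts administrators must triage. A setting that is missing from the snapshot is treated as drift because an SSPM cannot attest to a control it cannot observe.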

SSPMs also review user logs. They can identify over-permissioned users, find dormant accounts, monitor external users, and ensure that terminated employees are fully deprovisioned from corporate applications. They can also associate devices with users, making it easy to find high-risk devices being used by high-privilege accounts.
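The user-log review described here, together with the identity and device points from the "Identity security" and "Devices" sections, amounts to a handful of checks over a user export. The following is an added example, not CrowdStrike or Falcon Shield code: it runs those checks over a constructed user list and HR leaver feed. All e-mail addresses, domains, roles, entitlement names, dates and device risk labels are assumptions made for illustration.

```python
"""SaaS identity audit: dormant, terminated, external, over-permissioned and risky-device users.

Added example, not CrowdStrike or Falcon Shield code. Every user, domain,
role, entitlement, date and device label below is constructed.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)   # constructed audit time
CORP_DOMAIN = "example.com"                        # constructed corporate domain
DORMANT_AFTER = timedelta(days=90)                 # constructed policy threshold

# Entitlements each role legitimately needs (constructed least-privilege map).
ROLE_ENTITLEMENTS = {
    "analyst": {"read_reports"},
    "app_admin": {"read_reports", "manage_users", "manage_settings"},
}

# Constructed user export, shaped like what an SSPM might pull from a SaaS API.
USERS = [
    {"email": "ana@example.com", "role": "app_admin", "status": "active",
     "entitlements": {"read_reports", "manage_users", "manage_settings"},
     "last_login": "2025-02-27T09:12:00Z", "device_risk": "high"},
    {"email": "ben@example.com", "role": "analyst", "status": "active",
     "entitlements": {"read_reports", "manage_users"},
     "last_login": "2024-10-01T08:00:00Z", "device_risk": "low"},
    {"email": "carla@example.com", "role": "analyst", "status": "active",
     "entitlements": {"read_reports"},
     "last_login": "2025-02-20T10:00:00Z", "device_risk": "low"},
    {"email": "dave@partner.example.org", "role": "analyst", "status": "active",
     "entitlements": {"read_reports"},
     "last_login": "2025-02-25T11:30:00Z", "device_risk": "low"},
]

# Constructed HR leaver feed: people whose employment has ended.
HR_TERMINATED = {"ben@example.com"}


def _parse(ts):
    """Parse the export's UTC timestamp format."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def dormant_accounts(users, now=NOW, threshold=DORMANT_AFTER):
    """Active accounts with no login inside the dormancy window."""
    return [u["email"] for u in users
            if u["status"] == "active" and now - _parse(u["last_login"]) > threshold]


def terminated_still_active(users, leavers=HR_TERMINATED):
    """Accounts the HR feed says have left but that are still active in the app."""
    return [u["email"] for u in users if u["status"] == "active" and u["email"] in leavers]


def external_users(users, corp_domain=CORP_DOMAIN):
    """Accounts whose address is outside the corporate domain."""
    return [u["email"] for u in users
            if not u["email"].lower().endswith("@" + corp_domain)]


def over_permissioned(users, role_map=ROLE_ENTITLEMENTS):
    """Users holding entitlements their role does not need, with the excess listed."""
    findings = []
    for u in users:
        extra = u["entitlements"] - role_map.get(u["role"], set())
        if extra:
            findings.append((u["email"], sorted(extra)))
    return findings


def high_risk_device_privileged(users, privileged_entitlement="manage_settings"):
    """Privileged accounts signing in from a device the posture source rated high risk."""
    return [u["email"] for u in users
            if privileged_entitlement in u["entitlements"] and u["device_risk"] == "high"]


def audit(users=USERS):
    """Run every check and return one report an SSPM dashboard could render."""
    return {
        "dormant": dormant_accounts(users),
        "terminated_still_active": terminated_still_active(users),
        "external": external_users(users),
        "over_permissioned": over_permissioned(users),
        "high_risk_device_privileged": high_risk_device_privileged(users),
    }


if __name__ == "__main__":
    for check, result in audit().items():
        print(f"{check}: {result}")
```

The terminated check deliberately cross-references an HR feed rather than the application's own status field, since the failure mode the text names is precisely that the application still thinks the user is active. The over-permissioned check compares each user's actual entitlements with a role-to-entitlement map, which is the concrete form the principle of least privilege takes in a SaaS tenant.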

Third-party detection and monitoring is another key SSPM function. SSPMs review connected apps, identify those that are acting anomalously or have excessive scopes, and allow users to decouple the application.
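The connected-app review described here, and the over-scoped application risk raised in the "Third-party applications security" section, can be checked against a policy of which scopes each kind of app actually needs, plus a simple activity baseline per app. The following is an added example, not CrowdStrike or Falcon Shield code. The app names, scope strings, app categories and daily call counts are assumptions constructed for illustration; the anomaly rule is a plain z-score over the app's own prior days, chosen for clarity rather than taken from any product.

```python
"""Third-party (OAuth) app review: excessive scopes and anomalous activity.

Added example, not CrowdStrike or Falcon Shield code. App names, scope
strings, categories and call counts are constructed for illustration.
"""
from statistics import mean, pstdev

# Scopes treated as intrusive whatever the app's purpose (constructed policy).
SENSITIVE_SCOPES = {"mail.readwrite", "files.readwrite.all", "directory.readwrite"}

# Scopes each app category legitimately needs (constructed policy).
NEEDED_BY_CATEGORY = {
    "calendar_sync": {"calendar.read", "user.read"},
    "file_viewer": {"files.read", "user.read"},
}

# Constructed inventory of apps connected to the tenant, with seven days of API calls.
CONNECTED_APPS = [
    {"name": "MeetingBot", "category": "calendar_sync",
     "scopes": {"calendar.read", "user.read"},
     "daily_api_calls": [110, 95, 120, 100, 105, 98, 112]},
    {"name": "QuickView", "category": "file_viewer",
     "scopes": {"files.read", "files.readwrite.all", "user.read"},
     "daily_api_calls": [40, 38, 45, 42, 39, 41, 900]},
]


def excessive_scopes(app, needed_by_category=NEEDED_BY_CATEGORY):
    """Granted scopes beyond what the app's category needs; unknown categories need nothing."""
    needed = needed_by_category.get(app["category"], set())
    return sorted(app["scopes"] - needed)


def is_anomalous(daily_calls, z_threshold=3.0):
    """True if the latest day sits more than z_threshold standard deviations above the prior days.

    With fewer than three prior days there is no baseline, so nothing is flagged.
    If the prior days never varied (sigma == 0), a doubling is used as the
    constructed fallback rule instead of dividing by zero.
    """
    history, latest = daily_calls[:-1], daily_calls[-1]
    if len(history) < 3:
        return False
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:
        return latest > 2 * mu
    return (latest - mu) / sigma > z_threshold


def review(apps=CONNECTED_APPS):
    """One finding per app that is over-scoped or behaving anomalously."""
    findings = []
    for app in apps:
        extra = excessive_scopes(app)
        sensitive = sorted(set(extra) & SENSITIVE_SCOPES)
        anomalous = is_anomalous(app["daily_api_calls"])
        if extra or anomalous:
            findings.append({
                "name": app["name"],
                "excessive_scopes": extra,
                "sensitive_excess": sensitive,
                "anomalous_activity": anomalous,
                # Recommend decoupling when an intrusive scope is held without need,
                # or when activity departs sharply from the app's own baseline.
                "recommend_decouple": bool(sensitive) or anomalous,
            })
    return findings


if __name__ == "__main__":
    for f in review():
        print(f)
```

Keeping "excessive" and "sensitive" separate lets a reviewer distinguish an app that merely asked for one extra harmless scope from one holding write access to every file, which is the case the text's "intrusive scopes" warning is about; only the latter, or a sudden activity spike, drives the decouple recommendation.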

Can an SSPM detect threats?

SSPMs with identity threat detection and response (ITDR) capabilities use data from across the SaaS stack to find threats and alert security teams. ITDR finds behavioral anomalies in user activity and scans audit logs to detect indicators of compromise (IOCs) and threats.

Threat signals can range from IP data to user behavior. Because the data comes from across the SaaS stack, the data set is far richer and gives more context about the threat. This type of threat detection is typically compliant with DORA requirements.

Best practices for SaaS providers

Some best practices for SaaS providers include:

  • Leverage security platforms: Utilize comprehensive security and compliance platforms tailored to the unique needs of SaaS applications in the financial sector. These platforms can facilitate identity management, misconfiguration management, threat detection, and data management, ensuring alignment with DORA requirements.
  • Regular resilience testing: Conduct regular testing of digital operational resilience, including scenarios where a cloud service provider fails. This ensures preparedness and the ability to execute transitions smoothly to minimize customer impact.
  • Robust backup and recovery: Implement backup policies and procedures that ensure data is protected from risks arising from data management, including human error. Regularly test these procedures to ensure prompt restoration after ICT-related disruptions.

Hananel Livneh is a Product Marketing Manager at CrowdStrike focusing on Falcon Shield securing the SaaS world. Hananel was most recently the Head of Product Marketing at Adaptive Shield, a SaaS security company. Prior to that he was Senior Product Analyst at Vdoo, an embedded cybersecurity company. Hananel holds an MBA with honors from the OUI, and has a BA from Hebrew University in Economics, Political science, and Philosophy (PPE).