Exploring SaaS Security with DORA

A few years ago, the EU recognized the need to strengthen the operational resilience of its financial institutions. Realizing that a significant cyberattack had the potential to undermine and overwhelm vulnerable financial institutions, it created legislation to force those in the financial arena – including EU-based banks, credit institutions, and even crowdfunding platforms and crypto-asset service providers – to reduce their cyber risk.

The Digital Operational Resilience Act (DORA) came into force over a year ago, but financial organizations have until 17 January 2025 to comply with the act.

Those who fail to create internal structures to limit their cyber risk could be fined up to 2% of their total annual global turnover or 1% of their average daily global turnover. Those penalties can be significant.

In response, EU-based financial services companies are looking at solutions that can secure their digital (and physical) landscape. Central to their effort is securing SaaS applications that are used to manage users, accounts, financial services, and other critical operational touchpoints.

DORA’s Security Demands

As part of DORA compliance, financial services companies must develop policies and deploy tools to monitor configurations and ensure the continued availability of each application. They must also document and manage all users, their roles, and their responsibilities within the application, as well as third-party applications and the scopes they have been granted.

As part of their SaaS security capabilities, organizations must be able to detect Indications of Compromise (IOC) within the application and identify threats. For example, if a user logs in to an application from an untrustworthy IP address using a different computer operating system than usual, that login should be flagged and investigated.
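As an added illustration (not part of the original article), the following Python example implements the check just described: it builds a per-user baseline of operating systems from earlier logins and flags a login that comes from an untrusted IP range and from an OS the user has not been seen on before. The log events, user names and untrusted network range are constructed sample data.

```python
# Added example: ITDR-style login anomaly check over constructed sample data.
import ipaddress
import json
from collections import defaultdict

# Constructed: untrusted network ranges (in practice, a threat-intel feed).
UNTRUSTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed JSON login events in chronological order.
SAMPLE_LOG = [
    '{"user": "alice", "ip": "203.0.113.10", "os": "Windows", "ts": "2024-05-01T08:00:00Z"}',
    '{"user": "alice", "ip": "203.0.113.11", "os": "Windows", "ts": "2024-05-02T08:05:00Z"}',
    '{"user": "alice", "ip": "198.51.100.7", "os": "Linux",   "ts": "2024-05-03T02:13:00Z"}',
    '{"user": "bob",   "ip": "203.0.113.20", "os": "macOS",   "ts": "2024-05-01T09:00:00Z"}',
    '{"user": "bob",   "ip": "203.0.113.20", "os": "macOS",   "ts": "2024-05-03T09:10:00Z"}',
]


def is_untrusted(ip: str) -> bool:
    """True if the address falls inside any untrusted network range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in UNTRUSTED_NETWORKS)


def flag_logins(log_lines, min_history=1):
    """Return (findings, baseline).

    A login is flagged when it comes from an untrusted IP AND uses an OS the
    user has never logged in from before. A user needs at least `min_history`
    prior logins so there is a baseline to compare against. Flagged events are
    not added to the baseline until an analyst has confirmed them as benign.
    """
    seen_os = defaultdict(set)  # per-user baseline of operating systems
    findings = []
    for line in log_lines:
        ev = json.loads(line)
        user, os_name = ev["user"], ev["os"]
        new_os = os_name not in seen_os[user]
        has_history = len(seen_os[user]) >= min_history
        if has_history and new_os and is_untrusted(ev["ip"]):
            findings.append({"user": user, "ts": ev["ts"], "ip": ev["ip"],
                             "reason": f"untrusted IP and first login from {os_name}"})
            continue
        seen_os[user].add(os_name)
    return findings, dict(seen_os)


if __name__ == "__main__":
    for finding in flag_logins(SAMPLE_LOG)[0]:
        print(finding)
```

In a real deployment the events would come from the SaaS application's audit log feed and the findings would be forwarded to the SIEM for investigation.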

Organizations must also build an audit trail for the purpose of post-breach analysis following any cybersecurity incident. In practice, this means capturing the application logs.

The Right Tool for DORA’s Backpack

Companies typically take one of three approaches to secure their SaaS stack. Some rely on manual audits, but these snapshots in time lack the continuous monitoring and automation DORA requires. A company relying on manual audits that then suffers a breach should expect significant financial penalties for essentially ignoring DORA.

A second approach is the use of cloud access security brokers (CASB) to secure SaaS applications. CASBs are somewhat effective, but they view the application from the outside, so they miss user-to-SaaS context and the nuances of in-application behaviour. Their lack of adaptability and difficulty in tracking history make CASBs a poor choice for DORA compliance.

SaaS Security Posture Management (SSPM) was designed to secure the SaaS stack. It automates configuration monitoring across every application, manages users, and discovers third-party apps that are connected to the SaaS applications. SSPM also delivers important Identity Threat Detection & Response (ITDR) capabilities: ITDR identifies indications of compromise (IOC) and alerts users when those indicate a threat is underway. With its deep visibility into SaaS applications, as well as its audit trail capabilities, SSPM is well suited to DORA compliance.

Finding the Right SSPM Provider

There are a number of SSPM products available on the market today, but not all provide the same level of coverage. The ideal SSPM is one that provides coverage against all SaaS attack vectors, including misconfiguration management, identity security governance, user-device monitoring, and third-party application discovery.

SSPMs should also enable users to manage the permissions of complex applications, such as Workday or Salesforce, and monitor permissions on shared documents and data files. They should also fit within the existing security infrastructure, connecting to the SIEM and SOAR tools that are used to remediate issues.

It’s clear that the EU is taking steps to reduce cyber risk within its member states. DORA and NIS2, an additional directive targeting critical infrastructure and essential services entities, are both reactions to the increased pressure the region is feeling from threat actors, and both give teeth to enforcement. Organizations looking to avoid probes by regulators should implement an SSPM solution to secure their SaaS stack.
