Building a Modern Identity Capability to Tackle DORA
Hackers are quick to take advantage of every vulnerability in an organisation’s armour, and they particularly exploit poorly managed identities. An organisation might have the strongest firewalls, encryption, anti-malware, vulnerability scanners, and risk management tools in the world, but if identities are not managed securely, one critical gap remains in its cybersecurity arsenal.
Identity-based cyber-attacks focus primarily on compromised user credentials to access systems and data. Unfortunately, cybercriminals know that identities are one of the best ways to gain control over the IT environment. These attacks not only impact the business, but also its customers, stakeholders, and the organisation’s wider partner ecosystem.
The emergence of new regulation
To tackle this growing risk and other systemic cyber risks associated with digital systems, the European Union (EU) is forging ahead with new regulations. The Digital Operational Resilience Act (DORA), which comes into force on 17th January 2025, is primarily focused on driving operational resilience improvements across the EU’s 22,000 financial entities. The Act covers five key areas:
- IT risk management
- Incident management and reporting
- Digital operational resilience testing
- Third-party IT risk management
- Information sharing
DORA applies not just to banks, but to credit institutions, payments providers, insurance companies, investment firms, fund managers, pension funds, crypto-asset services, IT third-party service providers, crowdfunding services, and more. Therefore, any financial services organisation operating in the EU – or based outside the EU but providing services to EU citizens or banking entities – that is under the illusion that DORA doesn’t apply to their business, should think again.
Robust identity management will help companies comply
To comply with DORA, financial organisations and critical third-party IT providers will be required to define, approve, oversee, and be accountable for the implementation of all arrangements related to DORA’s risk-management framework. One of the ways to meet these requirements is to have robust identity and access management (IAM) in place.
Modern IAM ensures that only the right people have access to the right information at the right time from trusted devices, networks, and endpoints. Access rights can be defined at the departmental level down to the individual role, with attributes that determine what each person can access according to their functional role and responsibilities. This lets people access the data and make the changes their jobs require, and nothing else.
DORA mandates firms to adopt IT governance and control frameworks, including an IT risk management framework that is documented and regularly reviewed. With this mandate, it's critical that an organisation’s IAM provides visibility across all levels of access in the information, communication, and technology (ICT) environment.
Managing the employee identity lifecycle
Adding automation to your IAM processes helps to manage access for one of the most fundamental elements of your ICT ecosystem - your employees. Modern IAM tools and platforms let you automate the entire lifecycle of your employees and their access. Consider a common example: an employee joins a company in one role, gets promoted or even changes departments and business units, and then leaves the company. At every step, organisations need to ensure that the right access is available, dynamic, and, most importantly, closed off immediately when an employee leaves a role, department, or organisation. This prevents ‘access creep’ and stops ex-employees from retaining access.
Key to DORA is the requirement for organisations to promptly log any cyber security incidents and report major incidents to the appropriate authorities. Modern IAM tools and platforms make it easier to trace what was done, who did it, and where in the system it happened. They can also help to define who has reporting obligations and to which regulatory authorities.
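The two preceding sections describe a joiner/mover/leaver lifecycle in which access is derived from the current role, revoked on departure, and recorded in a trail of who changed what. The following Python model is an added illustration, not code from the article or from any IAM product it mentions. The role names, entitlement strings and user identifiers are constructed sample data; the `revoke_stale=False` path reproduces the legacy behaviour the article warns about (a move that only adds access), and `access_creep` is the review check that surfaces entitlements a user's current role no longer justifies.

```python
"""Joiner/mover/leaver lifecycle with an audit trail (added example, not the article's code).

Each user's effective access is computed from their *current* role; a mover
that does not revoke the old role's entitlements produces 'access creep',
which the review check below detects. All role and entitlement names are
constructed sample data."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed role model (assumption): which entitlements each role justifies.
ROLE_ENTITLEMENTS = {
    "payments-analyst": {"ledger:read", "case-tool:write"},
    "payments-manager": {"ledger:read", "ledger:approve", "case-tool:write"},
    "hr-admin": {"hris:admin"},
}


@dataclass
class User:
    user_id: str
    role: Optional[str]            # None once the user has left
    granted: set = field(default_factory=set)


@dataclass
class AuditEvent:
    when: str      # UTC timestamp of the change
    actor: str     # who made the change (HR feed, IAM admin, ...)
    action: str    # joiner / mover / leaver / grant
    subject: str   # the user whose access changed
    detail: str    # what exactly changed


class Directory:
    def __init__(self):
        self.users: dict = {}
        self.audit: list = []

    def _log(self, actor, action, subject, detail):
        self.audit.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), actor, action, subject, detail))

    def joiner(self, actor, user_id, role):
        """Create the user with exactly the entitlements their role justifies."""
        user = User(user_id, role, set(ROLE_ENTITLEMENTS[role]))
        self.users[user_id] = user
        self._log(actor, "joiner", user_id, f"role={role} granted={sorted(user.granted)}")
        return user

    def ad_hoc_grant(self, actor, user_id, entitlement):
        """Out-of-role grant; legitimate at times, but it must show up in review."""
        self.users[user_id].granted.add(entitlement)
        self._log(actor, "grant", user_id, entitlement)

    def mover(self, actor, user_id, new_role, revoke_stale=True):
        """Role change. With revoke_stale=True access is recomputed from the new role;
        with False (legacy behaviour) old entitlements are kept, causing access creep.
        Returns the set of entitlements revoked."""
        user = self.users[user_id]
        old, new = set(user.granted), set(ROLE_ENTITLEMENTS[new_role])
        user.role = new_role
        user.granted = new if revoke_stale else old | new
        revoked = old - user.granted
        self._log(actor, "mover", user_id,
                  f"role={new_role} revoked={sorted(revoked)} added={sorted(new - old)}")
        return revoked

    def leaver(self, actor, user_id):
        """Close off every entitlement immediately; returns what was revoked."""
        user = self.users[user_id]
        revoked = set(user.granted)
        user.role, user.granted = None, set()
        self._log(actor, "leaver", user_id, f"revoked={sorted(revoked)}")
        return revoked

    def access_creep(self, user_id):
        """Entitlements the user holds that their current role does not justify."""
        user = self.users[user_id]
        return user.granted - ROLE_ENTITLEMENTS.get(user.role, set())

    def review(self):
        """Access review across the directory: users with unjustified entitlements."""
        return {uid: creep for uid in self.users if (creep := self.access_creep(uid))}

    def trail(self, user_id):
        """Audit events for one user: who did what to their access, and when."""
        return [e for e in self.audit if e.subject == user_id]


if __name__ == "__main__":
    d = Directory()
    d.joiner("hr-system", "u1001", "hr-admin")
    d.mover("hr-system", "u1001", "payments-analyst", revoke_stale=False)
    print("creep after legacy move:", d.review())          # {'u1001': {'hris:admin'}}
    d.mover("iam-admin", "u1001", "payments-analyst")       # recompute from current role
    print("creep after fix:", d.review())                   # {}
    d.leaver("hr-system", "u1001")
    for e in d.trail("u1001"):
        print(e.when, e.actor, e.action, e.detail)
```

The review output is what an auditor would ask for under the incident-reporting and governance requirements described above: the `trail` answers who changed a user's access and when, and `review` gives a repeatable check that no user retains entitlements from a previous role.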
One challenging aspect of DORA is the need to have secure IT systems beyond the boundaries of the primary organisation and into third-party suppliers. By defining access rights with suppliers and partners, you can continue to provide critical services with better security over your ICT ecosystem.
A plethora of identity tools
Organisations often use a variety of IAM tools to manage their identities. However, many are outdated or lack integration - with each other or with the broader ICT environment - leaving IT professionals to stitch this patchwork of tools together to gain visibility of access across the organisation. This is where investing in a centralised platform provides the basis for building a modern identity management capability for users and businesses.
These platforms can grant immediate access to the right tools at the right time for the right people, removing access requests from help-ticket queues. Likewise, users are equipped with the information and apps they need from the first moment they log in.
How a modern identity platform can help
Many organisations enforce best practices for long, complex passwords. But this drives users to resort to insecure methods of remembering them, or to re-use the same password across multiple business accounts.
A critical component of modern identity management is providing single sign-on (SSO), which eliminates password fatigue as users only need to provide one global password to access approved applications and tools. Coupled with the use of biometrics or authenticator apps, these platforms help to enhance security by centralising all authentication through one platform. Reducing the number of authentication points inherently limits an organisation’s points of vulnerability and minimises the chances of a cyber-attack.
This centralised user management approach allows IT teams to make changes to user identities seamlessly in the background, ensuring that any updated or restricted permissions automatically apply the next time a user logs in with SSO.
As we look ahead to 2025, with the ongoing complexity that comes with continued globalisation, hybrid work environments, and a multitude of devices and access points in an organisation’s ICT ecosystem, a modern approach to IAM will be crucial. With DORA in force from January 2025, it will be important to provide seamless, frictionless access to the resources employees need, regardless of whether they’re office-based, hybrid, or fully remote, while ensuring that organisations remain secure and compliant.