How does the Digital Operational Resilience Act (DORA) impact Active Directory and Entra ID?
The Digital Operational Resilience Act (DORA) is a proposed EU regulation that aims to enhance the cyber resilience of the financial sector. Getting started promptly with DORA is urgent, as enforcement begins January 17, 2025, for relevant financial entities and ICT third-party service providers.
It’s no secret that the information and communication technology (ICT) used across the finance industry suffers from systematic vulnerabilities, and there’s no consistent standard or framework for managing risk. DORA seeks to change this by providing uniform requirements for ICT risk management, incident reporting, testing and third-party oversight.
It’s easy to get overwhelmed by the number of frameworks and directives across the globe. DORA is the latest among an alphabet soup of industry or regional regulations. The NIS-2 Directive also includes the financial sector, but its scope is much broader, covering all critical infrastructure across the economy. DORA, however, specifically targets finance, introducing measures tailored to its unique characteristics and challenges.
While there are countless articles reciting the exhaustive list of items that make up the Digital Operational Resilience Act, this blog will focus on the articles that pertain to why Active Directory and Entra ID cyber resilience serve as a great starting point to begin your journey to compliance.
Active Directory and Entra ID impact every aspect of operational resilience
When one of your key applications becomes unavailable, the productivity of the teams who rely upon it will suffer. That’s bad enough. But if Microsoft Active Directory (AD) and/or Entra ID is unavailable, nearly everything shuts down. For this reason, these platforms sit at the center of all operational resilience and business continuity across any vertical, especially financial services and service providers subject to the Digital Operational Resilience Act. That’s because most organizations (about 90%) use Active Directory to manage identities and provide vital authentication and authorization services required to access nearly any business resource – your applications, databases, files and endpoints.
Further compounding the risk is the fact that 80% of breaches now involve the use of compromised identities, making Active Directory a prime target. The complexity of hybrid AD environments, combined with the growing potential for attacks, exposes vulnerabilities that malicious actors increasingly exploit, such as Kerberoasting, Golden Ticket and Pass-the-Hash attacks.
Executives should understand that at least 90% of their organization is dependent on AD to function.
– VP enterprise services, managed service provider
Whether you’re a bank, investment firm or credit institution, your core business functions are wholly dependent on the availability of your organization’s identity environment. Active Directory and Entra ID act as the heart of any board-level strategic objective, including not only demonstrating compliance with the Digital Operational Resilience Act or other regulations, but also mergers and acquisitions, reducing cybersecurity risks and accelerating digital transformation to the cloud. When directory services are made unavailable by cyberattacks or errors, risks become reality: financial services operations halt, customer transactions stall and reputations suffer. The costs of AD downtime are dire, reaching $730K per hour, as reported by Forrester.
Key DORA requirements that impact Active Directory and Entra ID
The Digital Operational Resilience Act seeks to ensure the continuity of critical financial services and mitigate the impact of operational disruptions caused by cyberattacks, IT failures or other incidents by establishing uniformity across ICT risk management, incident reporting, testing and third-party oversight.
When going through the regulation, it’s helpful to understand how it’s structured. There are nine chapters and 64 articles. This blog is not an exhaustive list of articles. If you want the authoritative source, you should consult the Official Journal of the European Union. This blog will focus on how hybrid Active Directory (and Quest solutions) play a pivotal role in each category.
ICT risk management
Financial entities are required to establish and maintain an internal governance and control framework that ensures effective ICT risk management frameworks, policies and procedures, taking into account the nature, scale and complexity of their activities and the level of ICT risk they face. Using an internationally recognized set of security principles, such as those from the International Organization for Standardization (ISO) or the National Institute of Standards and Technology (NIST), can accelerate success through a comprehensive set of objectives, requirements and processes. From here, you can build a strategy and demonstrate your ICT risk management maturity to executives, auditors, shareholders and others.
The NIST Cybersecurity Framework (CSF) can be adapted easily to DORA. As you will see below, the six pillars of NIST – Identify, Detect, Protect, Respond, Recover and Govern – are easily mapped to the DORA ICT Risk Management Articles 5-12.
- DORA Article 5: Governance and organization, Article 6: ICT risk management framework and Article 7: ICT systems, protocols and tools. These DORA articles align to the newest NIST pillar: Govern. They are all about ensuring a holistic approach and framework to the other core functions listed below. Quest is perfectly positioned to help here, offering a complete suite of Active Directory security solutions that provide defense in depth across the cyberattack chain.
- DORA Article 8: Identification. Organizations must identify and document ICT business functions, assets, roles and dependencies to mitigate risk. They should assess cyber threats and vulnerabilities, and should maintain inventories of assets, processes tied to third-party providers and legacy ICT systems. This aligns perfectly to NIST Identify. Quest Security Guardian helps by proactively identifying and mitigating threats and vulnerabilities related to Active Directory.
- DORA Article 9: Protection and prevention. Organizations must create an information security policy, manage networks and infrastructure, implement access controls and strong authentication, and enforce patch/update policies. This aligns to NIST Protect, and implementing access controls and strong authentication is dependent on the confidentiality, integrity and availability of your hybrid AD environment. With Quest, you lock down critical Tier Zero assets from compromise and misconfiguration.
- DORA Article 10: Detection. This article reinforces the need for anomaly detection, regular testing, sufficient resources and capabilities to monitor user activity, and systems to effectively check trade reports for completeness. These measures enable financial entities to respond quickly and with appropriate resources to ICT incidents, including cyberattacks. This aligns to NIST Detect. Quest is a market leader, helping financial services customers detect and alert administrators to suspicious or anomalous behavior immediately for faster response when Active Directory or Entra ID are compromised.
- Article 11: Response and recovery. Entities must put in place a comprehensive ICT business continuity policy and associated response and recovery plans. This aligns to both NIST Respond and Recover. Quest not only helps accelerate incident investigations to limit potential damage and reduce risk of exposure, but also recovers AD and Entra ID services 90% faster while saving over $19M from ransomware attacks.
- Article 12: Backup policies and procedures, restoration and recovery procedures and methods. This article requires financial entities to develop and document backup and restoration policies and procedures. These entities must also set up backup systems that can be activated without compromising security or data integrity, and must test them periodically. This article aligns to NIST Recover. Quest Recovery Manager for AD Disaster Recovery Edition automates the disaster recovery process, including the 40+ steps outlined in Microsoft's AD forest recovery best practices. It also eliminates the risk of malware re-infection throughout your AD forest recovery, scanning for malware and minimizing its hiding places.
Digital operational resilience testing
Financial entities are required to perform regular and proportionate testing of their ICT tools, systems and processes, using appropriate methods such as vulnerability assessments, penetration testing and threat-led penetration testing (TLPT). The European Supervisory Authorities (ESAs) are mandated to develop common standards and methodologies for such testing, and to establish a list of qualified testers for TLPT.
- Article 24 - General requirements for the performance of digital operational resilience testing. This aligns seamlessly with AD and Entra ID disaster recovery best practices, ensuring plans are not just theoretical but proven in practice. Test the plan with people who didn’t develop the plan. Assumptions about what people understand can stall recovery or send it in the wrong direction. Also, practice the plan at least twice a year. Finally, update the plan regularly to account for changes in systems, compliance requirements, the recovery team and more.
Check out this blog post for best practices on AD disaster recovery planning to ensure operational resilience. https://blog.quest.com/how-to-avoid-the-7-most-common-mistakes-in-active-directory-forest-recovery/.
Managing ICT third-party risk
Financial entities must manage third-party ICT risk as an integral component of their ICT risk management framework.
When it comes to managing third-party risk and securing the software supply chain, Active Directory (as well as any third-party AD software vendor like Quest) operates within an elevated privilege context in the infrastructure of financial services organizations. Therefore, it’s paramount for AD technology vendors and manufacturers to put security, integrity and customer experience at the core of their software development lifecycle practices.
By choosing Quest solutions, you get a partner with mature supply chain risk management practices. We apply proactive security measures to identify and minimize supply chain risks. In particular, Quest:
- Uses a Zero Trust R&D architecture
- Performs no development in countries of security concern
- Puts all new suppliers through an extensive trustworthiness assessment
- Controls access to the product in each step in the supply chain
- Strictly limits access to sensitive areas of the business, including product development
- Has achieved 100% compliance with NIST SP800-218 (based on Coalfire's assessment of MPM's 12 US Federal/DoD preferred products)
- Has earned multiple certifications, including SOC 2 Type 2 and ISO 27001, 27017 and 27018
- Uses an airgap-secured assembly process that exceeds industry standards