With the second and final set of Regulatory Technical Standards for DORA (Digital Operational Resilience Act) fulfillment now available, EU-based financial institutions must ensure that their cloud and network infrastructure is properly documented, that critical functions are identified and mapped, and that actual configuration and policy are aligned with the intended, secure state.
Our team has worked with cybersecurity experts at ICTTF to understand exactly what controls the network team should focus on for a smooth DORA compliance program, at least as it pertains to the IT network and cloud infrastructure.
Once you understand these controls, you must think about 1) implementation, and 2) proof for auditors. Do you have mechanisms in place to account for all that DORA requires?
Today, we'll look at the ten DORA controls we have identified that an automated network assurance platform like IP Fabric can solve for you with minimal effort to help you form your own DORA platform.
1. Maintain Accurate Network Diagrams
(DORA Article 8.4, Article 8.5)
We've often stressed the importance of an accurate, up-to-date visual representation of your cloud and network architecture; DORA makes this mandatory.
Mapping critical functions across the network to understand interdependencies is crucial, and maps should include all devices, connections, and their configuration. This is useful to assess criticality (here you can determine and potentially limit your audit scope!), identify third-party borders, and analyze risk based on accurate network "situational awareness".
Manual network mapping - pencil to paper, Visio diagrams - produces a static tool that could, if not completely useless, prove dangerous if relied on as the 'truth' about your network. Modern financial institutions require a more dynamic solution so that the map you're handing over as proof of operational resilience is as recent and comprehensive as possible. IP Fabric builds a flexible map and model of your network with every snapshot taken, on a schedule you set. You can easily export or share this map to reports or adjacent teams, and they can self-serve this information as needed.
2. Identify and Inventory Network Assets
(DORA Article 8.1, Article 8.4)
It may seem simple, but with constant change, evolving requirements, and shadow IT at play, it's not uncommon for financial enterprises to lack a clear understanding of exactly what's in the IT estate that they are responsible for.
In fact, most CIOs have no single network architecture model and rely on a patchwork of incoherent knowledge to understand their environment.
This uncertainty would be unacceptable in the Accounting department, and DORA ensures that it's unacceptable for IT operational resilience too. Network teams must identify and maintain an accurate inventory of all assets, as well as a record of security protections on each asset.
As with diagrams, automating this process ensures recency; technical guardrails are also embedded in, for example, IP Fabric's automatic SSH network discovery process, ensuring completeness. This eliminates not just the time taken, but also the frequent human error that results from manual information gathering, either from natural oversights or reliance on bad documentation.
3. Understand Information Flows
(DORA Article 9.2, Article 11.5)
DORA places significant emphasis on business continuity and requires that redundancies are in place and well-documented as part of a business impact analysis (BIA) of the institution's exposures to severe business disruptions.
To properly understand the impact of exposures on the business, this BIA must consider identified and mapped business functions, support processes, third-party dependencies, and information assets, and their interdependencies to assess potential impact. Modeling how ICT information flows through the network from one endpoint to another massively benefits this understanding and speeds fault isolation.
IP Fabric's end-to-end path lookup models how data moves through the network, identifying critical data paths and ensuring - through regular validation - appropriate security controls are in place to protect data integrity and confidentiality.
This provides a means to proactively maintain resilience and solve issues quickly when they do come up.
4. Continuously Perform Security Assessments and Audits
(DORA Article 25)
DORA mandates that your compliance program include appropriate testing, including network security assessments and vulnerability scans, end-to-end testing, and penetration testing.
Whatever your intended security approach, you must regularly validate that controls placed on devices, segmentation or micro-segmentation, and access policies are performing as expected. Identify rogue or unsecured devices before they become an issue, and understand changes in network behavior from one day to the next.
Using network assurance to automate security assessments increases the accuracy of this testing, and increases the frequency of these internal audits. Using IP Fabric's custom or built-in intent checks, you can craft a security audit to run daily, or twice daily, or on whatever schedule you prefer.
That's peace of mind that even the most rigorous external auditors can't disrupt.

5. Implement Strong Access Control
(DORA Article 9.2, Article 9.4)
Ensuring that only authorized users can access critical network resources is vital to avoid bad actors disrupting your operational resilience. This likely requires using role-based access control (RBAC) and the principle of least privilege to minimize exposure to potential breaches.
Automated network assurance provides the means to test these access policies across the entire network and understand how access is operating at a specific point in time. Access to the complete network state means you can regularly validate that segmentation, or microsegmentation, is in effect and that policies are, as intended, preventing unwanted traffic flows.
This validation practice, along with providing the proof of compliance necessary for DORA, helps "maintain high standards of availability, authenticity, integrity and confidentiality of data, whether at rest, in use or in transit." (Article 9.2).
6. Regularly Update & Patch Systems
(DORA Article 9)
It's essential to operational resilience, and mandated for EU financial institutions under DORA, that you keep all software and hardware components up-to-date with the latest patches and updates to protect against known vulnerabilities.
Using IP Fabric to check your network inventory and state against NIST's published CVE (Common Vulnerabilities and Exposures) database helps you proactively identify, and act on, vulnerabilities. For example, were you affected by CVE-2024-3400?
Additionally, you need to ensure and validate that policies such as hardening and crypto standards for in-transit data are deployed accurately. By creating specific intent checks (or using 150+ built-in best practice checks), you can automate this validation to be conducted every time you run a discovery snapshot (daily, twice daily - the choice is yours). You can even use alerts of non-compliance to trigger remediation (and after the fact, validate that the change has had the intended effect). This closed-loop automation of your security policies is a game-changer for proactive network protection and incident prevention.
And of course, it's all automatically documented and security teams can self-serve this information as needed.
7. Effectively Monitor Network Traffic
(DORA Article 9.1)
Even without the DORA obligation driving your observability needs, you likely know to continuously observe your network traffic for unusual activity or potential threats.
Classic real-time monitoring tools are therefore an essential part of your network toolset. However, there are gaps in visibility, context, and completeness that they simply aren't designed to fill. For example:
- are you sure you're monitoring everything in your network? How was your monitoring tool populated, and is there a reliable process to update these systems with new network elements?
- you are alerted that something is wrong, but can you isolate the cause?
- is your team overwhelmed with alert fatigue, because you can't diagnose what is a true issue and what's just noise?
IP Fabric's automated network assurance platform ensures your monitoring tools are up-to-date; it also provides deeper context for quick fault isolation and troubleshooting, and necessary details to diagnose alerts without the need for manual data collection. So, while you may have monitoring in place, is it effective at the level required for true operational resilience?
8. Develop & Test Incident Response Plans
(DORA Article 11.2-b)
DORA prescribes that enterprises must "quickly, appropriately, and effectively respond to, and resolve, all ICT-related incidents in a way that limits damage and prioritizes the resumption of activities and recovery actions."
Access to a complete and up-to-date network model ensures that you're testing and accurately validating your incident response plans, with a clear understanding of the dependencies at play and redundancies in place.
What's more, you can easily automate parts of your incident response process for faster resolution. For example, automatically embed key network intelligence (e.g. end-to-end network path lookup, network diagrams) into service tickets to kickstart issue resolution.
For example: IP Fabric Integrates with ServiceNow

9. Implement Redundancy & Failover Systems
(DORA Article 11.4, Article 12)
Your network and cloud infrastructure were likely architected with key redundancy for critical network components and services. Is the reality of your network's operational state, however, aligned with this vision? Network assurance can validate that your intended network state is reflected in your actual, observed network state, as well as alert you to deviations from intent.
Additionally, assurance platforms like IP Fabric allow for the maintenance of backups of all individually managed network devices, storing configuration and policy details so you can roll back changes easily.
If an incident should occur and business continuity plans kick in, IP Fabric can validate that your networks will function, and are functioning, as expected.
These elements are central to the resilient systems that DORA was intended to create.
10. Report on Network Activities with an Accurate Historical View
(DORA Article 19)
Updates to documentation are made automatically with every snapshot taken, meaning you always have access to an up-to-date network report capturing your network state at a specific point in time. Because IP Fabric stores all the snapshots of your network, you have access to a historical view of your network over time which is invaluable for retroactive incident analysis and reporting.
This aids massively in fulfilling DORA's stated reporting and record-keeping obligations and information-sharing pillar, eliminating tedious and error-prone data gathering and analysis by network team members.
6 Months to DORA: Identify, Maintain, Test, Prove
As we distill the DORA controls into actionable network strategy, you'll notice repeated themes emerge. Understanding what's in your network through clear and complete identification, maintaining this up-to-date understanding, rigorously testing and validating the network posture, and having the means to document and prove your stance, are all integral to facing DORA audits with confidence. These are pillars of operational resilience you should cement now, not in six months when the risk of financial, reputational, and criminal penalties is all too real.
How will your team spend the next six months as we approach the DORA enforcement date, January 17th, 2025?
If the day-one benefits of network assurance, as chronicled above, would help you, then get in touch with our team today (add DORA to your message so we know your concern), or get in touch with an expert team member directly: Joe Kershaw.



