In an increasingly digital world, the European Union has introduced the Digital Operational Resilience Act (DORA), a regulation that strengthens IT security frameworks across the financial sector. DORA mandates that financial institutions build robust defenses against cyber risks and maintain digital continuity in the face of cyberattacks, software failures, and other operational disruptions.

While much of the attention is focused on human users and systems, an often-overlooked aspect of cybersecurity is the management of Non-Human Identities (NHIs)—entities like service accounts, API keys, tokens, and machine identities that automate operations within modern infrastructures. DORA’s emphasis on digital resilience underscores the critical need to secure these NHIs to prevent security breaches and ensure regulatory compliance.

What is DORA?

DORA provides a unified regulatory framework that ensures financial institutions such as banks, insurance companies, and investment firms are well-equipped to manage IT-related disruptions. The Act focuses on six core areas:

  • ICT Risk Management: Comprehensive management of information and communication technology (ICT) risks.
  • Third-Party Risk Management: Risk management of third-party ICT providers.
  • Operational Resilience Testing: Ongoing resilience testing against operational disruptions.
  • Incident Reporting: A standardized framework for cybersecurity incident reporting.
  • Information Sharing: Secure sharing of threat intelligence across firms.
  • Critical Third-Party Oversight: A framework for overseeing critical ICT third-party providers.

The Role of Non-Human Identities in Financial Operations

NHIs are integral to automating modern financial systems, enabling operational efficiency, scalability, and reliability. These identities operate across the enterprise landscape, interacting with cloud platforms, SaaS applications, and on-premise systems. However, securing NHIs presents challenges. They often carry elevated privileges, allowing access to sensitive data and operations. When compromised, NHIs become a gateway for cyberattacks that can have devastating consequences.

DORA’s Urgency for Securing NHIs

DORA mandates that financial institutions manage ICT risks holistically, including those posed by NHIs. Ensuring robust NHI security requires focus on the following areas:

  1. Visibility and Governance: NHIs are often decentralized across various environments—cloud, on-premise, and third-party services. To comply with DORA, organizations must gain full visibility into all NHIs, track their usage, and enforce governance policies to control their access and privileges.
  2. Posture Management and Policy Enforcement: NHIs frequently accumulate excessive privileges or go unmonitored, creating security vulnerabilities. To align with DORA’s ICT risk management mandates, organizations must enforce least-privilege access policies and continuously monitor NHIs to minimize risks.
  3. Lifecycle Management: API keys, tokens, and other NHIs can outlast their intended use and become stale. DORA emphasizes the need for proactive lifecycle management, ensuring NHIs are properly decommissioned and rotated to reduce unauthorized access risks.
  4. Detection and Response: Meeting DORA’s operational resilience testing and incident reporting requirements necessitates continuous monitoring for abnormal NHI behavior. Detecting and responding swiftly to anomalies will mitigate threats and ensure compliance.
  5. Third-Party Risk Management: Third-party ICT providers often use NHIs to interact with financial systems. If these identities are unmanaged or over-privileged, they pose a significant security risk. A recent example is the Cloudflare Thanksgiving 2023 incident, where attackers exploited stolen service account credentials from the October 2023 Okta breach. This highlights the importance of securing third-party NHIs and enforcing proper controls to prevent breaches.

Timeline for Implementing DORA

DORA was adopted by the European Parliament in December 2022, taking effect on January 16, 2023. Financial institutions and ICT providers have until January 17, 2025 to comply with the regulation. During this period, firms must strengthen their operational resilience frameworks, conduct regular testing, and ensure third-party providers adhere to DORA’s requirements.

The Path Forward: Securing NHIs for DORA Compliance

To comply with DORA and enhance digital resilience, organizations must make NHI security a core element of their cybersecurity strategy. Key actions include:

  • Implementing a Unified NHI Security Platform: Centralizing NHI management across cloud, SaaS, and on-prem environments ensures organizations have the visibility and control required to govern identities effectively.
  • Automating NHI Governance: Automated solutions can monitor NHIs in real-time, enforce policies, and manage lifecycles to ensure that only authorized identities access sensitive systems.
  • Regular Security Audits: Including NHIs in security audits will help identify vulnerabilities early, ensuring that organizations can remediate potential risks before they escalate.
  • Adopting Zero Trust Architecture: Under a Zero Trust model, each NHI must continuously validate its trustworthiness before accessing systems or data, limiting the damage potential of compromised NHIs.
  • Moving Toward a Secretless Approach: Transitioning from static credentials to ephemeral tokens or roles significantly reduces attack surfaces and enhances NHI security.

Conclusion

Securing NHIs is crucial to achieving DORA compliance and maintaining operational resilience. By addressing the unique risks these identities present, financial institutions can strengthen their security posture, reduce vulnerabilities, and ensure the continuity of critical operations. Implementing a comprehensive NHI security strategy—including centralized visibility, lifecycle management, posture monitoring, and third-party risk mitigation—will position organizations to meet DORA’s stringent requirements while enhancing their overall cybersecurity.

DORA represents more than a regulatory obligation; it is an opportunity to rethink and enhance cybersecurity strategies in an increasingly automated and interconnected financial landscape.

To learn more about how Clutch can help you comply with DORA and bolster your security posture - book a demo here!