Building robust security is now becoming an important issue for businesses as technology and regulations continue to advance. In both the EU and the UK, operational resilience regulatory frameworks are evolving, accompanied by serious consequences for those who fail to comply. For instance, the Digital Operational Resilience Act (DORA) and the NIS2 Directive are two major pieces of European cybersecurity legislation. These pieces of legislation aim to strengthen operational resilience and cybersecurity across various sectors, including finance. While they share common goals, they focus on different aspects and have distinct scopes of application.
Designed to strengthen IT security across a wide range of financial entities, DORA comes into force in early January 2025 and focuses heavily on improving resilience “in the event of a severe operational disruption.” It is relevant to financial services industry organisations that supply services inside the EU. Failure to comply can result in penalties of up to 2% of the total worldwide revenue for any organisation found to be in breach.
The NIS2 Directive has been active since January last year and aims to improve the level of cybersecurity protection across the EU, with an emphasis on harmonising security requirements and reporting obligations. In addition, it encourages member states to integrate new areas, such as supply chain security, vulnerability management and cyber hygiene, into their national cybersecurity strategies.
The Role of Critical Third Parties
In the UK specifically, regulators have looked closely at the role played by Critical Third Parties (CTPs) – external organisations whose services are vital to the operational integrity and resilience of financial institutions. CTPs could include cloud service providers such as AWS or Microsoft, as well as a range of other technology businesses that play a key role in supporting the sector. Additionally, the Cross Market Operational Resilience Group, chaired by the Bank of England, provides detailed guidance on operational resilience for the financial services sector which, whilst not legally binding, acts as a good base for best practice.
Getting Savvy with New Compliance Obligations
Our recent survey, conducted at Cloud & Cyber Security Expo at Tech Show London in March with 100+ cloud professionals, indicated that awareness remains low around new compliance obligations. Nearly half – 46.5% – were unsure of their organisation’s ability to comply with supply chain regulations and frameworks such as NIS2 or SBOM. And of those respondents who work in the finance sector, 30% were unaware of the Digital Operational Resilience Act (DORA). Just over a third – 35% – were confident of their organisation’s ability to comply.
Additionally, the shift towards cloud-native technologies, with their distributed systems and microservices architectures, presents a new set of challenges for regulatory compliance and operational resilience. This environment, characterised by the dynamic scaling of resources to meet demand, introduces complexities in maintaining compliance amidst the fluid nature of containerized deployments and autoscaling practices.
Autoscaling, a hallmark of cloud-native environments, allows for efficient resource management but necessitates a nuanced approach to operational resilience. The ability of systems to automatically adjust resources complicates adherence to stringent regulatory frameworks, requiring organisations to adopt innovative monitoring and management strategies that align with the fluid dynamics of cloud-native operations.
Implementing Best Practice Security Measures
So what impact are these regulations making (or will they make) in practical terms, and what technology priorities should organisations address to ensure compliance? Across the current financial industry ecosystem, for example, there is an increasing reliance on the provision of agile, scalable and reliable applications, with Kubernetes and DevOps among the platforms and methodologies playing an important role in software development and delivery strategies. In this context, resilience and security are – understandably – key considerations.
Building Robust Security is Key for Operational Resilience
For organisations working with Kubernetes and cloud environments, operational resilience ensures that the infrastructure and applications deployed are robust, secure and capable of recovering swiftly from disruption. This includes implementing best practices for Kubernetes security, ensuring high availability and disaster recovery capabilities and effectively managing third-party risks associated with cloud service providers. Operational resilience in these environments also involves continuous monitoring, incident response planning and regular testing of recovery procedures to ensure the organisation can maintain its critical functions under a variety of adverse conditions.
In relation to DevOps, which has become a widely adopted software development methodology globally, security can be improved by integrating advanced measures directly into development and deployment processes. This includes the implementation of “Compliance as Code”, which integrates automated compliance checks within the CI/CD pipeline. The most effective approaches enforce compliance policies and regulatory requirements directly in the infrastructure as code (IaC) templates and container configurations. This ensures that every deployment automatically adheres to necessary compliance standards, reducing manual review processes and the potential for human error.
This should be accompanied by the use of immutable security policies for the containerised applications and Kubernetes clusters. By defining strict security policies that cannot be altered once a container or service is deployed, this approach ensures that any change to the security posture can only be made through the CI/CD pipeline, enforcing consistency, auditability and compliance with existing security standards.
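The following is an added example of what a "Compliance as Code" gate for Kubernetes workloads can look like in practice; it is constructed for this article and is not Aqua Security's tooling. A pipeline stage runs it against each manifest before deployment and fails the build on any violation. The policy set (approved registry, digest-pinned images, non-root and non-privileged containers, read-only root filesystem, CPU/memory limits) lives in the same repository as the pipeline, so the posture itself can only change through a reviewed commit, which is the "immutable policy" idea above. The registry name and the sample Deployment are assumptions.

```python
"""Compliance-as-code gate for Kubernetes manifests (constructed example).

Policy parameters are fixed here and versioned with the pipeline, so a change
to the required posture can only land through a reviewed pipeline commit.
"""
import json
import sys

# Hypothetical internal registry; replace with your own approved sources.
ALLOWED_REGISTRIES = ("registry.example.internal/",)


def iter_containers(manifest):
    """Yield every container and initContainer in a Pod or workload manifest."""
    spec = manifest.get("spec", {})
    if "template" in spec:                      # Deployment, StatefulSet, Job, ...
        spec = spec["template"].get("spec", {})
    for key in ("initContainers", "containers"):
        for c in spec.get(key, []):
            yield c


def check_container(c):
    """Return a list of policy violations for one container spec."""
    name = c.get("name", "<unnamed>")
    findings = []
    image = c.get("image", "")
    # Image provenance: approved registry only, pinned by digest rather than a mutable tag.
    if not image.startswith(ALLOWED_REGISTRIES):
        findings.append(f"{name}: image {image!r} is not from an approved registry")
    if "@sha256:" not in image:
        findings.append(f"{name}: image {image!r} is not pinned to a digest")
    sc = c.get("securityContext", {})
    if sc.get("privileged"):
        findings.append(f"{name}: privileged container")
    if sc.get("runAsNonRoot") is not True:
        findings.append(f"{name}: runAsNonRoot is not set to true")
    if sc.get("readOnlyRootFilesystem") is not True:
        findings.append(f"{name}: root filesystem is writable")
    if sc.get("allowPrivilegeEscalation") is not False:
        findings.append(f"{name}: allowPrivilegeEscalation is not disabled")
    # Resource limits matter for resilience: an unbounded container can starve its neighbours.
    limits = c.get("resources", {}).get("limits", {})
    if "cpu" not in limits or "memory" not in limits:
        findings.append(f"{name}: cpu/memory limits missing")
    return findings


def check_manifest(manifest):
    """Collect violations across all containers in the manifest."""
    findings = []
    for c in iter_containers(manifest):
        findings.extend(check_container(c))
    return findings


# Constructed Deployment manifest in JSON form (which kubectl also accepts).
# The "api" container is compliant; the "sidecar" container breaks every rule.
SAMPLE_MANIFEST = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "payments-api"},
    "spec": {
        "template": {
            "spec": {
                "containers": [
                    {
                        "name": "api",
                        "image": "registry.example.internal/payments/api@sha256:" + "0" * 64,
                        "securityContext": {
                            "runAsNonRoot": True,
                            "readOnlyRootFilesystem": True,
                            "allowPrivilegeEscalation": False,
                        },
                        "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
                    },
                    {
                        "name": "sidecar",
                        "image": "docker.io/library/busybox:latest",
                        "securityContext": {"privileged": True},
                    },
                ]
            }
        }
    },
}


def main(path=None):
    """Check a manifest file (or the embedded sample) and return the CI exit code."""
    if path:
        with open(path) as fh:
            manifest = json.load(fh)
    else:
        manifest = SAMPLE_MANIFEST
    findings = check_manifest(manifest)
    for f in findings:
        print("FAIL", f)
    # Non-zero exit fails the pipeline stage, so a non-compliant deployment cannot proceed.
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run with a manifest path to check a real file, or with no arguments to see the sample fail on the sidecar. In a real pipeline the same checks are usually also enforced at admission time (for example with an admission controller) so that a manifest applied outside the pipeline is rejected by the cluster as well.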
Ensuring Security and Integrity of Software Applications
Looking more closely at the issues associated with CTPs or the wider supply chain, the creation of a Software Bill of Materials (SBOM) is a critical component in ensuring the security and integrity of software applications and their dependencies. This approach is increasingly relevant in the context of broader cybersecurity strategies and compliance with regulatory requirements such as DORA.
SBOMs are a critical tool for risk management in the supply chain, but they must be part of a larger, holistic security strategy. While an SBOM provides a comprehensive inventory of all the components present in a software application, including those that may not be actively loaded into memory or called during runtime, these inactive components can still pose security risks. Inactive but vulnerable components could potentially be used as part of an exploit chain or become an active threat at a later date if the application’s functionality changes over time.
Therefore, it’s essential to consider the security implications of all components within a software application, even if they are currently unused. Maintaining a comprehensive SBOM and regularly reviewing it for vulnerabilities, even in inactive parts, are crucial security practices.
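As an added illustration of the review described above (constructed for this article, not Aqua Security's product code), the script below parses a small CycloneDX-style SBOM, matches each component against an advisory feed, and reports every affected component. A separate list of what the application actually loads at runtime is used only to annotate priority; an installed-but-unused component with a known weakness is still reported. The SBOM, the advisory identifiers (placeholders, not real CVEs) and the package names are all made up.

```python
"""Review an SBOM against advisories, including components not loaded at runtime
(constructed example)."""
import json

# Constructed CycloneDX-style SBOM. Package URLs follow the real
# "pkg:type/name@version" layout, but the package names are invented.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "fastjson-parse", "version": "2.4.1",
         "purl": "pkg:pypi/fastjson-parse@2.4.1"},
        {"type": "library", "name": "legacy-xml", "version": "0.9.3",
         "purl": "pkg:pypi/legacy-xml@0.9.3"},
        {"type": "library", "name": "tls-helper", "version": "3.1.0",
         "purl": "pkg:pypi/tls-helper@3.1.0"},
    ],
})

# Constructed advisory feed: placeholder ids, nothing here is a real CVE.
ADVISORIES = {
    "ADV-EXAMPLE-0001": {"name": "legacy-xml", "fixed_in": "1.0.0", "severity": "high"},
    "ADV-EXAMPLE-0002": {"name": "tls-helper", "fixed_in": "3.0.0", "severity": "critical"},
    "ADV-EXAMPLE-0003": {"name": "fastjson-parse", "fixed_in": "2.5.0", "severity": "medium"},
}

# Components the application imports today (e.g. from runtime instrumentation).
# legacy-xml is installed but never loaded; it must still be reviewed.
RUNTIME_LOADED = {"fastjson-parse", "tls-helper"}


def parse_version(v):
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


def parse_sbom(text):
    """Return {name: version} for every component in a CycloneDX JSON document."""
    bom = json.loads(text)
    return {c["name"]: c["version"] for c in bom.get("components", [])}


def review_sbom(text, advisories, runtime_loaded):
    """Match components against advisories.

    Every affected component is reported; the loaded_at_runtime flag tells the
    reviewer how to prioritise, not whether the finding can be ignored.
    """
    components = parse_sbom(text)
    findings = []
    for adv_id, adv in sorted(advisories.items()):
        version = components.get(adv["name"])
        if version is None:
            continue                                   # component not in this application
        if parse_version(version) < parse_version(adv["fixed_in"]):
            findings.append({
                "advisory": adv_id,
                "component": adv["name"],
                "version": version,
                "severity": adv["severity"],
                "loaded_at_runtime": adv["name"] in runtime_loaded,
            })
    return findings


if __name__ == "__main__":
    for f in review_sbom(SAMPLE_SBOM, ADVISORIES, RUNTIME_LOADED):
        status = "active" if f["loaded_at_runtime"] else "INACTIVE (still review)"
        print(f"{f['advisory']}: {f['component']} {f['version']} "
              f"[{f['severity']}] {status}")
```

Running the script reports both the actively used component and the dormant one; in a real pipeline the advisory feed would come from a vulnerability database and the runtime-loaded set from instrumentation, and the SBOM would be regenerated on every build so the review keeps pace with dependency changes.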
Concrete steps for complying with operational rules
To stay ahead of the curve and ensure compliance with emerging regulations, organisations must act now. Some concrete steps they can take include:
- Educate staff on the requirements of DORA, NIS2 and other relevant regulations, and take steps to assess the current level of compliance.
- Engage with industry peers, regulatory bodies, and security experts to stay informed about best practices and evolving threats.
- Partner with trusted security vendors and service providers who can provide the expertise, tools, and support needed to implement effective security measures and maintain compliance over time.
- Develop a roadmap for compliance by asking IT teams pertinent questions such as:
  - Automated Remediation: “Have we integrated automated remediation playbooks that can act on incidents immediately, in line with DORA’s operational resilience requirements?”
  - Unified Security Framework: “Does our security monitoring extend seamlessly across all environments, from containers to serverless, to uphold NIS2’s comprehensive cybersecurity directives?”
  - Image Management: “Is there an automated system in place for image pruning to maintain the system integrity mandated by DORA and NIS2, ensuring only compliant and secure images are in use?”
  - Configuration Workshops: “How regularly are we conducting workshops to prevent misconfigurations, a key practice for the governance and risk management aspects of DORA and NIS2?”
  - SBOM and Package Provenance: “Do we maintain a current SBOM for each application, and how do we verify the provenance and security of the packages we use, as expected by DORA and NIS2 for operational resilience?”
Building Robust Security for the Future
In a climate where the role of regulation seems likely to increase even further, organisations building robust security into their development processes will be better placed to adopt future changes.
Written by Philip Pearson, Field Chief Information Security Officer, Aqua Security