
DORA: Strengthening SaaS Data Protection – Best Practices & Strategies

Odaseva

Jun 19, 2024

Salesforce Data Compliance

By Siham Boutayeb, Sr Principal Solutions Engineer & Olivier Michel, Compliance Officer 

In an increasingly digital world, the financial sector faces unprecedented cyber threats and information and communication technology (ICT) disruptions.

The Digital Operational Resilience Act (DORA) represents a comprehensive framework aimed at bolstering the resilience of financial entities in the European Union. Whether you are a financial services company operating within the EU or a third-party ICT service provider supporting these entities, understanding and adhering to DORA’s stringent requirements is paramount. 

This article marks the beginning of our series on DORA, where we will delve deeper into its various aspects and offer insights on achieving compliance and enhancing operational resilience.

Understanding DORA’s Relevance to Salesforce Data

DORA encompasses several critical sections including general provisions, ICT risk management, and digital operational resilience testing. The ICT risk management section is particularly pertinent to cloud environments and SaaS platforms. DORA explicitly mandates that all critical ICT third-party service providers, including cloud computing services, comply with its regulations, underscoring the shared responsibility model of data protection on SaaS platforms.

Given the growing reliance on cloud-based solutions in the financial services sector, it’s essential to consider specific examples of SaaS platforms that play a pivotal role in managing sensitive data. One such example is Salesforce, a leading SaaS provider widely used for customer relationship management (CRM) and more critical business processes. As financial entities integrate Salesforce into their operations, it’s crucial to understand its alignment with DORA’s requirements. 

Let’s explore how Salesforce fits into the regulatory framework, and how Odaseva helps our enterprise customers achieve best practices for ensuring compliance.

Meeting DORA Requirements with Odaseva

As organizations increasingly rely on Salesforce for customer relationship management and other critical operations, the responsibility for data protection—encompassing availability, authenticity, integrity, and confidentiality—rests squarely on their shoulders. 

Here’s what’s needed to ensure compliance with DORA, and how Odaseva helps:

1. Robust Backup and Recovery Procedures

Article 12: Backup policies and procedures, restoration and recovery procedures and methods

  • Independent Backups: DORA stipulates that backups must be physically and logically segregated from the source ICT systems.
    • Odaseva provides secure, independent cloud environments for storing backups, ensuring the highest level of accessibility even during provider outages with our Ultra High Availability solution.
    • Odaseva also offers Restore Readiness Audits to assess your organization’s ability to recover data, pinpointing potential barriers and providing tailored recommendations for overcoming them.
  • Defined RTO and RPO: DORA requires you to define clear Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) to ensure rapid and precise data restoration, minimizing downtime and data loss.
    • The Odaseva Enterprise Data Security Platform is tailored to meet these requirements, ensuring rapid recovery with minimal disruption. With Odaseva, customers can back up as often as every five minutes.
  • Efficient Restoration: DORA obligates you to establish, regularly test, and update recovery plans to ensure prompt restoration after ICT-related disruptions.
    • Odaseva’s forensic-level restoration processes maintain the integrity of metadata and relationships, preventing broken links and ensuring data consistency. Our platform can restore lost or corrupted data precisely, preserving the structure and functionality of your datasets.
    • Our team includes a Managed Backup Services team that will custom-craft and fine-tune your backup plan to eliminate roadblocks to a successful restore, and provide support with any backup-related need.

2. Cybersecurity Measures

Article 9: Protection and prevention

  • Data Classification and Encryption: Classify sensitive data based on a comprehensive ICT risk assessment and apply appropriate encryption to safeguard it from unauthorized access and potential breaches.
    • Odaseva’s data encryption capabilities are designed to protect data at rest and in transit, ensuring compliance with stringent security standards.
  • Strong Authentication and Access Controls: Deploy robust authentication mechanisms and restrict user access to essential data only, ensuring that information assets are protected from misuse and unauthorized entry.
    • Odaseva supports the strongest authentication and access control mechanisms, such as IP restriction, multi-factor authentication up to hardware-based tokens (U2F), role-based access control, and the ability to fully delegate authentication to the customer’s identity provider through SAML enterprise SSO.

3. Continuous Monitoring and Incident Response

Article 8: Identification

  • Proactive Monitoring: Analytics provides advanced data insights, helping organizations optimize Salesforce data management, compliance, and performance. It enables you to make informed decisions with comprehensive data analysis and visualization tools.
    • Odaseva Data History enhances auditability and compliance by providing complete tracking of modifications within Salesforce. Additionally, with the brand new Zero Trust Vault, this monitoring can be improved with a full audit log on all the data stored in your vault.
  • Smart Alerts and Forensic Analysis: Utilize smart alert systems to detect abnormal data deletions or corruptions, and perform comparative analyses between backups to identify affected accounts and data, facilitating quick and informed incident responses.
    • Odaseva’s forensic capabilities provide deep insights into incidents, helping organizations mitigate risks efficiently.
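
One way to implement the backup-to-backup comparison described above, as an added example that is not Odaseva’s code or part of the original post: it diffs two constructed snapshots of the Salesforce Contact object, flags an abnormal deletion rate, and lists the parent Accounts a responder would need to scope a restore. The 10% threshold, the field names used and the record data are assumptions.

```python
from typing import Dict, List, Tuple

Record = Dict[str, str]

# Constructed sample data: two backups of the Salesforce Contact object taken
# 24 hours apart. Ids follow the Salesforce key-prefix convention (003 = Contact,
# 001 = Account) but are made up for this example.
BACKUP_T0: List[Record] = [
    {"Id": "003000000000001", "AccountId": "001000000000AAA", "Email": "ann@example.com"},
    {"Id": "003000000000002", "AccountId": "001000000000AAA", "Email": "bob@example.com"},
    {"Id": "003000000000003", "AccountId": "001000000000BBB", "Email": "cat@example.com"},
    {"Id": "003000000000004", "AccountId": "001000000000BBB", "Email": "dan@example.com"},
    {"Id": "003000000000005", "AccountId": "001000000000CCC", "Email": "eve@example.com"},
]
BACKUP_T1: List[Record] = [
    {"Id": "003000000000001", "AccountId": "001000000000AAA", "Email": "ann@example.com"},
    {"Id": "003000000000005", "AccountId": "001000000000CCC", "Email": "eve@corp.example"},  # modified
    {"Id": "003000000000006", "AccountId": "001000000000CCC", "Email": "fay@example.com"},   # new
]

def index_by_id(records: List[Record]) -> Dict[str, Record]:
    return {r["Id"]: r for r in records}

def diff_snapshots(before: List[Record], after: List[Record]) -> Tuple[List[str], List[str], List[str]]:
    """Return (deleted, added, modified) record Ids between two backups."""
    b, a = index_by_id(before), index_by_id(after)
    deleted = sorted(set(b) - set(a))
    added = sorted(set(a) - set(b))
    modified = sorted(i for i in set(a) & set(b) if a[i] != b[i])
    return deleted, added, modified

def affected_accounts(before: List[Record], deleted_ids: List[str]) -> List[str]:
    """Map deleted Contacts back to their parent Accounts so a restore can be scoped."""
    b = index_by_id(before)
    return sorted({b[i]["AccountId"] for i in deleted_ids})

def deletion_alert(before: List[Record], after: List[Record], max_ratio: float = 0.10) -> dict:
    """Flag an abnormal deletion when more than max_ratio of the records vanished."""
    deleted, _, _ = diff_snapshots(before, after)
    ratio = len(deleted) / len(before) if before else 0.0
    return {"alert": ratio > max_ratio, "deleted": len(deleted),
            "ratio": ratio, "accounts": affected_accounts(before, deleted)}

if __name__ == "__main__":
    print(deletion_alert(BACKUP_T0, BACKUP_T1))
```

With the constructed data, three of five Contacts disappeared between backups, so the check fires and names Accounts AAA and BBB as the ones needing a targeted restore.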

4. Regular Testing and Risk Assessments

Article 13: Learning and evolving

  • Business Continuity Plan Testing: Periodically test your ICT business continuity plans and backup restoration procedures to ensure their effectiveness and reliability.
    • Our Data Recovery Readiness and Response service streamlines these exercises, helping organizations maintain operational resilience.
  • Risk Assessments: Conduct regular risk assessments to identify and mitigate potential vulnerabilities.
    • Odaseva’s automation and security risk insights enhance these processes, ensuring that your systems remain resilient against evolving threats.
  • Resilience Training: DORA focuses on training financial entities to handle digital risks and cybersecurity threats, ensuring organizations can maintain operations during disruptions. This training is essential for a resilient financial sector.

Enhancing Resilience with Advanced Solutions

Leveraging Odaseva’s industry-leading solutions can help organizations achieve DORA compliance, including:

  • Odaseva Backup & Restore: Specializing in targeted data restoration, ensuring minimal impact on unaffected data and preserving overall system integrity.
  • Odaseva Data Security: Providing automation and security risk insights, facilitating efficient data classification and proactive monitoring.
  • Data Archiving: Offload older, unused data onto secure third-party systems, reducing the volume of data at risk during ICT incidents. Odaseva Data Archiving helps organizations manage data lifecycle efficiently.

Adhering to DORA is not just about compliance; it is about fostering a resilient and secure digital environment for financial institutions.

By implementing comprehensive backup and recovery procedures, robust cybersecurity measures, continuous monitoring, and regular risk assessments, organizations can significantly reduce their vulnerability to cyber threats and ICT disruptions.

As the enforcement of DORA approaches, now is the time to enhance your Salesforce data protection strategies and ensure operational resilience in the face of ever-evolving digital challenges.

For tailored solutions and expert guidance, consider partnering with Odaseva, the strongest data security solution for enterprises running on Salesforce. Let our experts help you navigate the complexities of DORA compliance.

For more information on how to bolster your DORA compliance efforts, contact us today.
