Nixu continues developing cloud security for Finnish government’s Valtori
The Finnish Government ICT Centre Valtori started its Cloud program in 2019 to enable around 100 Finnish public sector organizations to securely utilize the capabilities of cloud environments. To do so, Valtori needed to ensure that its cloud security meets the legal requirements and the national information security criteria, PiTuKri. Nixu helped realize this goal by delivering a governance model and Cloud Security Posture Management (CSPM) framework for Valtori’s cloud services. Nixu will continue to develop Valtori’s cloud security, as the contract has now been extended until 2025.
The challenge for central government actors in using cloud platforms has been the information security aspect of cloud-based services. The security concerns meant that for a long time, the rule of thumb was to save only public information in the cloud. However, the tides turned in 2019 when the Finnish Ministry of Finance published new guidelines for public sector organizations on how to use cloud services. By the end of 2020, the same ministry already considered the cloud an equal or even a preferred alternative to traditional data centers.
Valtori provides sector-independent ICT services for the central government as well as information and data communications technology services that meet the requirements of high preparedness and security. Valtori serves a client base that comprises around 100 government agencies and departments with tens of thousands of service users. Therefore, Valtori has a large responsibility for providing secure ICT services to its clients.
Need for a secure governance model for cloud environments
One of the services that Valtori offers to governmental organizations is a governance model for cloud environments. A critical aspect of this service is ensuring that its information security corresponds with legal requirements and the Criteria for Assessing the Information Security of Cloud Services (PiTuKri). PiTuKri is published by the Finnish Transport and Communications Agency's National Cyber Security Center, NCSC. Implementing its criteria improves security in situations where authorities process classified information in the cloud. Consequently, it affects Valtori and all of its clients.
To offer a secure governance model, Valtori needed to find a service provider that could master the technical execution, that is, define the relevant security controls for measuring security posture, which would also match the PiTuKri criteria. Due to Nixu’s proven Cloud Security expertise and prior experience with similar projects, Valtori chose Nixu as the service provider at the beginning of 2020. In addition, Nixu delivered documented instructions for implementing Cloud Security Posture Management (CSPM) for Amazon AWS and Microsoft Azure cloud environments and guidelines for further development.
Nixu also produced data protection guidelines for Valtori’s cloud platforms in accordance with the PiTuKri criteria. “Valtori had a vision of Privacy by design (Data protection by design and default), meaning that privacy is considered in the project right from the beginning. This is ideal for a privacy specialist, and working with Valtori’s multidisciplinary team to implement this has been smooth and rewarding,” commends Nixu’s Privacy Specialist Tuisku Sarrala.
Successful pioneer work results in real-time visibility and continuous compliance
After two years of collaboration with Nixu, Valtori can now offer its public sector clients an information security service that gives users real-time visibility into the status of their cloud security controls. The controls follow the defined framework and ensure that the cloud platforms continuously comply with the PiTuKri criteria. Around 75% of Valtori’s clients currently use cloud services, and the service package is installed into all AWS and Azure accounts. This makes life easier – and more secure – for the end-users.
“Our ability to offer validated security controls to our clients advances the use of cloud within the public sector because it encourages cautious decision-makers to trust cloud services and start building cloud environments within their organizations. They can focus on their core work and rely on the fact that if their cloud security controls are not up to date, this security component will notify them to make the needed fixes. Our clients can have peace of mind from a compliance point of view,” states Juha Nieminen, Development Manager at Valtori.
The partnership has been constructive and, with all the tackled challenges, also educational for both sides. “Working with Valtori has been smooth from day one. They had a well-thought vision which we started to work towards together in a very collaborative manner. You can see clearly how much emphasis is put on cybersecurity at Valtori, which makes the work meaningful for everyone involved”, praises Sakari Pihlhjerta, Business Unit Lead for Cloud Security at Nixu.
“I appreciate fluency, flexibility, and strong expertise because those elements ensure that the work gets done. Nixu’s team has delivered us that special know-how we have longed for, and I don’t think there are many other companies in Finland we could have executed this project with”, Nieminen concludes. “We were pioneers who, through iteration, worked to accomplish something that had never been done before. The information security solution we’ve created with Nixu has been one of the biggest wins within our Cloud program.”