This project was delivered by Nixu, a DNV company. DNV, Nixu and Applied Risk joined forces to form DNV Cyber in 2024, creating one of Europe’s fastest growing cybersecurity services businesses.
The Finnish Government ICT Centre Valtori started its Cloud program in 2019 to enable around 100 Finnish public sector organizations to securely utilize cloud environments' capabilities. Therefore, Valtori needed to ensure that their Cloud Security is on par with the legal requirements and national information security criteria PiTuKri. DNV Cyber helped in realizing this goal by delivering a governance model and Cloud Security Posture Management (CSPM) framework for Valtori’s cloud services. DNV Cyber will continue to develop Valtori’s Cloud Security also in the future, as the contract has been extended until 2025.
The challenge for central government actors in using cloud platforms has been the information security aspect of cloud-based services. The security concerns meant that for a long time, the rule of thumb was to save only public information in the cloud. However, the tides turned in 2019 when the Finnish Ministry of Finance published new guidelines for public sector organizations on how to use cloud services. By the end of 2020, the same ministry already considered cloud an equal or even a preferred alternative to traditional data centers.
Valtori provides sector-independent ICT services for the central government as well as information and data communications technology services that meet the requirements of high preparedness and security. Valtori serves a client base that comprises of around 100 government agencies and departments with tens of thousands of service users. Therefore, Valtori has a large responsibility for providing secure ICT services to its clients.
Need for a secure governance model for cloud environments
One of the services that Valtori offers to governmental organizations is a governance model for cloud environments. A critical aspect of this service is ensuring that its information security corresponds with legal requirements and the Criteria for Assessing the Information Security of Cloud Services (PiTuKri). PiTuKri is published by the Finnish National Cybersecurity Center, NCSC, and implementing its criteria improves security in situations where authorities process classified information in the cloud. Consequently, it affects Valtori and all of its clients.
To offer a secure governance model, Valtori needed to find a service provider that could master the technical execution, that is, define the relevant security controls for measuring security posture, which would also match the PiTuKri criteria. Due to prior experience with similar projects, Valtori chose DNV Cyber's Cloud Security Business Unit as the service provider at the beginning of 2020. Behind DNV Cyber’s cloud expertise is a group of 10 senior-level experts focusing on all major public cloud platforms (Azure, AWS, and Google Cloud Platform).
In addition, DNV Cyber delivered documented instructions for implementing Cloud Security Posture Management (CSPM) for Amazon AWS and Microsoft Azure cloud environments and guidelines for further development and data protection. After a year of initial work, the project switched to the development phase in the spring of 2021.
Defining Valtori´s Cloud Security Posture Management and identifying risks
The project started with DNV Cyber defining and documenting with Valtori how Cloud Security Posture Management is structured in Valtori’s Azure and AWS cloud environments. The framework for these information security criteria is based on PiTuKri 1.1 and some additional best practices.
The outcome of this work is a vast set of platform-native detective controls that can be installed in customers' cloud environments, whether it be Azure or AWS. Through these controls, one gets a holistic view of the cloud security posture and can continuously monitor compliance against the PiTuKri framework.
DNV Cyber also created implementation instructions for vendor-specific governance models (AWS & Azure). This meant that Nixu’s cloud specialists compiled the best practices for public cloud environments and the relevant information security mechanisms to produce instructions that could be used alongside the vendors’ user documentation. A significant part of this phase was threat modeling, where attack vectors were identified and described in addition to the security controls used for blocking attacks.
DNV Cyber was also responsible for producing a risk management plan for Valtori’s public cloud environments. This included identifying and documenting risks on a strategic, tactical, and operational level, as well as their mitigation plans that are linked to the security controls.
I appreciate fluency, flexibility, and strong expertise because those elements ensure that the work gets done.
- Development Manager
- Valtori.
Data protection goes hand in hand with cloud security
The fourth and final assignment for DNV Cyber was to produce data protection guidelines for Valtori’s cloud environments that are in accordance with the PiTuKri criteria. This documentation was created to demonstrate how data protection by design and default is incorporated into Valtori’s cloud platforms. Hence, the execution of data protection follows the same principles as the execution of information security: general guidelines, design instructions, and threat modeling are in place. In addition, DNV Cyber’s privacy specialist ensured that Valtori’s data protection guidelines follow the requirements of the EU’s GDPR regulation as well as national and EU-level guidance and best practices. The design instructions were mapped against PiTuKri and ISO 27001 information security standard.
Data protection (privacy) in the cloud has been in turmoil for a few years. The Schrems II judgment in the summer of 2020 raised significant concerns about the legality and security of personal data in the cloud. It increased the need for data protection-related cloud guidance. Valtori’s extensive data protection-related documentation created during the project will help Valtori’s customers deal with these difficult issues.
“Valtori had a vision of Privacy by design (Data protection by design and default), meaning that privacy (data protection) is considered in the project right from the beginning. This is ideal for a privacy specialist, and working with Valtori’s multidisciplinary team to implement this has been smooth and rewarding,” commends DNV Cyber’s Privacy Specialist Tuisku Sarrala. “We were able to bring privacy and security closer together, for example, by aligning the threat models and mapping PiTuKri to the GDPR principles. It has been a great learning journey for both sides”.
Successful pioneer work results in real-time visibility and continuous compliance
After two years of successful collaboration with DNV Cyber, Valtori can now offer its public sector clients an information security service that enables the users to have real-time visibility on the status of their cloud security controls. The controls follow the defined framework and ensure that the cloud platforms continuously comply with the PiTuKri criteria. Around 75% of Valtori’s clients currently use cloud services, and the service package is installed into all AWS and Azure accounts. This makes life easier – and more secure – for the end users.
“Our ability to offer validated security controls to our clients advances the use of cloud within the public sector because it encourages cautious decision makers to trust cloud services and start building cloud environments within their organizations. They can focus on their core work and rely on the fact that if their cloud security controls are not up to date, this security component will notify them to make the needed fixes. Our clients can have peace of mind from a compliance point of view,” states Juha Nieminen, Development Manager at Valtori.
The partnership has been constructive and, with all the tackled challenges, also educational for both sides. “Working with Valtori has been smooth from day one. They had a well-thought vision which we started to work towards together in a very collaborative manner. You can see clearly how much emphasis is put on cybersecurity at Valtori, which makes the work meaningful for everyone involved”, praises Sakari Pihlhjerta, Business Unit Lead for Cloud Security at DNV Cyber.
“I appreciate fluency, flexibility, and strong expertise because those elements ensure that the work gets done. DNV Cyber’s team has delivered us that special know-how we have longed for, and I don’t think there are many other companies in Finland we could have executed this project with”, Nieminen concludes. “We were pioneers who, through iteration, worked to accomplish something that had never been done before. The information security solution we’ve created with DNV Cyber has been one of the biggest wins within our Cloud program.”
As the technologies behind cloud platforms evolve rapidly, DNV Cyber and Valtori continue to develop the service after the launch process. Further development includes upcoming new features and other necessary improvements that ensure the best possible user experience and security posture for Valtori and its customers. For example, critical findings will automatically create a ticket to the client’s IT department in the future, which saves the trouble of logging into the actual portal to check the current status.