The first Finnish audit criteria for cloud services released – PiTuKri improves cloud security

June 2019 by Marc Jacob

The Finnish National Cyber Security Centre (NCSC) has released new audit criteria for cloud services called PiTuKri. The implementation of the criteria improves security in situations where authorities process classified information in the cloud.

Katakri, the national security audit criteria (kansallinen turvallisuusauditointikriteeristö), has been a suitable auditing tool for authorities in Finland for over a decade now. However, Katakri does not consider the particularities of cloud environments, which has constantly underlined the need for a modern auditing tool amid the growing adoption of cloud computing in many industries. The Finnish Ministry of Finance has advised the public sector to utilize cloud services while taking information security into account. PiTuKri (Pilvipalveluiden turvallisuuden arviointikriteeristö) can be used when acquiring a new cloud service or when assessing the security of an operational cloud environment.

Nixu contributing to the creation

Nixu has a strong background in secure cloud services. Nixu has taken part in developing the European Security Certification (EU-SEC) framework, creating concepts for European security verification. In addition, Nixu Certification, an information security inspection body, is an accredited CSA STAR (Cloud Security Alliance, Security Trust Assurance and Risk) and Katakri auditor. Based on this experience, Nixu contributed to the PiTuKri development process by commenting on the framework along the way.

Next steps towards safe digitalization

Nixu Certification is already working on a first cloud service assessment utilizing PiTuKri. This attests to a strong demand for the criteria. “We’ve invested in building a solid foundation for secure cloud in the EU-SEC framework. I’m happy that we can make a valuable impact on the national criteria as well,” says Niki Klaus, Managing Director of Nixu Certification. The security requirements for cloud services are under constant re-evaluation. NCSC will collect feedback for further updates. The criteria will soon be published in Swedish and English.