Cloud Services are Secured with Multi-Phase Definitions

A foundational part of Samlink’s cloud journey is to establish a sufficient security platform for Samlink’s strategic Azure environment. The work is a cooperation between the IT architects guided by the Chief Technology Officer (CTO) and Chief Information Security Officer (CISO).

The major security frameworks, e.g., ISO 27001 and the CIS Top 20 security controls list by the Center for Internet Security applicable to cloud resources have thoroughly been examined and it has been determined, which security controls are applied to Samlink’s modernized environment. The applicability of any given control will be dependent on the service provided and the data being processed, while always considering GDPR requirements.

The security requirements on a high level are driven by our contractual agreements with the Client Banks and the regulatory frameworks. They have then been further detailed to make it possible for the technical staff in Samlink to apply these for the different cloud-based environments. Some of the security functions are native to the cloud platform but they will be extensively tested and assessed prior to putting them into production to avoid unnecessary interruptions or incidents.

The process to define the security controls has been running for several weeks to make sure that the controls needed are included.

The next phase in early Q1 is to apply the security controls and start to test the setup to make sure everything works as designed, that the services being deployed into the cloud environment are sufficiently secure and that security alerts are received and monitored in the Security Operating Center.