Security Criteria Awareness

Overview of Security Criteria Awareness in Finnish Companies

Rantanen

Master’s Thesis, 05 2021
Technology, communication, and transport
Master’s Degree in Cyber Security

Description

Rantanen, Otto

Security Criteria Awareness - Overview of Security Criteria Awareness in Finnish Companies

Jyväskylä: JAMK University of Applied Sciences, May 2021, 79 pages.

Technology, communication, and transport. Degree Programme in Cyber Security. Master's thesis.

Permission for web publication: Yes

Language of publication: English

Abstract

Dell is a large American company with roots dating back to 1984. In 2015, Dell embarked on a project to acquire EMC Corporation, which was completed as one of the largest acquisitions in the IT industry and resulted in Dell Technologies. Because of its broad product and service portfolio, Dell Technologies is involved in the infrastructure of almost every enterprise-level company and, to a significant extent, of smaller companies.

The idea for the work came from my empirical findings when working with client companies. Dell Technologies’ service portfolio is constantly expanding, but leveraging it more efficiently requires an understanding of customer companies’ internal processes and needs. The purpose of the dissertation is to get an idea of Dell Technologies' customer companies’ knowledge of security criteria, as well as the possible need for external assistance in the Finnish customer field, so that Dell Technologies can better target its services to the right needs in the right way.

The theme interview was chosen as the research method, as it allows gathering large amounts of data from a relatively small sample. The theme interview is a qualitative research method, and the results from the interviews were analysed using narrative analysis and by pointing out the answers to the questions. Other relevant and possibly useful data was also analysed, and the data from which the conclusions were drawn can be found in the document.

The most significant finding was how large the difference in knowledge and application of the criteria was between public and private sector actors. Due to the small sample size, this should be treated with caution, and the companies' industry can also have a significant impact on the results.

Conclusions were drawn from a seemingly small sample, but the data collected helped to a significant extent to understand the needs of customer companies and how to target services to them. Possible further research around the topic could improve Dell Technologies' competitiveness in Finland's relatively small market area, where service provision plays a significant role.

Keywords/tags (subjects)

Appliance, Cyber Security, Dell Technologies, Framework, Security Criteria

Miscellaneous (Confidential information)

Appendices 3-6 are confidential and removed from the public thesis. The basis for secrecy is section 24(17) of the Act on the Openness of Government Activities (621/1999), a company’s business or trade secret. The period of secrecy is five (5) years, the secrecy will end on 25th of May 2026.

Contents

Acronyms ...... 4
1 Introduction ...... 5
1.1 Thesis Scope and Goals ...... 6
1.2 Dell Technologies ...... 7
1.3 Selected Research-Method ...... 8
1.3.1 Narrative Analysis ...... 12
1.3.2 Sentiment Analysis ...... 12
1.4 Goal of this Thesis ...... 13
1.4.1 Research Question ...... 13
1.5 Previous Research ...... 14
1.5.1 Summary ...... 14
2 Theoretical Base ...... 16
2.1 DELL Technologies Services ...... 17
2.1.1 Basic Deployment ...... 19
2.1.2 ProDeploy ...... 19
2.1.3 ProDeploy Plus ...... 19
2.1.4 Additional Deployment Time ...... 20
2.2 Appliance-based Infrastructure Solutions ...... 20
2.2.1 Dell Technologies Cloudboost ...... 21
2.2.2 Dell Technologies PowerStore ...... 21
2.2.3 Dell Technologies VxRail ...... 22
2.3 Appliance Related Vulnerabilities ...... 22
2.4 Global Cyber Events ...... 26
2.4.1 1994 – Russian Hacker Case ...... 26
2.4.2 Slammer Worm ...... 26
2.4.3 2020 – Vastaamo Data Breach in Finland ...... 27
2.5 Common Frameworks for IT-system Benchmarking ...... 28
2.5.1 NIST Cybersecurity Framework ...... 28
2.5.2 HIPAA ...... 30
2.5.3 PCI-DSS ...... 32
2.5.4 KATAKRI ...... 33
2.5.5 PITUKRI ...... 34
2.5.6 Common Criteria - ISO/IEC 15408 ...... 38
2.6 Theory Summary ...... 39
3 Theme Interviews ...... 41
3.1 Interview Invitation ...... 41
3.2 Interview Participants ...... 41
3.3 Interview Questions ...... 42
3.4 Interview Summaries ...... 43
3.4.1 Company A ...... 43
3.4.2 Company B ...... 45
3.4.3 Company C ...... 47
3.4.4 Company D ...... 48
4 Interview Results ...... 51
4.1 Overview of Results ...... 51
4.2 Sentiment Analysis Results ...... 60
5 Analysis ...... 65
6 Conclusions ...... 69
7 Discussions ...... 72
8 Further Study ...... 75
Appendices ...... 78
Appendix 1. Interview Invitation mail ...... 78
Appendix 2. Interview questions in English ...... 79

Figures

Figure 1. Sentiment analysis example ...... 12
Figure 2. Information and Cyber security illustrated ...... 16
Figure 3. Dell Technologies ProDeploy service suite ...... 18
Figure 4. Orca Security vulnerability report ...... 23
Figure 5. Orca Vulnerability Research Summary of Results ...... 24
Figure 6. Appliances sorted by grade ...... 25
Figure 7. Five functions of NIST cyber security framework ...... 29
Figure 8. HIPAA compliance checklist ...... 31
Figure 9. High-level overview of PCI-DSS requirements ...... 32
Figure 10. PiTukRi Definition of responsibilities ...... 35
Figure 11. PiTukRi information types ...... 37
Figure 12. A typical model for division of responsibility ...... 38
Figure 13. 5 steps to ISO/IEC 15408 compliance ...... 39

Tables

Table 1. Company Profiles ...... 42
Table 2. Interview results overview ...... 52
Table 3. Google sentiment analysis data ...... 61

Acronyms

COBIT CONTROL OBJECTIVES FOR INFORMATION AND RELATED TECHNOLOGY

EPHI ELECTRONIC PERSONAL HEALTH INFORMATION

HIPAA HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT

IAAS INFRASTRUCTURE AS A SERVICE

IEC INTERNATIONAL ELECTROTECHNICAL COMMISSION

IDPA INTEGRATED DATA PROTECTION APPLIANCE

ISO INTERNATIONAL ORGANIZATION FOR STANDARDIZATION

KATAKRI KANSALLINEN TURVALLISUUSAUDITOINTIKRITEERISTÖ (NATIONAL SECURITY AUDITING CRITERIA)

NIST NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

PITUKRI PILVIPALVELUIDEN TURVALLISUUDEN ARVIOINTIKRITEERISTÖ (CRITERIA TO ASSESS THE INFORMATION SECURITY OF CLOUD SERVICES)

PAAS PLATFORM AS A SERVICE

PCI-DSS PAYMENT CARD INDUSTRY DATA SECURITY STANDARD

PHI PERSONAL HEALTH INFORMATION

SAAS SOFTWARE AS A SERVICE

VAHTI VALTIONHALLINNON TIETOTURVALLISUUDEN JOHTORYHMÄ (GOVERNMENT INFORMATION SECURITY MANAGEMENT BOARD)


1 Introduction

During spring of 2020, I had been trying to get second-tier supervisors interested in my thesis for several months without echo and started to feel a bit frustrated. My lecturers had constantly urged me to come up with the topic of the thesis, preferably myself, to make it as pleasant as possible. Fortunately, I had decided to complete all the courses with honour first and only then focus on the thesis, as it would have been too burdensome to complete them at the same time.

During summer of 2020, I finally got an idea for the topic of my thesis, which I could do without having to force some technical work, but in turn I would get information about the current situation in customer environments around an important topic. This topic was strongly related to the knowledge of security criteria and to the need for outside help in managing and improving the security of production systems, as my empirical findings had led me to the perception that in many companies, security was implemented using outdated methods and cybersecurity was known mainly at the conceptual level.

Since I have always been a good conversationalist and listener, which in turn has helped me in my current job, I decided to interview representatives of multiple companies and to get an overall picture of their cyber security-related expertise and the willingness to acquire any cyber security-related services from third parties. My original idea was to conduct the survey in electronic form, but after discussing with my lecturer, I concluded that this way it would be almost impossible to obtain a sample large enough for reliable research. After a long reflection and background work, I ended up choosing a thematic interview as the research method, because in that way a large amount of information can be obtained from a relatively small set of people.

In October 2020, co-operative negotiations took place in my company, which resulted in the dismissal of my supervisor and two peers. The replacement supervisor was found quite quickly from Denmark, but this caused its own challenges, e.g., for communication. He also had to get acquainted with the thesis, after which we decided together to continue without changing the idea of the original work at all. Although the aim of this work is to find out the need to improve the security of technical entities that are only slightly related to the criteria, I will go through the best-known criteria, because understanding and knowledge about the criteria that a company uses for enhancing its security can at best provide a framework for the security-related work assignments.

Chapter one briefly introduces Dell Technologies and reviews the research objectives of this thesis as well as the chosen research method. The second chapter reviews the service offerings of Dell Technologies that are relevant to the thesis, provides a brief overview of the most common security criteria, introduces a few Dell Technologies appliance-based solutions, and reviews a few security incidents that could probably have been avoided with the adequate level of security at which the security criteria aim. The third chapter reviews the interview process and presents in summary form the answers of the interviewed companies, and these answers are presented in a simplified way in chapter four. In chapter five, I analyse the data obtained from the interviews using narrative analysis, the conclusions of which are presented in chapter six. Chapter seven discusses the work from an ethical perspective, highlighting possible factors that influenced the results, and chapter eight highlights opportunities for further research which can be done based on this work.

1.1 Thesis Scope and Goals

The idea for the thesis came from my personal observations from onsite work at Dell Technologies. I have worked for Dell Technologies for over ten years, and during those years I have implemented or deployed multiple solutions into customer environments. What has been interesting is that many customers will allow new systems to be put into production without going through systematic auditing or benchmarking before production can start. In smaller companies, even auditing criteria might be unknown or not so well known to sysadmins and other IT professionals; instead, information security is built by only following industry best practices. It is also noteworthy that a large proportion of appliance-based information systems contain cloud service components that are increasingly used, and some of the appliances are cloud service systems themselves, which means that there is an interface to the Internet that needs to be adequately protected.

I thought about a good thesis subject for a long time, and initially I wanted to make a technical thesis. This, however, seemed to be harder than I had thought, because the chain of command showed no interest in supporting thesis work. My local manager showed interest in my studies, and finally I came up with the idea of doing a theoretical work which could give some benefit to my company, in the form of gathering information about customers’ needs and using that information to offer additional deployment time to customers and to enhance their company’s information security. Technical work was ruled out as an alternative, mainly because its implementation would have required a very high "view" of customer environments and would have bound participating customers to a significant extent.

A few Finnish customers had already bought some consultation hours from Dell Technologies, and the work order was to do a basic security assessment of their environment; the target for the assessment was the Dell Technologies storage devices that were sold and implemented by Dell Technologies. The work order was somewhat inadequate, as the methods or criteria for the assessments were not given by the customer but were instead freely chosen by Dell Technologies. This showed the lack of systematic processes for enhancing information security and of information on which criterion would be best for them. After the initial idea, I noticed that Dell Technologies started to send posts that the services portfolio would be expanded to offers which include cyber security-related products. Given the interest shown towards our company in procuring cyber security services in the past, I was wondering if the services could be commercialized locally. This gave rise to the idea of interviewing clients whom I could easily get involved in the thesis.

1.2 Dell Technologies

Dell Technologies is a consortium of two technology giants dating back to 1979, when former fellow students Richard Egan and Roger Marino founded EMC in Newton, Massachusetts. Five years later, in 1984, Michael Dell founded a company called "PC's Limited" for only a thousand dollars and finished his studies at the end of the first year because he had a vision of how technology should be designed, produced, and sold. In 1987, PC’s Limited published its first computer and in the same year opened its first office in the UK. The following year, 1988, sales began to grow at an annual rate of 80 percent, and Dell was listed on the stock exchange under the name "Dell Computer Corporation." With listed financing, the company expanded its business in Europe by launching production in Ireland and better serving customers in Europe, the Middle East and Africa. In 1995, Dell expanded its global operations to Europe, Asia, and Japan to drive its business ideas globally. (Dell Technologies 2021.)


In 1996, Dell’s “world conquest” gained momentum with the opening of a customer center in the APAC area in Penang, Malaysia. The following year, 1997, EMC received worldwide recognition as the market leader in open storage. In 1998, Dell opened a new sales, manufacturing and support center in Xiamen, China, and announced production facilities in Ireland, Brazil, and the United States. Production and service expansions continued, and in 2001 two major milestones were reached, the first being 1st as a global supplier of computer systems and the second being 1st as a supplier of Intel-based servers. These developments were followed by a partnership with EMC in 2001, when Dell signed an agreement with EMC to provide more affordable enterprise-class data storage services to customers of all sizes. (Dell Technologies 2021.)

In 2004, Dell ranked third in China as a supplier of computer systems and services, with more than 60 percent growth in deliveries, four times the comparable market. In 2006, EMC expanded its software development by opening its first research and development unit in Shanghai, China. In 2013, Michael Dell bought his company off the stock market along with Silver Lake Partners to focus on long-term investments as well as innovation, and to accelerate its strategy. This resulted in a significant increase in customer satisfaction, which peaked in 2015. In 2016, Dell and EMC joined forces in the largest technology acquisition as Dell acquired EMC through large-scale financing arrangements, creating a common story to reach customers and their great ideas globally and promote human development. (Dell Technologies 2021.)

1.3 Selected Research-Method

The theme interview was chosen as the research method, as it allows gathering detailed data from a small set of people. This method is widely used in the behavioural and social sciences but is also applicable to other fields of research. A significant advantage of a thematic interview is its flexibility and the opportunity it offers to gather in-depth information. To get an idea of people’s world of values and ideas, as well as accurate, word-of-mouth information around the theme of the interview, it’s a good idea to talk to them. The interview is generally perceived as a pleasant method, and the interviewees are aware of the content of the upcoming theme, which helps them to prepare for the interview. Although the interview is seemingly easy as a method, the methodological literature warns against the deception of obvious ease and simplicity. Significant interview problems include the contextual and situational nature of the interview, and the interpretability of the results. (Hirsjärvi & Hurme 2008, 11.)


There are many open questions at the beginning of the research, which play a significant role in the success of the research: should the research be done quantitatively, qualitatively, or as a combination of these types? The credibility of the research can be increased by conducting a literature review at the beginning of the research, which confirms the basis of the research, e.g., by showing how the phenomenon has been studied in the past and with what results, as well as whether some relevant questions remained unanswered, providing direction for new research. (Hirsjärvi & Hurme 2008, 13.)

According to Valli and Aarnos (2018, 26), reaching the interviewees and scheduling the interview according to their availability is a laborious but rewarding process in which investing pays off. When looking for interviewees, it is also advisable to ask for possible replacements for the primary interviewees in the same context, in case the primary interviewees are prevented from participating. Valli and Aarnos (2018, 26) emphasize the effectiveness of direct contact and recommend, in the first contact in connection with the interview, briefly talking about the idea of the interview, the goals, and why the person in question has been chosen as the subject of the interview. Reviewing the above matters provides the contact with the opportunity to decline the interview at an early stage if he or she does not feel that he or she is a suitable person to be interviewed. If the material is to be processed anonymously, it is a good idea to mention this at the beginning. Anonymous handling of material can also make it easier for interviewees to get involved, especially if the topic being discussed is in any way sensitive. The interviewees may also have their own motives for participating in the interview, and according to Valli & Aarnos, such may be, e.g., presenting their own position, company, or operational perspective, or the interviewee happening to have positive experiences of previous participation in scientific research. (Valli & Aarnos 2018, 26.)

Once consent for the interview is obtained, it is important to decide where and when the interview will take place, and it is a good idea to agree on this weeks, even months, ahead, as especially when moving on a fast schedule, the interviewees’ calendars may be full. The importance of the interview venue is great, and the venue can be almost anything, but too much background noise should be ruled out to make it easy to focus on the conversation and, when using a recorder, to make the recording as clear as possible. In some cases, the interview environment can also act as a stimulus and thereby add value to the interview, especially in nature-related and in-nature interviews. When choosing an interview location, ease should be viewed from the interviewee’s perspective, ending up with an option that is as natural and effortless as possible for the interviewee or interviewees. If interviewees experience uncertainty in the interview situation due to a poor choice of location, the interview situation may become unnatural and stiff. If the interviewee invites the interviewer to their home, this is often a sign of commitment to the interview and trust in the interviewer, but in turn the interviewer must adapt to the situation, e.g., adjusting their behaviour to the expectations of the interviewee as they see fit. In summary, the behaviour of the interviewer and the interviewees is greatly influenced by where the interview is conducted, on the “ground” of the interviewer or the interviewee. It is also not necessary to arrange the interview as an individual interview; if necessary, a group interview can also be used, but this can make the subsequent transcription more challenging, e.g., distinguishing one speaker from another. (Valli & Aarnos 2018, 28.)

Because the interview is comparable in nature to normal social interaction, both parties have some idea of behaviour appropriate to the situation. For this reason, the interview is influenced by, e.g., the gender, class differences, age, educational background, and position in the organization or society of the parties. Social interaction involves preconceptions, and this might present as a strong defence of the interviewee’s own point of view or the party they represent. Due to preconceived notions, the interviewer must think about, e.g., the effect of their own behaviour, dress, and background on the interview. An unfamiliar environment, inexperience with interviews, or simply character traits can cause an interview tension that is good to start to unleash by first discussing other things and moving calmly toward the interview. The topic to be addressed may be sensitive in nature, e.g., because of the handling of confidential matters by the company or the interviewee, which is why it is important to build trust right from the start. The interviewee can also be made to “open up” by using a power transfer technique that addresses a topic that the interviewee knows more about than the interviewer. (Valli & Aarnos 2018, 29-30.)

The benefits of the interview are the opportunity to emphasize the interviewees in the interview situation as subjects, thus offering them the opportunity to raise issues as freely as possible. The interview is suitable as a form of research for the study of issues about which there is basically little information and where the interviewee's speech is to be placed in a broader context. The method also offers an opportunity to clarify the answers, e.g., by asking the interviewee for the reasons for his or her answer. There is no certainty in the minds of researchers as to whether an interview as a form of research is suitable for researching sensitive topics, because then the research subject may remain anonymous and intentionally distant. The disadvantages of the interview are the possible inexperience of the interviewer and therefore the inability to regulate the collection of material flexibly, in the way required by the situation and in accordance with the respondents. It is also quite a time-consuming process, as, e.g., finding interviewees, conducting an interview, and usually transcribing at the end of an interview is slow and time-consuming work. Incorrect information is also possible, as interviewees can give socially desirable answers and thus adversely affect the information collected. The interview as a form of research is quite free-form, and this poses its own challenges for the analysis, interpretation, and reporting of research results, as there are no ready-made models for these tasks. (Hirsjärvi & Hurme 2008, 35.)

In many cases, agreeing on interviews is one of the most difficult things to do with a thematic interview, because people's approach and possible disappointments, e.g., refusals, can affect motivation during the interview process. Direct contact is usually the best way to get people for an interview, but there are exceptions to this as well. When it comes time for an interview, it is important to be prepared for possible disappointments, because the researcher usually has their own expectations and the interviews given may not match them. Other problems can also occur, e.g., failure of technology, delay of the interviewer, or premature termination of the interview. It would be a good idea to hone your own practices in advance and do a few pre-interviews that can reveal any mistakes in the body of the interview. In an interview, it is also important to remember your own role as an interviewer, and not an interrogator, i.e., pressure to get answers should be left out, as interviews are based on volunteering. (Valli & Aarnos 2018, 42-42.)

After the first interviews, the researcher may be struck by despair and the notion that nothing can be gained from the collected material. However, this is often not the case, and after a few readings, there is usually quite a lot of usable information in the material, and "interim analyses" can also make it easier to find the information. Changing the theme framework may also come to mind, and how much it can be changed. Also, one's own behaviour in the interview can preoccupy one afterwards, and for the unfamiliar, hearing one's own voice in the recordings can also be confusing. After the interviews, it’s time to transcribe, which is best done as soon as possible, and several tools can be used for this. Transcription is quite tedious, and it can take an entire working day to unwind an hour of recording. (Valli & Aarnos 2018, 43.)

1.3.1 Narrative Analysis

Narrative material can be personal or public, and there is no exact limit on its length, i.e., it can be long or short. Typical of narrative analysis is its use in the analysis of stories with a beginning and an end, but the method is also suitable for the analysis of interviews where, for example, the plot structure is not examined. Narrative methods are suitable for the analysis of freely expressed things. Narrative analysis is characterized by the creation of content reports, abstracts, and plots. Narrative methods can provide significant information, but structuring and analysing it requires going through the source data several times. (Tampere University)

1.3.2 Sentiment Analysis

Sentiment analysis is a way to get emotional states out of a written text, no matter how carefully it is written, because the text always contains emphases, either in the direction of positive or negative emotions. The essential question in sentiment analysis is how to obtain credible emphases from a text that contains emotional content. Sarcasm poses its own challenges to sentiment analysis because computers do not understand it. (Arginelli 2015, 65-70.)

Figure 1 shows Google Cloud Natural Language snippets and their scores, from sample data entered into it from the transcribed interviews used in this thesis:

Figure 1. Sentiment analysis example.


1.4 Goal of this Thesis

Finland is a so-called "hybrid country" in its operating model, which has led to a wider range of expertise than usual for Dell Technologies field engineers, enabling their capabilities to extend beyond basic equipment installations. The purpose of this thesis is to find out whether companies need to use external resources to develop or audit the security of information systems. As a field engineer, I have over the years received several suggestions and tips about how to develop the service portfolio. Since it is a good thing to bring the security of the systems to a sufficient level immediately at the time of installation, whether it is based on criteria or not, it would be natural for field engineers to continue working from installation to system hardening, benchmarking, or both. Because the appliance-based systems offered by our company are usually the endpoints of the IT infrastructure and store the most essential thing for the entire communication, i.e., information, it is very important to protect them. Our company offers good guidance, e.g., in terms of telecommunication requirements, and as experts in these systems we have a strong skillset and knowledge of what network. This would also ensure an appropriate level of security in the systems they install from the start.

1.4.1 Research Question

The aim of the dissertation is to find out whether companies are interested in procuring work from third parties, such as Dell Technologies, in accordance with the requirements of the security criteria, as a purchased service. Section 3.3 reviews all the questions used to gather the required data from the thematic interviews, but the main question is:

Have you seen the need for external expertise to improve system security?

An answer to the research question is expected to be obtained with the questions set out in section 3.3, and additional information around the topic is collected with supplementary questions that clarify, e.g., procurement and criteria processes. As the thematic interview is a widely used form of research, the aim is to analyse all the information collected, as it can be of significant benefit in the future. Knowing the customer environment and operating models helps to serve the customer better.


1.5 Previous Research

Finding previous research data related to the expertise and understanding of Finnish IT experts about security criteria that are strongly linked to cyber security proved to be challenging. However, in her book "Change Management Competence - Key Contributor to Project Success", the results obtained by Anu Pokela in a thematic interview show that the method works when you want accurate information from a small group of people. Through her interviews, Pokela finds clear areas for improvement, especially regarding the qualifications of project managers, who feel they need additional training to perform their tasks better, and regarding change management teams, whose qualifications should be guaranteed from the beginning of the project. In particular, the experience of project managers being moved away from important parts of the project was clearly perceived as a challenge, and they felt a significant part of their working time was secondary to the success of the project. (Pokela 2013, 51-53.)

In their study "Security Assessment Process of IT Components for Cloud Infrastructure", Livshitz, Lontsikh, Golovina, Kunakov & Kozhukhova state that any IT system can act as a weapon against itself if it has not undergone an adequate security assessment. The same study refers to a Cisco report that found that about 57% of data is hosted in cloud services, but traditional data center-based IT is not disappearing anywhere, which means demands are also made on the parties involved in data center maintenance, installations, and deployments to protect the data. The conclusions of the article state that establishing a functioning process for IT security assessment is a significant and important step in ensuring the security of all IT components. To solve information security problems, the researchers recommend a "hybrid model", whose first part is based on, e.g., ISO27001, which is the administrative framework for security assessment. The second part may be based, for example, on the ISO15408 series of standards, which implement the technical security requirements of the environment. (I. I. Livshitz, P. A. Lontsikh, E. Y. Golovina, E. P. Kunakov & V. V. Kozhukhova 2020, 1-4.)

1.5.1 Summary

Finding research data that goes beyond the topic covered in this thesis proved difficult, but the research done by Livshitz, Lontsikh, Golovina, Kunakov & Kozhukhova shows that, especially for cloud services, early security assessment of new production systems plays an important role in overall data security. Anu Pokela’s thesis, on the other hand, shows that a thematic interview can produce significant results with a small sample, if the questions are correct and targeted at the right people. The same is also supported by the theoretical part on the thematic interview presented in section 1.3. My own research increases the general understanding of companies operating in Finland in terms of information security criteria, which helps to provide possible additional services in connection with product sales that they might otherwise acquire elsewhere. IT infrastructure auditing and benchmarking can be broken down into several parts, allowing systems delivered by Dell Technologies, for example, to be audited, hardened, or benchmarked by Dell Technologies engineers.


2 Theoretical Base

The rapid development of technology has inevitably led to a rapid tightening of cyber security requirements. Because in a highly digitalized world we are constantly more dependent on services and technology, we are also becoming more vulnerable to the threats associated with them. Cyber security extends the concept of information security to people and things and transfers the responsibility for security to all of us, whereas information security has normally been thought of only as a technological matter, which is a significant shortcoming. (Limnéll, Majewski & Salminen 2014, 9-10.)

Security in general involves the protection of both digital and physical information. Cyber security focuses on protecting digital data, as Figure 2 demonstrates. Since the output of "traditional" information security may be, for example, a printed document from an ICT system, the two are strongly linked. For this reason, cyber security also includes requirements for the processing and protection of physical information, but the weighting is on the protection of digital information.

Figure 2. Information and Cyber security illustrated. (Understanding difference between cyber security & information security. 2016)


Cyber security is a relatively new concept in the corporate world, and its understanding is still incomplete in many respects. Because of this, adopting new processes and moving from a traditional security model to a new model that encompasses much more than technical security can be quite a laborious process.

According to Limnéll, Majewski & Salminen (2014, 202-203), adopting cyber security practices in a company can face significant resistance, which can be alleviated by explaining to employees exactly how the practices affect the company's overall cyber strategy and its implementation. When thinking about cyber strategy, it is important to find out which things can be done with the company's own expertise and where outside help is desirable. The advantage of purchasing services is that in-house know-how accumulates while they are used, and the purchased services can be dropped when they are no longer needed. Expertise is required for cloud services and social media services.

Limnéll et al. (2014, 306) state that adapting to today's environment requires of companies a change in strategic thinking, a snapshot of their own IT infrastructure and an understanding of its current state, preparedness for more advanced threats and flexible solutions to combat them, centralized management, optimization of resource use, and the ability to maintain operations under attack.

2.1 Dell Technologies Services

Dell Technologies offers multiple bundles of services for both enterprise and smaller business customers. A bundle can be agreed during the acquisition phase of new systems or after purchase, which adds flexibility based on customer needs. The available service bundles are:

• Consulting Services
• Deployment Services
• Support Services
• Managed Services
• Education Services
• Virtustream Cloud Services


The portfolio is available in 118 countries worldwide. The ProDeploy suite consists of multiple service levels which can be bought alone or with additional deployment time, which increases the flexibility of the offering. Deployment work usually starts after the hardware or software has arrived at the customer premises, by going through the packing lists to ensure that the required assets are available and by obtaining initial information about customer expectations. Dell Technologies internal research shows that deployment time is 66% shorter when compared to deployment done by customers themselves. This sub-chapter goes through the Deployment Services suite more thoroughly, as it is the bundle that best suits service offerings related to new environments. Figure 3 summarizes the services included per selected Deployment Services level. (Dell Technologies 2020, 4.)

Figure 3. Dell Technologies ProDeploy service suite. (Dell Technologies 2020, 5.)

In connection with the acquisition of the ProDeploy package, the customer's needs are mapped during procurement negotiations, and adding e.g., security consulting services at this stage is easy. The scope, content, and interfaces of the work are always agreed on a project-by-project basis so that responsibilities are clear. It is possible to include consultation or security hardening work, for example in blocks of four hours. These "blocks" are work defined in the terms of the procurement and may be included in the procurement in the amount required.


2.1.1 Basic Deployment

Basic Deployment is the default level bundle, in which a Dell Technologies deployment technician performs the onsite hardware installation tasks, which are usually equipment rack and stack (R&S), backend cabling, and packaging material disposal, following Dell Technologies best practices. This level of service is available only during office hours and frees the customer company's employees from basic installation tasks. (Dell Technologies 2020, 5.)

2.1.2 ProDeploy

The ProDeploy suite offers 24/7 availability to help customers in IT transformation. It is a full-service portfolio from planning to implementation, with consistent expertise from a single source. ProDeploy guarantees a Dell Technologies certified deployment engineer, working via remote connectivity services (Zoom, WebEx, Skype etc.), to finalize the system configuration. (Dell Technologies 2020, 5.)

With ProDeploy comes a single point of project management, which means that a dedicated Dell Technologies Project Manager (PM) assists the customer during the whole installation project. After the project is finished, the Dell Technologies PM delivers full project documentation with knowledge transfer to the customer. This can be, for example, logical/physical topology documentation with the network configuration parameters of the installed systems. (Dell Technologies 2020, 7.)

2.1.3 ProDeploy Plus

The widest offering available is the ProDeploy Plus suite, which helps customers minimize the risks with mission-critical systems. ProDeploy Plus guarantees an onsite or in-region Dell Technologies certified Deployment Engineer for the work, together with a Technology Service Manager (TSM), for the best possible deployment experience. Other value-adding services included are 30 days of post-deployment configuration assistance, which gives the customer fast access to support in case further consultation is required. Dell Technologies also includes some training credits with ProDeploy Plus, which can be used on the Dell Technologies Education Services web site for product-related professional-level training. This service offering includes the possibility to add tailored services bundled to the system acquisition. (Dell Technologies 2020, 7.)


2.1.4 Additional Deployment Time

This is a service product sold in conjunction with hardware configurations, which allows the freedom to determine the service package to be sold as well as its scope. In Finland, these packages are sold from time to time and have been purchased, for example, for technical reporting, security assessment, or some additional work not included in the basic installation. This gives Dell Technologies and the client company ordering the work quite a wide range of opportunities to agree on additional work, but a precise delineation of responsibilities is desirable.

2.2 Appliance-based Infrastructure Solutions

As technology advances and new functionalities are introduced one after another, installing and deploying new production systems becomes increasingly complex. The solution to that is appliance-based products, which are designed to offer a limited set of services but include everything they need in the appliance itself. Wikipedia and many dictionaries describe a computer appliance as follows:

“Computer appliance: a computing device with a specific function and limited configuration ability” (Wikimedia Foundation, 2019).

This is true indeed, as appliances are usually built and designed to deliver a very specific set of functions and usually allow limited configuration, since the devices are factory-configured and require only deployment into the customer environment, after which production use can be started. However, appliances often contain several different and even complex hardware and software packages, which makes them challenging to protect.

Dell Technologies offers various appliance-based solutions for many purposes. The most common solutions are RecoverPoint, Integrated Data Protection Appliance (IDPA), VxRail, and CloudBoost. IDPA combines multiple Dell Technologies products (Avamar, Data Domain, and related software) into a single appliance to provide effective backup and recovery of data, and it has sophisticated built-in algorithms for de-duplication and compression. Dell Technologies VxRail is a hyper-converged solution which allows the deployment of a fully featured and functional VMware virtualization environment in a matter of hours. CloudBoost is a product meant for companies that run hybrid-cloud solutions, and it automates and accelerates backup and recovery of cloud workloads. Dell Technologies is a multi-billion-dollar company, and a full review of the product portfolio would be irrelevant to this thesis, so I will go through a few well-known products that are suitable from the perspective of this thesis. The following subchapters give a short overview of these appliance-based solutions, which are top offerings of Dell Technologies.

2.2.1 Dell Technologies CloudBoost

CloudBoost enables organizations to back up NetWorker (also a Dell Technologies product) workloads to either public, private, or hybrid cloud. It is a virtual appliance and can be installed in vCenter from an OVA file. The benefit to the company is the layer of abstraction it provides, which reduces vendor lock-in in backup operations. CloudBoost supports multiple cloud providers and uses strong encryption for data transfer by default. Significant cost savings can be achieved by using CloudBoost, as there is no need to set up a separate data center for backups; third-party services may be used instead. (Dell Technologies. 2015, 6.)

2.2.2 Dell Technologies PowerStore

Dell Technologies PowerStore is an appliance-based storage system based on Intel processor technology and designed to be scalable. As technologies have become increasingly complex, the design premise has been to provide rapidly deployable and scalable technology that incorporates significant new technologies such as NVMe-based disks and VMware integration. PowerStore uses state-of-the-art technology such as container-based microservices, advanced storage technologies, and integrated machine learning to make more efficient use of data. (Dell Technologies. 2021a, 6.)

It is available in two different models, T and X. The T model supports block, file, and vVol resources and is suited to several advanced use cases, e.g., relational databases, electronic patient records, and content repositories. The X model allows applications to be run directly on the storage system using the AppsOn feature, which is enabled by VMware ESXi running on the device. A PowerStore configuration can be deployed as a single appliance, and further appliances can later be added to the cluster as needed to obtain more resources. PowerStore's modern features also include Active/Active synchronization between two data centers, with separately purchased Metro node hardware and software components. (Dell Technologies. 2021a, 9.)


2.2.3 Dell Technologies VxRail

In today's world, the demands on digital services have grown exponentially, and this has posed significant challenges to IT organizations, as the complexity of the systems has also increased significantly. Every company has its own way and pace to meet these requirements, but noteworthy is Gartner's 2019 survey, which found that IT staff spend half of their time troubleshooting existing infrastructure problems, on hardware change processes, and on hybrid cloud strategy development and implementation tasks. Because half of the working time goes to maintaining existing infrastructure, the transition to new systems or cloud services is challenging. By reducing the complexity of IT, a company could free up resources for the design and implementation of new systems. (Dell Technologies 2021b, 5.)

The traditional way to build a new information system, which includes e.g., storage, computing power, networks, data protection, monitoring and reporting, and then designing how these all work together, can take up to 70% of a company's IT resources and budget. Dell Technologies' solution to these challenges is the hyperconverged system VxRail, which packages the traditional three-tier system (servers, storage, and network) into easy-to-install appliances. The transition to hyperconverged systems reduces the company's administrative tasks and thus frees up resources for the transition to a more modern IT infrastructure. HCI systems have the potential to reduce infrastructure costs and facilitate management regardless of the size of the workload and the depth of implementation. Lifecycle management and one-stop support are also significant benefits of HCI solutions. Buying instead of building speeds up system deployment, and over a five-year cycle the return claimed by Dell Technologies is as high as 489% compared to a self-built system. (Dell Technologies 2021b, 6-7.)

2.3 Appliance Related Vulnerabilities

In 2020, Orca Security scanned 2,218 virtual appliances using their own SideScanning technology and published a report on the results. Appliances were scored on a scale from 0 to 100 (0 being the worst possible), and the lowest score observed was 6. An appliance was scored 0 if it had an out-of-date operating system, included any of four critical vulnerabilities defined by Orca Security, had 20 or more vulnerabilities with a CVSS score of 9 or greater or 100 or more vulnerabilities with a CVSS score between 7 and 9, or, as the last criterion, had 400 or more unique vulnerabilities. Figure 4 shows how the results were distributed. (Orca Security Inc. 2020, 4.)


Figure 4. Orca Security vulnerability report. (Orca Security Inc. 2020, 5.)

As Figure 4 shows, 44% of the appliances are at the "Above average" security level or higher. 25% fall into the "Mediocre" group, and 31% of the appliances have either a poor or, in Orca's terms, a failed security level. This means that almost one third of appliance-based solutions need attention to make them safe to use. Figure 5 summarizes the results of the whole research and the scoring criteria. A score of 100 points means that there were no vulnerabilities to be patched in the system and the operating system is currently maintained; only 103 (4.6%) of the scanned appliances reached this result.


Figure 5. Orca Vulnerability Research Summary of Results. (Orca Security Inc. 2020, 14.)

Appliances suffer from much the same vulnerabilities as "normal" information systems. This is largely due to the basic nature of the appliance, as it is an entity consisting of several independent systems. An example is Dell Technologies' IDPA, which includes Avamar, NetWorker, and PowerProtect systems, all of which are also available as separate products. A significant advantage of the appliance is the ease of upgrade. For example, all hardware and software components in IDPA and VxRail can be upgraded with a single upgrade package, which may remove multiple software-based vulnerabilities at once. As many hardware appliances also include software appliances, this introduces more vulnerable components into the systems. One Dell Technologies appliance-based solution, "CloudBoost Virtual Edition", was included in the Orca research, and even though the software version was only six months old at the time of the research, it received an "F" on two criteria. This result is not among the worst ones, but neither is it acceptable for any business.

What was noteworthy in the study was that only 8% of the investigated appliances achieved an exemplary grade, i.e., contained few or no known vulnerabilities, as seen in Figure 6. Both small and large vendors had significantly vulnerable appliances, and often the same vendor had appliances at both ends of the spectrum. The number of vulnerabilities was directly related to the age of the appliance, and a more expensive product did not necessarily mean a safer product. (Orca Security Inc. 2020, 7-8.)

Figure 6. Appliances sorted by grade. (Orca Security Inc. 2020, 19.)

Orca's study was not selective: 2,218 appliances from 540 vendors were selected for it. Some vendors had only one appliance and some several. The only reasons to exclude an appliance from the study were high cost or a heavily customized or unusual operating system to which traditional vulnerability databases do not apply. (Orca Security Inc. 2020, 14.)
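The "score 0" criteria quoted above can be turned into a triage rule that runs over a vulnerability scan export. The following Python code is an added example, not part of the Orca report or of this thesis: it takes a list of findings (vulnerability identifier, CVSS score, affected package), de-duplicates them per identifier because the report counts unique vulnerabilities, and reports which of the five criteria an appliance trips. The finding records, the identifiers of the form CVE-0000-nnnn and the set of "critical" identifiers are constructed placeholders; Orca's actual four critical vulnerabilities are not reproduced here, and the CVSS "7-9" band is assumed to mean 7.0 <= score < 9.0.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List


@dataclass(frozen=True)
class Finding:
    cve: str        # vulnerability identifier as reported by the scanner
    cvss: float     # CVSS base score, 0.0-10.0
    package: str    # affected package; the same CVE may be reported for several packages


# Placeholder for the four Orca-defined critical vulnerabilities (assumption: not the real IDs).
CRITICAL_IDS: FrozenSet[str] = frozenset(
    {"CVE-0000-9001", "CVE-0000-9002", "CVE-0000-9003", "CVE-0000-9004"})


def unique_by_cve(findings: Iterable[Finding]) -> Dict[str, float]:
    """Collapse per-package findings to one entry per CVE, keeping the highest CVSS score."""
    unique: Dict[str, float] = {}
    for f in findings:
        unique[f.cve] = max(f.cvss, unique.get(f.cve, 0.0))
    return unique


def automatic_zero_reasons(findings: Iterable[Finding], os_supported: bool,
                           critical_ids: FrozenSet[str] = CRITICAL_IDS) -> List[str]:
    """Return the 'score 0' criteria the appliance trips (empty list = none tripped)."""
    unique = unique_by_cve(findings)
    n_ge9 = sum(1 for s in unique.values() if s >= 9.0)
    n_7to9 = sum(1 for s in unique.values() if 7.0 <= s < 9.0)   # assumed band boundaries
    critical_hits = sorted(set(unique) & critical_ids)
    reasons: List[str] = []
    if not os_supported:
        reasons.append("operating system out of support")
    if critical_hits:
        reasons.append("contains critical vulnerability: " + ", ".join(critical_hits))
    if n_ge9 >= 20:
        reasons.append(f"{n_ge9} unique vulnerabilities with CVSS >= 9")
    if n_7to9 >= 100:
        reasons.append(f"{n_7to9} unique vulnerabilities with CVSS 7-9")
    if len(unique) >= 400:
        reasons.append(f"{len(unique)} unique vulnerabilities in total")
    return reasons


def is_automatic_zero(findings: Iterable[Finding], os_supported: bool,
                      critical_ids: FrozenSet[str] = CRITICAL_IDS) -> bool:
    return bool(automatic_zero_reasons(findings, os_supported, critical_ids))


# Constructed sample: three appliance images (name -> (findings, os_supported)).
SAMPLE = {
    "clean-appliance": ([Finding("CVE-0000-0001", 5.3, "zlib")], True),
    "old-os-appliance": ([Finding("CVE-0000-0001", 5.3, "zlib")], False),
    "many-criticals": (
        [Finding(f"CVE-0000-{i:04d}", 9.8, "openssl") for i in range(1, 26)]
        + [Finding("CVE-0000-0001", 9.8, "libssl")],   # same CVE seen in a second package
        True),
}


def evaluate_sample() -> Dict[str, List[str]]:
    return {name: automatic_zero_reasons(f, ok) for name, (f, ok) in SAMPLE.items()}


if __name__ == "__main__":
    for name, reasons in evaluate_sample().items():
        verdict = "score 0: " + "; ".join(reasons) if reasons else "passes the score-0 check"
        print(f"{name}: {verdict}")
```

The de-duplication step matters in practice: scanners typically emit one row per affected package, so a single OpenSSL CVE present in three packages would otherwise count three times against the 20/100/400 thresholds.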


2.4 Global Cyber Events

Cyber-attacks cause companies mainly financial losses, but at worst they can lead to business closures or even threats to life and health. In the following sub-chapters, I go through some large-scale cyber events that could probably have been prevented with adequate protection and sufficient, modern cyber security countermeasures.

2.4.1 1994 – Russian Hacker Case

John G. Voeller's book "Cyber Security" tells of a chain of illegal fund transfers in 1994, when a group of Russian hackers managed to transfer nearly $3 million using a transfer procedure based on Citibank's static passwords. The attacked system was the "Citibank Cash Management System". The system processed about 100,000 remittances daily, and the total value of the transfers rose to as much as 500 billion US dollars a day. The criminals had managed to capture the static passwords of some users, and by reusing them they were able to transfer money to their own accounts. The traces eventually led to the Russian hacker Vladimir Levin. He was caught via a monitored telecommunications line, which he used to carry out a fraudulent transfer, and was arrested. As a result of the event, static passwords were replaced with one-time authentication tokens, which are in common use nowadays as part of two-factor authentication and help prevent thefts like this. (Voeller 2014, 107-108.)

2.4.2 Slammer Worm

On January 25, 2003, the "Slammer" worm, which exploited a buffer overflow vulnerability in Microsoft SQL Server, began to spread rapidly around the world, infecting computers at a rapid pace. As many as 75,000 computers were infected within 10 minutes of its release, and although a patch for the vulnerability had been released six months earlier, many companies had not installed it. The direct effects of the worm remained relatively small, but protocols were developed to facilitate the sharing of information in similar cases, and these protocols were applied during several subsequent virus and worm attacks, including Sobig.F and BugBear.B. (Voeller 2014, 107-108.)


2.4.3 2020 – Vastaamo Data Breach in Finland

In 2018–2019, the Finnish psychotherapy center Vastaamo was the target of a data breach which became public on 21 October 2020. The personal and patient data of a total of 33,000 people were taken, and some of it was published on Torilauta, the most popular Finnish-language discussion forum on the Tor network. The hacker, nicknamed "ransom_man", tried to extort money from both customers and the company itself by threatening to publish patient data. The unscrupulous nature of the breach was considered exceptional and sparked a wide-ranging debate in Finland on privacy and cyber security. (Wikipedia 2021.)

The first part of the breach is estimated to have occurred on November 25, 2018, followed by a second intrusion in March 2019. In the latter, the attacker is thought to have obtained all of the company's patient data for the period before November 2018 and part of the data after that. The stolen information includes patient records and personally identifiable information, including personal identity codes, as well as information about Vastaamo's employees. The compromised server had been exposed to the Internet, and the blackmailer claims to have used default credentials to get into the system. (Wikipedia 2021.)

The blackmail began on 28 September 2020, when the blackmailer sent his demand to Vastaamo, which believed that only about a thousand customers' data had been compromised and reported the breach to the Data Protection Ombudsman the following day. On Wednesday, October 21, 2020, "ransom_man" wrote on the Tor-based discussion forum Torilauta about the breach and demanded a ransom of 40 bitcoin from the company, threatening otherwise to publish the data of 100 patients daily. On Friday, October 23, the blackmailer uploaded a large file of over 10 GB to Torilauta, and he is thought to have accidentally released much more data than intended. Later, the blackmailer also began blackmailing individuals, demanding a ransom of €200-500 for non-disclosure of their information. Reactions to the blackmailer's actions were strongly negative. The police received significant help from IT experts as well as security companies, who felt it was their moral and ethical duty to help catch the perpetrator. To date, some 25,000 crime reports have been filed in the wake of the breach, and some ten victims have paid the ransom demanded by the blackmailer. (Wikipedia 2021.)


According to Yle's news (YLE. 2021a), the Vastaamo breach caused a significant peak in Finnish crime statistics. In 2020, 21,100 criminal reports were filed for the dissemination of information violating personal privacy, which is 20,700 more than in 2019. Yle news (YLE. 2021b) reported in February 2021 that Vastaamo had filed for bankruptcy and that no customer or patient data would be transferred to the part of the company to be sold, so that the new owner could start from a "clean slate" after the scandal.

2.5 Common Frameworks for IT-system Benchmarking

There are several models of security management, so today it is less common for a company to develop its own model. In this section, I present the best-known criteria for information security management; how well each can be implemented and applied in a company depends on how the criteria function in the company's own operating environment. HIPAA, for example, may not be suitable for a company whose business largely consists of electronic payment transactions, but it is well suited to the social and health sector. It is essential to know the criteria and their characteristics in order to choose the most suitable one for developing information security in the company's operating environment.

The criteria are very broad in content, and applying them at different stages requires familiarity. In this work the focus is on the technical requirements of the criteria, which are strongly linked to the implementation of a new production system, as a new information system may be introduced in the company as soon as it is ready for use. This does not mean that it is also secure. The following subsections go through the most well-known standards related to information security in general, with emphasis on a more detailed description of the technical requirements of the standards. KATAKRI and PITUKRI are discussed a little more deeply than the other criteria, as they are encountered quite often in my work and are designed and legally valid for the purposes of Finnish state actors. The NIST criteria are also reviewed a little more closely, as they are part of Dell Technologies' internal certifications in appropriate roles.

2.5.1 NIST Cybersecurity Framework

NIST, short for "National Institute of Standards and Technology", is an agency of the U.S. Department of Commerce. Its Cybersecurity Framework (CSF) is a set of criteria used primarily in North America. It was developed in response to US Presidential Executive Order 13636 and lists COBIT 5, a framework developed by ISACA for information technology governance that separates management from governance, among its informative references. Its purpose is to help companies identify and address cybersecurity risks as part of their overall risk management. It is divided into three parts: the Framework Core, the Implementation Tiers, and the Framework Profiles. It is suitable for international cooperation and for companies regardless of how technology-oriented they are. Figure 7 shows the five core functions of the NIST framework that can be used to improve enterprise security. (National Institute of Standards and Technology 2018, 5.)

Figure 7. Five functions of NIST cyber security framework. (What is the NIST cybersecurity framework? 2020.)

The Core of the framework is a set of desirable cybersecurity outcomes and applicable industry guidelines that create the conditions for implementing the framework. The core functions are Identify, Protect, Detect, Respond, and Recover. The Implementation Tiers describe how a company views cybersecurity risk and the processes it has in place to manage that risk; tier selection is the outcome of careful consideration of several factors, e.g., environmental, legal, and regulatory requirements. A Framework Profile is a profile suited to a specific implementation environment that considers the applicability of standards and guidelines to the company's operations and is strongly based on the company's risk assessment. Profiles can be used for self-assessments. (National Institute of Standards and Technology 2018, 3-4.)

2.5.2 HIPAA

HIPAA stands for "Health Insurance Portability and Accountability Act". It is a US law designed primarily for the social and health sector, and it aims to make the processing of confidential information more efficient and secure. Above all, HIPAA is concerned with the efficient, secure, and private transfer of patient data, which is comparable to the transfer of data related to customers, employees, and partners in normal business environments. In addition to making information processing more secure, it also generates cost savings, for example in the form of saved paper. The main purpose of HIPAA is to provide the healthcare industry with a standard for handling data securely. As a rule, strict requirements are imposed on the protection and processing of patient data regardless of whether the data is "at rest" or "in transit"; in the health sector and in HIPAA terms, "in transit" means data movement in any form. HIPAA sets Administrative, Physical, and Technical Safeguards for the environment. (Pabrai 2003.)

HIPAA's technical safeguards consist of e.g., network encryption, access control, integrity verification of electronic protected health information (EPHI), device encryption, accurate logging of access to EPHI, and automatic logout. Physical safeguards include workstation management, physical access control, mobile device security, and information on the physical location of data (server tracking). Administrative safeguards include risk assessment and systematic risk management, adequate staff training, prevention of unauthorized access, accurate documentation of all security incidents, and business continuity planning and disaster recovery testing. (HIPAA compliance checklist - what is HIPAA compliance? 2020.)

HIPAA also imposes rules on the company, of which the privacy and breach notification rules play a significant role if the company's information is compromised. They require e.g., informing both the affected patients and the HHS (U.S. Department of Health and Human Services) in the event of a security breach, and if the breach affects more than 500 patients, the media must also be notified. The breach notification must include a description of the information that was the subject of the breach, who accessed the system without permission, whether the information was only acquired or also viewed, and what mitigation of the harm has been done so far. Figure 8 summarizes the HIPAA compliance checklist. (HIPAA compliance checklist - what is HIPAA compliance? 2020.)

Figure 8. HIPAA compliance checklist (HIPAA compliance checklist - what is HIPAA compliance? 2020.)


2.5.3 PCI-DSS

PCI-DSS stands for "Payment Card Industry Data Security Standard". It was developed for the payment card industry to cover all entities involved in payment card processing, for example merchants, processors, acquirers, issuers, and service providers. Besides these, PCI-DSS also applies to all other entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD). Figure 9 gives a high-level overview of PCI-DSS. (PCI Security Standards Council, LLC. 2018, 5.)

Figure 9. High-level overview of PCI-DSS requirements. (PCI Security Standards Council, LLC. 2018, 5.)

PCI-DSS covers the entire system and all its components where payment card data is processed; this is called the Cardholder Data Environment (CDE). It includes the people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data. In a PCI-DSS environment, the systems to be audited and hardened include e.g., authentication servers and firewalls, virtualized components (virtual machines, virtual switches, virtual applications/desktops, and hypervisors), all physical network components, applications (internal and external, acquired and custom-built), and any components or devices included in or connected to the CDE. (PCI Security Standards Council, LLC. 2018, 10.)


2.5.4 KATAKRI

Katakri is a framework designed by the Finnish Ministry of Defence as part of Finland's internal security programme, and it was first produced in 2009. It was updated for the first time in 2011 by the Ministry of the Interior, which had taken over the responsibility for managing and updating the criteria. Katakri's second revised version had so many major changes that it was no longer considered an updated version but a new criterion in itself. The name Katakri, however, was so well known that it was retained as the name of the audit tool for authorities. (Finnish Ministry of Foreign Affairs 2016, 2.)

Like many other criteria, Katakri is a tool for an organization to assess its ability to protect sensitive information. Katakri does not set mandatory requirements of its own; instead it collects the minimum requirements for protecting national and international classified information that follow from national legislation and international information security obligations, and it is therefore well suited for the Finnish Defence Forces. An important source in building Katakri has been the Council Decision on the Security Rules for protecting EU Classified Information (2013/488/EU), and the transparency of Katakri has been ensured by always referring to the source when introducing a demand in the assessment criteria. (Finnish Ministry of Foreign Affairs 2016, 3.)

Katakri is divided into three distinct subdivisions which have different aims for information security management. The first subdivision (T) aims to ensure that the organization has sufficient security management abilities and skills to handle sensitive information in the right way. The second subdivision (F) sets and describes the physical security requirements by dividing the areas where information is handled into administrative areas, secured areas, and technically secured areas. Katakri subdivision F requirements should be based on continuous threat surveys and risk assessments, which means that the company should have implemented a cyber security management system (or equivalent). The third subdivision (I) defines the requirements for IT systems for information assurance. The requirements allow multiple ways of implementing the IT systems, for increased flexibility. Subdivision I also works as a supplement for protecting physical information, in addition to protecting digital information. (Finnish Ministry of Foreign Affairs 2016, 3.)

Katakri can be used both for the development of information security and as a guarantee of the level already achieved. This means that the framework can be used to demonstrate a company’s ability and processes to securely process information where it is needed. One of the aims of the framework is also to ensure that safety requirements are considered in the processes that address their requirements. Careful planning and implementation of safety measures can ensure that an adequate level of safety is achieved in relation to the risks. What is important in a company's ability to demonstrate the level of security achieved is systematic risk management. Adequate levels should be achieved by balancing between requirements, costs, and residual risk. (Finnish Ministry of Foreign Affairs 2016, 5.)

2.5.5 PITUKRI

PiTukRi is a criterion developed by the Finnish Transport and Communications Agency (Traficom) to improve the security of data stored in the cloud. It is intended as a tool for the security assessment of cloud systems and has been prepared with the national needs of the Finnish state in mind, which is why national legislation has also been considered in its preparation. The latest version of PiTukRi was revised in early 2020 and has been compiled with the help of the BSI Cloud Computing Compliance Controls Catalogue (C5), the Cloud Controls Matrix (CCM) of the Cloud Security Alliance (CSA), the ISO 27001 and ISO 27017 standards as well as the KATAKRI criteria. PITUKRI encompasses general RESTRICTED-level data protection requirements, giving its users the tools to keep known data protection risks at an acceptable level. It also covers level 4 (classified) of the Finnish state's national data protection requirements. The current version of PITUKRI is 1.1, which has been developed from the original, e.g., with feedback collected by the National Cyber Security Centre Finland (NCSC-FI). (Traficom 2020, 3.)

In addition to improving the security of cloud services, PiTukRi can also be used to support the independent information security work of a cloud service provider. It is designed to be applicable to a wide range of scenarios and cloud services, and its application must consider its "case specific" nature. In most cases, the interfaces for data protection can be defined both by the cloud service provider and by the client, as shown in Figure 10. Regarding the customer's environment, the requirements of the criteria must usually be considered partly for the cloud and partly for the customer's other infrastructure, and the environmental review can be supplemented, e.g., using the KATAKRI 2015 criteria. It can be very case-specific whether the criteria should be applied, for example, only to the customer's cloud-based components, to the components of the cloud service provider, or to both. The implementation of some protections may require cooperation at the interface between the customer and the service provider for the criteria to have the desired effect, and this also requires sufficient competence from all parties. (Traficom 2020, 4.)

Figure 10. PiTukRi Definition of responsibilities. (Traficom 2020, 4.)

When making evaluations, it is advisable to consider any evaluations or certifications performed by the service provider itself, as well as the technical details of the contract. The use of an independent body for safety assessment is desirable, and it should also be noted that the reliability of the results is largely influenced by the methods used for the assessment, such as document review versus proper technical testing and verification of the environment. The environmental assessment should be continuous, and other criteria can be used to verify compliance with PiTukRi requirements, but it should be noted that other criteria and certifications measure different things. It is also noteworthy that some criteria get their emphasis from the risk analysis performed by the company, and this approach is different from protecting classified information, which must be protected no matter where it resides. (Traficom 2020, 5.)


As the correct use of PiTukRi is case-specific, a well-designed risk analysis is a prerequisite before the criteria are applied, and in a multi-party collaboration where the assessment service is provided by a single central operator, each party is responsible for its own "plot". Possible overlaps should also be considered here, so that evaluations are not made more than once for the same issue. The availability of the service must also be considered, because even if the platform or application layers are redundant, a failure in either can prevent the system from being used. If several agencies are evaluated together, then the potential residual risk will also be accepted by all parties. PiTukRi is divided into eleven subdivisions, the first of which defines to a significant extent the possibilities for continuing the assessment for other chambers and supports the data protection work of the authority regarding information to be kept secret. Subdivisions consist of "requirement cards" that contain a description of the theme of the requirement, the scope of the specific requirement and its application, as well as additional information to support the interpretation and implementation of the requirement. As information is generally of interest at different levels of security, the information should be classified into the different types of information presented in Figure 11. (Traficom 2020, 6-7.)


Figure 11. PiTukRi information types. (Traficom 2020, 8.)

As per Traficom (Traficom 2020), Figure 12 illustrates normal responsibility interfaces in cloud services of different frequencies. At its simplest, a client company can rent or purchase a mere connection to the software needed for business operations, and everything else remains the responsibility of the cloud service provider.


Figure 12. A typical model for division of responsibility. (Traficom 2020, 10.)

A typical cloud service provider has a view of all unencrypted data, in which case it is necessary to consider, e.g., whether the company operates in the private or public sector, in which country the head office is located and whether the company is multinational, as well as other variables caused by international policies and legislation that affect information security in general. Data access requirements and agreements between national bodies may impose several requirements on where the service should be located. (Traficom 2020, 12-13.)

2.5.6 Common Criteria - ISO/IEC 15408

ISO/IEC 15408 is a flexible and constantly evolving standard for the development and evaluation of information security, whether software or hardware, with the aim of preventing the unauthorized use, modification, or interception of systems. Its flexibility allows for the use of several different assessment methods; this, however, requires caution from its practitioners so that the flexibility is not misused, and the framework should be well known to them. The results of the evaluation are strongly linked to the methods used and the safety parameters considered, so the properties of the components under consideration and the methods used must be well known to obtain credible and relevant results. ISO/IEC 15408 does not cover assessment methods; those are included in ISO/IEC 18045. ISO/IEC 18045 also does not cover the evaluation of results. Figure 13 summarizes the five-step principle. (ISO/IEC 2009, 6-7.)

Figure 13. Five steps to ISO/IEC 15408 compliance.

2.6 Theory Summary

There are multiple criteria to choose from, and each has its own approach to security. Choosing the most suitable criteria for an organization ensures the best security approach. It is also possible for a company to use more than one criterion, and in some cases this may even be mandatory if, for example, the company operates in more than one regulated industry. Orca's research, on the other hand, showed a low level of security for one Dell Technologies product at the time of installation. Typically, systems are upgraded during installation, but this does not guarantee that new vulnerabilities will be discovered after installation if the company does not take advantage of the systematic security management described in a few of the options in Chapter 2.5. Dell Technologies offers several appliance-based systems, only a few of which were introduced in this section. Appliance-based systems typically include multiple software components, making overall security management more challenging.

Chapter 2.4.2 introduced a cyber attack that infected 75,000 computers within 10 minutes of its release, even though a patch against it existed that companies had not installed. This clearly shows the criticality of updates and patch management. In this case, the virus fortunately did not cause serious financial losses to companies.

The examples presented in Chapter 2.4 show that security incidents have led to improved practices but can also be due to very small errors. The events of Example 2.4.1 led to the introduction of multi-step authentication and the abandonment of static passwords in banking services, thus potentially preventing many similar burglaries. The events of sub-chapter 2.4.2 were cited, e.g., in Finland, as later sections of this work describe, and led, e.g., to security audits and even the acquisition of a SOC service. The Dell Technologies service portfolio also includes much more than the offering outlined in Section 2.1, but it can be customized and tailored for specific company needs.


3 Theme Interviews

Client companies with which I already had a professional connection were selected for the interview phase, as the trust built between the interviewees and the interviewer facilitates the conduct of the interview. As a result of many years of cooperation, the companies' representatives were also considerably willing to help with the research, and I even received mentions on the subject that the work is topical and relevant, as experts say there is room for improvement in cyber security understanding. Because of Covid-19, it was decided to conduct the interviews via Zoom, although an interview at the client company’s premises was not ruled out if the opportunity arose.

3.1 Interview Invitation

The invitation to the interview was sent in the form of an informal e-mail as shown in Appendix 1, as the clients to be invited had already been familiar to me for a relatively long period of time. The invitation was sent in Finnish to avoid misunderstandings and to get more precise output from the interviewed representatives, as communication in one's native language is easier than using a foreign language. Already in the invitation, representatives of the companies were also sent exemplary questions to get an idea of the structure of the interview. After agreeing to the interview, I sent each employee participating in the interview a document in accordance with Appendix 2 in which the interview questions were asked. The document was sent in both Finnish and English. At no point were the company representatives invited to the interview expected to use anything other than their own mother tongue in the interview.

3.2 Interview Participants

Table 1 summarizes the company profiles and the interviewed employees with their official titles. The number of employees shown in the table has been intentionally rounded, so that the exact number cannot be traced to a company, for example in an Internet search. However, the numbers have not been adjusted by more than 10%.


Table 1. Company Profiles

Company   | Public / Private | Industry                   | Size (employees) | Participants | Roles
Company A | Public           | Public Administration      | 10000            | 2            | Team Leader, IT Specialist
Company B | Private          | Social and Health Services | 700              | 2            | Leading Expert, Chief Security Specialist
Company C | Public           | Education services         | 2500             | 3            | Security Manager, IT Specialist (2)
Company D | Public           | Public Administration      | 8000             | 3            | IT Specialist (3)

3.3 Interview Questions

The interview questions were chosen in such a way that they clearly show the potential need of companies for external assistance or consultation regarding security services. All company representatives were asked the questions listed below in the same format, and only the supplementary intermediate questions differed from the template. Below are listed the main questions that were asked in every interview:

Does your company use a systematic information security management and development model?

Are new systems being audited prior to production, either in-house or by a third party?


Are production systems “hardened” against certain criteria? If yes, what criteria do you use?

Have you seen the need for external expertise to improve system security?

Have you used consulting services related to IT security?

Has security been a major priority in the acquisition of an appliance-based production system?

Recently, have there been any security-related events in the world that have led to security-related measures in your own IT environment? What was the event and what actions did it cause?

Does our company offer enough information about current security vulnerabilities related to the systems you have acquired from them?

3.4 Interview Summaries

The summaries were written by extracting from the transcribed interviews the information content relevant to the research topic. The summaries only talk about companies and individuals behind aliases to ensure anonymity. The transcribed interviews are not attached to the appendices of this thesis so that the interviews cannot be linked to the target companies or the employees interviewed from the companies.

3.4.1 Company A

The first company interviewed was a provider of IT services to a city, and there were two participants. Both interviewees are long-standing experts, employed by the same company. They do not use a general model or criteria, but there were references in internal documents, e.g., to the ISO27001 standard. Responsibility for information security is divided between different units of the organization, which are, e.g., social and health services, and educational services. This division can be justified, e.g., because the activities of the units are very different, as is the information to be protected. The customer's representative specifically mentioned the strong data protection requirements for patient data. A data protection officer has been appointed for each unit, who is responsible for ensuring that the unit works and processes the information in accordance with the relevant requirements. Those in charge of the units report to the city's data protection officer.

The company does not audit individual devices, but entire information systems or their fragments. They do not have the time or resources to audit the firmware or the software of individual devices, so they rely on the equipment supplier taking care of the appropriate updates. For this reason, hardware and software are sought to be purchased through maintenance contracts that cover the above measures. Information systems are, as a rule, acquired as outsourced services, and their security is largely the responsibility of a third party. The company has also carried out internal audits, which have revealed vulnerabilities that need to be corrected. Penetration testing has also been done with their own resources. However, for new information systems, procurement relies very heavily on the know-how of service providers. The audit is also, in part, a mere control of usage, as the company also has services that are produced, for example, by a hospital district and that run in an external data centre. In this case, the responsibility for information security lies elsewhere, but the company itself has control over the correct use of the information.

Hardware fault tolerance also plays a significant role in the company, and efforts have been made to duplicate information systems. The easy upgrade of equipment and systems is a significant advantage that had played a significant role for the company, e.g., when purchasing a VxRail hyperconvergence system. The single-package upgrade philosophy significantly lightens the customer's workload.

The company had faced attacks that led to an improvement in the level of security over the past year. These had not targeted the company’s own information systems, but similar information systems in other cities. The measures had started with malicious software encrypting information systems, and as a result, a 24/7 SOC service had been acquired for the company. The company had also encountered a smaller software vulnerability for which a reasonably priced fix was no longer available. The software vulnerability affected Microsoft software. The official patch from Microsoft would have required a license renewal and brought maintenance costs, so that option was avoided by correcting the vulnerability with a third-party patch, which was, in the customer's view, in some sense an even better option than using the Microsoft patch.

When asked whether they thought they were getting enough information about updates and vulnerabilities, it turned out that, in their view, Dell was providing enough information. Representatives of the company did not feel that they had missed any important information on these topics.

3.4.2 Company B

The second interview was attended by specialists whose roles in the company are “Systems Specialist” and “Leading Security Specialist”. The company mainly operates as an end-to-end service provider in the social and health sector and has long experience. They are certified with an ISO20000 ERP system, an ISO9001 quality system and an ISO13485 medical device quality system, and have an active project to obtain ISO27001 certification. The audits leading to the current certifications have been performed by KIWA Inspecta. The interviewees were aware that ISO27001 audits in Finland are mainly performed by KPMG and Nixu. Audits are competitively tendered, but the aim is for most audits and certifications to come from the same operator, which reduces the amount of duplicated work.

The company performs commissioning testing whenever new systems are deployed, and the requirement applies to them as well as to third parties, within the limits of the agreements. I can also confirm this from my own experience, because in the interview we also stated that I participated in the deployment testing of the hyperconvergence system and, above all, the duplication of its services. The company has extensive internal expertise in benchmarking, safety improvement, penetration testing and other similar measures, so they do not feel the need for external expertise in these areas. Audits are a separate issue, as they must be carried out by an impartial third party. Customers and third parties have also conducted audits directed at the interviewed company.

The company demonstrated knowledge of the criteria, e.g., stating that HIPAA does not affect them because they are not in America, nor does PCI-DSS because they are not involved in payment card transactions. They said they use KATAKRI “in some situations”, and because they are dealing with SOTE (social and health care) systems, they need to meet the essential security requirements of the Finnish Department of Health and Welfare for Class A systems. The Vastaamo case, which received widespread attention in Finland, led to client-side security audits.

The company has placed emphasis on the easy upgradability of equipment and systems, and the customer mentioned, e.g., a VxRail system whose software components can all be upgraded with a single upgrade package. This has achieved significant benefits in terms of service availability and ease of upgrades. In procurement, information security requirements have been quite absolute; for example, information security either exists or does not exist. In other words, security requirements are mandatory requirements, while other requirements are scored. One pain point has been the middleware components: the software above and below them has been kept up to date, but sometimes the middleware layer that was once installed has not been updated. These cases have been cited, and various measures have been organized to remedy the problems.

A company spokesman also noted that many system vendors appear to have dropped out of the wave of development in terms of the security improvements made over the past 30 years. Their networks have been strongly micro-segmented for the last 1-2 years, and thus there are no single large network areas. A major problem they have encountered is related to the old-fashioned demands of system vendors for direct connections to their systems. The separation of substrates used for different purposes by micro-segmentation appears to be a challenge with such systems. The documentation of the systems supplied by the system suppliers has also been partially incomplete. For the last 4–5 years, the company has invested heavily in documentation and knowledge management, because of which the interviewees dare to claim that their company's documentation is above average. The customer also emphasizes that heuristics, vulnerability, and update notifications are at a very good level.

One of the company’s representatives is a “Certified Information Systems Auditor” and, in addition, he had just passed the “ISO27001 Lead Auditor” certification. The certified representative has been active in the company's audits, in which, e.g., subcontractors, technology and equipment suppliers have been audited.


3.4.3 Company C

The third interview was attended by three employees whose job titles are “Chief Information Security Specialist” (C), “Team Leader” (T) and “System Specialist” (S). All participants have extensive experience in IT assignments. The company has a security management model based on the ISO27001 framework but is not certified. As a public administration actor, the company also receives guidance from the Ministry of Finance and the Digital and Population Data Services Agency. Although the company operates under public administration, it has not come under pressure in terms of certification.

When acquiring new systems, the company uses its own resources to inspect the systems. None of the interviewees could say whether audits of the new systems had been commissioned from third parties. A security assessment is also performed for the new systems, based on a list of requirements prepared by the company itself, which in turn is based on, e.g., KATAKRI and VAHTI guidelines, as well as the application of the ISO27001 standard. The evaluation model is currently being developed, and their starting point is the newly adopted PITUKRI. The hardening of the systems is not done for the sake of hardening itself; rather, the aim is to find out that the basics are in order. There are no absolute requirements or criteria in the company's guidelines, except in some exceptional cases. Necessity and risk assessments are performed as the systems are reviewed. The company aims to carry out external system audits 1-2 times a year, but the audit is not tied to the procurement and commissioning phase, but to the systems already in production. These are carried out by third parties. The interview emphasized that more audits would be desired, but the large number of systems did not allow for this. Ideally, company representatives talk about a model in which all systems would be reviewed in five-year cycles.

During the commissioning phase and when making configuration changes, items such as which services the systems run and which ports they listen on, as well as firewall rules and data ownership, are reviewed. If deficiencies are identified, they are reported forward, and efforts are made to correct them as soon as possible. The interviewees were able to report that they have used an external consulting service at least once during the deployment phase of a new cloud service to find out how the system should be configured to be secure enough.
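The commissioning review just described (which services a system runs and which ports they listen on) becomes repeatable when a host's listening sockets are compared against an approved baseline for its role. The following is an added example and not code from the thesis or from any of the interviewed companies; it assumes socket data in the column layout of `ss -ltn` on Linux, and the sample output, the baseline and the host role are constructed for the example.

```python
"""Commissioning baseline check for listening services.

Added example: compare the TCP listeners found on a host with an approved
baseline and report deviations. Not code from the thesis or from any of the
interviewed companies. Assumes input in the column layout of `ss -ltn` on
Linux; the sample output and baseline below are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample in the column layout of `ss -ltn`
# (State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port). Not a real capture.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     0.0.0.0:5432         0.0.0.0:*
LISTEN  0       4096    0.0.0.0:8080         0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       128     0.0.0.0:9200         0.0.0.0:*
"""

# Constructed approved baseline for this host role: port -> address it may bind
# to. "*" means any interface is acceptable; anything not listed is a finding.
APPROVED_BASELINE: dict[int, str] = {
    22: "*",            # administrative SSH, reachable on all interfaces
    5432: "127.0.0.1",  # database must stay local-only
    8080: "*",          # the application port the system was procured for
}


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int


def parse_ss_output(text: str) -> list[Listener]:
    """Extract (address, port) pairs from `ss -ltn` style output, skipping the header."""
    listeners: list[Listener] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # Split on the last ':' so IPv6 literals such as [::]:22 are handled.
        addr, _, port = fields[3].rpartition(":")
        listeners.append(Listener(addr.strip("[]"), int(port)))
    return listeners


def check_listeners(listeners: list[Listener], baseline: dict[int, str]) -> list[tuple[int, str, str]]:
    """Return findings as (port, address, reason); an empty list means the host matches the baseline.

    Three deviations are reported: a port with no baseline entry, a baseline port
    bound to an address other than the one allowed (for example a database exposed
    on 0.0.0.0 instead of loopback), and an expected service that is not listening.
    """
    findings: list[tuple[int, str, str]] = []
    seen_ports: set[int] = set()
    for l in listeners:
        seen_ports.add(l.port)
        allowed = baseline.get(l.port)
        if allowed is None:
            findings.append((l.port, l.addr, "not in approved baseline"))
        elif allowed != "*" and l.addr != allowed:
            findings.append((l.port, l.addr, f"bound to {l.addr}, baseline allows only {allowed}"))
    for port in sorted(set(baseline) - seen_ports):
        findings.append((port, "-", "expected service not listening"))
    return findings


if __name__ == "__main__":
    for port, addr, reason in check_listeners(parse_ss_output(SAMPLE_SS_OUTPUT), APPROVED_BASELINE):
        print(f"port {port:>5} ({addr}): {reason}")
```

On the constructed sample the check reports the database port bound to all interfaces and an unexpected listener on port 9200; a per-role baseline kept in version control lets the same comparison be rerun after every configuration change, which is the point of tying the review to the change rather than to a one-off inspection.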


In the procurement of device-based systems, performance and scalability have been given more weight, and data security has remained secondary during the procurement phase. According to the company, the procurement requirements are mainly limited to large players, in which case the basics are already in principle in order. An example of information security aftercare is the company's report, according to which they know that they have systems that are vulnerable as such, whose information security is patched, e.g., by network technology methods. According to the interviewees, security is not very important in procurement, but it comes with the technical requirements. In their opinion, the procurement model could also be developed, but they still see it as good enough for now. There has also been resistance in procurement, and security has been seen even as a potential threat that makes procurement difficult. The interviewees showed both their belief and hope that the role of information security will be strengthened in future procurement.

Representatives of the company could not name any single event in recent history that would have caused direct action on the part of their organization. According to the interviewees, security incidents leading to immediate measures are generally rare in their organization, and due to the slowness of the organization, incidents usually lead first to discussions and then to policies and improvements. However, known vulnerabilities are being actively patched.

Representatives of the company expressed satisfaction with the vulnerability reports received from DELL Technologies. Satisfaction was also shown with the workarounds provided by DELL in cases where no formal correction is yet available. Overall, both representatives working on the “technical interface” were quite satisfied with Dell’s security-related communication.

3.4.4 Company D

The fourth group interviewed consisted of three systems experts who are extensively involved in the company’s IT projects in an expert role. The company does not have a security management model based on any criteria, but one is currently being developed. The experts did not dare to confirm this for certain, but they thought that they would know if such a model were in use. New systems in the company are being tested at a basic level, but there is no formal model for that either, although one is being developed. Individual devices for existing systems are not tested separately.

When hardening production systems, the company has used, e.g., KATAKRI, HIPAA and general good practices in the IT industry. The company has processes in place for ordering and using external expert assistance, and external assistance has been used, e.g., for one-off inspections, for some systems on an ongoing basis, and for some systems on an annual basis. The importance of device-level information security in procurement has not been emphasized in the past, but this is also changing and, according to the expert group, it will be at the top of the priority list in the future.

The company monitors security events around the world, whether it is a bigger hack or a smaller event, so that they can respond, and systems are constantly being developed and improved. The experts mentioned, e.g., the Vastaamo case, which was cited quite accurately. The Asian “state” was also mentioned, and, above all, its activities were perceived as relevant to information security. Crypto-ransomware has also caused the company to wake up to device-level security, and mitigation of DoS attacks has also played a significant role. According to the experts, global policy and states do not so much guide the choice of equipment supplier as the choice of partners with whom to cooperate. Recent events included a fire in France involving equipment that the interviewed company also has. The events in France led to investigations into equipment security in their data centres. The investigation covered, e.g., whether the equipment can be adversely affected.

According to company representatives, DELL provides sufficient information about vulnerabilities and updates, but the information was felt to come in “batch runs”. By this, the representatives meant that the information was not targeted at them, but that they received all the information related to, for example, Data Domain, and had to filter for themselves whether the information was relevant to their business or not. The structure of the information was also felt to be unclear, and finding sources was sometimes found difficult. This was felt to have generally got worse; according to the experts, 10-15 years ago things were better in this respect, and today the responsibility lies increasingly with the customers themselves. One of the customer representatives said he had recently given Dell feedback on the confusing layout of the support site.

Representatives of the company showed a clear interest in a TAM-type (Technical Account Manager) service that would ease their workload for the hardware of that supplier (e.g., Dell). One of the interviewees mentioned that in unclear situations it is still customary to call a company representative and ask for advice, and the TAM service is well suited for this. Interviewees also expressed a direct interest in working with Dell on security services, especially to get the right things done faster and better. Closer cooperation was brought into the discussion on the customer's initiative. Data was felt to be increasingly critical, and the focus of data security was felt to be on data networks and communications, while thinking about what happens to stored data has been neglected. Increasing understanding in this regard was considered important.


4 Interview Results

All participants in the interviews were between the ages of 30 and 60, and even the shortest work experience in the field was 10 years. The interviewees showed an active and interested attitude towards the interview and, as a rule, even though one of the interviewees took the lead in answering the questions in every interview, the others actively supplemented the answers when necessary. At the end of each question, the interviewees were asked if anyone had anything to add so that nothing essential was left out.

4.1 Overview of Results

The results of the interviews largely corresponded to my own experiences. Table 2 shows the answers from the interviews to the questions relevant to the study. As the table shows, there is a lot of dispersion in the companies' own security expertise and there is clearly room for improvement. It is noteworthy that of these four companies, by far the strongest internal security expertise or knowledge indicated by the interviews was found within the only company operating in the private sector, Company B.


Table 2. Interview results overview

Statement: Systematic information security management system in place?

Company A: No. Internal documents do, however, refer to ISO27001 in some cases. As a public administration actor, they follow, and must follow, state-level guidelines, which in turn depend on the nature of the information processed in the system.

Company B: The company has an ISO20000 ERP system, and ISO27001 certification is underway with the goal of completing it in 2021. One of the interviewees is ISO27001 Lead Auditor certified, so expertise in auditing and its requirements is clearly available in-house.

Company C: The company has an information security management model based on the ISO27001 standard. There are no plans to certify against the standard, nor is there any pressure from anyone to do so. As a public actor, the company is also guided by the Information Acquisition Act and receives instructions from e.g. the Ministry of Finance and the Population Information Agency. However, ISO27001 is the clear main framework.

Company D: No. Projects to develop more formal processes are underway.

Statement: New systems being audited before production?

Company A: New hardware is not audited when put into production, but new production systems are.

Company B: Deployment testing is performed in the customer environment on the company's own behalf and is also required from suppliers when deploying new information systems. Strong internal competence and testing ability.

Company C: New hardware added to a system already in production can be commissioned without inspections, but new production systems are inspected at the commissioning stage, without, however, being tied to any official reference framework. From the information security point of view, the systems are inspected against a list of requirements prepared by the company itself on the basis of KATAKRI and the VAHTI guidelines. The assessments are "light", but the experts do a more detailed technical examination. The assessment framework is currently under development and PITUKRI has been taken as the new starting point.

Company D: From the administrator's point of view, new systems are audited using the company's own resources. At least according to the interviewees, third parties have not been used for inspections.

Statement: Hardening is done per known criteria?

Company A: No. Internal documents do, however, refer to ISO27001 in some cases. As a public administration actor, they follow, and must follow, state-level guidelines, which in turn depend on the nature of the information processed in the system.

Company B: The company operates in the SOTE (social and health care) sector, so some systems use the information security requirements of KELA and the National Institute for Health and Welfare. KATAKRI is also partially in use.

Company C: Hardening is done following best practices in the field, but hardening the systems is not an end in itself; even in the procurement phase the main emphasis is on checking whether, for example, the basics have been done well. Necessity is based on a risk assessment, and e.g. in connection with system upgrades the services running on the systems, active network ports, and access and data ownership are reviewed.

Company D: No. Within the company, however, there are references to KATAKRI and HIPAA that are likely to be the starting points for the design of the future framework.

Statement: External expertise has been used for security improvement?

Company A: Safety of new production systems relies heavily on vendors and purchased consultation. The customer stated clearly that external expertise has been used and that this is an ongoing process.

Company B: Because the company is in the ISO27001 certification process, they must use external expertise for auditing. In other words, the audit is required from outside because it cannot be done by oneself, but all pre-audit work, including technical hardening, is done internally with the company's own resources.

Company C: Due to audits, external resources have been used. One interviewee was also able to name a case where an outside consultant had been used to help with how the cloud service should be configured to be secure.

Company D: Interviewees indicated that external expert services are used on an ongoing basis, for both regular and one-off inspections. They have the processes and existing contracts in place to order this type of work.

Statement: Has security been a major priority during acquisition of new production systems?

Company A: Fault tolerance and ease of upgrading systems play a significant role in procurement.

Company B: The ease of upgrading has been a significant factor, e.g. when purchasing a VxRail hyperconverged system. Representatives of the company mentioned as a significant advantage the updating of the whole system with all its components from one data package. One of the interviewees emphasized that in procurement processes, security requirements are quite absolute and not flexible.

Company C: Information security has not been emphasized in any way in procurement, according to those interviewed, but it was stated that the technical requirements of procurement usually limit suppliers to large players, in which case at least the basics are in order. Representatives of the company said they hope the importance of information security will be emphasized in procurement, but within the company, end customers sometimes see it as a necessary evil that they would like to ignore.

Company D: No, but as previous responses show, change is coming, and security will play a significant role in the future.

Statement: Cyber attacks noticed which have led to actions in their environment?

Company A: The company has noticed security events against the Finnish city of Lahti, which led to the acquisition of a 24/7 SOC service.

Company B: The back-office incident caused measures within the company that led to the discovery of a "non-critical" vulnerability. The Covid19 pandemic has also led to the introduction of new systems, and security concerns have played an important role in these, as one system has, for example, been remote patient reception.

Company C: Global security incidents mainly cause discussion and thus action within the company. Critical vulnerabilities are patched as soon as they are noticed and, according to the interviewees, this is "business as usual", i.e. quite commonplace for them. There have been no direct threats to the company itself within the last year or more.

Company D: The company monitors all security events in the world very closely and, especially since the Vastaamo case, they have received significant attention. The importance of equipment safety has also been raised in recent years and attention has begun to be paid to it. Interviewees also mentioned the reputation of the "Asian" state, which has caused security concerns; they wanted to make it clear that this is not so much about the country they work with, but about which partners are used. Against DoS attacks and cryptographic blackmail (ransomware) programs, countermeasures have been introduced.

Statement: Does Dell Technologies offer enough information about current security vulnerabilities?

Company A: Company representatives think that they get enough information from Dell Technologies once registered to its online services.

Company B: Representatives of the company said they were pleased with the update and vulnerability reports, related to heuristic data and system information, provided by Dell Technologies and VMware.

Company C: The technical participant in the interview expressed satisfaction with the vulnerability bulletins provided by Dell Technologies and said that they are available soon after the vulnerabilities become apparent.

Company D: The customer is satisfied with e.g. access to vulnerability information but hopes for development work on its structuring, as they feel that the information is not targeted but comes as "bundled" information packages from which they need to extract the information relevant to them. By utilizing the installation portfolio, the information could be customized to the customer and thus be easier to use.

4.2 Sentiment Analysis Results

Each transcript was translated into English, using my own language skills and Google's translation service. The sections containing information relevant to the analysis were extracted from the transcripts in the form in which the customer provided them. Data was collected by entering the English-translated interview transcripts into the Google Cloud Natural Language tool. The quotations and results used in the work were obtained with the demo version of Google's sentiment analysis tool, whose parameters cannot be adjusted by the user. Table 3 shows the answers in the form of quotations, broken down by interview question:


Table 3. Google sentiment analysis data

Does your company use a systematic information security management and development model?

"There are very strict regulations and development, but we do not have any general commercial model."

"In practice, we go in accordance with public sector guidelines and laws."

"The industries have always defined data protection officers, and there is a Data Protection Officer at the top level."

Are new systems being audited prior to production, either in-house or by a third party?

"If we are talking about an infrastructural device, then there is no inspection in use."

"We don't have the time or resources to do that."

"However, we don't have the resources, and if there's a vulnerability in Dell's hardware that Dell can't fix, then we don't have the resources to do so either."

"Various scans and network area visits and other such studies have been carried out on a risk-based basis."

"Those assessments are more or less light, we cannot go very deep under the hood in general either, that then it is J and the partners who do the more technical examination, from their own starting point."

Are production systems "hardened" against certain criteria?

"If you think about the patient system that is produced for us by the hospital district, it runs in their data center, but then again, we have users using it and we must audit its use for us, then we have not asked the third party to check whether it is okay as far as I know."

"Actually, HIPAA now we're not touched because we're not in America and PCI-DSS doesn't touch us either because we don't do things with financial traffic."

Have you seen the need for external expertise to improve system security?

"We have more than a dozen experts in the safety and risk management group and then, of course, the personal and expertise of production and information management on top of that."

Has security been a major priority in the acquisition of an appliance-based production system?

"And that was also the case with the acquisition of VxRail, so in my opinion that those updates had to come by pressing one button in a way, that it then updates all the companies and drivers and all from one piece that you don't have to read any horrible matrix to read that when you get to upgrade which company and it requires a boot and what dares to do."

"I am not saying that I am entirely satisfied with the way in which procurement is made, but I think that the current system is quite functional in spite of everything."

"I am not talking about our internal procurement either, but if, for example, a faculty wanted to acquire a service, then we would rather bypass that security than include it in that discussion."

Recently, have there been any security-related events in the world that have led to security-related measures in your own IT environment?

"Maybe that 6 months is still a short period on the public side, but if you take a little more of that time interval, here are a few municipalities that had to take such an intrusion that there were malware or cryptographic programs installed there and their operation clotted."

"However, the acquisition of the SOC service, for example, is such a large and expensive purchase that it is not done very quickly."

Does Dell Technologies offer enough information about current security vulnerabilities related to the systems you have acquired from them?

"Aces and Skylines and VxRail's update, and vulnerability notifications are at a good level, at a really good level."

"It has improved considerably in recent years."

"I can't answer for the technical side, and I haven't even been kicking any tech guy to do something, but of course this, cyber events like this always cause discussion and reflection on whether things are the way it should be in our organization."

"I am particularly pleased that once a week there is such a battery of vulnerabilities and bugs coming to me in an email and I read it through every week and see if there is something we need to react to."

"In that sense, I am very pleased with Dell Technologies' actions in this respect, that there will be those weekly coverages and, in addition to that, if something critical comes up, it will be emailed immediately."

"Then if I go into that information again, it will not be sensibly structured in any way."

Other quotes from the interviews

"As such a small anecdote, I have to say that the incredible resistance to change is in the app providers to these security improvements, and incredibly ignorant are some of the suppliers in terms of how security has been improved over the last thirty years."

"If you throw it from the hip, then telecommunications account for 90% of data security and 10% is the equipment itself in the background, it clearly has a development side and it is not our core area of expertise, that is, there is clearly a place for development."


5 Analysis

Does your company use a systematic information security management and development model?

The results show that two of the four companies (B and C) used a systematic management model based on the ISO27001 framework to maintain and develop their security, and one of them (B), which operates in the private sector, also expects to certify that model in 2021. The other two companies (A and D) did not have clear, company-wide processes or models for information security management; one (A) relies more on government guidance and the other (D) has ongoing projects to implement such models. Considering that Companies A and C are similar public sector actors, it can be concluded that there are large differences between the models and processes used by companies even within the same sector.

Are new systems being audited prior production, either in-house or by a third party?

Regarding audits or inspections of new systems before deployment, it is noteworthy that in every interview it had to be clarified whether the question concerned, for example, a single device or an entire information system. In Companies A and D, inspections are systematically performed only for new information systems but not for new hardware components of an existing information system. Company B carries out production acceptance testing during the commissioning phase and also requires third parties to participate. Company C acts like B and carries out a "sanity check" type inspection of new systems with its own resources, without requiring the involvement of a third party.

Are production systems "hardened" against certain criteria (e.g., HIPAA, KATAKRI, PCI-DSS, etc.)? If yes, which criteria do you use?

All companies showed in the interviews that the criteria essentially related to information security are not unfamiliar to them, although they may not be completely familiar with them. Company A's representatives only mentioned that they had noticed references to the ISO27001 standard in their internal privacy statements, but no criteria serve as an official guideline. Company B had an ongoing project to obtain ISO27001 certification in 2021 and had an ISO20000 ERP system in place. One of Company B's interviewees had just passed the ISO27001 Lead Auditor certification, so systematic security maintenance is clearly in place, especially given that the certified interviewee has a leadership role in the security-related organizational group.

Have you seen the need for external expertise to improve system security (benchmarking, security enhancements, etc.)? Have you used consulting services related to IT security?

Only one of the companies interviewed did not see a possible need for external expertise in systems security development, and this was Company B, which is also the only private sector company. All other companies have used or continue to use external expertise to develop security and configure systems properly to achieve an adequate level of security. Company C, for example, used an external consultant for the correct configuration of its cloud service. Company D has an ongoing contract and internal processes for using external consulting, and it is used on a regular basis. Company D also most clearly expressed interest in deepening the collaboration between Dell and the customer on security consulting services. Company B has required the equipment or system supplier to participate in commissioning testing, but this is usually already included in the procurement.

Has security been a major priority in the acquisition of an appliance-based production system (e.g., VxRail)?

Regarding equipment procurement and the emphasis placed on security in it, the clearest position was expressed by Company D, whose representatives said that there was almost no emphasis on security in procurement, but that this is changing due to ongoing projects. Company C, for its part, stated that security is only loosely emphasized in procurement, while for Company B certain security requirements are "absolute" in procurement. Company A only emphasized the importance of fault tolerance and ease of upgrades in procurement.

Recently, have there been any security-related events in the world that have led to security-related measures in your own IT environment? What was the event and what actions did it cause?


When interviewees were asked about recent security incidents and whether these had caused action in the company, the representatives responded quite extensively. Company A mentioned a recent incident involving municipal sector actors in which ransomware and other malware caused significant downtime in production systems, leading to the acquisition of a 24/7 SOC service at Company A. Company B operates in the SOTE sector; it had to take control measures because of middleware software components, and the COVID-19 requirements for remote patient clinics and video communication services, which had to be set up within a short period, set their own requirements for Company B as well. Company C said that it notes significant security incidents and that events lead to action as needed, guided by internal discussion. Company C aims to patch critical vulnerabilities quickly, and no single event has recently led to any out-of-the-ordinary inspection. Within Company D, concerns were raised about a recent fire in France involving UPS systems such as those used by the company, as the problem intersects with the physical security of the data center, which from a security point of view could in turn affect telecommunications.

Does Dell Technologies offer enough information about current security vulnerabilities related to the systems you have acquired from them?

Company A was most clearly satisfied with the security bulletins it received and was familiar with the use of the Dell Technologies Support Portal. Company B also reported that, thanks to heuristics and data, communication is at a very good level, especially when it comes to Dell Technologies' subsidiary VMware. Company C mentioned as a good thing the weekly collection of new vulnerabilities, which makes it easy to go through potentially relevant new vulnerabilities in its own products, and the overall updates and security vulnerability reporting by Dell Technologies were considered very good.

The most critical of the level of information was Company D, whose representatives said that information was available but that they did not consider it very well structured. In their view, notifications of updates and vulnerabilities come in a so-called "batch run" and are targeted only loosely, not precisely to their installed base, which is why they themselves must do a lot of work going through the data and figuring out what is relevant and what is not. Company D also stated, unlike the other three companies, that they felt Dell Technologies' vulnerability reports arrived with a significant delay. In their opinion, the information was also poorly structured, and the hyperlinks were often broken, which made it even more difficult to find relevant information. Their direct suggestion was to mirror the vulnerabilities against the customer companies' hardware database so that vulnerability reports would only be sent for the products actually in use. However, the representatives of Company D expressed their satisfaction with the content.


6 Conclusions

The topic of the thesis proved to be interesting to me and supported my previous empirical observations on the understanding of information security criteria among company employees and companies. I feel I have learned a lot of new things about the functions of the client companies I have been working with for several years, and I also believe that the information gathered from the interviews will help sales representatives, as well as pre-sales engineers, to identify potential sales opportunities related to information security in customer meetings. At Dell Technologies, field engineers play a significant role between sales and the customer, and the knowledge and understanding of customer needs they convey can play a crucial role in making new purchases. In the early stages of the project, I even considered implementing work involving technical auditing in client environments, but the bureaucracy and risks required for this type of project proved too great.

Answers to the first question, "Does your company use a systematic information security management and development model?", showed that the internal processes of the companies and the way they implement security differed very significantly; although the sample size was small, the models of all companies were very different. Company B, whose internal know-how and processes were strong, clearly stood out to its advantage. For this reason, I see it as difficult for Dell Technologies to target relevant expertise at them, but the three other companies are all potential customers, e.g. for Dell Technologies system audits or security documentation services that extend the value of the "as-built" report.

The second question, "Are production systems "hardened" against certain criteria?", showed that the internal documents and processes contained references to the criteria, and that they were known in every company, but only Company B applied them systematically. This correlates with my own observation that, in addition to knowledge of the criteria, there are also shortcomings in the business world in their application, which gives Dell Technologies the opportunity to provide criteria-based security services to businesses.

Only the private sector operator, Company B, made it clear that they did not need external expertise to harden or test their environment. The three other companies have outsourced services, and Company D has an active in-house process to procure external consulting when needed. Companies A and C have also resorted to external consulting, and Company C has used cloud security consulting, for which Dell Technologies has exactly that expertise; so as a conclusion to question three, "Have you seen the need for external expertise to improve system security?", it is entirely possible to sell these companies customized service solutions from Dell Technologies' extensive service portfolio.

Company A emphasizes the importance of hardware fault tolerance and upgradeability, but it is possible that other issues were overlooked in the response, as the application of security criteria was quite loose. The private sector operator, Company B, expressed that security requirements are absolute, i.e. they either exist or do not exist, which helps to show that they are considered in procurement. Company C indicated in its responses that it is clearly aware of the security vulnerabilities of its systems and seeks to address them by either working around or upgrading, but they do not play a significant role in procurement, although the experts would like to place more emphasis on security, despite security requirements being seen as a threat to smooth procurement. Company D emphasized that the role of information security in procurement was currently almost non-existent but reported active projects that will change this, which showed that the importance of information security has been noticed and is being developed.

All companies had noticed security incidents promptly, and the Vastaamo case had led to measures, especially in the operations of Company D. Company A had introduced a 24/7 SOC service because of certain security breaches, and Company B in turn had to deploy many services due to Covid19, which had to be reconsidered from a security perspective. This is a strong indication that ongoing security developments in the world lead to at least a discussion within companies. This is not surprising, but the results show that although the sample of companies interviewed was small, a few well-known events nevertheless affected their operations. All interviewees felt that Dell Technologies provides sufficient information about vulnerabilities and updates, but that there is much room for improvement in how it is structured and filtered. Company B most clearly expressed its satisfaction but did not comment at all on the breakdown and targeting of the information, while Company D placed considerable emphasis on these. From this it can be concluded that even the question "Does Dell Technologies offer enough information about current security vulnerabilities related to the systems you have acquired from them?" was viewed from slightly different angles in the companies, and e.g. Company B did not seem to be affected by the amount of information.

Customers can be said to be quite satisfied with Dell Technologies' reporting of security vulnerabilities. Company D gave good feedback that the information does not match its equipment base, so a lot of irrelevant information is involved, but this may be due to out-of-date assets left in the equipment base. To improve this, Dell Technologies should improve the cleaning of hardware records so that information unnecessary for the customer's environment is not shared.
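The two mechanisms discussed above, matching bulletins against the customer's installed base (Company D's suggestion in the analysis) and pruning stale records from that base before matching, are easy to show in code. The following is an added example written for this page; it is not Dell's tooling and does not reflect the Dell Support feed format. The asset and bulletin records, product names, version strings and bulletin identifiers are all constructed for illustration, and the field names ("product", "fixed_in", "last_seen") are assumptions.

```python
"""Filter vendor vulnerability bulletins against an install base.

Added example, not part of the thesis or of any Dell tooling. All records
below are constructed; the record layout is an assumption.
"""
import re
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Asset:
    asset_id: str
    product: str      # product family as recorded in the install base
    version: str      # software/firmware version currently deployed
    last_seen: date   # last inventory check-in; used to detect stale records


@dataclass(frozen=True)
class Bulletin:
    bulletin_id: str  # constructed identifier, not a real advisory number
    product: str
    fixed_in: str     # first version that contains the fix
    severity: str


def version_key(version: str) -> tuple:
    """Order dotted numeric versions; non-numeric fragments are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_affected(asset: Asset, bulletin: Bulletin) -> bool:
    """Affected = same product family and a version older than the fix."""
    return (asset.product == bulletin.product
            and version_key(asset.version) < version_key(bulletin.fixed_in))


def prune_stale(assets, today: date, max_age_days: int = 90):
    """Drop records that have not checked in within max_age_days.

    This is the 'cleaning of hardware stocks' step: a decommissioned box
    left in the inventory keeps attracting bulletins nobody needs.
    """
    cutoff = today - timedelta(days=max_age_days)
    return [a for a in assets if a.last_seen >= cutoff]


def relevant_bulletins(bulletins, assets):
    """Return {bulletin_id: [asset_id, ...]} for bulletins that hit at least
    one asset; bulletins with no matching asset are dropped as noise."""
    hits = {}
    for b in bulletins:
        matched = [a.asset_id for a in assets if is_affected(a, b)]
        if matched:
            hits[b.bulletin_id] = matched
    return hits


# Constructed sample data: products, versions, dates and ids are illustrative.
TODAY = date(2021, 5, 1)
ASSETS = [
    Asset("dd-01", "Data Domain", "7.7.1", date(2021, 4, 28)),
    Asset("dd-02", "Data Domain", "6.2.0", date(2020, 9, 3)),   # decommissioned, never removed
    Asset("vx-01", "VxRail", "7.0.240", date(2021, 4, 30)),
    Asset("vx-02", "VxRail", "7.0.300", date(2021, 4, 30)),     # already at the fixed release
]
BULLETINS = [
    Bulletin("EX-2021-001", "Data Domain", "7.7.2", "critical"),
    Bulletin("EX-2021-002", "VxRail", "7.0.300", "high"),
    Bulletin("EX-2021-003", "PowerEdge", "2.10.0", "medium"),   # product not in the install base
]


def targeted_report(bulletins=BULLETINS, assets=ASSETS, today=TODAY):
    """End to end: prune stale assets first, then keep only bulletins that matter."""
    return relevant_bulletins(bulletins, prune_stale(assets, today))


if __name__ == "__main__":
    for bulletin_id, asset_ids in targeted_report().items():
        print(bulletin_id, "->", ", ".join(asset_ids))
```

Run as is, the report contains only the two bulletins that hit a live asset (the PowerEdge bulletin is filtered out and the stale Data Domain record no longer triggers one). Pruning on last_seen before matching is what keeps "batch run" noise down; without that step the decommissioned dd-02 would still be reported as affected.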

Orca's study, presented in chapter 2.3, showed that even a large company like Dell Technologies can have significant vulnerabilities in appliance-based products. Although products are updated during installation, the transition from installation to production can take up to months, during which time a significant number of new vulnerabilities can appear. For this reason, a system upgrade and at least a basic security assessment should be done before production starts. This approach is also supported by chapter 1.5 of the dissertation "Security Assessment Process of IT Components for Cloud Infrastructure", which emphasizes performing an adequate security assessment of all new systems at the earliest possible stage.

To summarize the answers and conclusions to the main question of the thesis, "Have you seen the need for external expertise to improve system security?", it can be stated that although the sample in the thesis was small, there is clearly a need for external expertise, and Dell Technologies sales representatives should consider increasing targeted service sales in the small Finnish market. Here, however, it must be borne in mind that sufficient know-how must be found in-house so that any service sales can be carried out in a diverse and professional manner, and that the quality of the work performed can be mirrored against the requirements of the criteria.


7 Discussions

The importance of information security and of the customer's operating environment cannot be overemphasized in work like this. I was entrusted with quite confidential information about the companies' processes and understanding of the criteria, as well as about their own internal expertise. It was decided at an early stage to keep the transcribed interviews of company representatives confidential so that they could not be linked to the companies and possibly allow malicious actors to take advantage of the issues raised. At the beginning of each interview, I made it clear that the attachments would be classified and that I was bound by professional secrecy on everything discussed, because in addition to conducting the interview as an individual, I also represented Dell Technologies at the same time.

Representatives of Company C said that it would have been possible to publish the transcripts of the interviews alongside the thesis, but I still ended up minimizing the risks and withholding the transcripts. This can affect the credibility of the work, as readers will not be able to draw their own conclusions directly from the transcribed text but will have to settle for the interview summaries, the summary table, and the analysis done by me. In other words, the "raw data" is not available to outsiders. The social desirability typical of a thematic interview and the desire of the interviewees to show their company in a good light can distort the answers, but I see no significant reason for the interviewees not to tell everything or to distort or belittle their message. In the interviews, I represented a service provider with whom all the companies had a strong connection, and because it is in the customer's best interest to be as truthful as possible and to highlight negative issues, I have no reason to doubt the reliability of the information in this thesis.

From the commissioner's point of view, there is no reason to distort the data. In my role, I have acted as an intermediary between the customer and Dell Technologies' vendors and sales support for almost 11 years, and now the questions were targeted and initiated only by Dell Technologies. The needs assessment was welcomed, and there is a clear demand for such a dialogue. Good cooperation begins with taking the customer's needs into account. Although no previous research data was found on the subject, I do not think this diminishes its credibility, as the research data is confidential information obtained directly from customers. It is apparent from the transcripts that similar information would not have been entrusted to third parties without deeper cooperation with them.

73

Trusting to me the information, I think it tells me about the willingness of companies to cooperate, as well as their trust in Dell Technologies.

The video conferencing was conducted using the Zoom app, and only the questions were shown visually in the app; I did not require anyone to use the camera, nor did I use it myself. After each question, interviewees were asked, “Does anyone have anything to add?”, because in remote interviews it is more difficult to focus on the topic. Three of the interviews were conducted by video conference and only one at the client company’s premises. It is questionable whether all the interviewees were fully dedicated to the interview situation or whether they possibly did something else at the same time, which may have weakened their ability to concentrate and thus affected the amount and accuracy of the information collected. Considering all the above, however, I do not see that the conduct of the three remote interviews affected the amount of information collected, as I felt for myself that each participant in the interview was active and devoting the time set aside for the interview to the interview itself.

All interview subjects were sent a transcribed interview and asked if they would accept the content of the interview in written form. All parties stated that my transcription was truthful and as such available for the purposes of the work. Although the transcribed text omits e.g. intonation, expressions, and gestures, as well as relevant pronunciations, etc., I do not think it is relevant in the context of this interview, as the interviews were quite relaxed and confidential, so I have no reason to assume that any information was intentionally withheld from me. One of the participants in the first interview had an academic background of their own and advised me to stick to the original questions for the sake of fairness, although even after the first interview I noticed that the wording of the questions was not perfect. This, too, is ethically correct in my view for the study, as changing the questions as the interview process progressed could have significantly changed the answers of the interviewees.

Data mining was also attempted at the end of the dissertation by first translating the transcripts into English and then running them through Google's and Atlas.ti’s sentiment analysis tools. Both tools brought up the same things from the interviews that I had manually picked from them, because the answers were easy to mirror to the themes of the Thesis. Learning to use sentiment analysis tools could have visualized the data used in this work, but the schedule placed its limitations on this. However, the small sample size showed that my own picks matched the weightings picked up by Google’s sentiment analysis tool. Understanding and proper execution of sentiment analysis would first have had to be adopted to be able to use it reliably and credibly. The remaining time to complete the thesis simply ran out.

The thesis sample is relatively small compared to the issue at hand, considering that I alone deal with dozens of client companies. However, it does not diminish the value of the information gathered, as the information already gathered through this interview can better serve client companies, and understanding their processes can make the work of both me and my colleagues easier. In conclusion, a larger sample (number of companies interviewed) would certainly give a better picture of the overall understanding of companies about security criteria, but this does not significantly reduce the value of the data obtained in this Thesis. I believe that the interview deepened the professional relationship with the companies involved and that it is good to continue the professional cooperation going forward.

The amount of data used in this work was relatively small, and it was easy to find roughly the same things in the transcripts as with Google’s sentiment analysis tool. When dealing with a larger amount of data, I would see that this or a similar tool would be almost necessary for the smooth structuring and review of information. However, this would require significant familiarity with the tools required for it, and thus, within the time allotted for this work, a more in-depth application of the tools is excluded from this Thesis.

8 Further Study

As far as the development of research is concerned, the first step I see is to ask similar questions of a larger sample, so that more accurate and credible conclusions can be drawn from the data obtained. A questionnaire-type survey could also offer significant benefits due to its ease, but this option excludes accurate information about company-specific processes, etc. It is also necessary to determine whether Dell's internal processes are flexible enough so that any sale of security services does not become too administratively cumbersome, and the benefits outweigh the disadvantages.


Appendices

Appendix 1. Interview Invitation mail

Appendix 2. Interview questions in English