Full list of services

Leveraging privileged access management, various clouds and their users can be helped in a controlled fashion. When planned properly, the strong access rights are protected in a way where the malicious users have more difficult access to the privileged accounts decreasing breaches, while the correct users see benefits of simpler access to the various cloud services.

When moving to the cloud, agility and speed is the key and as a result management of privileged users may be initially be seen as a burden. These may include root or admin accounts, privileged user accounts, service accounts, application accounts or domain admin accounts. The burden is often initially ignored resulting in privileged rights being shared throughout different organizations and companies with eg. the cloud service provider, application developers, system integrator, internal developers etc. As the amount of different clouds and privileged users grows the management of these become a very time-consuming or less secure practice. Additionally, accounts with higher access rights than regular users, or privileged accounts, are frequently misused in breaches.

It is often impossible to run a separate security audit for each production release. Most companies have an increasing number of services, applications and components listening to the network and available for partners, customers, employees and virtually to everyone. While this is great for business, the complexity or the exposed systems have gone - or will soon go - through the roof. A bug bounty program can help you manage the complexity in an agile manner - and we can run it for you.

A bug bounty program does not completely replace the need for more traditional assessments or security engineering work, but it cost-effectively complements them.

For your distinct need, we provide two models for running the bug bounty program.

Private Bug Bounty Program:

Our expert team helps to define the digital boundaries where external hackers are allowed to operate. It can be a single application or a network of hundreds of targets.

Our expert team with proved skills and track record in successful bug hunting starts going through digital space and searching for anything a malicious actor could use.

Once weakness is found and confirmed, we report it to you using the method most suitable for you.

We help respond to the flaws by providing Nixu’s competences. Regardless of the need – we are here to help.

And we keep on going as long as our contract remains in effect.

Amendment of the Act on Strong Electronic Identification and Electronic Trust Services in Finnish legislation, put in force 1st of July 2016, requires service providers of strong electronic identification and signature to assess their compliance and deliver proof of compliance to the Finnish Communications Regulatory Authority (FICORA).

We are a certification authority approved by FICORA and provide customers with electronic identification and trust service assessments. We are an excellent partner for assessments, as we also have extensive experience on many other security frameworks.

Our specialists support building your cloud environment according to recommendations provided by the vendor as well as our own experience derived from working with various cloud technologies and being a member of the Cloud Security Alliance (CSA). With our help you can rest assured that your cloud services are built securely to ensure proper business outcomes and continuity.

With ramping up Infrastructure or Platform as a Service several services can be utilized quickly by several parties to decrease time to market. However, taking into account all security recommendations that are relevant for all parties for all services may be cumbersome. Nonetheless, in case these are not addressed properly, the end result may be a sub-optimal solution security wise. These may be costly and time consuming to address later on in the service lifecycle, possibly leading to downtime for the business and in the worst case scenario losing critical business data and reputation.

We can help assess the relevant risks for different cloud providers be it a technical assessment or administrative risk based approach to ensure that all the relevant measures and controls are in place to protect your business. Furthermore, we can help you assess that the certifications that the cloud providers have are relevant to you and cover relevant operations. When taking into use new cloud services we help ensure that the services are safe to use.

As companies have started adopting cloud at an increasing pace, several cloud providers have started providing specific services for different business units be it HR, Sales, Finance or Marketing. The benefits of these new solutions are often invaluable, however prior to moving business critical operations and data to the cloud these providers should have sufficient security measures in place.

We help organizations draw up a Cloud Security Framework to support their transformation based on methods we have developed over the years as well as utilizing knowledge developed with Cloud Security Alliance. The result of the Cloud Security Framework is a model, which identifies and mitigates the risks through safe processes covering e.g. vendor lock in, necessary controls, permitted data, and availability.

Generally, organizations have a cloud strategy or an idea on what cloud services to use and for what use cases. The benefits of the use case are generally well drawn out and compared to costs of implementing the cloud services. However often the risks associated with the use case may not be well defined if at all. This may result in making decisions based on an incomplete business case and in the worst case ending up in a difficult situation to remediate all the risks.

When moving to the cloud, we help you ensure that the relevant risks are identified and can be addressed accordingly. Our specialists can utilize different threat modeling frameworks to help define which one is most relevant for your business. We have vast experience in conducting threat modeling and analysis for products and services. The main benefit of Threat Modelling is to identify relevant threats and risks to provide valuable information for rational security investments and decisions.

When taking into use cloud services or building them yourself a generic model for security investments is made across the project without clear visibility on what the real threats and risks are. Therefore, it may be challenging to see the whole picture and whether the investments are reasonable and provide the appropriate value for that specific use case.

The Collaborator Security Audit Service provides customers possibility to verify that security status of their partners and collaborators does not create unacceptable risks, the contractual requirements for security are followed and that the processes and security governance of collaborators is sound and according to industry best practices. Nixu auditor will identify business critical assets, which are exposed to collaborators, and either verifies that contractually agreed security controls are protecting these assets or that the assets are protected based on industry best practices.

We also assess the compliance of identification and trust services. A legislative amendment that entered into force in 2016 requires all service providers providing strong electronic identification and electronic signatures to perform a compliance assessment and submit the assessment result to the Finnish Communications Regulatory Authority. The providers of identification devices, identification services and identification brokering services are all considered to be service providers. Requirements are largely based on the EU eIDAS regulation and commonly applied standards, such as ISO 27001.

We help you achieve compliance with the new EU Generic Data Protection Regulation (GDPR) quickly and cost-efficiently. Our Consent Management as a Service enables you to outsource tedious management of consent and GDPR compliance, so you can keep your focus on developing your digital business services. Additionally, our unique experience with digital identity, privacy management, and user authentication helps you harvest the benefits of digital business transformation faster.

Cloud Controls Matrix (CCM) developed by Cloud Security Alliance is a set of criteria aimed at providers of cloud computing services. The key principle is to provide users of cloud services transparency as well as assurance on the security of cloud service providers. CSA STAR certification can be obtained on top of ISO 27001 certification.

In the modern world, security plays a crucial part in overall product quality. We help you to embed cybersecurity into your DevOps by applying security controls, practices, and security testing technology. We support your journey in incorporating security to DevOps sprints and to your CI/CD pipelines. We will also enable visibility into your product security quality by creating security coverage dashboards that visualize the security state of your product.

Our unique experience on digital identity management and user authentication helps you to achieve digital business transformation fast. Lousy user experience with passwords is killing many innovative digital services - it doesn’t have to be so. Multitude of gradual user identification and authentication choices are available from Social Media logins to one-time passwords and risk-aware authentication. Authentication linked to a customer’s Digital Identity harnesses the customer data into the use of business. With easier customer on-boarding and login you can rapidly improve your digital sales.

Conducting a DPIA supported by Nixu ensures a reliable, verified process with input from multi-skilled team of technical and legal privacy experts. The process goes beyond the mere identification of risks and includes suitable mitigation measures for your organization. Nixu's method is comprised of use case and process workshops with technical and legal points covered. We draft data flow maps to bring clarity to the processing activities, conduct a full assessment of risk with all expertise areas covered and produce a comprehensive DPIA report. The DPIA results will be methodically reported including a specific description of processing with additional data flow maps, an expert assessment of the necessity and proportionality of processing, a full and compliant assessment of risk to individuals and legal, technical and organizational measures to address the risk. DPIA report will deliver you the proof of compliance required for authorities and organizational partners.

Nixu’s Data Protection Officer (DPO) as a Service ensures your organization’s designated DPO has extensive legal, technical and managerial privacy expertise. Your tailored DPO will be accessed through one main contact backed up by a multi-skilled team, guaranteeing availability also during holiday seasons and yearly flu epidemics. The DPO will handle and coordinate expert non-operative GDPR tasks such as contact with authorities, privacy training, DPIA specialist advice, reviews of accountability documentation and managing of data breaches. This specialist service stays up to date with privacy legislation and ensures you have the right items on your organization's privacy steering group.

With us you can be innovative. And secure. New Payment Service Directive, PSD2, is forcing banks to evolve rapidly into open banking. It enables a whole new marketplace for new innovative financial service providers. PSD2 as well as GDPR bring challenges in meeting requirements for risk based security management, continuous security monitoring and incident reporting. With our help, you can focus on innovative services and leave the security requirements to us. We help you in building secure digital platforms as well as making sure you are compliant with both PSD2 and GDPR.

Be it evaluation of your defensive capabilities or delivery of a new industrial environment, we will help you with testing the security controls of your ICS environment as well as your capability to react to a security incident. Depending on the scope, our services vary from ICS-environment security assessments as part of a desktop exercise to state-sponsored attack simulations on supply-critical utilities.

We provide the right types of identity and access solutions for organizations helping leverage made investments and expanding these solutions and processes as well as helping figure out new ways of working when taking into use new cloud services or helping with a hybrid cloud environment. In an optimal situation this is done with minimal visibility to the end user. Our goal is to ensure that the right people get the right access to the right resources at the right times for the right reasons, enabling the right business outcomes. This is especially valuable with cloud transformations.

People in general have become accustomed to quick usability of services from their consumer-driven cloud experiences, which has driven business cloud services to offer quick and easy adoption. Therefore, cloud services are adopted across organizations at an increasing pace.

However, this may lead to a situation where the cloud ecosystem is scattered across multiple organizations with difficulty in controlling access to the services. Due to the agile nature of cloud the identity of users’ needs to be addressed properly to facilitate service lifecycle. Additionally, there generally are challenges when migrating from one cloud to another or getting multiple clouds working seamlessly together be it within the organization or with external partners or customers.

Nixu Incident Response Service takes the responsibility of handling incidents from the point when Customer contacts Nixu to the point where the incident has been resolved and business is back to normal. The objective of the service is to help Nixu’s customers efficiently react and handle security incidents.

Successful incident response starts from the preparation and training of people to identify potential security incidents. A lot of the preparation involves Customer’s personnel and they are also the ones who will see the first signs of security incidents. This is why successful incident handling cannot be completely outsourced. To ensure that Customer and Nixu are prepared to incidents, know how to work together and that Customer’s key persons know how and when to use the service, Nixu’s Incident Response service includes service start-up project.

After the service has been initiated by the customer, Nixu’s Lead Incident Handler takes over leading the incident handling and ensures that Customer’s business is restored back to normal.

Your safety and continuity is our top priority. As a result, we are ready to take the lead in developing and maintaining the security of your ICS environment. In addition to implementing relevant security policies, guidelines, and technical controls, we will benchmark the security of your environments with industry standards and work together with you to make sure that your security is optimized to the relevant threat landscape and your risk appetite. Our highly experienced professionals have vast security backgrounds in ICS environments, especially in the oil & gas and nuclear industries.

We provide you with an information security team as a service. We will coach your team and secure your information. We will lead your information security and make sure that everything works. We do not simply write security guidelines based on identified risks, we push matters forward by giving instant feedback. We also employ proven models to guarantee that processes and people perform as expected. Once we have secured your operations, we will attack you aggressively to see how your defenses will hold. In addition to testing your systems, we will test your personnel using social hacking.

IoT devices are becoming smarter by the day. The data gathered from devices is used to make significant business decisions. The ability to trust the data coming from devices as well as fast, secure, and reliable software update delivery is necessary. Our job is to ensure that the integrity of your device components, software, and data is solid. Additionally, we make sure that tampering with your device components or reverse engineering your software functionality will be close to impossible. We will also ensure that your IoT platform can tolerate hostile devices and data poisoning.

For the past decade, Nixu has designed state-of the art security frameworks for connected devices, including low-energy products as well as back end systems, such as IoT platforms. Our solutions include secured communication, PKI, protected device key storage, secured multirole fleet management, as well as other advanced protection and verification services. For device protection, we always utilize the most suitable hardware encryption options, such as trusted execution environments and hardware security modules.

We will help you to design, create, and maintain a secure ecosystem, and enable a better customer experience, all without security trade-offs. We are happy to support our clients to move toward award-winning IoT solutions (https://www.nixu.com/fi/node/3866).

One of our services is ISO 27001 certification audits. The ISO 27001 certification is suitable for all organizations that care for their information security, particularly those that wish to prove to third parties that they are following secure practices. ISO 27001 focuses on the security management system. We also offer the opportunity to combine other frameworks – such as CSA STAR, VAHTI, Katakri and PCI – in the same inspection.

The best practices of cloud computing services are also described in standards ISO 27017 and ISO 27018. Officially, it is not possible to obtain a certification against these standards, but, in the context of the ISO 27001 certification, Nixu Certification Oy can provide the customer a statement of its compliance with these controls.

Katakri refers to the set of National Security Auditing Criteria that serve to evaluate an organization’s ability to protect classified information of authorities. Katakri is also used as a tool in conducting corporate security audits. Katakri consists of three subdivisions: T for security management, F for physical security and I for information assurance. While an official Katakri approval requires the assessment of all three subdivisions, an inspection body can issue a statement on an assessment that covers only a certain part of operations.

Nixu offers cybersecurity and privacy education services to all organizations from management to technical specialists in order to ensure they have the needed skills and knowledge to protect critical data and systems and implement new digital services securely. We at Nixu want to foster motivation and individual ability to detect cyber risks and act securely. Our services include cyber simulation exercises, online self-study courses, workshops, trainings and cybersecurity campaigns.

At the core of our Cyber defense service is Nixu Cyber Defense Center where our cybersecurity specialists and systems monitor, contain and remediate security threats on your behalf 24/7. We protect your core processes and people and provide you with ability to detect early and react quickly. Nixu Cyber Defense Center offers return-on-investment tools for non-technical business owners who want to secure the continuity of their trade. It creates value by offering security that your customers trust. Unlike basic security tools such as virus software, we can monitor your whole information ecosystem. Our team hunts for threats, monitors data and alerts from customer environments, and flags anomalies. Our response team leads the investigation whenever there is a recognized threat.

Nixu Multi-Factor Authentication (Nixu MFA) service is the easiest way to reduce the risk of identity theft and data leakage. Nixu MFA supports most industry standard authentication protocols, thus enabling wide service coverage for your on-premises and cloud services.

For user enrollment, user only needs to securely authenticate to Office 365 and then scan QR-Code with mobile app. No inbound firewall changes to the internal network are required; neither any VPN tunnels are needed between the services. Only outbound connectivity is required from your network. Deployment does not require any on-premises servers. You only install connectors that perform second-factor request via the secure connection to Nixu MFA. Read more »

PCI DSS Onsite Assessment is the assessment service for all parties that store, process or transmit cardholder data. We have experience in assessing different organization types such as large retail chains, small cafés, global service providers, payment gateways, airlines and banks. We don’t only assess, but help the customer in achieving and maintaining compliance as well.

The service is designed to be effective and cause minimal disruptions to the organization’s day-to-day operations. The assessment is divided into phases: Scoping, Documentation Review, Technical Tests and Site Visits, Interview and Observation sessions, Reporting and Closeout meeting. Each phase is carefully designed to guarantee a successful assessment with minimal disruptions.

PA-DSS services are intended for all vendors that develop payment applications. We can help in preparing for the validation, in remediating the non-conformities and in performing the actual validation. The PA-DSS validation service results in a validated payment application that is listed on PCI Security Standards Council’s web page. In addition, we provide a PA-DSS Preparation service that includes training, gap-analysis and a roadmap for achieving the validation. We also provide ongoing support as part of the Nixu Catalyst compliance management and support service.

PCI Preparation service is the initial step to PCI compliance. We train customer’s key personnel to understand PCI and its requirements. We focus on minimizing the customer’s PCI environment so that compliance can be achieved more cost effectively. The most important outcome of the service is a roadmap that contains clear tasks to be performed in order to become compliant. For each task, a cost estimate is provided and responsibilities defined. The roadmap can be further refined to become a project plan.

The next step after the PCI Preparation phase is usually remediation phase. We support this phase, and help ensure that compliance can be maintained also after the assessment.

Before launching your product onto the market, it is crucial to test the product for vulnerabilities. Our penetration testing service helps you to verify the security quality of the product, thus minimizing the possibility of a security breach that may affect many of your customers. Nixu’s penetration testing service varies based on your needs, from security assessments based on industry standards all the way to a hacker attack simulation – digital and physical. Our professionals will help you to define the right level of penetration testing assignment, based on the relevant threat landscape. Be it a web application or a trusted execution environment, our penetration testers are ready to attack your systems.

Our privacy support service offers privacy specialists to run your privacy program development. It will be tailored according to your organization's needs. Privacy support covers scheduled tasks, ad-hoc questions and crisis management. Continuous privacy support offers expertise at hand for everyday privacy issue, robust support at a crisis situation and expertly managed annual privacy program. A nominated privacy specialist will head the service, backed up by a multi-skilled team of cybersecurity, technology, IAM and legal experts. The service typically includes specialist ad-hoc advice for your DPOs, a team ready to assist in data breach cases and development of your privacy management capabilities.

For customers with product security teams, Nixu offers coaching services as well as major security incident exercises based on realistic scenarios created through threat modeling exercises and penetration testing activities. Our goal is to ensure that your company has the necessary security controls and practices in place to handle massive security breaches and to minimize the incident impact.

SCADA systems are the heart of industrial environments and are therefore a sweet spot for an attacker. Our role is to provide you with the capabilities to withstand a cybersecurity attack without compromising the core processes of your environment. Our services include technical and process-related projects to ensure a sustainable result for your organization.

We improve software development methods by introducing new security-enhancing elements in existing development methods, such as Scrum. These elements can be tailored to customer needs. Some of the elements we have introduced in the past include threat workshops, exploratory reviews and developer coaching in secure practices. We provide internal support and guidance for the development team, sparring with the team to ensure a secure software delivery.

Provided as a continuous service, secure software development not only steers the developers in a single project’s information security issues, but also helps improve their architectural solutions and software development processes. Individual projects can be supported by assessing the maturity of the developer team’s security solutions and practices. These assessments provide observations that are relevant also to the organisation's other development projects.

Providing the best customer experience is key to achieving customer intimacy. Our digital identity services enable you to get the most from advanced identity management solutions in order to provide your customers with functionalities such as fleet management without tradeoffs in customer experience, security, or privacy.
The digital identity service includes technology evaluations, implementation, maintenance, and feature development to enable the most secure device management via secured communication.

To support your various application and product development models, we offer security verification from traditional web applications assessments to automated vulnerability scanning services and bug bounty programs. Our Security Engineering experts can also help you to assess the required level security and support your developers improving application and product security. This enables you to ensure that security improvement costs are directed where they are most needed. We also conduct audits in accordance with a multitude of information security standards, recommendations and requirements.

Applying security as part of your design and product development enables your products to be capable of avoiding and withstanding security breaches. Our goal is to tailor a security framework within your existing product development process that meets your industry standards. We utilize known methodologies such as BSIMM, SAMM or Microsoft SDL, which include a variety of security controls and activities such as threat modeling, business impact assessments, code reviews, and more.

The national requirements for information security levels constitute a tool which helps different parties meet the requirements of national information security acts. These requirements apply to the Finnish state administration and its service providers.

Nixu has piloted and provided definitions for the Finnish government's information security levels and ICT contingency planning requirements. We have performed information security level audits for the state administration and formulated operational plans for achieving desired security. With regard to the private sector, we have incorporated the information security level requirements into our customers' compliance management systems.

How do you know which risks and threats you should look at when developing digital applications and platforms? Using threat modelling best-practices, our experts can help you to understand where you should focus your efforts in order to protect customer data and prevent security breaches. Threat assessment done early on, in the architecture design and planning phase, helps to ensure that necessary privacy and security requirements are met cost-efficiently.

As the industrial internet gains momentum, Nixu will support you in ensuring that the innovations created by your vendors do not jeopardize the safety and continuity of your production environment. We will help you to request vendors for security product standards, maintenance, and remote access capabilities to meet your industry best practices and standards. Depending on our client’s industry, we utilize the most recognized security standards and recommendations such as IEC62443, NIST, IAEA, ISO27002, NERC CIP, and more.

Nixu provides vulnerability management capabilities for the company CISO. We will determine your vulnerability level and tell you how resilient your information systems and networks are against common threats. Our experts analyze discovered vulnerabilities and give recommendations how to address them.

Our experts keep you posted about current and upcoming vulnerability and attack trends so you can proactively prepare and act on protecting your environments. Nixu translates technical vulnerability data to executive decisions on information security.