5. About the Security in Altinn

On this page:

5.1 About Information Security in Altinn

Digdir is obligated to maintain responsibility for information security according to the Personal Data Act § 1, cf. GDPR Article 32. Information security includes:

• Ensuring confidentiality; protection against unauthorized access to the information.
• Ensuring integrity; protection against accidental alteration of the information.
• Ensuring availability; making sure that adequate and relevant information is accessible.

Furthermore, Digdir is required to comply with the requirements for processing activities as stipulated by relevant laws and regulations. Additionally, the data processing will be carried out according to current system documentation and other procedural descriptions for Altinn. Documentation on this is available upon request for, among others, the Data Protection Authority and the Privacy Appeals Board.

ASF has committed to actively maintaining an understanding of relevant threats and risks, and to maintaining adequate security measures based on a decided level of risk. An overview of measures is updated in the registry of processing activities for Altinn.

Furthermore, each service owner must manage the access their own employees/consultants have to information in the documentation about the Altinn solutions and in the service dialogue between the service owners and ASF. Access should be governed according to service necessity.

In the agreements with several of our subcontractors for Altinn II, it is required that they comply with their own processes and routines from their ISMS. Regarding Altinn 3, Microsoft Azure complies with a number of national and international standards and is audited by third parties.

Rules have been implemented to support a secure development process, and we have also introduced automatic tools to further support achieving secure code of good quality. Privacy and security assessments are conducted for all new requests for needs. All bug fixes and changes are checked for security vulnerabilities both logically (function) and technically (code). Fixes and changes that may have a security risk are security tested using recommended techniques before deployment to production. We engage third-party consultants periodically for security testing of major changes and review of existing functionality.

Risk assessments are conducted related to new functionality in the solution and when introducing new tools and systems for use in development or management of the solution. It is required that the providers for system operation and application operation of Altinn II also perform regular risk assessments, as well as in changes related to the solution. For Altinn 3, Digdir conducts risk assessments itself and uses hired security consultants as needed. Hired development and management resources also contribute.

Regular security audits of the Altinn solution, both Altinn II and 3, are carried out. Service owners in Altinn can request to be presented with security audits showing how Altinn handles the service owner’s data, and also have the opportunity to request further security audits. Security-related information may be subject to special restrictions regarding access and dissemination, which the service owner must comply with, including that the information may be classified according to the Security Act.

5.1.1 Risk Assessment

As mentioned above, Altinn is subject to strict security requirements. Risk assessments are made and updated continuously. Risk mitigating measures are implemented to reduce risks.

Also, for cloud operation of Altinn, analyses of risks and vulnerabilities have been conducted, with corresponding risk mitigating measures. In the following, we will discuss risks with a focus on the end-user’s privacy.

5.1.1.1 Integrity and Confidentiality

Threats to the integrity and confidentiality of the end-user’s personal data already exist in Altinn II, which is operated and managed “on-prem” using private suppliers. With cloud operation of Altinn by an international cloud provider, we have assessed that the risk profile does not change.

There is a certain risk that the cloud provider or its subcontractors have unauthorized access to data in the solution, which could be exploited by a high-capacity threat agent.

However, there are significant advantages for the integrity and confidentiality of using a reputable cloud service provider like Microsoft, as such a provider has significantly greater capabilities in working with information security than smaller, local, suppliers with significantly fewer resources and means.

5.1.1.2 Availability

Regarding the availability of the data, Microsoft Azure has a high service level and uptime. However, the standard terms contain provisions that the provider can shut down its services or terminate the agreement on very short notice.

This risk would entail that, theoretically and contractually, there is a possibility for change related to the availability of the end-user’s personal data, even if the daily service level could be better than already established national operational solutions.

However, we also assess that a large international cloud service provider depends on trust and availability of its solutions and the customer’s data. And that the provider will go to great lengths to ensure very good availability.

5.1.1.3 Right to Information and Access (Transparency)

It is Digdir through ASF that will handle the registered individual’s right to information and access to data for which we are responsible for processing.

Service owners will handle the registered individual’s right to information and access to data in their services, for which the service owners are responsible for processing. The standard terms of cloud providers generally include provisions that the provider will support such requests from the customer. Therefore, we do not see that the risk of breaches of the registered individual’s right to information and access will increase with the cloud operation of Altinn.

5.1.1.4 Correction, Modification, Limitation, and Deletion

As is the case for information and access, it is still Digdir through ASF that will handle the registered individual’s rights related to this. And in most cases, Altinn will have to refer the end-user to the public entity that is the source of the basic data information that Altinn uses, or the service owner for the individual service in Altinn.

We cannot see a greater risk of breaches of the registered individual’s right to have their personal data corrected, modified, or processing limited.

5.1.1.5 Linking of Datasets

Regarding the improper linking of datasets, the risk for this will not increase in principle – as it is still ASF and the service owners who will control this.

5.1.1.6 Specific Aspects of Cloud Services

Entering into a contract with an international cloud service provider means a large foreign company as a contractual party. This has consequences for the agreement that is entered into, which largely consists of standard terms.

This is relevant because the law and principles of interpretation of another country often must be applied in the contractual relationship. Digdir’s agreement with Microsoft is subject to Irish law. This introduces interpretation risk, process risk, and practical limitations in our ability and willingness to legally pursue breaches of the agreement.

5.1.2 Risk Mitigating Measures

Digdir has introduced increased and partially new risk mitigating measures. The introduction of such measures, and the continuous monitoring and control of them, will be subject to the agency’s routines and processes, including our internal control regime.

The risks and the risk mitigating measures are more thoroughly described in separate risk assessments and security documentation for Altinn 3, with possible action points.

5.2 Benefits for the Registered Individual’s Privacy

Cloud operation of Altinn will also entail positive consequences for the registered individual’s privacy. More efficient digital solutions enable the improvement of data minimization, as well as even easier access to updated and correct information from data sources. Solutions for access control, authorization, and consent for data sharing can also be improved and achieve greater reuse in the public sector, including in interaction with the private sector.

The use of powerful processing capabilities and scalability in the cloud, coupled with lower costs associated with utilizing such flexibility, also enables privacy-friendly measures in the digital service being established.

It will also become much faster, easier, and less costly to configure environments up and down as needed, ensuring that at all times, only the necessary number of technical environments containing data are maintained.

It is also the case that Microsoft, like the other major cloud service providers, uses technology and standard software that is generally easier to update with patches for vulnerabilities than a more proprietary developed solution.

Microsoft also lives off selling trust services and is therefore highly concerned with the security of its solutions and the customers’ data – even though they take legal reservations to operate globally with an acceptable legal risk. They will generally have greater expertise and capacity to further refine their solutions and services to meet a threat landscape that is constantly changing, compared to, for example, local operational providers that exclusively operate in Norway.

Microsoft Azure is also certified according to a very large number of national and international standards, including in accordance with the adequacy decision, and is regularly audited by third parties – where reports are also made available for the customers.