The Finnish Tax Administration is a global leader in digital taxation, annually processing confidential data from 5.5 million citizens and 300,000 businesses. Security plays a fundamental role for the organization, so it is using Microsoft 365 E5 and Microsoft Cloud App Security to strengthen its cyber resilience, speed up triage time, and better manage its risks.
“We need everyone to trust us. If our people don't trust us, if our companies don't trust us, then we can’t do our job properly.”
Mikko Hakuli is reflecting on the importance of customer trust. As the Chief Security Information Officer of Verohallinto, the Finnish Tax Administration, he knows how crucial it is when it comes to the protection and handling of sensitive data.
The Finnish Tax Administration, where Hakuli has worked for almost two years, is renowned for a digital approach to taxation that enjoys widespread popularity both locally and abroad.
But after a year where global cyber attacks have grown dramatically as an indirect result of COVID-19, the secure use and storage of private data is, now more than ever, a priority for an organization like the Finnish Tax Administration and its millions of customers.
The stakes are high. “If something bad happens,” Hakuli says, “that trust will go away very quickly and that's something that we really want to avoid.”
Protecting millions of citizens
Active since 1809 but in its current shape since 1970, the Finnish Tax Administration serves more than five and a half million Finnish citizens and some 300,000 businesses. The administration handles vast amounts of private data that is then digitally processed for taxation.
“Every piece of information that comes to us is considered confidential and we cannot disclose it,” says Jarkko Levasma, Chief Information Officer at the Finnish Tax Administration. “We have a wide selection of different data per customer, and that means that we have to pay a lot of attention to security in every field.”
Failing to adequately protect all this information could have catastrophic effects on the organization. “In a privacy sense, losing that data would create serious problems for our customers,” Levasma adds. “If compromised, it could be used for identity fraud and many similar illicit activities.”
As the organization researched solutions in early 2018, the Finnish Tax Administration first considered taking on-premises security measures. However, it soon became clear that these could not provide the administration with the analytics capabilities it required, hence the decision to move to Microsoft Azure and Microsoft 365 E5.
“Even with regards to back-office tools, we realized that having an on-premises solution will soon no longer be an option and everything will move to the cloud,” he says. “We, as an agency and Finland as a country, can't do much to stop this development, so it's better to be prepared for it. And a couple of years ago, we decided to move to a cloud-first strategy.”
Mitigating risks through the cloud
The Finnish Tax Administration started adopting Microsoft 365 E5 and its security solutions in late 2018 and has been working to implement the other Microsoft tools since the fall of 2019.
Operations take place on Azure, which is proving crucial in several fields.
“For us, GDPR is all about knowing, managing, and mitigating risks and using Azure, we successfully identified, assessed, and mitigated all those risks concerning our customers and [ourselves],” says Levasma.
“We made a good choice with our Microsoft products, because a priority for us was obtaining a more safe and secure cloud,” says Hakuli. “We now feel much more reliable as a result.”
Microsoft tools are also helping to detect potential threats and identify false positives.
“Until a few years ago, if we received an alert for a potentially nasty virus—a malware in our laptops—it could take days before we could establish for sure if it was a false positive,” Hakuli explains. “Nowadays, having Microsoft products such as Cloud App Security and Defender for Endpoint makes the triage much faster, down to ten or fifteen minutes.”
With triage time reduced, the Finnish Tax Administration is now using the precious minutes and hours saved to further configure the Microsoft portfolio, allowing its security systems to continuously improve.
Pioneering digital operations in Finland
Alongside pursuing a digital approach to data protection, the Finnish Tax Administration has also been promoting an organization-wide cultural shift away from the traditional security models.
“There has been a huge change over the last 11 years that I've been with the Tax Administration in the security field,” says Levasma. “We started from the fact that our security meant denying people several actions, but now we’re rather interested in finding a way to do them securely.”
“Of course, security is much more than just the technology, and so educating and training the personnel is something we’ve always done and nowadays do more frequently.”
Behind this cultural change is the need to approach security with a holistic, zero-trust mentality that the agency considers crucial to its success.
“If we want to use Microsoft products and make things simpler for our end users, we have to embrace the whole Microsoft concept, how it puts together Microsoft 365 E5, Azure and all the other products,” says Hakuli. “This way we can make things much easier for our users.”
This, he adds, has not been just a technical achievement for the agency. It has also meant overcoming the necessary compliance and governance hurdles related to the General Data Protection Regulation (GDPR) and data protection. “We’re proud to have built a cloud environment where we can actually use confidential information,” he says. “That’s a priority for us, especially due to the legal requirements associated with GDPR.”
As it looks ahead, the Finnish Tax Administration is hoping to inspire other institutions to embrace the cloud and digitize their operations.
“The Finnish Tax Administration is generally regarded as being on the front line of digitization,” concludes Levasma.
“And we have been building an automated and user-friendly environment where taxation is easy for our customers.”