In the following, we present the individual components of the Open Telekom Cloud and its security concept in detail.
- Operation in the high-security data center
- Extensive tests of hardware and software
- Defence against cyber attacks
The hardware: Standard with alternatives
Like all cloud service providers, T-Systems and Deutsche Telekom are dependent on hardware manufacturers. For the Open Telekom Cloud, T-Systems is sourcing highly standardized servers and network components from Huawei, but also from Western manufacturers.
Technologically, all servers are based on the so-called x86 architecture. They use processors and graphics cards from US technology partners (Intel® and NVIDIA). Huawei has secured the supply of servers and their components by means of long-term export licenses.
In view of Telekom's multi-vendor strategy, T-Systems, unlike other cloud providers, does not rely on proprietary server architectures. The technical approval of alternative servers of other manufacturers has been completed. These servers are to be used in the forthcoming expansion of the Open Telekom Cloud. We are thus implementing a dual-vendor strategy in this area as well in order to avoid critical dependencies on individual suppliers.
The software: Open and innovative
As part of the innovation partnership, Huawei delivers the cloud operating system Huawei OpenStack Distribution, a central software component of the Open Telekom Cloud. However, it is based on OpenStack, open source software for private and public cloud platforms that an international community is constantly developing further. As a software project providing an open source architecture for cloud computing, OpenStack is used by many international cloud providers.
T-Systems and Huawei are working in partnership on the further development of the OpenStack platform to continuously improve the function and security of the Open Telekom Cloud. T-Systems experts are reviewing all (security) fixes and new functions. Only after they have been approved will they be integrated into the operation of the Open Telekom Cloud and - in accordance with the principles of the international developer community - fed back into the open source community.
In this way, T‑Systems makes a decisive contribution to improving and securing the free OpenStack technology. At the same time, this process ensures that the Open Telekom Cloud is not too far removed from the community solution at its core and that independent third parties can check code at any time. The Open Telekom Cloud is certified by the OpenStack Foundation in accordance with the latest version of the standard (https://www.openstack.org/marketplace/public-clouds/deutsche-telekom/open-telekom-cloud).
A change of software partner is therefore still possible, even for the core technology of the Open Telekom Cloud.
The operating model: Exclusively made in Europe
Only T-Systems employees manage the Open Telekom Cloud. The servers are located in a high-security twin-core data center of Telekom in Magdeburg and Biere (Saxony-Anhalt). T-Systems experts control operations from Hungary (Budapest). Huawei supplies the necessary servers. However, it has no access to hardware or software of the cloud platform during the operating phase.
When setting up the infrastructure in the data center, T-Systems uses a German service provider in some cases, as is customary in the industry. The company and its service staff are certified by T-Systems and undergo regular security checks. Maintenance work and the decommissioning of hardware are carried out exclusively by T-Systems employees. Used data processing media are destroyed on the premises.
The installation, commissioning and maintenance of the Open Telekom Cloud software is carried out exclusively by T-Systems employees. Controlled remote access and the implementation of a strict need-to-know principle ensure that only a few, selected and appropriately trained employees have access. All administrative access to the cloud infrastructure is documented and automatically checked for suspicious activities and anomalies.
Customer questions and problems are dealt with exclusively by T-Systems in so-called first- and second-level support. In third-level support, Huawei experts provide assistance via video conference only when needed. However, they have no access to the production platform or customer data. Both the analysis and the installation of software fixes are handled by T-Systems employees.
Security: Top from start to finish
The security concept of the Open Telekom Cloud includes all three levels: operation, hardware and software. All new products and hardware components are subject to the Telekom PSA (Privacy and Security Assessment) procedure. The procedure ensures that all projects for the development and introduction of new technologies and products meet the high standards of technical security and data protection.
As with the hardware, T-Systems' security experts subject every feature extension and every software update to a thorough review. Before an update can be installed in the live system, it must prove its error-free functioning in an encapsulated testing environment.
All security measures implemented during the Privacy and Security Assessment are documented in the Open Telekom Cloud security and data protection concept. The Telekom security and data protection team updates this concept regularly. It also conducts regular security tests, so-called penetration tests, to check the security status. Tests by independent Red Teams complement the security checks.
In addition, the cloud platform is continuously checked from inside and outside, using an external tool, for weak points, compliance and suspicious network communication. Among other things, Telekom's Security Operation Center (SOC) monitors the logging data for suspicious activities. This means that the data flow is analyzed and correlated with events to identify potential attacks. In the event of an attack, the SOC immediately takes countermeasures.
Independent auditors regularly put the security concept of the Open Telekom Cloud through its paces. Independent audits check compliance with the security mechanisms on an annual basis (SOC/C5 and ISO2700x). The Open Telekom Cloud meets the requirements of the GDPR (DSGVO) and has the following certificates and seals of approval, which are regularly checked by independent auditors: TDCP 1.0, Trusted Cloud, CSA Star Certification, TISAX.
The users: Full control over their own data
The Open Telekom Cloud is an infrastructure offering (IaaS, Infrastructure as a Service). Users put together their own infrastructure for the needs of their applications. Data in the customer's application is generally secured using encryption. T-Systems itself technically separates customer data from each other to prevent access to third-party data. The same processes are used as in all other clouds (e.g. virtualization via hypervisor). In addition, customers can configure various security mechanisms (Anti-DDoS, WAFaaS, Security Groups, Key Management Service) themselves.