Play It safe with HPC

In this article you will read about, 

• the challenges high-performance computing (HPC) poses for companies in terms of IT security and data protection,
• the HPC application scenarios for which special legal and technical requirements apply
• and how companies can use HPC resources securely and on demand from the public cloud.

Anyone who believed that once the EU’s General Data Protection Regulation (GDPR) came into force that this was as comprehensive as such regulations could get for companies was proved wrong at the end of April 2019 when the new Trade Secrets Act (GeschGehG) came into force in Germany. It obliges companies to take appropriate measures to protect their trade secrets. Just one example of the complex and volatile IT security and data protection challenges that companies face. 

And these challenges certainly don’t diminish in the high-performance computing (HPC) environment. On the contrary, companies generally resort to HPC to solve particularly complex problems not only in a particularly short time, but also in a particularly secure manner. For example, when it comes to product development or the processing of personal data, for example in medicine. In an interview, Max Guhl and Alfred Geiger – both cloud, HPC and supercomputing experts at T-Systems – explain how companies can meet these challenges without neglecting IT security and data protection.

Alfred Geiger: Basically, these are the same challenges that generally exist in the use of software, infrastructure and platforms in cloud environments. For example, processes with personal data are often difficult to outsource for compliance reasons. But in the multilayered HPC environment, the complexity of requirements increases even more when you look at applications such as machine learning or big data. These usually require a pseudonymization or anonymization of data and entail corresponding efforts by IT departments. 

Max Guhl: An end-to-end view of the entire effect chain is crucial: from the network connection of the public cloud to the communication between the systems to encryption, there must be no weak points anywhere – and this without impairing the performance of the systems. This aspect is particularly important in the HPC environment.

Max Guhl: The protection of personal data is highly relevant in the medical field. A good example from the HPC environment is genome research, in which very intimate data is processed with the aid of machine learning and big data analytics. Or intellectual property: The protection of trade secrets generally affects all areas in which, for example, virtual prototypes are tested with the help of HPC resources. This process is used in the automotive industry, among others, but also in other companies in the mechanical engineering sector. Algorithms, program codes, documentation and plans also fall under the protection of know-how. In all these cases, encryption has to be used and the employees trained accordingly.

In the automotive sector, it should also be noted that automobile manufacturers and suppliers who want to transfer computing and storage tasks to the clouds of IT service providers are only allowed to commission TISAX3-certified service providers. And finally, there are four levels of secrecy in the public authority environment, ranging from "only for official use" to "top secret," which require corresponding measures defined by the legislator.  

Alfred Geiger: Legislation is a good keyword, because it de facto restricts the possibilities of European companies when choosing a cloud provider. Let's take the CLOUD Act: The US law gives the US government the right to access the personal data of suspects in the event of an investigation – no matter where they are stored in the world. US cloud providers are bound by this law, even if they operate data centers on European soil. 

What does this mean for companies? Under these regulations, US hyperscalers are not allowed to use certain data encryption methods if they are so good that neither the US government nor the cloud provider itself would be able to access data. But if someone wants to use such encryption or has to use it due to legal regulations such as the GDPR, cloud resources from US hyperscalers are ruled out from the outset. 

Alfred Geiger: There are a lot of advantages, particularly compared to hosting, private cloud or dedicated systems that are installed on-premises. For example, the IT resources don’t require high one-time investments and companies are not tied to specific runtimes because they can use the pay-as-you-go approach and scale almost indefinitely. Customers benefit from shorter development times and more flexibility than is possible with an on-premises solution. Of course, this requires effective accompanying measures to achieve the best possible IT security level.

Alfred Geiger: In order to establish end-to-end security, a package of three interrelated measures is essentially required. The keywords here are VPN, Infiniband and encryption.

Max Guhl: First, a valid VPN access to the systems in the cloud is required. So even the path to the cloud must be secured. Secondly, the servers must be connected to each other via Infiniband networks to ensure that data traffic doesn’t pass through nodes from other, shared environments. So, you don't have any possible points of attack at this point. And third, the data being processed in the cloud must also be fully encrypted.

Alfred Geiger: We don’t view these three security aspects in isolation, but rather offer our customers the complete package with the Open Telekom Cloud and assume end-to-end responsibility for it.

Max Guhl: This end-to-end responsibility can only be implemented by a provider that operates within the European legal framework. US hyperscalers inevitably fail here because of the CLOUD Act. Smaller European cloud providers, on the other hand, cannot assume end-to-end responsibility either, because they generally only offer hosting solutions in the HPC area and not genuine Elastic Cloud computing that scales on a large scale. With the Open Telekom Cloud, we can offer more IT security than other cloud providers.

Alfred Geiger: On the one hand, there is our long experience with numerous customer projects in the field of HPC and supercomputing. On the other hand, we are constantly adding to and expanding our security portfolio. The Security by Design principle required by the GDPR is an integral part of our solutions. In 2017, we also established the Telekom Security division, under the management of Dirk Backofen, which deals exclusively with IT security issues. Many experienced experts from the high-performance computing environment also work there to assist companies with all questions relating to IT security in this environment.