Policy for security tests (penetration tests) on the Open Telekom Cloud
Customers of the Open Telekom Cloud have the option to test the security of their services and in this setting, to carry out security tests on the customer's instances/resources on the Open Telekom Cloud in compliance with this policy.
Prohibited security tests are any security tests not expressly permitted in this policy. Security tests requiring approval are allowed, provided they have been approved by Telekom prior to the security test being performed. This guideline is conclusive.
Even if executed properly, security tests can result in damage and/or data loss. In this respect, security tests shall be carried out by the customer independently.
General duties of the customer
By carrying out a security test, the customer accepts the following provisions:
- The customer is responsible for compliance with the provisions of this policy by it or a third party attributable to it (e.g., employees, service providers).
- The customer is obliged to have security tests exclusively carried out by authorized, certified, and professionally qualified personnel of the customer or an external service provider who is not directly in competition with Telekom regarding the services to be tested. The customer shall indicate any existing conflicts of interest.
- The customer shall ensure compliance with all applicable legal and industry-specific provisions, including in particular:
- § 202c and § 203 of the German Criminal Code (Strafgesetzbuch – StGB), as well as other provisions of the StGB
- Provisions of the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) and the EU's General Data Protection Regulation (GDPR)
- Workers' rights and Works Constitution Act (BetrVG)
- Basic right of ensured confidentiality and integrity of information technology systems
- Observance of national and international copyrights, trademarks, patents and names as well as other industrial property rights and personal rights of third parties
- In accordance with the statutory provisions, the customer shall be liable for all direct and indirect damage arising from or in conjunction with security tests carried out by it or on its behalf. Possible damage includes in particular data loss, resource consumption, expenses for system restoration, damage to the Open Telekom Cloud platform/infrastructure, or damage to third parties resulting from the impairment of their services. In the event of damage, the customer shall be obliged to demonstrate that the damage cannot be attributed to the security tests carried out by it. The customer shall exempt Telekom from all claims by third parties based on the performance of the security test. If the customer identifies, or ought to identify, a risk of this kind of infringement of the agreement concluded with Telekom, it shall inform Telekom of this immediately.
- The customer is prohibited from performing security tests on other publicly offered infrastructures or platforms of the Open Telekom Cloud.
- The customer shall ensure that a security test can be canceled at any time at the request of Telekom.
- The customer ensures that it knows and has tested the tools used to carry out the security test.
- Telekom makes every effort to constantly improve its services. If, during a security test, the customer identifies or believes it has identified
- general security problems with the infrastructure or platform of the Open Telekom Cloud, or
- unforeseen consequences, in particular disruptions of the Telekom infrastructure,
the customer is obliged to inform Telekom of this without delay:
Germany: 0800 330 44 77
all other countries: +800 330 44 770
The customer provides Telekom with a report with the following information:
- The vulnerability and information on how to reproduce it
- UTC time stamp for the test activities
The customer grants Telekom, as well as Deutsche Telekom AG and its affiliated companies, a right to use the report.
- Results on general security problems in the infrastructure or platform of the Open Telekom Cloud must be treated as confidential. If legally permissible, the customer and/or third party attributable to it may pass on this information.
- If a security test by the customer triggers the security mechanisms of the Open Telekom Cloud, Telekom shall inform the customer of this. In this case, the customer shall be obliged to inform Telekom of the specific measures of the security test and their termination. Comparable security tests of the customer must be requested through Telekom in the future as security tests requiring approval.
- The customer is responsible for the correct assessment and classification of its security tests. In cases of doubt, the customer shall apply to carry out the security test as a security test requiring approval.
- The customer warrants that it is authorized to carry out the security tests and has the required permissions. Furthermore, the customer shall ensure that all those affected have been sufficiently informed.
Permitted security tests
- Security tests on the elastic cloud server (ECS), dedicated host (DEH), bare-metal server (BMS), cloud container engine (CCE, excluding Docker registry)
- Security tests on object storage (OBS)
- Security tests on elastic IP (EIP), elastic load balancer (ELB), security groups, network address translation gateway (NATGW)
- Security tests on the web application firewall (WAF)
- Security tests on the relational database service (RDS), distributed cache service (DCS), document database service (DDS)
- Security tests on the map reduce service (MRS), data warehouse service (DWS), cloud search service (CSS)
- Port and vulnerability scanning
- Perimeter testing
- Configuration and deployment management testing
- Identity management, authorization, authentication, and session management testing
- Input validation testing
- Error handling testing
- Weak cryptography testing
- Business logic testing
Prohibited security tests
- Security tests on the hypervisor, the Open Telekom Cloud web frontend, the Open Telekom Cloud application programming interface (API) and endpoints, network time protocol (NTP), and domain name service (DNS)
- Security tests on the shared services data ingestion service (DIS) and cloud container engine (CCE) Docker registry
- Instances/resources outside of the customer's environment
- Denial of Service (DoS), Distributed Denial of Service (DDoS), simulated DoS or simulated DDoS (may be subject to approval)
- Port flooding
- Brute force attacks (on the platform/infrastructure of the OTC)
- Protocol flooding
- Request flooding (login flooding, API request flooding)
- Social engineering
- Other destructive measures
- Security tests starting from the Open Telekom Cloud on other infrastructures of the customer or third parties (may be subject to approval)
- Transfer and/or software components on the target system
Security tests requiring approval
All other security tests not listed above must be requested by the customer and approved by Telekom prior to execution in the following procedure:
- The customer requests the application form from the ServiceDesk, stating their Open Telekom Cloud Tenant ID.
- The customer fills out the application form completely and accurately and sends it to the e-mail address given in the application form at least 7 (seven) days before the planned implementation.
- The decision on the application is usually made within 3 (three) days of submitting the application, provided that no further inquiries are required. Telekom assumes no liability for approval that is not given or not given on time.