Open Telekom Cloud for Business Customers

Shared Responsibility

Trusting cooperation in the cloud business

Shared Responsibility in Cloud Computing

Making work easier is a central promise of cloud computing. That's why the Open Telekom Cloud constantly ensures that the extensive resources are professionally installed and operated in data centers, that sufficient capacity is available at all times for the elastic needs of cloud users, and has these efforts checked and certified by independent auditors.
However, when it comes to the availability, integrity and confidentiality of data and systems that users operate in the cloud, they rely on a trusting cooperation with the cloud provider. In the cloud business, this cooperation is known as "shared responsibility". This article explains what this means for both partners.

Shared Responsibility in Cloud Computing

Responsibility has many faces

Users want reliable service availability, compliance and security. Not just the operator of the cloud platform, but all involved parties are needed to ensure the reliable operation of all cloud applications. Various responsibilities arise from the operation of applications in the cloud, including security objectives such as availability, integrity and confidentiality, but also other compliance challenges such as legal requirements for data protection or contractual regulations when using licensed software. Other typical aspects for the assumption of responsibility are the control of costs, access to the underlying cloud resources and the protection of the platform. Inevitably, only those can take responsibility over areas over which they can exercise control. So who takes care of what?

Shared Responsibility Model

Responsibility of the cloud provider

Deutsche Telekom ensures the fundamental security of the cloud. To this end it comprehensively protects data center locations and the resources operated therein - through both technical and organizational measures. Deutsche Telekom also assumes responsibility for the technology base: it ensures that the console, API and platform are available. This includes ensuring that customers within the selected region have access to virtualized and real cloud resources, that the internal data center network is running smoothly and that the Open Telekom Cloud management services can be used.

Shared Responsibility

As is common with other clouds, the Open Telekom Cloud utilizes the concept of shared responsibility. Simply put: Each party involved in a cloud service is responsible for its sphere of influence. An example illustrates this: To set up an Elastic Cloud Server, Open Telekom Cloud provides a virtual machine via a hypervisor. Users populate it with an initial operating system image, assign networks and data storage to it, and connect it to the Internet. Users then install their applications on this VM.
The provider is responsible for supplying the hypervisor, networks, storage and images. However, the user is responsible for the appropriate combination of resources or the operating system installed in this way, together with the installed libraries, tools or application software. This also includes, for example, the regular installation of security patches and updated software versions. The Open Telekom Cloud supports its users with this by providing regularly updated images and offering repositories for updates. However, since the Open Telekom Cloud has no contractual insight into the virtual servers, it is up to the user to take advantage of these offers.

Using platform services

A key argument in favor of the cloud is the high availability of services. However, a prerequisite for this is that all parties involved must make their contribution and also use the services. So what happens in the unlikely event of a server failing at the infrastructure level? Each region of the Open Telekom Cloud consists of several Availability Zones (AZs). The Open Telekom Cloud ensures that its services are available in at least one AZ of a region. This is explained in detail in the section on Service Level Agreements (SLAs) in the service description.
In order to also connect the redundant resources in the respective data centers with users on the Internet, cloud users have a comprehensive set of tools at their disposal. Auto Scaling Groups, for example, detect when the load on a server increases to such an extent that another server should be started. Load balancers, on the other hand, distribute load and requests across multiple servers, ideally in different AZs. In some services, such as the Object Store (OBS), the distribution of data across multiple sites is already built in.
Therefore, the shared responsibility is that the Open Telekom Cloud provides these platform services as a provider, whereas it is the users' task to also use these offers.

Creating safety together

Security in particular is a sensitive area that is optimally achieved together. Here, too, the Open Telekom Cloud provides many services, such as Security Groups (SG) to protect individual servers, Firewall-as-a-Service (FWaaS), which takes care of entire setups, or the Web Application Firewall (WAF), which filters out harmful content at the application level. Key Management Service (KMS) gives users the option to store special credentials in dedicated hardware, for example to encrypt data volumes. Again, it's up to users to take advantage of the services offered, such as defining roles in identity management and assigning them to the appropriate users.
Overall, the principle applies that the Open Telekom Cloud assumes responsibility for the documented functioning of the cloud services. For example, the virtualization of the ECS instances ensures the separation of individual workloads. However, if a bare metal service is used, the cloud provider guarantees exclusive use of this server, but it is then up to the cloud user to ensure effective separation of any virtualization used.

Technology and processes

Experienced IT experts know that holistic security consists not only of technology, but also of agreements and reliable processes. This compliance with industry-standard regulations and recommendations is documented by the Open Telekom Cloud's certifications according to many market and industry-specific standards. Examples are the ISO 2700x certifications for security management or the TISAX certification for IT applications in the networked automotive industry.
For example, these certifications document, how the Open Telekom Cloud ensures that no unauthorized persons gain access to its data centers, that only trained and selected personnel perform maintenance, or how the energy and climate supply is regulated.

Users are responsible for applications

The design of an IT setup beyond the building blocks of infrastructure and platform services is inevitably the responsibility of the cloud user. This already starts with an architecture suitable for the cloud and continues in the regular operation of the applications, for example via regular backups, with the help of Cloud Backups and Recovery (CBR), or compliance with relevant data protection regulations. To support this, the Open Telekom Cloud provides extensive documentation of the services as well as best practices, training and certification for users.
However, the user is responsible for this as the operator of his application. This also includes protection against the spread of malware or other misuse of the platform to the detriment of others. The Open Telekom Cloud supports these measures with additional offers such as a secure e-mail service, anti-DDoS services or the provision of repositories with the latest updates.
In addition to the technical aspects, it is also up to the user to set up organizational measures, for example to operate an active information channel via which he receives up-to-date information. The same applies e.g. to the legally compliant licensing of software.

Managed Services

Cloud computing clearly separates the tasks and responsibilities of IT systems and resources along the boundry of application logic and the underlying platform and infrastructure.
Nevertheless, application-related cooperation duties remain. Since these are application-specific, as the provider of a generic platform the Open Telekom Cloud is only able to provide indirect support. Users who do not want to take over the operation of their applications or parts thereof themselves can consider the service of managed services. Many offers are available on the market as a standardized cloud solution. In particular, other T-Systems units offer such managed services. They are very familiar with the diverse requirements of application operation and the characteristics of the cloud platform.

Managed Services
24/7 Service
Take advantage of our consulting services!

Our experts will be happy to help you.

We will answer any questions you have regarding testing, booking and usage – free and tailored to your needs. Try it out today!

Hotline: 24 hours a day, seven days a week 

0800 33 04477 from Germany
+800 33 04 47 70 from abroad
  • The Open Telekom Cloud Community

    This is where users, developers and product owners meet to help each other, share knowledge and discuss.

    Discover now

  • Telefon

    Free expert hotline

    Our certified cloud experts provide you with personal service free of charge.

    0800 33 04477 (from Germany)

    +800 33 04 47 70 (from abroad)

    24 hours a day, seven days a week

  • E-Mail

    Our customer service is available free of charge via E-Mail

    Write an E-Mail