Shared Responsibility

Deutsche Telekom ensures the fundamental security of the Open Telekom Cloud. This begins with all-encompassing IT governance. Here, for example, the information security management system (ISMS) and associated processes and methods are defined to ensure and continuously improve information security in the company. Open Telekom Cloud also has the effectiveness of its ISMS confirmed by independent external auditors through ISO27001 certification. Further information on the Open Telekom Cloud's certifications can be found here. 

Furthermore, it is the responsibility of the Open Telekom Cloud to ensure the security of the infrastructure. The security of the infrastructure in turn is divided into the physical infrastructure (data center) and the Infrastructure-as-a-Service (IaaS) services of Open Telekom itself. Here, the data center locations and the resources operated in them are comprehensively protected - by both technical and organizational measures. Further information on the physical security of the Open Telekom Cloud data centers can be found here.

Deutsche Telekom also assumes responsibility for the technology base (infrastructure security, platform security and application security of the Open Telekom Cloud components): It ensures that the console, API and platform are available. This includes ensuring that customers within the selected region have access to virtualized and real cloud resources, that the data center-internal network is running smoothly and that the Open Telekom Cloud management services can be used.

The Open Telekom Cloud also takes further comprehensive measures in the areas of identity and access management (IAM) and audits. IAM describes the concept of identity management. This is implemented at all of the above-mentioned levels (infrastructure, platform and application security) to ensure physical access control to the data centers on the one hand, but also logical access controls to the system components in the back end. This ensures that only authorized employees are granted access to required components, and that these are monitored and logged. This prevents employees from accessing customer data.

All the above measures of the Open Telekom Cloud are regularly audited by independent external auditors and their effectiveness confirmed - for example, by the Service Organization Control 2 (SOC2) standard for comprehensive control of security, availability, integrity, processing, confidentiality and data protection. Further information on the audit reports of the Open Telekom Cloud can be found here.

As is common with other clouds, the Open Telekom Cloud uses the concept of shared responsibility. Simply put, each party involved in a cloud service is responsible for its sphere of influence. Please note that the shared responsibility model varies depending on the type of cloud service model.

Infrastructure as a Service (IaaS) provides virtualized computing capacity, storage, and sometimes network components to the cloud user for their own management. The cloud user can install his own guest operating systems as he wishes. This gives him control over the overlying platforms, applications and data. With Platform as a Service (PaaS), the cloud user does not have access to the operating system and hardware, but can obtain standardized interfaces provided by the cloud provider. Typical examples are databases or development environments. Software as a Service (SaaS) provides the cloud user with applications in the cloud. Access to underlying layers is no longer possible.

An example from the IaaS model illustrates this: To set up an Elastic Cloud Server, the Open Telekom Cloud provides a virtual machine (VM) via a hypervisor. Users equip it with an initial operating system image, assign networks and data storage to it and connect it to the Internet. Users then install their applications on this VM.

The provider is responsible for providing the hypervisor, the networks in and up to the cloud, storage and images. However, the user is responsible for the appropriate combination of resources, network access to the cloud or the operating system installed in this way together with the installed libraries, tools or application software. This also includes, for example, the regular installation of security patches and updated software versions, but also general authorization management, backup and restore and monitoring of the VM. 

The Open Telekom Cloud supports its users by providing regularly updated images and offering repositories for updates. However, as the Open Telekom Cloud has no insight into the virtual servers under the terms of the contract, the user is responsible for making use of these offers.

A key argument in favor of the cloud is the high availability of services. However, all parties involved must make their contribution and also use the services. So what happens if a server fails at the infrastructure level - for whatever reason? Each region of the Open Telekom Cloud consists of several Availability Zones (AZ). The Open Telekom Cloud ensures that its services are available in at least one AZ of a region. This is explained in detail in the section on Service Level Agreements (SLAs) in the service description.

In order to also connect the redundant resources in the respective data centers with users on the Internet, cloud users have a comprehensive set of tools at their disposal. Auto scaling groups, for example, detect when the load on a server increases to such an extent that another server should be started. Load balancers, on the other hand, distribute load and requests across multiple servers, ideally in different AZs. In some services, such as Object Store (OBS), the distribution of data across multiple sites within a region is already built in. 

The shared responsibility is therefore that the Open Telekom Cloud as provider makes these platform services available, whereas it is the users' task to also use these offerings and configure them accordingly.

Security in particular is a sensitive area that is optimally achieved together. Here, too, the Open Telekom Cloud provides many services, such as Security Groups (SG) to protect individual servers, Firewall-as-a-Service (FWaaS) as a security layer for subnets, or the Web Application Firewall (WAF), which filters out harmful content at application level. Key Management Service (KMS) gives users the option to encrypt sensitive data using dedicated hardware, such as data volumes or OBS storage. Users are also responsible for using the services offered to define roles in identity management (IAM), for example, and assign them to the appropriate groups and users. Here, the Open Telekom Cloud already offers predefined roles, but users can also create user-specific authorizations depending on the requirements profile.

Overall, the principle applies that the Open Telekom Cloud assumes responsibility for the documented functioning of the cloud services. For example, the virtualization of the ECS instances ensures separation between individual workloads. However, if a bare metal service is used, the cloud provider guarantees the exclusive use of this server, but it is then up to the cloud user to ensure effective separation of any virtualization used.

Experienced IT experts know that holistic security consists not only of technology, but also of agreements and reliable processes. This compliance with industry-standard regulations and recommendations is documented by the Open Telekom Cloud's certifications according to many market and industry-specific standards. Examples are the ISO 2700x certifications for security management or the TISAX certification for IT applications in the networked automotive industry.

These certifications document, for example, how the Open Telekom Cloud ensures that no unauthorized persons gain access to its data centers, that only trained and selected personnel perform maintenance, or how the energy and climate supply is regulated.

The design of an IT setup beyond the building blocks of infrastructure and platform services is inevitably the responsibility of the cloud user. This already starts with an architecture suitable for the cloud and continues in the regular operation of the applications, for example through regular backups, for example with the help of Cloud Backups and Recovery (CBR) or compliance with relevant data protection regulations. To support this, the Open Telekom Cloud provides extensive documentation of the services as well as best practices, training and certification for users.

However, the user is responsible for this as the operator of his application. This also includes protection against the spread of malware or other misuse of the platform to the detriment of others. The Open Telekom Cloud supports these measures with additional offerings such as a secure e-mail service, anti-DDoS services or the provision of repositories with the latest updates.

In addition to the technical aspects, it is also up to the user to set up organizational measures, for example, to operate an active information channel via which he receives up-to-date information. The same applies, for example, to the legally compliant licensing of software.