Privacy: 10 facts to handle cross-border data traffic with OpenStack (International + EU + Germany)
Daniela Ebert | Open Telekom Cloud Engineer
Sebastian Wenner | Open Telekom Cloud Architect
Contact
Sebastian Wenner, Open Telekom Cloud Architect, sebastian.wenner@t-systems.com
Daniela Ebert, Open Telekom Cloud Engineer, d.ebert@t-systems.com
Open Telekom Cloud, May 17, 2017
Goals of this presentation: which questions should be answered?
• Self-certificates vs. placebo
• Technical solution needed?
• Encryption as a solution for storage?
• Who are the decision-makers?
• Encryption as a solution for server?
• Data privacy <-> countries?
• Solutions of the Open Telekom Cloud in the future?
• European data privacy?
OpenStack Summit Boston, 17.05.2017
Valuation of risks in €: what fines can be charged to a company?
Germany today: 300,000 €
From 25.05.2018: 20 million € or up to 4% of the entire worldwide annual turnover achieved in the previous financial year (* whichever value is higher)
New risks -> new decisions
Optimal solutions: 1. Open source 2. OpenStack
New impact: 1. Place of the stored data = place of jurisdiction 2. Cloud security: who owns the data?
Decision for OpenStack: show-stoppers
Show-stopper 1, role: IT administrator, IT security officers
Show-stopper 2, role: data protection officers
These decision-makers need proof: certificates, solutions, countries
Contractual / legal inquiries go to IT Security Management and to Data Protection; each returns confirmation if the contractual / legal requirements are met.
Certificates provide proof: data protection, IT security, compliance
A safe harbor for your data: Open Telekom Cloud. But what about IP addresses?
IP = personal data: every cloud contains personal data
The Court of Justice of the European Union (the "CJEU") announced its verdict on 19 October 2016, Case C-582/14.
A safe harbor for your data: check provider selection carefully!
OpenStack = no access to personal data via the provider => wrong statement
German law (BDSG), valid until May 25th 2018: deletion of a tenant counts as access to personal data -> must have an "ADV" (Auftragsdatenverarbeitungsvereinbarung) => commissioning of data processing
EU data protection law -> conflict
German law conflict, valid until May 25th 2018: GER zone vs. Ireland zone; German companies and their regulations
Data protection oasis Ireland (Dublin) is not a solution for German companies!
http://heatmap.forrestertools.com/#
Risks by Google: Google has to turn over data to the FBI (USA). Google has to hand over data!
Risks by Google: verdict pending
Risks by Amazon? Weak points: endangerment of data
Risks by Microsoft: only within the EU, without the data-trustee model
Microsoft + German cloud = secure data: the data-trustee model
Future for EU + international: Privacy Shield USA + EU? Agreements are insecure
OpenStack + customer security: Infrastructure as a Service
Stack layers compared for on-premises, OpenStack IaaS, PaaS and SaaS: Applications, Data, Middleware, Operating Systems, Virtualization*, Servers*, Storage*, Network*.
* In the IaaS column: T-Systems already certified. Legend: customer's responsibility vs. cloud provider responsibility.
The best data protection ... exists only in Germany. Data processing? § 11 BDSG, § 3 BDSG, § 9 BDSG, § 8,3 BDSG
No-go in Germany for OpenStack: StGB § 203
1. Doctor, dentist, pharmacist
2. Psychologist
3. Lawyer, patent attorney, notary, accountants
4. Accident or life insurance
5. Research projects
Real certificate
Certifications
• TÜV Trusted Cloud Service (specially for Open Telekom Cloud)
• CSA STAR Level 2
• ISO 27001 (specially for Open Telekom Cloud): information security management system
• ISO 9001: quality management system
• ISO 27017: cloud security
• ISO 20000: service management system
• ISO 27018: cloud privacy
• ISO 22301: business continuity management system
• Zero Outage: certified service process
Technical solutions
Easy = no problem by §. Example: backup
1. Encryption by the customer (client + software + encryption)
2. Transfer via S3
3. OpenStack Object Storage
Object Storage Service (OBS): encryption on/off
1. OBS supports Amazon V2 and V4 for authentication.
2. In addition to using the HMAC-SHA256 algorithm, Amazon V4 introduces user data into signature computing.
3. The header fields introduced in signature computing can be specified by users, notably improving the security of request authentication.
OBS encryption: key
1. When accessing OBS, an account must provide a pair of access keys, that is, an AK and an SK.
2. The AK and SK support the authentication mechanism of Identity and Access Management (IAM).
3. They are required when OBS is accessed using clients, APIs, or SDKs.
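As an added illustration (not code from the slides or from Open Telekom Cloud), the following Python sketches the V4 scheme the two OBS slides describe: the SK is used only as an HMAC-SHA256 root on the client, the AK identifies which SK the service looks up, and the header fields listed in SignedHeaders are bound into the signature, so altering one of them in transit is detected. Credentials, endpoint, region and the request are constructed placeholders.

```python
import hashlib
import hmac


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(sk: str, date: str, region: str, service: str) -> bytes:
    # The SK is only an HMAC-SHA256 root; the client works with this scoped, derived key
    k = _hmac(("AWS4" + sk).encode("utf-8"), date)
    for part in (region, service, "aws4_request"):
        k = _hmac(k, part)
    return k


def signature_v4(sk, method, path, query, headers, signed_headers, payload, amz_date, region, service):
    """Hex SigV4 signature over exactly the header fields the client chose to sign."""
    signed = sorted(h.lower() for h in signed_headers)
    lower = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    canonical_headers = "".join(f"{h}:{lower[h]}\n" for h in signed)
    payload_hash = hashlib.sha256(payload).hexdigest()
    canonical_request = "\n".join(
        [method, path, query, canonical_headers, ";".join(signed), payload_hash])
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    key = signing_key(sk, amz_date[:8], region, service)
    return hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_request(keystore, ak, presented_sig, *req):
    """Service side: the AK selects the SK, the signature is recomputed and compared in constant time."""
    sk = keystore.get(ak)
    if sk is None:
        return False
    return hmac.compare_digest(signature_v4(sk, *req), presented_sig)


# Constructed sample credentials, endpoint and request; none of these values are real
AK, SK = "AKIDEXAMPLE", "constructed-secret-key-not-real"
KEYSTORE = {AK: SK}
PAYLOAD = b"ciphertext produced on the client before the upload"
REQ = ("PUT", "/backup/2017-05-17.tar.enc", "",
       {"Host": "obs.example.invalid", "X-Amz-Date": "20170517T120000Z",
        "X-Amz-Content-Sha256": hashlib.sha256(PAYLOAD).hexdigest()},
       ["host", "x-amz-date", "x-amz-content-sha256"], PAYLOAD,
       "20170517T120000Z", "eu-de", "s3")


def demo():
    sig = signature_v4(SK, *REQ)
    accepted = verify_request(KEYSTORE, AK, sig, *REQ)
    altered = REQ[:3] + (dict(REQ[3], Host="other.example.invalid"),) + REQ[4:]  # signed header changed
    rejected = not verify_request(KEYSTORE, AK, sig, *altered)
    return accepted, rejected  # (True, True)
```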
OBS encryption: HSM
1. Key Management Service (KMS) uses Hardware Security Modules (HSMs) to ensure key security, enabling users to easily create and manage encryption keys.
2. Keys are not displayed in plaintext outside HSMs, which effectively prevents key disclosure.
3. All operations performed on keys are controlled and logged, and usage of all keys is recorded, meeting regulatory compliance requirements.
EVS encryption: HSM
What functions does EVS provide? EVS provides hard disk resources for ECSs. With EVS, you can create an EVS disk:
− Create an encrypted data disk.
− Create a non-encrypted data disk.
EVS encryption: HSM
Data erase for a volume: a volume that has just been created has no index and no data block; if an attempt is made to read data from this new volume, the system replies "0" directly.
Trusted computing: future prospects & possible options
1. Solutions for Trusted Boot
2. Remote Attestation
3. Trusted Compute Pools
What about the bigger context?
• Internet: provider, xx-CIX
• Datacenter: physical security, operators, certification
• Cloud provider: operators, encryption
• Machine: security
Thank you.
Certificates in 2017: certificates / laws / regulations and Open Telekom Cloud status
ISO 27001; ISO 27017; ISO 27018; ISO 9001; SOC 1 Type 2 (Q3/2017); SOC 2 Type 2 (Q3/2017); SOC 3 Type 2 (open); PCI DSS Level 1 (Q4/2017); CSA-STAR Level 2 Gold; ISO 20000; ISO 22301; ISO 14001; TÜV Trusted Cloud Service; Zero Outage; TÜV Rheinland PSA according to ISO 27001; ESARIS certification