 Good so Yeah, checking the time zone. Good afternoon. Hello everyone Welcome you here in the presentation about security and privacy So we want to talk a bit about today What do you need to take into account if you want to run open stack and across borders with customers across borders and Yeah, also having multiple sites exchanging data back and forth so doing cross-border traffic and Looking at the United States looking at the European Union looking at Germany in special where we are coming from Yeah, and the international scene in general gives you a lot of headache and And today we want to give a bit of context. What do you need to take into account? when you're doing that where are the pitfalls and also some some Yeah steps how to to mitigate that Some words about ourselves Daniela. So my name is Daniela Ibad. I'm working for these systems for more than 10 years and I was in the open telecom cloud team as an engineer and I Take care of our platform and today we're here in Substitution of our colleague who went seriously ill and unfortunately can't take this presentation So Sebastian and me we are trying to do our best to Transport the message. Yes. So keep your open tomatoes and all that Save so maybe we can't answer all your questions But we will really do our best to stand in for Daniel who should do the presentation today Good some words about myself Sebastian when I'm one of the open telecom cloud architects doing this now since two and a half years We are building up this open telecom cloud a public cloud run out of Germany by Deutsche telecom In a partnership together with war way Yeah, and yeah being part of it since day zero I Designed and build a lot of it that we we are running now today Goals of this presentation. So what should be answered today? So give you an understanding who are the decision-makers. So What are the stakeholders to whom do you need to talk if you you are talking about privacy and Yeah, all the the security relevant topics in In the context of a public cloud Then data privacy versus country. So legislation is not common not in every country and especially not Between Europe and in the United States and also not within Europe. So what are the difference? What do we need to to think about what do we need to take into account here? Then digging a bit deeper on on European data privacy. So what is happening in the European Union? as I don't know how deep you are involved in the topic and how much you are aware about that So then Certificates, so I mean all the clouds out there out there are Certificated and have some fancy certificates that they can show you Are they worth the paper that they are printed on or not? And is it just a placebo or what technical solutions may be needed and Then digging a bit deeper in the the technical implementation. So what encryption solutions for storage out there? what for server and also then Showing a bit of what we are doing in that area. So what solutions in the open telecom cloud are there? Yes, let's get started so This whole game about Yeah, data privacy Is changing? So if you look at today and speaking of today, this is a not so Yeah, how to to put it? The risk is low. So I mean maximum fines that you can get around 50 to 300,000 euro If you are a big company, I mean that doesn't bother you that much But looking a bit in the future and GDPR so the European data protection regulation is upcoming and then we are talking about Really other dimensions of a fine that you can face So there you we talk about 20 million's maximum or even four percent of your annual Worldwide turnover and that really hurts so Keeping that in mind and and thinking about what that means for you Really changes also the way that you need to have a look at data privacy and security To be on the safe side if you are exchanging data across countries So that is really a risk to your company and a risk to your customers If you are not getting it right So I said there are new risks that need new decisions. So what ways are out there to to mitigate that and Also as we we heard in the keynotes Using open stack and using open source, especially Nowadays become more common and and really the standard So if you want to do it secure if you want to do it right You're not looking for a commercial product So you are looking for an open source product because you know or can can have a look into it and know what's ongoing and What is beneath? But also doing that and and using open source and open stack there This brings new impacts that you you need to take care of so one point is the place of your estication so if You are doing data over in the European Union and the data is stored in the European Union Then the place of your your estication is also in the European Union. So That is one thing that that changes the game. So you can't just say I'm American company So that doesn't bother me if the data is stored over there Then you have to talk to the local guys And then also if you are doing cloud and just using a cloud Then the big question is who owns the data? so who is really responsible for your data and and That these these questions we are trying to to answer and and and Giving a bit more inside on Yes Decision for open stack. So given the fact You decided or you convinced your your managers to go with open stack So you you took that decision and and you want to move forward Then just out of a sudden these guys appear here. So you will suddenly face a Security officer and you will face a data protection officer Which have a completely different opinion about what you want to do and what you are allowed to do if you're doing this open stack thing and Yeah, they have really a completely different mindset that you need to be able to answer and Most of the times they do not even care about Technical details what they want to see is a sheet of paper that proves before a court This cloud or this cloud provider that we are going with is certified And they are doing things right and I can trust them and and really this is the input that you need to have at hand if you Yeah, go down that path So either doing it on your own you need to be compliant to all these Certificates or to to these requirements or if you're choosing an external provider Then you need to have that at hand. So you need to prove Data protection so the data that is stored in the cloud is protected. It's not accessible by anyone Even the operators and I will come to that later IT security is done, right? So everything is is protected, but also we are compliant to Really these these different laws that are out there and and that are Making your life harder than it should be or maybe not. I mean, it's it's not a bad thing. It's it's Protecting your customers data and protecting your data. So It's it's really a valuable thing what makes it so complicated is that everybody is doing a difference So that is the really the pain that that we are facing here Yes, so what we need is a safe harbor so just playing a bit with These words even though safe harbor is is no longer existent by by now But but it is the starting point that we are talking about so for a long time if you wanted to do Business between the European Union and the United States safe harbor was the the fundamental agreement that we had between These two areas to to exchange Personal data so everything that is person related like my name my birth date my address everything is Personal data and once that is being exchanged. We need a Agreement between the states how to do that in a secure way so that companies can rely on that What do you think about an IP address is an IP address a Personal data most probably you would say no, but Going to court Sorry The the European in court decided otherwise So they said an IP address is personal data. Just a moment, please so in October 2016 The court of justice of the European Union as it is named They decided this that even an IP address is personal data so once you you store IP addresses or Do your examination on IP addresses? You are handling Personal data and that is an important fact that you need to know so Even the what seems to be the easiest and more most basic things in the cloud Puts you at the point where you're handling personal data, and then you need to to be aware of that and do things, right? So bottom line of it so as it starts with these little things so check carefully Which cloud provider you are selecting so that you are having a safe harbor for for your data And and continuing that So most of the time also you would then say okay, even if I do the IP thing, right? I do not have access to personal data as I do not look into Yeah, what the customer is doing and then can't access it That is a wrong statement. That is fundamentally wrong in the terms of how Court is seeing it in jurisdiction so for example in in Germany by by German law so By up well it up until 2018 until we have GDPR They have a statement That you must have an ADV and that is one of the wonderful German word creations that you can have Which is a Auftrags Daten verarbeitungs vereinbarung? so that We we have in English. It's called commissioning of data processing So that you have an allowance by the customer to Automatically handle their data Means in the the actual daily doing that this Pro gives you really hard times how you have to handle certain things So even if you have an operator operating your cloud, they may not be in the position to Modify user access rights because that would put them in the position that they could yeah Give themselves the identity of a customer and by doing that accessing the customers data So they must not be allowed to be even able to change these identity things so that They could impersonate a customer That has to be something that is completely automated and can can only be triggered by an external system So who's controlling the controller or he was controlling the operator? so I mean at some point in time you need to be able to do it there must be somebody who's able to do it but Having these additional layers in your operations to to do it right and to be compliant to these Laws is really an important fact that you you need to take care about Yes, then Looking a bit in the European Union So European Union is not European Union as for example Germany does things fundamentally different than for example Ireland is doing I mean you heard that many Companies are hosting in Ireland So why are they going to Ireland? Why are they not going to Spain or wherever? because Ireland is Really an island within it actually is but also in terms of Security it is an island where you can do much more things than you can do in in the rest of the European Union So this is a very nice article. I found so it's by the Irish Times and They are telling you that Ireland is the in the top three you EU countries undermining data privacy and Also the the sentence at the bottom Ireland is one of the EU top three offenders for undermining data privacy rules according to the analyzers of League Brussels documents so They are even even saying that about themselves. So that is really a problem that we are seeing there and Look who's already there in in Ireland. So I mean Microsoft is is one of the the most famous examples and Looking ahead of time. I mean 2018 GDPR is hitting us and are they prepared to handle that change? Mars and McCain Fitzgerald is saying no they aren't And that will really give a hard time to all of these These companies that are doing their hosting business in Facebook Sorry in Ireland like Facebook like Twitter like Microsoft like Google like AWS like Salando They are all Hosted there and I mean you saw 4% of the annual Turnover that that they do and that is really a lot so they have to do a lot of work to to be prepared for what is upcoming and Forester has a a nice heat map produced They privacy and data protection by country So if you look at that Europe mostly is green and the United Kingdom with Ireland has an exclamation mark United States Russia I mean the only thing that is behind is just China so Really there there is a a problem that that needs to be solved that needs to be taken into account If you want you to do Or protect your data in the the daily business So and here if you want to to look it up on your own heat map forest at tools comm There you can can find the heat map and then and check on your own or dig in deeper for some more details Yeah, and and who is affected by it or who was already affected by it Look at the big players and and let's face it. So Google is one of them So the FBI issued Google to to turn over their Or hand over their data to to the FBI It is happening and it has happened before and it will happen again So Google is one of the the companies affected by it The the verdict is pending and then they are Handing over emails to the the FBI Amazon so I mean we heard yesterday Snowden speaking and and having Snowden speaking up and and Releasing all these things to the public And also the the recently leaked documents about Amazon are showing that that also Amazon is interacting with the Yeah, let's say lawful in inception that we are facing. So also Amazon is not a secure harbor for your data So so they are handing over data to to the NSA in that case That we we were facing here Microsoft Again, Microsoft Microsoft in especially in Ireland they they wanted to be on the secure side and said okay Look, we are in Europe with Europe legislation It didn't have them also there the NSA Try to get hold of encrypted messages that Microsoft is handling on their own so Really the the problem is there What is the way out how can we we handle that as a first of Microsoft is partnering in Germany with Deutsche Telecom as a data trustee model Doesn't have to be Deutsche Telecom I mean it happens luckily for us that we are doing it in in in Germany But Microsoft choose us as a data trustee. What does that mean? They are running their Asia and an office 365 in in our data centers in Germany and they handed over the complete service to to us T systems To run their business for them Turning that around what does it mean if? US Law or NSA FBI is coming to them and telling them. Hey, I need access to your data They can say that is very nice that you demand that from me, but actually Don't go to me and demand it from me. Please go over to Germany demand it from T systems because They are owning the day or they are running it for me and they have access to the data I do not even have access to that data. So if you want the data See you them and and try to get it out of there and As far as the the current discussion is going it seems to be the the only model that tries or seems to to be be doable in in in terms of Going to court and saying I do don't have access or I don't want to hand it out to you because you are really Going out of the the American Jurisdication and and going to another company and and another country and and Trying to to do it there, but they are the data is protected by German privacy laws And and I think that is really the The big differences that we have there I can even tell you a nice quote here Built on Microsoft's trusted cloud principles of security privacy Compliancy and transparency the Microsoft cloud Germany brings data Residency in transit and at rest in Germany and data replication across German data centers for business continuity Tomkey Microsoft Azure so really that was their way to to protect their data and That was a first off and and let's see how things evolve in the next year until we we see GDP are coming then active and alive Where are we today, I mean as as already said the Safe harbour agreement was was killed by the European Union That it is no longer valid and We had to quickly come up with a replacement for for safe harbour to still enable Companies doing business between the European Union and United States The replacement was the privacy shield Even though it looks very similar to what we had before with safe harbour still there are some Basic differences main threat is that if you do not comply you may get thrown out of the list of Compliant companies that are allowed to do data exchange of personal data But nevertheless, it is Too large extent similar to what we had before with safe harbour and That not being enough it is threaded from different directions To not being valid anymore. So I mean on the one hand side We we have a gender European Union testing it and and putting it to to court and and seeing if it is Enough to to be compliant with European Data privacy demands that we have on the other hand side We have Donald Trump now being the president of the United States It just jeopardizes things that are happening there He already had one What was it called He said already that Data from non-US people is not that Protect worthy than it is from US citizens. So In other words, it's not so important to to protect data from from the European Union or from from companies from the outside and So privacy shield being killed by Trump is not one of the things that is so unrealistic So and and if that would happen Where's the basis how we can exchange then data in the future? So really that is one of the things and and also the As said that the European Union targeting it at it. So, yeah, it's complicated and and we really need to pay attention So what can we do to make things better? Help ourselves So looking at a cloud provider and then coming back to to what we are doing here with OpenStack and Also to to the options that we have I mean if you're doing it on premise It's your own stuff. You can need to take care of it You can do all the things that you want But if you go with a cloud provider, then it's really important to keep in mind What do I have under control and what do I don't have under control? so looking at The the infrastructure as a service in terms of data privacy. This is the more or less perfect model so you get a Environment up to the the upper edge of virtualization You take care of the operating system the middle where the data the applications That is all yours. So there you you can really influence what you are doing What is happening on term in terms of encryption? If you are moving up the layer if you're doing platform as a service if you are doing software as a service This gets more complicated Then you really need to pay attention as said before which cloud provider do I choose is he doing things right? Looking so bit of marketing slide forgive me. I need to put that in so we also do need to do a bit of advertising for us So Germany is really strict on doing all these things in terms of data protection. So we we have a lot of Protection rules and then also talking to customers. They say I always have a lot of discussion about cloud security But if I tell them I do it with no to telecom the discussion just ends because They trust us Microsoft trusts us so doing it in in a secure fashion is really one of the Important things and being able to prove that to the customers is one important part, but even I mean Something that you might not be aware of here in the United States that they are even Complete groups of people that are not allowed To do cloud business because of the data that they are handling doctors dentists Psychologists lawyers and and really being able to to to handle also this data This is is really a problem that that needs to be solved Said before you need a certificate to prove that and and having a certificate is also really a Point of trust and if you look at normal website certificates there you have a certificate authority that you trust and Doing that also applying this principle to to the way that you are doing security and Certification for a cloud provider puts this to a whole new level So you need to have not only does a certificate certificate, but also somebody who is Taking care of that so a certification authority Telling you that the one who is doing the certificate for you is doing it, right? Otherwise you could just go to eBay or Amazon and buy a very nice easel 2000 whatever certificate Printed out hang it to your entry hall and then you're good to go No, this is really the point You need to have trust worthy certificates and and that will bring trust also to your customers What is important just to to do a quick run through it and that is just part of what we are doing here so we we have to trust at cloud service so TÜV is is a big deal in in in Germany and in Europe so that is the Institution that is standardizing and then even watching after our cars So that everything is secure there and and they are really testing and validating also cloud security CSA star as the the cloud security, which is more the the international thing Is a 9,000 for for standard quality management that we are doing and service management For the the data center in general But also looking at the 270 17 and 18 which is cloud security and cloud privacy That are important Maybe one thing also here zero outage what you might not have heard of that is one thing that T systems is doing in in regard to You're trying to run a complete infrastructure without a outage So that is a industry standard that we are just trying to establish Applying that to a cloud You would say I I don't care about outage because my my application is so scaled That this is a complete different game But also here at the outer edge of your application there you is the thing that you want to achieve zero outage for your customers Yes, I think that is enough for the theoretical tile part of it Moving over to some technical solutions and having Danila telling you a bit about What implementations we are doing on our cloud and and how we implemented some things to to protect your data Yeah, so let's have a look at our open telecom cloud, which is our public cloud We are presenting here and yeah, let's have a look at the Security aspect and at what kind of implementations we have here. Hopefully that works for me. No, that was the wrong direction So Let's start with the easy one If you have the backup case This is I think one of the simple cases where you have no no problem With a security loss on Because the customer is able to encrypt its data by its own and he can transfer it to the object store and start there So the the customer is the owner of of the data He knows the keys and the provider has no no access to The data so that's a simple use case and the data is safe For the object storage Amazon introduced some some algorithm to Yeah to encrypt the data and We have also implemented that on our cloud. So the OBS encryption is one of the features We do offer and and customer can can use them Next slide just shows how to access the object storage and how to work with the encryption keys, so Yeah, do you have your account? Name and you have an access key and you have a secret access key. So I Think that's that's a well-known That's straightforward I help you that's that's why no That's that's for the OBS and the the key management We are we are doing here as we have a box hardware secure module this is storing the keys and Yeah, it's a black box and it Yeah, it meets all all the requirements for for compliancy and security and It's considered to be secure We do not have access to it It's just a a black box and and if we try to to let's say open it and access the keys It will just explode and self-destruct not really but A kind of yeah, it will be wiped so we do not have access to the data Nothing. This is really a These appliances are out there and and this is the the common way how to to really handle keys by the customer We will talk a bit about it in the outlook what what other solutions are there, but at the moment This is the way to securely store The the keys in the data center So another thing our platform provides is to to encrypt the data disks That means you can if you create a data disk So this is an example from our dashboard, of course, this is also available via API You can choose if you want to have an encrypted disk or not This slide shows while creating a disk itself, but you can also choose While you're creating a VM if you want to have your Data disk encrypted or not I need to admit that the boot disks are not encrypted by so at at the moment. Yeah, that's only applies for data disks currently and Yeah, another thing is of course the data is encrypted nice the customer can access it but what happens if the customer does Give the volume back. Is the data really erased that that's one of the the big questions and Yes, it is there is a distributed key Heshtable and data region at the bottom and if this Metadata is being deleted all the data is not accessible anymore So this ensures that if the disk is Deleted if the hash table is deleted the data is gone You cannot access it And just adding on that what just comes to my mind also in terms of physical security No media carrier is leaving our data center in a intact way, so If we are decommissioning servers, there's a big shredder where all hard disks all flesh Components whatever are destroyed before they are leaving the data center. So there's one way in and no way out so even Not to lose data by transporting servers or whatever doing with it If it is in the data center and if it had customer data on it, it won't leave the data center in a Secure way or if it's broken we get replacement part by the supplier and the Disk that we are using will be destroyed afterwards So this is what we are currently doing, but we have of course plans or further plans And in the soon future one of them is a solution for trusted boot That means we want to use the the TPM from Intel to to ensure that Yeah, the the VMs are booted in a trusted mode Second one is that we want to have remote attestation as I stated earlier these keyboxes within us and They it's in our data center. So with the remote attestation we allow the customer to store the keys at at their data center at their keybox that that's one of the next steps and We want to establish trusted compute pools to the to do or to allow geofencing Yeah, these are this is the upcoming Features we want to talk we want to realize Yeah, the next and the last slide for today is Yeah, if we put that all in a bigger context, what Do you need to look at? Yeah, if we start at the bottom at your VM at your machine you need to ensure that you have an encryption that you have the encrypted disks and that your VMs are Secure that they boot secure that they have security Parameters apply it. Yeah One step above you need to look at your cloud provider Your cloud provider should be certified. He should apply to the the security rules and to The certifications which are out there and your cloud provider should also have operators which are Skilled and which are aware and which are certified as well. That's I think a really important point and One step above if you look at the data center It's it's not just physical security as Sebastian stated by destroying disks or by having access control It's it's all to the human beings again, which should be aware of security risks, which have to be skilled which have to be trained and Because if somebody wants to do something evil and There and want to I don't know destroy your computer. It will be possible and Yeah, last not but not least you have the internet and There of course you have your provider, but Even if you everything is secure From the machine the provider and the data center and then you come to the internet you need to make sure that you have Encrypted traffic because and otherwise All the other things do not make sense. Yeah, so it stacks together So even if you are not paranoid they are spying on you And and to tell you one last story before we close here Encryption of the traffic is very important but what if VPN is too mainstream for you and On the last fair that we were talking to a consultant They told me a very nice story about one customer that is really paranoid and to to mitigate the problem of VPN and I mean look at the leaks what came out what NSA and FBI is able to spy on you The customer is running his own private tour network to to do Me they are doing multinational business and have road barriers out there and to connect them They are running access nodes on on various different clouds to to run their own private tour network So let's say Darknet as a service How secure access for for his near sales people to the internet and to Trustworthy information. I mean they are also doing business with the military. So they really have information they have to protect and That was their solution to overcome also The the dark and mean internet where they might spy on you. So Think of all the layers where your data might be at risk and and make them secure Good. Thanks for your attention. Thanks for being here and We are around here if you have some further questions or in the marketplace before That day you can find us and talk to us. Thank you. Yeah, thank you