Privacy: 10 Facts to handle cross-border data traffic with OpenStack - PowerPoint PPT Presentation



SLIDE 1

Privacy: 10 Facts to handle cross-border data traffic with OpenStack

International + EU + Germany

Daniela Ebert | Open Telekom Cloud Engineer
Sebastian Wenner | Open Telekom Cloud Architect

SLIDE 2

Contact

Open Telekom Cloud, May 17, 2017

Daniela Ebert
Open Telekom Cloud Engineer, d.ebert@t-systems.com

Sebastian Wenner
Open Telekom Cloud Architect, sebastian.wenner@t-systems.com

SLIDE 3

OpenStack Summit Boston 17.05.2017

Goals of this presentation: Which questions should be answered?

1. Who are the decision-makers?
2. Data privacy <-> countries?
3. European data privacy?
4. Self-certificates vs. placebo = technical solution needed?
5. Encryption as a solution for storage?
6. Encryption as a solution for servers?
7. Solutions of the Open Telekom Cloud in the future?

SLIDE 4

Valuation of risks in €: What fines can be charged to a company?

Germany, today: 300.000 €

From 25.05.2018: 20 million € or up to 4% of the entire worldwide annual turnover achieved in the previous financial year, whichever value is higher

SLIDE 5

Optimal solutions:
1. Open Source
2. OpenStack

New impact:
1. Place of the stored data = place of jurisdiction
2. Cloud security – who owns the data

New risks -> new decisions

SLIDE 6

Decision for OpenStack: show stopper

1. role: IT administrator
2. role: IT security officers, data protection officers -> show-stopper

SLIDE 7

These decision-makers need proof: certificates, solutions, countries

Stakeholders: IT, IT security, data protection, compliance, management

Flow: contractual / legal inquiries -> certificates provide proof -> confirmation is returned if the contractual / legal requirements are met

SLIDE 8

Open Telekom Cloud: a safe harbor for your data. But what about IP addresses?

SLIDE 9

The Court of Justice of the European Union announced its verdict*:

IP = personal data. Every cloud contains personal data.

* Court of Justice of the European Union (the "CJEU"), judgment of 19 October 2016, Case C-582/14.

SLIDE 10

Check provider selection carefully! A safe harbor for your data.

SLIDE 11

"OpenStack = no access to personal data via the provider" => wrong statement

German law (BDSG), valid until May 25th 2018: Deletion of a tenant counts as access to personal data
=> Must have an „ADV“ (Auftragsdatenverarbeitungsvereinbarung) => commissioning of data processing

SLIDE 12

Ger-Zone: German companies and their regulations

Ireland-Zone: EU data protection law -> conflict with German law (valid until May 25th 2018)

SLIDE 13

SLIDE 14

The data-protection oasis Ireland (Dublin) is not a solution for German companies!

SLIDE 15

http://heatmap.forrestertools.com/#

SLIDE 16

Risks by Google: Google has to turn over data to the FBI (USA)

Google has to hand over data!

SLIDE 17

Risks by Google: verdict pending

SLIDE 18

Risks by Amazon? Weak points: endangerment for data

SLIDE 19

Risks by Microsoft: only within the EU, without data-trustee model

SLIDE 20

Microsoft + German cloud = secure data (data-trustee model)

SLIDE 21

Future for EU + international: Privacy Shield USA + EU?

Agreements are insecure

SLIDE 22

OpenStack / OpenStack + customer security: Infrastructure as a Service

Legend: customer responsibility vs. cloud provider responsibility; * = T-Systems already certified

Layers (top to bottom): Applications, Data, Middleware, Operating Systems, Storage, Virtualization, Servers, Network

On-premises: Applications, Data, Middleware, Operating Systems, Storage, Virtualization, Servers, Network
IaaS: Applications, Data, Middleware, Operating Systems, Storage*, Virtualization*, Servers*, Network*
PaaS: Applications, Data, Middleware, Operating Systems, Storage, Virtualization, Servers, Network
SaaS: Applications, Data, Middleware, Operating Systems, Storage, Virtualization, Servers, Network

SLIDE 23

The best data protection … does only exist in Germany – data processing?

§ 11 BDSG, § 3 BDSG, § 9 BDSG, § 8,3 BDSG

SLIDE 24

No go in Germany for OpenStack - StGB §203

1. Doctor, dentist, pharmacist
2. Psychologist
3. Lawyer, patent attorney, notary, accountants
4. Accident or life insurance
5. Research projects
SLIDE 25

Real certificate

SLIDE 26

Certifications

  • TÜV Trusted Cloud Service (specially for Open Telekom Cloud)
  • CSA STAR Level 2 (specially for Open Telekom Cloud)
  • ISO 9001 – Quality management system
  • ISO 20000 – Service management system
  • ISO 22301 – Business continuity management system
  • ISO 27001 – Information security management system
  • ISO 27017 – Cloud security
  • ISO 27018 – Cloud privacy
  • Zero Outage – Certified service process

SLIDE 27

Technical solutions

SLIDE 28

Easy = no problem by §

Example: Backup

1. Encryption by the customer (client + software + encryption)
2. Transfer via S3
3. OpenStack Object Storage
SLIDE 29

Object Storage Service: OBS – encryption on/off

1. OBS supports Amazon V2 and V4 for authentication.
2. In addition to using the HMAC-SHA256 algorithm, Amazon V4 introduces user data into signature computing.
3. The header fields introduced in signature computing can be specified by users, notably improving the security of request authentication.

SLIDE 30

OBS encryption - key

1. When accessing OBS, an account must provide a pair of access keys, that is, an AK and an SK.
2. The AK and SK support the authentication mechanism of Identity and Access Management (IAM).
3. They are required when OBS is accessed using clients, APIs, or SDKs.
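Slides 29 and 30 describe the mechanism only in outline: an AK/SK pair, HMAC-SHA256, and user-chosen header fields bound into the Amazon V4 signature. The following is an added example written for this page, not OBS, Open Telekom Cloud or AWS code; it implements the public AWS Signature Version 4 scheme with Python's standard library. The AK, SK, host name `obs.example.invalid`, object path, region `eu-de` and service name are all constructed placeholders. It signs the same GET request twice, once with an extra `x-amz-meta-tenant` header included in the signed set, to show why the signature changes when a signed header changes (and why the SK itself never appears in the request, only an HMAC chain derived from it).

```python
"""AWS Signature Version 4 signing, shown for the OBS V4 authentication path.
Added example; not OBS, Open Telekom Cloud or AWS code. All credentials,
host names, paths and the region below are constructed placeholders."""
import hashlib
import hmac
from urllib.parse import quote


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key: str, date: str, region: str, service: str) -> bytes:
    """SigV4 key schedule: the SK is never used on the wire directly, only a key
    derived through four HMAC steps (date, region, service, terminator)."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def canonical_request(method, path, query, headers, payload_hash):
    """Build the canonical request string. Header names are lowercased and sorted;
    every header listed in SignedHeaders is covered by the signature."""
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
        for k, v in sorted(query.items())
    )
    normalized = {k.lower().strip(): " ".join(v.split()) for k, v in headers.items()}
    signed_headers = ";".join(sorted(normalized))
    canonical_headers = "".join(f"{k}:{normalized[k]}\n" for k in sorted(normalized))
    canonical = "\n".join([
        method.upper(),
        quote(path, safe="/-_.~"),
        canonical_query,
        canonical_headers,  # already newline-terminated, giving the blank line SigV4 expects
        signed_headers,
        payload_hash,
    ])
    return canonical, signed_headers


def sign_request(access_key, secret_key, method, host, path, query, headers,
                 payload, amz_date, region, service):
    """Return (Authorization header value, hex signature) for one request.
    The AK travels in the Credential scope; the SK only shapes the HMAC."""
    payload_hash = hashlib.sha256(payload).hexdigest()
    all_headers = {
        **headers,
        "host": host,
        "x-amz-date": amz_date,
        "x-amz-content-sha256": payload_hash,
    }
    canonical, signed_headers = canonical_request(method, path, query, all_headers, payload_hash)
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(canonical.encode("utf-8")).hexdigest(),
    ])
    signing_key = derive_signing_key(secret_key, date, region, service)
    signature = hmac.new(signing_key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    authorization = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return authorization, signature


# Constructed, non-functional credentials and endpoint for the demonstration only.
DEMO_AK = "AKIAEXAMPLE0000000000"
DEMO_SK = "exampleSecretKey/NotARealSecret+0000000000000000"
DEMO_HOST = "obs.example.invalid"  # placeholder endpoint, not a real OBS address
DEMO_REGION = "eu-de"              # assumed region name, not taken from the slides


def demo_signatures():
    """Sign the same GET twice, the second time with a user-chosen header bound in.
    Returns (baseline_signature, signature_with_extra_header)."""
    common = dict(
        access_key=DEMO_AK, secret_key=DEMO_SK, method="GET", host=DEMO_HOST,
        path="/backup-bucket/2017-05-17.tar.gpg", query={"versionId": "1"},
        payload=b"", amz_date="20170517T120000Z", region=DEMO_REGION, service="s3",
    )
    _, baseline = sign_request(headers={}, **common)
    _, with_header = sign_request(headers={"x-amz-meta-tenant": "ger-zone"}, **common)
    return baseline, with_header


if __name__ == "__main__":
    base, extra = demo_signatures()
    print("baseline signature:     ", base)
    print("with x-amz-meta-tenant: ", extra)
```

The point for provider selection is in the last two calls: any header named in `SignedHeaders` is covered by the HMAC, so a tampered or replayed request with a different host, date, payload hash or user-defined header fails verification at the service, and a compromised request log yields neither the SK nor a reusable signing key for another date, region or service.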

SLIDE 31

OBS encryption - HSM

1. Key Management Service (KMS) uses Hardware Security Modules (HSMs) to ensure key security, enabling users to easily create and manage encryption keys.
2. Keys are not displayed in plaintext outside HSMs, which effectively prevents key disclosure.
3. All operations performed on keys are controlled and logged, and usage of all keys is recorded, meeting regulatory compliance requirements.

SLIDE 32

EVS encryption - HSM

What functions does EVS provide? EVS provides hard disk resources for ECSs. With EVS, you can create an EVS disk:
− Create an encrypted data disk.
− Create a non-encrypted data disk.

SLIDE 33

EVS encryption - HSM

SLIDE 34

Data erase for a volume

If a volume has just been created, it has no index and no data blocks; if an attempt is made to read data from this new volume, the system replies "0" directly.

SLIDE 35

Trusted computing

Future prospects & possible options:

1. Solutions for Trusted Boot
2. Remote Attestation
3. Trusted Compute Pools
SLIDE 36

What about the bigger context?

Internet | Datacenter | Cloud Provider | Machine

  • Provider
  • xx-CIX
  • Physical Security
  • Operators
  • Certification
  • Operators
  • Encryption
  • Security
SLIDE 37

Thank you.

SLIDE 38

Certificates / laws / regulations

Open Telekom Cloud certificates in 2017:

  • ISO 27001
  • ISO 27017
  • ISO 27018
  • ISO 9001
  • SOC 1 Type 2 (Q3 / 2017)
  • SOC 2 Type 2 (Q3 / 2017)
  • SOC 3 Type 2 (open)
  • PCI DSS Level 1 (Q4 / 2017)
  • CSA-STAR Level 2 Gold
  • ISO 20000
  • ISO 22301
  • ISO 14001
  • TÜV Trusted Cloud Service
  • Zero Outage
  • TÜV Rheinland PSA according to ISO 27001
  • ESARIS certification