The problem congstar faced was that they needed a platform to perform analysis of various anonymized data. To be able to test different approaches to the data, it was necessary to efficiently store large amounts of data in a safe and secure manner and to have access to a broad set of tools for data transformation and machine learning (such as EMR, Athena, Glue, SageMaker and others). As such, the solution needed to be flexible and agile and enable fast-paced development of various components on the AWS platform while making no compromises in data security and data privacy.
The goal was to leverage AWS automation and security services, by following AWS best practices, and to build a product which complies with Deutsche Telekom’s rigorous DTAG Privacy and Security Assessment (PSA) requirements. Since T-Systems has a proven track record of delivering PSA-compliant products, they were contacted by congstar as a partner to help them with this task.
The developed security solution, or configuration baseline, was deployed from a central SecOps account in the T-Systems AWS Organization. It enabled encryption and decryption of S3 data storage based on a classification tag, using deployed KMS keys. It also ensured that structured IAM roles and password policies exist, MFA enforcement is enabled, and logging of all critical components of the AWS infrastructure (including VPC flow logs and various other AWS API calls) is operational. Region restrictions were applied with IAM permission boundaries, which ensured that geographic spread was contained.
Other AWS Services such as CloudTrail, CloudFormation, CloudWatch and CodePipeline were also central in building, deploying and enabling this cloud native solution.
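Two of the controls described above, a region-restricting IAM permission boundary and classification-based SSE-KMS enforcement on S3, can be expressed as IAM policy documents. The following is an added example written for this page, not code from congstar or T-Systems: it builds both policies and includes a small evaluator for the explicit-Deny statements so the effect can be checked offline against constructed requests. The allowed regions, the list of global services exempted from the region check, the bucket name and the KMS key ARNs are all assumptions or placeholders.

```python
"""Added example (not the case study's own code): region-restriction permission
boundary and classification-keyed S3 bucket policy, plus an offline check of
their explicit-Deny statements against constructed requests."""
import fnmatch
import json

# Assumed values for this example, not taken from the case study.
ALLOWED_REGIONS = ["eu-central-1", "eu-west-1"]
# Global (non-regional) services exempted from the region check; assumed list.
GLOBAL_SERVICE_ACTIONS = ["iam:*", "sts:*", "organizations:*", "support:*"]
# Placeholder KMS key ARNs, one per value of the data classification tag.
CLASSIFICATION_KEYS = {
    "confidential": "arn:aws:kms:eu-central-1:111122223333:key/PLACEHOLDER-KEY-CONFIDENTIAL",
    "internal": "arn:aws:kms:eu-central-1:111122223333:key/PLACEHOLDER-KEY-INTERNAL",
}


def region_restriction_boundary(allowed_regions, global_actions):
    """Permission boundary: an explicit Deny for every regional action whose
    aws:RequestedRegion is outside the allowed set. Global services use NotAction
    so they are not blocked by the region check."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowWithinBoundary", "Effect": "Allow", "Action": "*", "Resource": "*"},
            {
                "Sid": "DenyOutsideAllowedRegions",
                "Effect": "Deny",
                "NotAction": global_actions,
                "Resource": "*",
                "Condition": {"StringNotEquals": {"aws:RequestedRegion": allowed_regions}},
            },
        ],
    }


def classified_bucket_policy(bucket, key_arn):
    """Bucket policy: reject any PutObject that is not SSE-KMS with the key
    assigned to this bucket's classification. A missing encryption header also
    fails StringNotEquals, so unencrypted uploads are denied too."""
    resource = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyNonKmsPut", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": resource,
             "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
            {"Sid": "DenyWrongKey", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": resource,
             "Condition": {"StringNotEquals": {
                 "s3:x-amz-server-side-encryption-aws-kms-key-id": key_arn}}},
        ],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _action_matches(statement, action):
    # IAM wildcards ("*", "iam:*") map onto fnmatch patterns.
    if "Action" in statement:
        return any(fnmatch.fnmatchcase(action, p) for p in _as_list(statement["Action"]))
    return not any(fnmatch.fnmatchcase(action, p) for p in _as_list(statement["NotAction"]))


def _condition_holds(condition, context):
    # Minimal subset of IAM condition semantics: StringEquals, StringNotEquals, Null.
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = _as_list(expected)
            actual = context.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in expected:
                    return False
            elif operator == "StringNotEquals":
                # Absent key counts as "not equal", exactly like IAM.
                if actual is not None and actual in expected:
                    return False
            elif operator == "Null":
                if (actual is None) != (expected[0] == "true"):
                    return False
            else:
                raise ValueError(f"unsupported operator {operator}")
    return True


def explicit_deny(policy, action, context):
    """Return the Sid of the first Deny statement that matches the request, or
    None. In IAM an explicit Deny overrides any Allow, so a non-None result
    means the request is blocked regardless of other policies."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Deny" and _action_matches(stmt, action):
            if _condition_holds(stmt.get("Condition", {}), context):
                return stmt["Sid"]
    return None


if __name__ == "__main__":
    boundary = region_restriction_boundary(ALLOWED_REGIONS, GLOBAL_SERVICE_ACTIONS)
    bucket = classified_bucket_policy("example-analytics-bucket", CLASSIFICATION_KEYS["confidential"])
    print(json.dumps(boundary, indent=2))
    # Constructed sample requests: (action, request context)
    for action, ctx in [
        ("ec2:RunInstances", {"aws:RequestedRegion": "eu-central-1"}),
        ("ec2:RunInstances", {"aws:RequestedRegion": "us-east-1"}),
        ("iam:CreateRole", {"aws:RequestedRegion": "us-east-1"}),
    ]:
        print(action, ctx, "->", explicit_deny(boundary, action, ctx))
    for ctx in [
        {"s3:x-amz-server-side-encryption": "aws:kms",
         "s3:x-amz-server-side-encryption-aws-kms-key-id": CLASSIFICATION_KEYS["confidential"]},
        {"s3:x-amz-server-side-encryption": "AES256"},
        {},
    ]:
        print("s3:PutObject", ctx, "->", explicit_deny(bucket, "s3:PutObject", ctx))
```

The evaluator only models explicit Deny with three condition operators, which is enough to confirm that the boundary blocks regional calls outside the allowed regions while leaving IAM untouched, and that the bucket policy rejects both unencrypted and wrongly-keyed uploads. For real deployments the same documents would be attached through CloudFormation and validated with the IAM policy simulator rather than with this offline check.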
Due to the success of this solution and the continued need to evolve their development environment for further use cases, one AWS account proved to be too restrictive for congstar. That’s why T-Systems extended the solution to a landing zone which allows multiple hardened AWS accounts for isolating the different workloads and environments. Following the least privilege principle, T-Systems added a central place for user management. That way the security stance of the solution is further strengthened and congstar gains even more flexibility to widen their AWS horizon.
By mid-2018, the solution delivered by T-Systems gained PSA approval and went into production. It now provides integrated security as code straight from the T-Systems CI/CD pipeline. This solution enables the congstar DevOps team to work seamlessly in an enterprise-grade, pre-configured and hardened AWS account managed by T-Systems.
Results and Benefits
The successful collaboration of the two Deutsche Telekom subsidiaries, as well as the agility this solution provided, ensured that congstar’s solutions hosted on AWS delivered a broad range of new key business figures, for example improved customer offer calculations. Furthermore, with the T-Systems AWS solution congstar was able to drastically reduce the time needed to provision new infrastructure compared to the previous on-premises solution, which allowed optimization of costs and time for the implementation of new use cases.
Based on customer feedback, T-Systems will continue to develop their security portfolio on top of the AWS platform to fulfill congstar’s appetite for more innovation, including taking the directions of micro-services, machine learning and successfully being well-architected on AWS.
congstar, a second brand of Deutsche Telekom GmbH and headquartered in Cologne, provides prepaid and postpaid mobile phone services as well as DSL and VDSL complete connections. The success of congstar since its market launch in 2007 is due to the combination of excellent D-Netz quality, favorable prices and flexible contract terms. More than 4.5 million customers now benefit from this. congstar products and services regularly receive awards.
You can read more about congstar and their services here (German only).