
Telekom IT: agile and secure in the public cloud

T-Systems has supported Deutsche Telekom IT in implementing security solutions on the AWS public cloud

Implement specific security requirements quickly


Together with T-Systems, Deutsche Telekom IT (DTIT) has established an AWS Landing Zone that complies with DTIT's high security requirements and standards while still allowing the agility of the public cloud to be used.

Customer benefits

  • Time saved by setting up a T-Systems Landing Zone and baseline for AWS. This allowed DTIT to concentrate on its specific requirements and to generate added value for in-house applications.
  • DTIT benefits from T-Systems' expertise in implementing security solutions on AWS. In this way, the specific security requirements could be implemented faster, using cloud-native capabilities wherever possible.
  • High-level security and improved ease of use through federation with the corporate Active Directory via ADFS.
  • Centrally controlled shared networks as well as templates for isolated networks that facilitate fast innovation and prototyping. This also makes possible the integration of company-wide backend systems, which is essential for launching solutions.

T-Systems has helped us to accelerate the introduction of the public cloud for applications at Deutsche Telekom by supporting us with implementing a secure AWS Landing Zone that is adapted to our high security requirements.

Torsten Jester, Senior Manager DTIT Cloud Center of Excellence (CCoE)

Comprehensive security requirements and standards


Since 2018, DTIT has been undergoing an IT transformation program that aims to increase the acceptance of agile methods and to create digital hubs. This should allow the whole spectrum of public cloud functions to be used for in-house applications. The biggest challenges in the highly regulated telco business are the comprehensive security requirements and standards, such as Deutsche Telekom's own strict Privacy and Security Assessment (PSA). Within the framework of the project, DTIT wanted to build a secure and compliant platform for its applications, combining the advanced AWS-native automation and security services with Deutsche Telekom's best practices and standards for secure system and network operation. Since T-Systems is a proven supplier of solutions that comply with high security requirements while preserving the agility of the public cloud, DTIT selected the ICT provider as a partner to support and accelerate the project.

The challenge

  • The construction of an AWS Landing Zone that allows DTIT to provide isolated AWS environments for in-house applications while maintaining central control over security and compliance.
  • The federation of Telekom's Active Directory with AWS to enable central management of the identity pool and single sign-on to AWS for Telekom employees, in a way that complies with the security guidelines and standards of Deutsche Telekom AG.
  • The construction of a highly secure, centrally managed network environment that is ready to be connected to the company network, together with secure deployment templates for the individual projects.

Security with AWS


For Amazon Web Services (AWS), security is a key focus of every offering, so that companies can make the most of the speed and agility of the cloud. AWS builds comprehensive security controls, effective scaling, transparency, and automated security processes into its cloud infrastructure to create a secure foundation for companies to build on. The shared responsibility model (SRM) makes clear which security controls AWS operates for the underlying cloud and which remain the customer's responsibility for its own environment, and AWS offers resources that help companies implement end-to-end security quickly and easily. Companies can choose from many cloud-capable software solutions from AWS and AWS Security Competency Partners in order to meet the high standard of data security in the cloud.

T-Systems as a partner

T-Systems can look back on years of experience in the provision of solutions that comply with high security requirements and simultaneously make use of the agility of the public cloud. The telecommunications company offers the following:

  • comprehensive cloud consulting and engineering for AWS, across the whole application stack.
  • specific cloud security knowledge, including AWS-certified security specialists.
  • security-tested applications that run on AWS (compliant with the security requirements of the AWS framework).
  • highly automated security and compliance evaluations for an entire AWS environment.
  • Managed Services with a strong focus on security and compliance, using the newest and best security and compliance tools for AWS and proactive 24/7 support, including integration with the Telekom Security Operation Center (SOC).

It is for these reasons that DTIT chose to work with T-Systems. Their expert knowledge and experience with the security requirements of Telekom also contributed to this decision.


Construction of an AWS Landing Zone


T-Systems has built an AWS Organizations setup specifically for DTIT. The security guidelines applied to the accounts combine T-Systems' security standards with an additional layer that reflects the customer's specific requirements.

The basis for this was derived from T-Systems' central SecOps account. It enables encryption and decryption of S3 data stores based on a classification tag and the use of the KMS keys provided. It also ensures structured IAM roles and password policies, enforces multi-factor authentication, and makes sure that audit logging (CloudTrail) is in place. Access for forensics and audits is also possible. Service control policies (SCPs) restrict usage to the geographical regions permitted by the customer. T-Systems also implements a strict and verifiable process for root-level access. Other AWS services, such as CloudFormation, CloudWatch, and CodePipeline, were central to building, provisioning, and activating this cloud-native solution. The solution provided by T-Systems has passed the strict Telekom Privacy and Security Assessment.

This solution enables the DTIT AWS DevOps team to work seamlessly in a pre-configured, secure AWS environment and to concentrate on specific requirements. T-Systems then advised and supported DTIT in the highly automated definition, construction, and expansion of its own security guidelines (with CloudFormation stack sets, Step Functions, and Lambda, with the code managed in the corporate GitLab environment). DTIT's security baseline includes GuardDuty threat detection, KMS encryption of all stored data, and a dedicated logging and monitoring stack. T-Systems has also implemented a secure interface (using API Gateway) through which DTIT can order a new AWS account, which is then made available automatically through a central cloud management portal.
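The SCP-based guardrails described above, as an added example that is not part of the original case study or of T-Systems' or DTIT's actual policies: a constructed region-restriction and CloudTrail-protection SCP plus a minimal evaluator that shows which API calls it blocks. The region whitelist and the list of global services are assumptions.

```python
"""Constructed sample SCP of the kind a landing zone attaches to member
accounts, with a small evaluator. Assumes the default FullAWSAccess SCP is
also attached, so only explicit Deny statements need to be evaluated."""
import fnmatch

ALLOWED_REGIONS = ["eu-central-1", "eu-west-1"]  # assumed whitelist (constructed)

LANDING_ZONE_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyOutsideAllowedRegions",
            "Effect": "Deny",
            # NotAction exempts global services (served from us-east-1),
            # otherwise IAM, STS and Organizations calls would break.
            "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*",
                          "cloudfront:*", "route53:*"],
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGIONS}},
        },
        {
            # Keeps the audit log intact even for account administrators.
            "Sid": "ProtectCloudTrail",
            "Effect": "Deny",
            "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                       "cloudtrail:UpdateTrail"],
            "Resource": "*",
        },
    ],
}

def _matches(patterns, action):
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)

def scp_allows(scp, action, region):
    """Return False if any Deny statement matches the call, else True.
    An SCP only filters; an IAM policy in the account must still grant it."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if "NotAction" in stmt:
            action_hit = not _matches(stmt["NotAction"], action)
        else:
            action_hit = _matches(stmt["Action"], action)
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        region_hit = True
        if "aws:RequestedRegion" in cond:
            region_hit = region not in cond["aws:RequestedRegion"]
        if action_hit and region_hit:
            return False  # explicit deny wins
    return True
```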

Active Directory Federation


One of the most important aspects of security is a secure identity foundation. Limiting the number of separate identity stores and user accounts is a recommended best practice for companies of all sizes. The main reason for this, alongside convenience for the end user, is that it solves the mover/leaver problem: when a person changes role or leaves, access is revoked in one place. T-Systems was therefore commissioned to support DTIT with the design and setup of user management for AWS. As an interim solution, central user management with IAM in a dedicated user management account was set up. On this basis, roles were implemented in the project accounts that enable cross-account access.

In parallel, T-Systems prepared the connection to Telekom's Active Directory using the company's own ADFS farm, in order to reuse the existing user pool and to avoid setting up a separate, isolated user management system for AWS. ADFS is the solution most companies use for single sign-on to SaaS solutions and the cloud. In DTIT's case, ADFS acts as a SAML 2.0 (Security Assertion Markup Language) identity provider for AWS. At a high level the setup is simple and is outlined below.

In summary, the client receives a SAML assertion from the in-house ADFS, which allows it to obtain temporary security credentials from AWS and to sign in to the AWS account. Permissions for the environments are controlled by groups in the Active Directory; on the ADFS side, AWS must be configured as a relying party. The most difficult part of this activity was defining the solution on the customer side (concept), collecting the authorizations, carrying out the tests, and going live with the changes. T-Systems also automated the roll-out of identity providers and roles on the AWS side and integrated the solution into the application and processes that manage the groups.
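The group-to-role mapping behind this federation, as an added example that is not part of the original case study or of DTIT's actual ADFS configuration. It shows both sides of the exchange: the ADFS-side claim rule that turns Active Directory group membership into AWS Role attribute values, and the AWS-side reading of those values from a SAML assertion. The `AWS-<account>-<role>` group naming convention, the provider name `ADFS`, the account id and the group names are assumptions; the assertion is a constructed, unsigned fragment.

```python
"""Constructed example of AD-group-driven AWS role mapping via SAML 2.0."""
import re
import xml.etree.ElementTree as ET

SAML_PROVIDER = "ADFS"  # assumed name of the IAM SAML provider
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
# Assumed convention: AD groups named AWS-<account id>-<role name> grant the
# matching IAM role, so authorization stays in the Active Directory.
GROUP_RE = re.compile(r"^AWS-(\d{12})-([\w+=.@-]+)$")
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

def groups_to_role_claims(ad_groups):
    """ADFS-side claim rule: emit 'role-arn,provider-arn' for each matching
    group. Groups that do not follow the convention grant nothing."""
    claims = []
    for g in ad_groups:
        m = GROUP_RE.match(g)
        if m:
            account, role = m.groups()
            claims.append(f"arn:aws:iam::{account}:role/{role},"
                          f"arn:aws:iam::{account}:saml-provider/{SAML_PROVIDER}")
    return claims

def build_assertion(claims):
    """Constructed, unsigned assertion body. A real ADFS response is signed,
    and AWS verifies the signature against the registered provider."""
    values = "".join(f"<saml:AttributeValue>{c}</saml:AttributeValue>" for c in claims)
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}">'
            f"<saml:Conditions><saml:AudienceRestriction>"
            f"<saml:Audience>{AWS_SAML_AUDIENCE}</saml:Audience>"
            f"</saml:AudienceRestriction></saml:Conditions>"
            f'<saml:AttributeStatement><saml:Attribute Name="{ROLE_ATTR}">'
            f"{values}</saml:Attribute></saml:AttributeStatement></saml:Assertion>")

def roles_from_assertion(xml_text):
    """AWS-side view: check the audience, then return the (role_arn,
    provider_arn) pairs the user may choose from at sign-in."""
    root = ET.fromstring(xml_text)
    audience = root.findtext(".//saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != AWS_SAML_AUDIENCE:
        raise ValueError("assertion was not issued for AWS sign-in")
    pairs = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            role_arn, provider_arn = value.text.split(",")
            pairs.append((role_arn, provider_arn))
    return pairs
```

Each returned pair is what the sign-in endpoint passes to AssumeRoleWithSAML to obtain the temporary credentials mentioned above.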

Secure central network


In terms of connectivity, T-Systems has created a highly secure, centrally managed network environment that is connected to the company network (see the T-Systems AWS Direct Connect case for DTIT). AWS functions such as VPC endpoints and VPC sharing were used, as well as other standard network security controls such as network ACLs and security groups. T-Systems has also created secure provisioning templates for projects to simplify the use of the centrally managed network environment. In addition, a secure standard VPC will be introduced in the whitelisted regions to simplify the adoption of AWS in new projects. All networks are managed as code (CloudFormation templates) in the central DTIT GitLab.

T-Systems will continue to support the DTIT client and the Telekom applications, for example through consulting, structured reviews, and Managed Services for containers (EKS, ECS).

About APN partners

With a presence in over 20 countries, T-Systems is one of the world's leading manufacturer-independent providers of digital services headquartered in Europe. The Telekom subsidiary offers everything in one package: from the secure operation of legacy systems and classic ICT services and the migration to cloud-based services, through to new business models and innovation projects in the Internet of Things. T-Systems is part of the AWS Partner Network (APN) and an Advanced Consulting Partner of AWS.

Further information

About Deutsche Telekom IT GmbH

DTIT is the in-house IT service provider for Deutsche Telekom AG. DTIT is responsible for the design, development, and operation of all the group's own and transferred IT systems to support the business processes of Deutsche Telekom AG. DTIT creates user-friendly web portals with intelligent self-service functions, which form the basis for an integrated, cross-channel customer experience with the brand Telekom Magenta.