Together with T-Systems, Deutsche Telekom IT (DTIT) has established an AWS Landing Zone that complies with the DTIT’s high security requirements and standards and simultaneously facilitates the use of the public cloud’s agility.
T-Systems has helped us to accelerate the introduction of the public cloud for applications at Deutsche Telekom by supporting us with implementing a secure AWS Landing Zone that is adapted to our high security requirements.
Since 2018, DTIT has been undergoing an IT transformation program that aims to increase acceptance of agile methods and create digital hubs. This should allow the whole spectrum of public cloud functions to be used for in-house applications. The biggest challenges in the highly regulated telco business are the comprehensive security requirements and standards, such as Deutsche Telekom's own strict Privacy and Security Assessment (PSA). Within the framework of the project, DTIT wanted to construct a secure and compliant platform for its applications, combining the advanced AWS-native automation and security services with Deutsche Telekom's best practices and standards for secure system and network operation. Since T-Systems is a proven supplier of solutions that comply with high security requirements while maintaining the agility of the public cloud, the ICT provider was selected by DTIT as a partner to support and accelerate the project.
For Amazon Web Services (AWS), security is a key focus of every offer in order to allow companies to make the most of the speed and agility of the cloud. AWS integrates comprehensive security controls, effective scaling, transparency, and automated security processes into its cloud infrastructure to create a secure basis for companies to build on. The shared responsibility model (SRM) makes it easy to understand decisions made to protect the unique AWS environment and offers the company access to resources that help them to implement end-to-end security quickly and easily. Companies can choose from many cloud-capable software solutions from AWS and AWS Security Competency Partners in order to fulfill the high standard of data security in the cloud.
T-Systems has constructed an AWS Organizations setup specifically for DTIT. The security guidelines applied to the accounts are a combination of T-Systems' security standards and an additional layer that reflects the customer's specific requirements.
The basis for this was derived from T-Systems' central SecOps account. It enables encryption and decryption of S3 data stores based on a classification tag and the use of the provided KMS keys. It also ensures structured IAM roles and password policies, enforces multi-factor authentication, and ensures that audit logging (CloudTrail) is in place. Access for forensics and audits is also possible. Regional restrictions were implemented with service control policies (SCPs) that enforce geographical limits in line with customer requirements. T-Systems also implements a strict and verifiable process for root-level access. Other AWS services, such as CloudFormation, CloudWatch, and CodePipeline, were also central to building, provisioning, and activating this cloud-native solution. This solution, provided by T-Systems, has passed the strict Telekom Privacy and Security Assessment.
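The region restriction described above, as an added example that is not T-Systems' or DTIT's actual policy: a region-restriction SCP of the kind the text mentions, plus a minimal evaluator of its Deny logic so the one caveat every such SCP needs (exempting global services such as IAM and STS, which have no region) can be checked offline. The allowed regions and the exempted services are assumptions.

```python
# Added example (not the project's own policy): region-restriction SCP and a
# small evaluator of its Deny/NotAction/StringNotEquals shape.
import fnmatch

ALLOWED_REGIONS = ["eu-central-1", "eu-west-1"]          # assumed allow-list

# Global services carry no region context; without this NotAction exemption a
# region-restriction SCP locks the organization out of IAM, STS and Organizations.
GLOBAL_SERVICE_ACTIONS = ["iam:*", "sts:*", "organizations:*", "support:*"]


def build_region_scp(allowed_regions, exempt_actions):
    """Return an SCP that denies any non-exempt action outside allowed_regions."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyOutsideAllowedRegions",
            "Effect": "Deny",
            "NotAction": exempt_actions,
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": allowed_regions}},
        }],
    }


def _matches(action, patterns):
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def is_denied_by_scp(policy, action, requested_region):
    """Evaluate only the Deny statements of the shape built above.
    SCPs set the permission ceiling: a Deny here overrides any IAM Allow."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if "NotAction" in stmt and _matches(action, stmt["NotAction"]):
            continue                      # exempted global-service action
        if "Action" in stmt and not _matches(action, stmt["Action"]):
            continue
        allowed = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:RequestedRegion")
        if allowed is None or requested_region not in allowed:
            return True
    return False


REGION_SCP = build_region_scp(ALLOWED_REGIONS, GLOBAL_SERVICE_ACTIONS)

if __name__ == "__main__":
    for action, region in [("ec2:RunInstances", "us-east-1"),
                           ("ec2:RunInstances", "eu-central-1"),
                           ("iam:CreateRole", "us-east-1")]:
        print(action, region, "DENIED" if is_denied_by_scp(REGION_SCP, action, region) else "allowed")
```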
This solution enables the DTIT AWS DevOps team to work seamlessly in a pre-configured and secure AWS environment and to concentrate on their specific requirements. T-Systems then advised and supported DTIT in the highly automated definition, construction, and expansion of their own security guidelines (with CloudFormation StackSets, Step Functions, and Lambda, deployed from code in the corporate GitLab environment). GuardDuty forms part of DTIT's security system, together with KMS encryption of all stored data and a dedicated logging and monitoring stack. T-Systems has also implemented a secure interface (using API Gateway) that allows DTIT to order a new AWS account, which is then provisioned automatically through a central cloud management portal.
One of the most important aspects of security is a secure identity foundation. Limiting the number of different identities or users is a recommended best practice for companies of all sizes. The main reason for this, alongside the convenience for the end user, is that it solves the mover/leaver problem. T-Systems was therefore commissioned to support DTIT with the design and setup of a user management system for AWS. As an interim solution, a central user management with IAM in a dedicated user management account was started. On this basis, roles were implemented in the project accounts that facilitate cross-account relationships.
In parallel, T-Systems prepared the connection to the Telekom Active Directory using the company's own ADFS farm, to take advantage of the existing user pool and avoid setting up a separate, isolated user management system for AWS. ADFS is the solution most companies use for single sign-on to SaaS solutions and the cloud. In DTIT's case, ADFS serves as a SAML 2.0 (Security Assertion Markup Language) identity provider for AWS. This high-level setup is very simple and is described here in detail.
In summary, the client receives a SAML token from the in-house ADFS, which allows them to obtain temporary credentials from AWS and sign in to their AWS account. Permissions for environments are controlled by groups in the Active Directory; on the ADFS side, a trust relationship must be established with AWS. The most difficult part of this activity was defining the solution on the customer side (concept), collecting the authorizations, carrying out the tests, and going live with the changes. T-Systems has also automated the roll-out of identity providers and roles on the AWS side, and integrated the solution into the application and processes that manage the group.
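The SAML exchange summarized above, as an added example that is not T-Systems' or DTIT's code: the AWS-side half of the flow parses the Role attribute ADFS places in the assertion (one value per AD group mapped to an AWS role), selects the role the user asked for, and exchanges the assertion for temporary credentials via STS AssumeRoleWithSAML. The account id, role names and provider name are constructed, and the STS client is passed in so the selection logic runs offline.

```python
# Added example (not the project's code): ADFS -> AWS SAML role selection and
# the STS call that turns the assertion into temporary credentials.
import base64
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# Constructed assertion fragment; a real one is signed by ADFS and much longer.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::111122223333:role/DTIT-Developer,arn:aws:iam::111122223333:saml-provider/ADFS</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::111122223333:role/DTIT-ReadOnly,arn:aws:iam::111122223333:saml-provider/ADFS</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_aws_roles(assertion_xml):
    """Return [(role_arn, provider_arn), ...] from the AWS Role attribute.
    AWS accepts the two ARNs in either order, so normalise on ':role/'."""
    root = ET.fromstring(assertion_xml)
    pairs = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") != AWS_ROLE_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            a, b = [s.strip() for s in value.text.split(",", 1)]
            pairs.append((a, b) if ":role/" in a else (b, a))
    return pairs


def select_role(pairs, role_name):
    """Pick the role whose name matches; None if the user's AD groups did not grant it."""
    for role_arn, provider_arn in pairs:
        if role_arn.rsplit("/", 1)[-1] == role_name:
            return role_arn, provider_arn
    return None


def assume_with_saml(assertion_xml, role_name, sts_client):
    """Exchange the assertion for temporary credentials (STS AssumeRoleWithSAML).
    sts_client is a boto3 STS client in practice; any object with that method works."""
    chosen = select_role(parse_aws_roles(assertion_xml), role_name)
    if chosen is None:
        raise PermissionError(f"assertion grants no role named {role_name}")
    role_arn, provider_arn = chosen
    return sts_client.assume_role_with_saml(
        RoleArn=role_arn, PrincipalArn=provider_arn,
        SAMLAssertion=base64.b64encode(assertion_xml.encode()).decode(),
        DurationSeconds=3600)["Credentials"]
```

The credentials returned are short-lived, so the mover/leaver problem mentioned earlier is solved in the directory: removing a user from the AD group removes the role from the next assertion.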
In terms of connectivity, T-Systems has created a highly secure, centrally managed network environment that is connected to the company network (see the T-Systems AWS Direct Connect case for DTIT). AWS functions such as VPC endpoints and VPC sharing were used, as well as other functions essential to network security, such as NACLs and security groups. T-Systems has also created secure provisioning templates for projects to simplify use of the centrally managed network environment. In addition, a secure standard VPC will be introduced in the whitelisted regions to simplify the adoption of AWS in new projects. All networks are managed as code (CloudFormation templates) in the central DTIT GitLab.
T-Systems will continue to support the DTIT client and the Telekom applications, for example through consulting, structured reviews, and Managed Services for containers (EKS, ECS).