How Communications Service Providers can leverage Cloud benefits securely

Over the last decade, telecom operators and network vendors have transformed communications networks from vertically integrated hardware and software systems to software Network Functions (NF) capable of operating on Commercial Off-the-Shelf (COTS) hardware. We now stand at the cusp of the next phase of their evolution to cloud-native functions capable of taking advantage of the benefits of the cloud. By using AWS, communications service providers (CSP) can trade fixed expense for variable expense, benefit from massive economies of scale, stop guessing capacity, increase speed and agility, stop spending money running and maintaining data centers, and go global rapidly. This can lead to an overall reduction in total cost of ownership, faster time-to-market, and increased automation of implementing security best-practices.

When CSPs plan for the cloud, one of the primary considerations is the change in the paradigms around the security of the data that they store in the cloud. CSPs process ever-increasing volumes of data that can include personal data, the security of which is paramount to their business. So, Nokia’s “Telcos, it’s time to value SaaS” Whitepaper is timely. It examines data protection measures in cloud-based offering through the lens of security, privacy, residency, and data sovereignty. It explains the role of the three parties involved – the cloud service provider, the software as a service (SaaS) application provider, and SaaS end-user and how their security measures offer a powerful defense-in-depth approach. It demonstrates how CSPs can lighten their operational security burden while remaining secure to the same degree or more as an on-premises option. Although written for SaaS offerings, its applicability is equally valid for other cloud-based workloads. Whereas the whitepaper covers data protection measures used across the cloud service sector, we want to share the relevant services available to CSPs when using the AWS Cloud.

Data controls and residency With AWS, you control your data by using purposely built AWS services and tools to determine where your data is stored, how it is secured, and who has access to it. Services such as AWS Identity and Access Management (IAM) allow you to securely manage access to AWS services and resources. AWS CloudTrail and Amazon Macie enable compliance, detection, and auditing, while AWS CloudHSM and AWS Key Management Service (AWS KMS) allow you to use encryption keys managed inside or outside the AWS Cloud. AWS Control Tower offers a broad set of governance features including those for data residency.

Data privacy We continuously innovate to raise the bar on privacy controls with services and features including advanced access, encryption, and logging features. We provide a wide variety of best practice documents, training, and guidance that you can use to protect your data, such as the Security Pillar of the AWS Well-Architected Framework. We only process personal data you upload to AWS services under your AWS accounts in accordance with your documented instructions as described in our AWS Data Processing Addendum. We do not use such data or derive information from it for marketing or advertising purposes.

Data sovereignty: Giving customers this sovereignty has been a priority for AWS since the very beginning when we were the only major cloud provider to allow customers to control the location and movement of their data. AWS has pledged to continue offering you the most advanced set of sovereignty controls. You can choose to store your customer data in any one or more of our AWS Regions around the world. You can also use AWS services with the confidence that customer data stays in the AWS Region you select. A small number of AWS services involve the transfer of data, for example, to develop and improve those services, where you can opt-out of the transfer, or because the transfer is an essential part of the service (such as a content delivery service). We prohibit — and our systems are designed to prevent — remote access by AWS personnel to customer data for any purpose, including service maintenance, unless that access is requested by you or unless access is required to prevent fraud and abuse, or to comply with law. If we receive a law enforcement request for customer data, we will challenge it where the request conflicts with law, is over-broad, or where we otherwise have appropriate grounds to do so. We use every reasonable effort to redirect any governmental body requesting customer data to the applicable customer. We will also promptly notify the applicable customer about a request for content if legally permitted to do so. AWS also commits that if, after exhausting the preceding steps, it remains compelled to disclose customer data, AWS will disclose only the minimum amount of customer data necessary to satisfy the request. We also provide a bi-annual Information Request Report describing the types and number of information requests AWS receives from law enforcement. Regions are designed for resilience and survivability. Each Region is comprised of multiple Availability Zones, which are fully isolated infrastructure partitions. To better isolate issues and achieve high availability, customers can partition applications across multiple Availability Zones in the same Region. AWS also offers hybrid cloud storage and edge computing capabilities enabling customers to use compute and storage where it is needed – including in on-premises environments – to help satisfy latency, regulatory, and local data processing requirements.

Security: At AWS, security is our top priority and security in the cloud is a shared responsibility between AWS and our customer. Financial services providers, healthcare providers, and governmental agencies trust us with some of their most sensitive information. You can improve your ability to meet core security, confidentiality, and compliance requirements with our comprehensive services, whether that’s through Amazon GuardDuty or our AWS Nitro System, the underlying platform for our Amazon Elastic Compute (Amazon Elastic EC2) instances. We’ve designed the Nitro System to have workload confidentiality and no operator access. With the Nitro System, there’s no mechanism for any system or person to log in to EC2 servers, read the memory of EC2 instances, or access any data stored on instance storage and encrypted Amazon Elastic Block Store (Amazon EBS) volumes. (For more information, refer to Confidential computing: an AWS perspective.)

Compliance programs: Our technical and organization measures are backed by an industry-leading compliance program that helps you understand the robust controls in place at AWS to maintain security and compliance of the cloud. AWS has achieved numerous internationally-recognized certifications and accreditation, demonstrating compliance with rigorous international standards, such as ISO 27017 for cloud security, ISO 27701 for privacy information management, and ISO 27018 for cloud privacy. Compliance certifications and attestations are assessed by a third-party, independent auditor and result in a certification, audit report, or attestation of compliance. We make these reports available to you through AWS Artifact.

Conclusion

Earning customer trust is the foundation of our business and we are committed to understanding and meeting your data protection needs. With AWS, you manage the privacy controls of your data, including how your data is used, who has access to it, and how it is encrypted. Our contracts are written in plain, straightforward language and include commitments that enable you to work to meet legal and regulatory requirements. We are committed to protecting your most critical and sensitive assets by offering the most comprehensive set of services, tooling, and expertise coupled with technical, operational and contractual measures to provide you with the most secure cloud environment.