Gaia-X Compliance meets Open Telekom Cloud


Introduction

In today's fast-changing environment, establishing and nurturing trusted business relationships is challenging, especially when the collaboration is mandated by an ever-growing set of laws and regulations. While there is no easy way to catch up to the trust level of a business partnership that was built over decades, there is a way to increase the base level of trust among all the players in an industry: through transparency and certifications.

With the new Loire release of the Gaia-X Digital Clearing House, as well as the Gaia-X Policy Rules and Labelling Criteria that accompany it, we can now do just that, on a massive scale.

This is a story of our journey through it.

Case study: Gaia-X Compliance for the Open Telekom Cloud

The Open Telekom Cloud (OTC) is a public cloud platform (based on OpenStack) developed by T-Systems, primarily aimed at European and global businesses. It offers a wide range of Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS) solutions, enabling companies to run and manage their IT infrastructure on the cloud with high security, compliance, and flexibility.

The Loire release of the Gaia-X Trust Framework focuses on Cloud Services and their adherence to various national and international standards. With the Open Telekom Cloud's extensive IaaS, PaaS and SaaS offering, as well as its number of existing certifications, this match-up was too good to pass up.

The Object Storage Service (OBS) of the Open Telekom Cloud, a highly secure, reliable and scalable storage solution, is the focus of this article; however, the learnings can be applied to a wide variety of services with minimal changes. The Object Storage Service has already been used successfully in various data ecosystems, for example by the Copernicus Data Space Ecosystem, where it is used for storage and performant processing of massive amounts of satellite data.

The rest of this article explains in detail what is necessary to achieve Gaia-X Compliance for a Cloud Service. However, while we had to go through this process as first movers in the field, you can take the easy path to Gaia-X Compliance through our T-Systems Digital.ID product and the related Advisory services. To learn more, click here.

Necessary ingredients

Digital signatures

All statements we will be making about the Cloud Services offered by the Open Telekom Cloud, as well as about T-Systems itself, need to be signed using a digital signature associated with T-Systems. This ensures the authenticity and integrity of the data, preventing malicious actors from making false claims about services they don't own.

In the Loire release, the following types of digital signatures are allowed:

  • Qualified Electronic Signature (QES) - A digital equivalent of a handwritten signature, with the same legal force. Applicable to a natural person.
  • Qualified Electronic Seal (QESeal) - A digital equivalent of a company seal, with the same legal force as a handwritten signature or the seal of a legal entity. Applicable to a legal person.
  • Extended Validation (EV) SSL - A type of certificate mostly used to secure web-based communication, but one that can also be used for signing if the certificates above are not available. Applicable to a legal person.

All three of these can be obtained from our own Qualified Trust Service Provider - Telekom Security. To learn more about them, click here.

Existing certifications

The Gaia-X Policy Rules and Labelling Criteria for Cloud Services introduce a set of more than 50 criteria which draw inspiration from existing certification schemes. The purpose of the Gaia-X Labelling Criteria was not to create a competing scheme, but rather to provide a neutral framework that can be satisfied by multiple schemes, increasing adoption.

While none of these schemes guarantees compliance with all the Labelling Criteria, they make the process much easier. The existing certification schemes recognized by the Labelling Criteria are:

  • SecNumCloud
  • BSI C5 Type 2
  • ISO/IEC 27001
  • CISPE (GDPR, Infrastructure & IaaS)
  • EU Cloud CoC (GDPR, XAAS)
  • SWIPO
  • TISAX
  • CSA CCM

As long-time players in the field, T-Systems and the Open Telekom Cloud already hold several of the certifications above, most notably the EU Cloud Code of Conduct and BSI C5, which makes the process simpler.

Understanding of the Gaia-X Ontology

To properly describe a service, for example the Object Storage service of the Open Telekom Cloud, there are several types of information that need to be provided:

  • Legal - This includes links to relevant documents, including the Terms and Conditions, Data Processing Agreement, Service Description, as well as the links to available certifications, involved parties and applicable jurisdictions.
  • Technical - This includes descriptions of the technical properties of the services, as well as the infrastructure that is enabling it, if any. In case of the Object Storage service, for example, these would describe the location of the datacenter, minimum and maximum object sizes as well as the API interface used to manipulate the data.
  • Organizational - This includes descriptions of the legal entities that own, manufacture and maintain the services, their identities, as well as their adherence to the Gaia-X Terms and Conditions.

The exact details of what information needs to be provided for each of these segments, and in which format, are defined by the Gaia-X Service Characteristics repository.

What an incredible journey! Just about a year ago, Gaia-X launched its first release, and T-Systems was the first to bring it to the market as Digital Clearing House Services. Today, we have a range of fully compliant services ready for customers to buy. This is what I call the operationalization of trust!

Roland Fadrany, Chief Operating Officer - Gaia-X European Association for Data and Cloud AISBL

Bringing it all together

With the necessary understanding under our belts, the actual Compliance process is straightforward, but it might require a few tries to get right.

To begin with, we need to determine which entities of the ontology are necessary for the particular service we're trying to obtain Gaia-X Compliance for. The easiest way is to start from the ontology of the actual service and then branch out to all of its dependencies, most of which will be reusable across multiple services offered by the same provider.

Next, after the main entities have been identified and the data for them collected, it is necessary to structure the information in the form of a Verifiable Credential: a machine-readable collection of statements made about an entity that is digitally signed and, as such, tamper-proof. For reference, in the case of the Object Storage Service (OBS) of the Open Telekom Cloud, we ended up with 30+ Credentials.

With the credentials in hand, the next step is to make it official: each of them individually needs to be signed using one of the recognized digital signature methods described above. Signing a Credential and sharing it means being legally liable for its content, so take your time to ensure the data you are sharing is correct.

Lastly, all the Credentials you have just created need to be collected in a single "envelope", which in the world of sovereign digital identities is called a Verifiable Presentation. And now we're ready!
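The steps above, from structuring the organizational and technical description of a service as Verifiable Credentials, through signing each one individually, to collecting them into a Verifiable Presentation, as an added Go example that is not part of this article and not code from Gaia-X or T-Systems. It assumes a plain Ed25519 signature over the credential's JSON body as the proof (a stand-in for the QES, QESeal or EV-certificate signatures the article lists, not Gaia-X's actual proof format), and every identifier, claim name and value in it (`did:web:provider.example`, `LegalParticipant`, `maxObjectSize`, and so on) is a constructed placeholder rather than a term from the Gaia-X ontology. The verification side shows the property the text relies on: changing any statement after signing makes that credential fail verification, while the untouched ones still pass.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
)

// Credential is a simplified Verifiable Credential: claims about one subject plus a proof.
type Credential struct {
	Context []string       `json:"@context"`
	Type    []string       `json:"type"`
	Issuer  string         `json:"issuer"`
	Subject map[string]any `json:"credentialSubject"`
	Proof   *Proof         `json:"proof,omitempty"`
}

// Proof carries the issuer's signature over the credential body (demo format, see lead-in).
type Proof struct {
	Type               string `json:"type"`
	VerificationMethod string `json:"verificationMethod"`
	ProofValue         string `json:"proofValue"`
}

// Presentation is the "envelope" that bundles the individually signed credentials.
type Presentation struct {
	Context              []string     `json:"@context"`
	Type                 []string     `json:"type"`
	VerifiableCredential []Credential `json:"verifiableCredential"`
}

// signingInput is what gets signed: the credential without its proof. encoding/json
// writes map keys in sorted order, so identical claims always serialise identically.
func signingInput(c Credential) ([]byte, error) {
	c.Proof = nil // c is a copy; the caller's credential keeps its proof
	return json.Marshal(c)
}

// Sign attaches an Ed25519 proof to one credential; each credential is signed on its own.
func Sign(c Credential, priv ed25519.PrivateKey, method string) (Credential, error) {
	msg, err := signingInput(c)
	if err != nil {
		return c, err
	}
	sig := base64.RawURLEncoding.EncodeToString(ed25519.Sign(priv, msg))
	c.Proof = &Proof{Type: "Ed25519Signature-demo", VerificationMethod: method, ProofValue: sig} // demo proof type
	return c, nil
}

// Verify recomputes the signing input and checks it against the issuer's public key.
// Any edit to a claim after signing changes that input, so the check fails: tamper evidence.
func Verify(c Credential, pub ed25519.PublicKey) bool {
	if c.Proof == nil {
		return false
	}
	sig, err := base64.RawURLEncoding.DecodeString(c.Proof.ProofValue)
	msg, err2 := signingInput(c)
	return err == nil && err2 == nil && ed25519.Verify(pub, msg, sig)
}

// VerifyPresentation checks every credential in the envelope, resolving the public key
// through its verificationMethod, and returns the indexes of credentials that fail.
func VerifyPresentation(p Presentation, keys map[string]ed25519.PublicKey) []int {
	var failed []int
	for i, c := range p.VerifiableCredential {
		var pub ed25519.PublicKey
		if c.Proof != nil {
			pub = keys[c.Proof.VerificationMethod] // nil when the method is unknown
		}
		if pub == nil || !Verify(c, pub) {
			failed = append(failed, i)
		}
	}
	return failed
}

// BuildOBSPresentation builds two constructed sample credentials for the OBS case, one
// organizational (the provider) and one technical (the service), signs both with a fresh
// key and bundles them. Identifiers, claim names and values are placeholders, not ontology terms.
func BuildOBSPresentation() (Presentation, map[string]ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Presentation{}, nil, err
	}
	const issuer = "did:web:provider.example" // placeholder issuer identifier
	method := issuer + "#key-1"
	ctx := []string{"https://www.w3.org/2018/credentials/v1"}
	subjects := []map[string]any{
		{"id": issuer, "type": "LegalParticipant", "legalName": "Example Provider GmbH"},
		{"id": issuer + "/obs", "type": "ServiceOffering", "providedBy": issuer,
			"apiType": "S3-compatible", "maxObjectSize": "sample-value"},
	}
	p := Presentation{Context: ctx, Type: []string{"VerifiablePresentation"}}
	for _, s := range subjects {
		c := Credential{Context: ctx, Type: []string{"VerifiableCredential"}, Issuer: issuer, Subject: s}
		signed, err := Sign(c, priv, method)
		if err != nil {
			return Presentation{}, nil, err
		}
		p.VerifiableCredential = append(p.VerifiableCredential, signed)
	}
	return p, map[string]ed25519.PublicKey{method: pub}, nil
}
```

Calling BuildOBSPresentation and then VerifyPresentation with the returned key map yields an empty list of failures; editing any value in a signed credential's subject afterwards returns that credential's index, and passing no keys at all fails every credential, which is the behaviour a Clearing House needs when a verification method cannot be resolved to a recognized signer.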

Becoming Compliant

The long journey is finally at its end: with the Verifiable Presentation ready, we have all the information in one place, in a format that is machine-readable and automatically processable.

The last step is to submit it to the Loire compliance service operated by an official Gaia-X Digital Clearing House node. While T-Systems fulfils that criterion, trust in a federated environment only comes from mutual recognition. As such, we will use another Digital Clearing House node, such as the one operated by the Gaia-X Lab team themselves, found at https://compliance.lab.gaia-x.eu/main/docs/

Since we are aiming at the highest level of compliance that is automatically verifiable, we select Label Level 1 and upload our Verifiable Presentation. After 10 or so seconds, 40 criteria get validated, some of them with thousands of individual comparisons and checks. The result is a Gaia-X Compliance credential, which you can see at the link below: https://dih.telekom.com/.well-known/gx-compliance/24.06/open-telekom-cloud/obs

The output Label Credential shows all the inputs provided, the criteria that were successfully evaluated and the resulting label level.

This Credential can then be stored in your Credential Wallet, exchanged with other participants as a means of building trust, or promoted in a service marketplace, as a way of making your service easily accessible to the market.

The #OpenTelekomCloud of Deutsche Telekom AG meets Gaia-X standards and firmly stands for a united and independent Europe – even in the cloud. With the help of T-Systems and the Data Intelligence Hub, we have achieved this goal together, in the spirit of freedom, fraternity, and progress. In this way, we are creating a secure and sovereign environment. Based on cutting-edge technologies we are fostering trust and collaboration across Europe and beyond.

Daniel Fussy, Security Compliance Manager, T-Systems International GmbH

Conclusion

While the process, as described above, might seem daunting, the technical aspects of Compliance are already taken care of by T-Systems and its Digital.ID solution. If you bring your own certification documentation and can prepare a brief description of your services, the Gaia-X Compliance Label is just around the corner!
