Update nexus: fix conflicts and sync local changes
@@ -1,77 +1,77 @@
# EU-managed-farm_686065589
## Introduction

This page presents all the information for the EU (European Union) managed farm. It's also called DPZ (Data Protection Zone) in OpenText.

## Background

Customers like government, insurance and banking in Europe usually have requirements to have a dedicated farm which is isolated on multiple areas.

1. The support engineers need to live in EU
2. The support engineers need to be EU citizen
3. The data need to stay within EU
4. Combined requirement which is one of below
1. 1+3 (Preferred by ITOM SaaS PMs)
2. 2+3
3. 1+2+3 (Similar to FedRAMP)

## Isolation considerations

1. Supporting engineer isolation
1. App Ops - EU engineers
2. SRE / Network / Infra Ops - EU engineers?
3. Cloud Vendor - N/A
2. Account & Credentials isolation
1. Only allow EU engineers to connect to the infra during operation
2. Isolation of authentication (Like SAML, OKTA, those data can be kept outside of EU as long as it's OpenText employee data.)
3. Dedicated LZ?
4. Dedicated AWS Account
3. Domain isolation (optional for EU)
1. Dedicated FQDN
4. Supporting pipelines (optional for EU)
5. Supporting system like PCS (Proactive Customer System)
1. Dedicated PCS (The LDAP/SAML need to be in EU as it will keep the customer data.)

## Required services in Landing Zone

1. Central Services required for the 1st phase\*
(\*1st phase means once it's ready, App Ops can start the work)
1. Dedicated AWS Accounts with SAML & OU setup
1. LZ Accounts
2. App Accounts
2. Landing Zone functions
1. GW (Shared Account for AMI purpose, Security Account, Central Infra Logging like CloudTrail and AWS Config)
2. Core (Network including firewall and TGW)
2. Central Services required for the 2nd phase
1. Landing Zone functions
1. Core (AD/DNS)
2. EPO
3. Qualys
4. ArcSight
3. Central Services not required for the 1st & 2nd phase
1. Central Monitoring like sitescope
2. Central Log analytics
3. Artifactory

## Questionnaire for different functions as data processors

| **Function** | **Process Customer Data?** | **Access Requirement** | **Compliance Status** | **Gaps to comply** | **Remediation Measures** |
| --- | --- | --- | --- | --- | --- |
| **AWS Services** | - Yes (depends on the service) | - Supporting function with customer data processing need to be located within EU-boundaries. | - No (AWS support personnel is worldwide) | - AWS doesn’t have an offering to process customer data within EU that meets ECB timeline | - Enable encryption at rest and encryption in transit. |
| **Infrastructure - Foundations** | - Yes | - Access control need to restrict the ability to access customer data | - Yes (Infrastructure – Foundations engineers can be worldwide) | - Shared Landing Zone will have | - Choose one of below - Build Dedicated Landing Zone - Define boundaries in those infra accounts and have isolated role for EU and other access. |
| **Infrastructure – Backing Services - DBA** | - Yes | - Supporting function with customer data processing need to be located within EU-boundaries. | - Yes (Normally the DBA role is played by Application Operations, who works in EU.) | - Since only EU personnel is allowed to work on this, they can only work 8x5, not 7x24. | - Further agreement need to be aligned with customer or additional support is required. |
| **Infrastructure – Storage** | - Yes | - Supporting function with customer data processing need to be located within EU-boundaries. | - Yes (Normally the Infrastructure - Storage role is played by Application Operations, who works in EU.) | - Since only EU personnel is allowed to work on this, they can only work 8x5, not 7x24. | - Further agreement need to be aligned with customer or additional support is required. |
| **Cloud Operations and Level 2 Support** | - Yes | - Supporting function with customer data processing need to be located within EU-boundaries. Access control need to restrict the ability to access customer data if not required. | - Yes | - Since only EU personnel is allowed to work on this, they can only work 8x5, not 7x24. | - Further agreement need to be aligned with customer or additional support is required. |
| **PAAS /SRE** | - Yes | - Supporting function with customer data processing need to be located within EU-boundaries. | - No (PAAS /SRE engineers can be worldwide) | - OpenText doesn’t have an offering to process customer data within EU that meets ECB timeline | - Enable encryption at rest and encryption in transit. |
| **Customer Support - Level 1 Support** | - Yes | - Supporting function need to be located within EU-boundaries. | - Yes | - Since only EU personnel is allowed to work on this, they can only work 8x5, not 7x24. | - Further agreement need to be aligned with customer or additional support is required. |
| **Engineering Support - Level 3 Support** | - No | - OT personnel access: non-restricted assignment to EU persons located in EU. Shared Logs with non-EU staff needs exclude PII. Sharing screen will require customer approval. | - Yes | | |

## Certifications

1. Currently it's not expected to cover any Europe certifications.
2. Several certifications can be considered in the future.

## Further considerations

1. As AWS European Sovereign Cloud is built in progress, which will provide isolation similar to GovCloud. It will be considered as a future phase of migration to provide better service to customers.
[https://aws.amazon.com/blogs/aws/in-the-works-aws-european-sovereign-cloud/](https://aws.amazon.com/blogs/aws/in-the-works-aws-european-sovereign-cloud/)
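Review bot: the Infrastructure - Foundations row of the questionnaire is inconsistent with the neighbouring rows and its gap cell is truncated. Its Compliance Status reads "Yes (Infrastructure – Foundations engineers can be worldwide)" while the AWS Services and PAAS /SRE rows, which carry the same worldwide-staff condition, are marked "No", and the Gaps to comply cell stops mid-sentence at "Shared Landing Zone will have"; please complete that sentence and mark the status the same way as the other rows. The isolation section still carries open questions ("SRE / Network / Infra Ops - EU engineers?", "Dedicated LZ?") that the table already answers in one direction (PAAS /SRE engineers worldwide, a dedicated Landing Zone as one remediation option); resolve them identically in both places. For the two rows whose remediation is "Enable encryption at rest and encryption in transit", state who holds the encryption keys: the gap being closed is access by non-EU personnel, not unencrypted storage, and encryption only narrows that access when key control stays inside the EU boundary. Finally, the note under "Isolation of authentication" that SAML/OKTA data can stay outside the EU because it is OpenText employee data should record the basis for that decision, since employee records are still personal data.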