ishenwei/nexus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
feea929082175a2df7332ffbc87fdabb7dd7d4ca
nexus/knowledgebase/csd-wiki/ICSD/EU-managed-farm_686065589.md
weishen 3f2e1765d8 Auto-sync: 2026-04-18 17:09
2026-04-18 17:09:43 +08:00

78 lines
5.5 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# EU-managed-farm_686065589
## Introduction
This page presents all the information for the EU (European Union) managed farm. It's also called DPZ (Data Protection Zone) in OpenText.
## Background
Customers like government, insurance and banking in Europe usually have requirements to have a dedicated farm which is isolated on multiple areas.
1. The support engineers need to live in EU
2. The support engineers need to be EU citizen
3. The data need to stay within EU
4. Combined requirement which is one of below
1. 1+3 (Preferred by ITOM SaaS PMs)
2. 2+3
3. 1+2+3 (Similar to FedRAMP)
## Isolation considerations
1. Supporting engineer isolation
1. App Ops - EU engineers
2. SRE / Network / Infra Ops - EU engineers?
3. Cloud Vendor - N/A
2. Account & Credentials isolation
1. Only allow EU engineers to connect to the infra during operation
2. Isolation of authentication (Like SAML, OKTA, those data can be kept outside of EU as long as it's OpenText employee data.)
3. Dedicated LZ?
4. Dedicated AWS Account
3. Domain isolation (optional for EU)
1. Dedicated FQDN
4. Supporting pipelines (optional for EU)
5. Supporting system like PCS (Proactive Customer System)
1. Dedicated PCS (The LDAP/SAML need to be in EU as it will keep the customer data.)
## Required services in Landing Zone
1. Central Services required for the 1st phase\*
(\*1st phase means once it's ready, App Ops can start the work)
1. Dedicated AWS Accounts with SAML & OU setup
1. LZ Accounts
2. App Accounts
2. Landing Zone functions
1. GW (Shared Account for AMI purpose, Security Account, Central Infra Logging like CloudTrail and AWS Config)
2. Core (Network including firewall and TGW)
2. Central Services required for the 2nd phase
1. Landing Zone functions
1. Core (AD/DNS)
2. EPO
3. Qualys
4. ArcSight
3. Central Services not required for the 1st & 2nd phase
1. Central Monitoring like sitescope
2. Central Log analytics
3. Artifactory
## Questionnaire for different functions as data processors
| **Function** | **Process Customer Data?** | **Access Requirement** | **Compliance Status** | **Gaps to comply** | **Remediation Measures** |
| --- | --- | --- | --- | --- | --- |
| **AWS Services** | - Yes (depends on the service) | - Supporting function with customer data processing need to be located within EU-boundaries. | - No (AWS support personnel is worldwide) | - AWS doesnt have an offering to process customer data within EU that meets ECB timeline | - Enable encryption at rest and encryption in transit. |
| **Infrastructure - Foundations** | - Yes | - Access control need to restrict the ability to access customer data | - Yes (Infrastructure Foundations engineers can be worldwide) | - Shared Landing Zone will have | - Choose one of below - Build Dedicated Landing Zone - Define boundaries in those infra accounts and have isolated role for EU and other access. |
| **Infrastructure Backing Services - DBA** | - Yes | - Supporting function with customer data processing need to be located within EU-boundaries. | - Yes (Normally the DBA role is played by Application Operations, who works in EU.) | - Since only EU personnel is allowed to work on this, they can only work 8x5, not 7x24. | - Further agreement need to be aligned with customer or additional support is required. |
| **Infrastructure Storage** | - Yes | - Supporting function with customer data processing need to be located within EU-boundaries. | - Yes (Normally the Infrastructure - Storage role is played by Application Operations, who works in EU.) | - Since only EU personnel is allowed to work on this, they can only work 8x5, not 7x24. | - Further agreement need to be aligned with customer or additional support is required. |
| **Cloud Operations and Level 2 Support** | - Yes | - Supporting function with customer data processing need to be located within EU-boundaries. Access control need to restrict the ability to access customer data if not required. | - Yes | - Since only EU personnel is allowed to work on this, they can only work 8x5, not 7x24. | - Further agreement need to be aligned with customer or additional support is required. |
| **PAAS /SRE** | - Yes | - Supporting function with customer data processing need to be located within EU-boundaries. | - No (PAAS /SRE engineers can be worldwide) | - OpenText doesnt have an offering to process customer data within EU that meets ECB timeline | - Enable encryption at rest and encryption in transit. |
| **Customer Support - Level 1 Support** | - Yes | - Supporting function need to be located within EU-boundaries. | - Yes | - Since only EU personnel is allowed to work on this, they can only work 8x5, not 7x24. | - Further agreement need to be aligned with customer or additional support is required. |
| **Engineering Support - Level 3 Support** | - No | - OT personnel access: non-restricted assignment to EU persons located in EU. Shared Logs with non-EU staff needs exclude PII. Sharing screen will require customer approval. | - Yes | | |
## Certifications
1. Currently it's not expected to cover any Europe certifications.
2. Several certifications can be considered in the future.
## Further considerations
1. As AWS European Sovereign Cloud is built in progress, which will provide isolation similar to GovCloud. It will be considered as a future phase of migration to provide better service to customers.
[https://aws.amazon.com/blogs/aws/in-the-works-aws-european-sovereign-cloud/](https://aws.amazon.com/blogs/aws/in-the-works-aws-european-sovereign-cloud/)
Reference in New Issue View Git Blame Copy Permalink