Chapter 5

Google Disconnected Cloud Hosted

This chapter looks at Google Disconnected Cloud Hosted (referred to as GDCH). As previously outlined, GDCH is a component of our sovereign portfolio, accessible from Tier IV datacenters situated in Luxembourg. Which security measures safeguard this platform, and which services does it offer? Proximus and Luxconnect have formed a joint venture called ‘Clarence’, a name combining ‘Clarity’ and ‘Transparency’, to host the sovereign cloud in a disconnected mode.


Physical isolation and encryption

GDCH adheres strictly to the three pillars of cloud sovereignty identified in chapter 4: data sovereignty, operational sovereignty and software sovereignty. That means that GDCH is fully disconnected from the Internet and Google. The only connectivity it requires is a secure connection between the customer’s infrastructure and the GDCH platform. In other words, the platform is fully air-gapped from both Google and the Internet. It is managed and operated solely by Proximus NXT, from our out-of-band management network via our operations center. This ensures the uptime of the platform. Google has no access to the customer environment, not even for support cases. Moreover, Google does not know which customers are using GDCH.

Proximus NXT does not have any access to the customer environment or to customer data either. Encryption is a key element in GDCH: keys are stored on the customer side, with no access for Proximus NXT. If the customer requests the assistance of Proximus NXT with an incident or problem within their environment, temporary access will be requested from the customer. This ensures that what happens within the environment is accessible only to the people who should have access. Each access is completely and automatically monitored and documented, so the customer knows exactly what is or was done.

“GDCH is fully disconnected from the Internet and Google.”

Vincent Dock, Senior strategy manager at Proximus NXT

Each customer is physically isolated on a dedicated compute stack, so that the host is used only for that customer’s applications and environment. There is no interaction with other customers who also use the GDCH platform. The different customers are logically isolated on shared storage, for which Proximus NXT performs capacity management.
 
Because the compute nodes are dedicated, initial scoping is quite important to ensure the platform is properly sized from the start. Proximus NXT has spare capacity on the GDCH platform to provide on-demand and automatic scalability to our customers.

Secure update management

When a new version of GDCH is available from Google, Proximus NXT downloads the update into a separate, air-gapped environment and pre-tests the software for security risks and compatibility. Once the version has passed the testing phase, Proximus NXT makes the update available to the customer on GDCH. This way, the customer can install the update at their own pace. Beyond its role as cloud service provider, Proximus NXT can assist the customer end to end with their journey on the GDCH platform, as well as with governance and security services.

GDCH services

On this hardware, a subset of Google Cloud’s hyperscaler services is offered. This subset consists of the following features:

  • Compute services to run virtual machines and Kubernetes clusters
  • Block and object storage with back-up services
  • Private networking, load balancing (internal & external), network security policies and NAT
  • Identity and access management, resource manager, key management (HSM) and perimeter security (IDS/IDP/FW)
  • Omni Database services for Postgres and Oracle
  • The Vertex AI suite with pretrained models for OCR, speech-to-text and translation, plus a workbench to create your own AI models
  • Operations through logging and monitoring
  • Marketplace for third-party ISVs

Google is continuously working to expand these features to enrich the customer experience of the platform.
