Meeting Notes on Infrastructure and Cloud Strategy Discussion
Summary:
- Team members discussed the status of the product catalog session for tomorrow, which was initially thought to be canceled but will proceed as planned.
- The digital capability and process gap assessment project is ongoing, with a completion target set for the end of July.
- Telkom has adopted a hybrid cloud model with workloads on PCX One Cloud, AWS, and Azure, but is shifting towards more CapEx projects due to high OPEX.
- Current OPEX budget issues are impacting cloud strategy, leading to some workloads being kept on-premises.
- There is ongoing work on disaster recovery capabilities between data centers, with switch-over capability prioritized for critical systems and backup-and-restore used for lower-tier ones.
- Security practices involve centralized identity and access management (Active Directory and Entra ID with CyberArk for privileged access), multifactor authentication enforced on new and critical systems, and ongoing pen testing and vulnerability scanning for applications.
- Internal audit is actively engaged in reviewing infrastructure and compliance with various regulations, including POPIA.
Content:
Good morning, Blessing, I heard you not too well. I'm surprised to see you in the meeting. Sorry, you're breaking up a bit. Sorry, you're breaking up a bit, but if you can just start the recording for us. Okay. Joti may not attend, but we will continue. I've got all the notes with me. I'm just waiting for Foisman to join. Okay. And then, yeah, then I will start. Foisman is the lead of the infrastructure and the security part. And the Cobas one thing, I know it gets hectic sometimes. Good morning, Joko. I see Joko is joining us.
I know it gets hectic sometimes. I've sent you so many links, you know. So what I'm going to do, I will just send you one email with all the links consolidated. Okay, perfect. Perfect. So that, yeah, you don't go around, around. Did you see that the product catalog one for tomorrow is canceled? No, it's not canceled. Maybe not. So Joti and myself from our side, we need to cancel that session for tomorrow morning, please. Why? May I ask? Because it's the SDs. Yes. Yes. No, no, no. Talk to Ari. What happened? She called me. She said she wanted us to cancel it.
Then I spoke to her and with Impor also. Impor said, no, we cannot cancel that session because it makes sense. You know, we need to have it. The SDs. We are still going to have there to be, but Impor said, yeah, we need it. We cannot cancel it. And then Joti agreed on it. I think it was on Monday or Tuesday. No, okay. I just spoke to her this morning. So maybe we missed this a lot. Okay. I think everybody is here. Let's start. We can sort that out. Okay. Okay. Team, I'm just going to record.
Oh, I'm just going to record the session. Let me start with the recordings. Maybe Joti, maybe Kopas just to... because some team members are new here. I just want to lay a foundation. Then I'll hand back to you. Then I'm going to drop here. Yes, please. Please do that. Okay. Thank you, guys. I'm here, Blessing, if anybody was looking for me. Sorry, I was wrapping up on the other side. Thanks. Take a good one. Team, the new guy is here that has not been on this session. This is a Telkom digital capability and process gap assessment, which is being conducted by the A1L digital team.
Yaakov and Kopas are here. So it's a project from where we are. We are sitting on the third week. I know most of the team here is also part of the APS transformation that is currently happening. Just to answer your question, this is a separate, parallel process. Both projects are not linked here. So we had a kickoff with Lunga on the 3rd of June. And what's happening right now, we've been meeting with the MEs, etc. It should be completed by end of July. So I think that's it from my side, Kopas. Then I can drop off on my side so that I can focus on the notification.
Thanks. Thank you, Blessing. Okay, I'm going to continue. The section focuses on infrastructure and some security questions around that. As Blessing mentioned, we are busy with an assessment to look at the future and especially around digital capability. So from infrastructure view, and please take the question on because I do not know your exact roles and assist as we go through some questions. What I want to start off with is, what is your cloud strategy? Are you actively moving towards cloud adoption? And what is the cloud penetration and use versus on-prem? So what's your strategy between on-prem and cloud and where are you?
If somebody can take that. Can anybody assist with that question? I didn't hear that, Kopas. Sorry, Blessing was just calling me. Oh, okay. Oh, Blessing is still busy in the background. Yes, yes, yes. He said he shared with you some documents. Yeah, okay. Yeah, he just wanted to make sure that, you know, if you've forgotten that I've said, he's shared with you some documents. No, no, no. I can proceed with your question. Okay, so I want to start off with your cloud strategy versus on-prem and how much have you adopted a cloud strategy for the infrastructure and going into the future for Telkom?
Yeah, so I'll firstly say that we have a hybrid model where we've got cloud workloads as well as on-prem, yeah? And we mostly, our workloads are sitting on PCX one cloud. And we also have workloads that are sitting on AWS as well as Azure. So is there a strategy to move towards more cloud use? Yeah, so it was the strategy, but as, you know, companies have... Sorry, did we lose her? Hello, sorry, sorry. My network just dipped. Okay, okay, come back. Yes. Yeah, can you hear me? Yes, yes, please continue. Okay, so I was saying that, yes, it was a strategy that, and I'm saying was, but recently from a financial point of view, the company is seeing that there's a lot of OPEX that... And therefore, there's a strategy to, you know, use CapEx more.
And if you, you know, you would appreciate that there's more, if you go cloud, you only would then use OPEX. So currently, our OPEX budget is being lowered because there's a lot of that that is being used. So we are encouraged to now start doing CapEx projects. We had tried with our financial accounting to say, if we do have a, you know, that FR16 to say, you know, if we have a lease of five years, are we able to do CapEx? But we've failed a lot in that regard. And that's an issue for us. So I would say, yes, that was the thing we have pushed a lot of workloads on the cloud, especially the ones that we had to do refreshes and so forth.
But with that in mind, we have now, as Blessing was saying, a new BSS transformation that we are doing where we are doing on-prem. So it's like, you know, based on what is happening in the company, you would push other, you know, the cloud, but now we're doing on-prem as well so that we can balance that. So that's what I'll say. When you do on-prem, are you using internal cloud? Yeah, you might call it internal cloud because obviously, we're using virtual machines and, yeah, you might call it that, yes. Yeah, but you want to buy the hardware.
So when you use BC1 cloud, is that also OPEX on your side? Correct. It is OPEX because BCX is an entity on its own. And that environment, they do, you know, sell it to other external customers. So yes, we're using OPEX. When you're doing cloud, so that's now, we can split that if we need to for what you use on-premise cloud, your internal cloud, or whether you use BCX. Are you using virtualized operating systems, dockers, containerization? Yeah, so containerization, we're using it on the existing BSS application. In the one that we are building for, we'll also use containerization, but it's not so big.
But we are using, I think, applications that we have as SaaS are using Docker. For instance, the Alibaba one, but mostly we're using just the plain VMware for most of the applications that are sitting on BCX1 cloud. So not fully using Kubernetes and virtualized operating systems? Yeah, not fully. And that also then depends on the application. So in the one that we have right now, the BSS existing one, 9.C, only one module out of that is using Kubernetes. The rest are just infrastructure as a service. Yeah. And then in the transformation one, there is some Huawei Kubernetes that's going to be used.
So that's important, obviously, from assessment that we're talking about because, you know, that's your future architecture. So what you are saying for the Huawei BSS migration, you are going to focus to go on-prem and use some of those as, I want to say, internal cloud. Yes. Okay. And some of the applications then provide ability to do Kubernetes. Correct, yes. Okay. Okay. That's quite interesting. It's different than what I expected, that you're moving back on-prem, but I understand the argument. Yeah, yeah. So it's a, from a telcom perspective, the OPEX budget is very, very high and they would like to bring it down a bit.
And that's the reason, otherwise. Yeah, that's interesting because it leads to another question we actually had on the list, is how integrated are your infrastructure approach to the business and the finance teams? And it sounds to me like you are talking. Of course, definitely. We have a very strict way of, you know, having solutions approved. So they look at, you know, the budget, what is it going to cost and whether you have gotten any discounts from whatever vendor and why are you using OPEX and not CapEx? So all the way. So that question is answered.
So finance has specific targets that you're going to align to. Are you doing reviews on what is idle, what can be decommissioned, merging some of the stuff to optimize? Definitely, we do that because we also have another financial initiative called cost optimization. So we have decommissioned a lot, but you can imagine that you are decommissioning because it's end of service life on the infrastructure, but the application, if it's still needed, it's then, you're actually migrating it to somewhere else, not necessarily that you are, you know, you are getting rid of that application. There's a few where we are decommissioning infrastructure that we're not migrating it somewhere else.
In terms of application, more improvement needs to be done. And we've tried to do that. As we try to migrate the infrastructure side, we look at whether the functionality can be somewhere else. We've done that with EDI. They're still writing code because some of these things are so old that there's no source code anymore. So they're still looking at the functionality and say, okay, so how do we then rewrite this functionality to work somewhere else, whether we are moving it to SAP or anywhere else, that's been done. But I'm not, I don't think it's done at a very bigger level, you know, in terms of writing, looking at all the functionalities of all applications, because I think there's a lot of applications and saying in the existing ecosystem, which one can then... that functionality.
But from an infra, those that we are migrating, we do ask those kind of questions, whether there is functionality somewhere else or not. If not, then we just migrate it to either to a, you know, PCX one cloud. Yeah. Okay, thank you. So one of the buzzwords running in infrastructure is whether you run infrastructure as code and apply the principles that have been applied to code actually all the time. Do you have a centralized storage of all the infra that you have, all the versions that you use? Are you managing it together with delivery pipelines?
So how do you manage the infrastructure picture overall that you have? Not really at that level. So we have our CMDB where all our infra is sitting, but it's not integrated as, you know, infra as code where you're able to see that, no, not at all. So, but we've got Flexera and CMDB and SAP. SAP, we put EUDs there, but servers and software thereof are sitting on Flexera in our CMDB. That's managed by PCX. Okay. All right. Thank you. Let's talk a bit about disaster recovery. From my days, if you don't know, I was also there.
I'm also an ex-Telco. There was always some disaster recovery plan, well, the link between the data up here and Belleville. Are you still having a proper data recovery, disaster recovery ability between two centers? Correct. We're still also using hard DPS for this BSS, the new one, the BSS transformation. We are using hard DPS data center, but for most DRs are between Belleville and Centura. Is there a switch over capability for continuity or is that a sort of offline DR and you will have to do a lot of things to get that data in production? Not at all.
So we do have switched over capabilities for the 9C existing 9C BSS that we have. Some are still that, you know, it depends on, so obviously we look at, let's start with the critical system first and see how much automation from a DR point of view we can do. We do that, but some of them are still, you know, like if it's a class, so we've got classifications of an A, B critical. Yes. So if it's a C, we'll do backup and restore. No problem, you know, whatsoever. That makes sense. Okay, thank you. I'm gonna move a bit to security.
To what extent is identity access management and privileged access management implemented? I'll give it over to Costa, that one. Okay, please. Thanks, Carson. Good morning. Hope you can hear me clearly. Yes. So yeah, identity is governed centrally and we do mandate that all solutions at the cloud or on-prem be integrated to our identity providers, which is Active Directory. From an authentication perspective, Active Directory and intra-ID, we are actually in the middle of also sort of transitioning to intra-ID, but we still have Active Directory on-prem. As well as from a process perspective, we also have other identity management solutions such as Sekulula or popular known as Samepoint, as well as our privileged access management, which is CyberArk.
Are you enforcing that on all new things coming in like the new BSS? So all new solutions we are enforcing, but also even the legacy ones because of some audit findings also going backwards to make sure that they also comply with the authentication and access cabinet cameras. Okay, so the auditors are also on your back to ensure that. Multifactor authentication, how much is that enforced or is that more a application level issue? It is also enforced. We have got two approaches. For most of the new solutions, it is, we are trying to make sure that everyone goes through SSO so that it becomes easy to authenticate once a user is authenticated on the PC, then they can just access everything else.
But for some of the legacy, because of legacy challenges, then it becomes application-based, but also it is also enforced for all applications, especially the critical ones. We are also having that same issue where we need to comply. So we've got a lot of legacy where there is no MFA, but the critical systems that are mission critical and business critical, we are also going backwards to enforce MFA. And from a solution perspective, we do have cases, actually right now we're actually going to roll out hardware-based tokens that are going to be used in places where we cannot enforce or where we cannot have users using mobile as their cell phones, such as in contact centers and call centers and some of the stores where you can't have mobile phones.
Oh, so you limit access there. Do you know to what extent is your multi-factor applicable to the stores like Transact and those applications? So if I'm logged onto the network with my PC, can I access or do you have a multi-factor there as well? So in stores, that's what I was talking about. That is what we are actually testing. It's actually in the testing phase right now where we're also going to be enforcing MFA at an application level. So MFA is then like sounds like work in progress in some areas. Yes. Okay. When there are any changes or any of the application, is anybody doing application security testing?
Check if you can get in. Is there anybody trying to go past the security? Is there a team in Telkom looking at that or maybe somebody contracted? Yes, we do have a team that's sitting in group information security that handles our pen testing. For almost all our solutions, we have to go through them and find out if they have capacity for testing, but we find the specific cases like when we are dealing with PCI compliance where we also just go through external third parties to handle that for us because of certain regulatory requirements. But as we do have a team that is dedicated for pen testers, it's in a group.
So, Constantine, they provide the service from a group level to all the units. Yes. Okay, okay. If there's an issue of capacity where they don't have the capacity, then we go in and they can then tell us and say, okay, you can go and find a third party and then follow the rest of the process. Is there anybody doing active... Colbert, you have a question. Yes, please. I can't always see. I sit with my questions. Go to someone, please, go ahead. No problem, no problem. Go ahead. On security testing on the app when we are to commission it into production.
That is also done by our group security team. And as Costa is saying, failing which if they don't have capacity, we do then get a third party to do those for us. Thanks. Okay, yeah, so I was... Thank you. Are you doing or anybody outside doing active penetration testing for you? Is that part of this? Is that different? No, it's a different team or function that does sort of like our threat intelligence as well. Also looking at some of the external tools or external facing applications and actively just check for open ports and so forth.
But yeah, they also do that active one team. That's like a team of professional hackers that come to you. Yes. Is that continuous or is that somebody you get from time to time? No, it's often on group or that team. So it's an established function. So I guess my next question will then mean it's probably also the group one. Do you have a security operations center or event management if there's an attack on Telkom that somebody will handle and take that over? Simon, you have your hand up if you want to take this one. Thanks, colleagues.
Yeah, I wanted to just add on your previous question, Colbert, to say, other than above the penetration tests that are performed from an offensive security point, we also conduct vulnerability scans and the vulnerability scans, they come in two folds. There's an external vulnerability scan that focuses on our web facing applications. And that is done on a monthly basis. Well, in fact, the web scans, they are done twice a month. And then we also then have the internal vulnerability scans, which are done monthly. So I'm just saying we do perform those penetration tests, but also on a continuous basis, we run those vulnerability scans.
And again, that service is provided by the group security. All right. Okay, thank you. Can I go back to event management? What happens if there's an attack on Telkom that you pick up? Is there somebody dedicated center dedicated to manage that? Yes, I think I can take that one as well. Please. So for any incident that happens at Telkom, it is managed at a group level by the same team, which is the information security team at a group level. And the primary objective for that is because any incident, even if it happens at the BU level, it has an impact on group from a reputation point of view and also a financial point of view as well, a financial damage point of view.
So then group security will lead that investigation with the assistance of CIMS. So if the incident is from CSP, then our CIMS from CSP will be the one that will coordinate meetings, troubleshooting, bringing in external stakeholders at the problem and respond appropriately to the incident. Within Telkom then, our security services, they are mainly outsourced to BCX, which is our sister company. So whenever then there is an incident, particularly a security incident, then BCX then will always be pulled in to provide insight from the security tools that they are using in order for us to contain the incident, understand it and be able to respond effectively to it.
Okay, so that's like a type of a service that BCX is providing to the CSP unit. Well, you can say CSP even though they are providing it to group. Okay. But because we are a BU, then we benefit from that. Okay. But maybe let me also just add to say, there's also a bi-monthly table top, what do they call it, table exercise where we simulate the incidents to say, should we experience an incident, how should we go about responding to it? So internally then, and again, that's driven at group security, but with the involvement of all BUs to say, let's practice on how we should respond should an incident happen, bringing all relevant teams into that table top exercise.
I've got that for it, but yes, it's a simulation. Okay, that might link up to what I'm trying to get to. So internally in Telkom between or among the groups, so BCX, OpenSurf, CSB, are your networks separated? Is there isolated areas to sort of ring fence sensitive parts of the network? So if I'm in your network, am I in or is it open from once you're in the network or are there segmentation inside? There is segmentation, Corbis. From the VLANs are different, there's management, there's also data. We have also the web tier, so they are very separated.
They are segregated and it's very difficult even when we want to do assessments in terms of getting data to see, like as an example, Microsoft can come and say, can I scan your environment to see what VMs you have? It's very difficult for us to do that. That... Segregation. So we then find ourselves having to do manual pair, VLAN, and so forth. So we are very segregated. OK. So the network is segregated. The rest will depend on how well applications are isolated when they communicate. Correct. That's why we have to do a lot of firewall applications because per port, per way that application is sitting to somewhere else, there's so many firewall applications that we have to do.
OK. Do they impact application performance having to go through all these firewalls? Not necessarily, no. Unless that firewall port is closed. Otherwise, when the application goes through and that application works, it works. Thanks. OK. Actually, at the last question now, I guess Jyoti has joined. What's the status of POPIA compliance? Are you monitoring data of customers flowing in and out of the network? Yeah, we do, but I'll give it to Q to elaborate. So when it comes to POPIA, we manage it. We have a CRMP compliance risk plan that we align with it. So that CRMP, it takes the provisions or the requirements from the POPIA and then we translate it then into business context to say, what does each requirement mean to us as a business?
And what do we have in place to align or to, yeah, well, to align with that requirement? So that is an existing more of a risk register document that is in place. But over and above that, then when it comes to POPI, we also cover it through risk assessments if there is any project that is happening. So for example, if there is BSS, we'll have an interest on how personal information will be protected if it will be shared with external parties, how will that be done in relation to the POPI requirements? So basically, those are the processes that we have when it comes to POPI at alignment.
Okay, thank you. A question, just a quick question around that. Typically, if your data is hosted in the cloud and it's in country, you do encrypt that data if it's sensitive data one. And number two, what happens if the data is hosted outside the borders of South Africa? Do you need regulatory approval for that? So if the data is outside South Africa, well, to your best point, yes, there is that encryption requirement that must be implemented and proof provided that that encryption technology has been implemented. But then if we host our data outside South Africa, maybe, for example, AWS, which is a hosting platform outside South Africa, what we require is an attestation of compliance, which is a proof that they have implemented all the necessary controls on their environment to make sure that our information is protected.
Okay, thank you. When it's encrypted, you are taking it as compliant that the data cannot be accessed and it's allowed to go effectively out of the country. That's an interesting one. Maybe, let me try to respond correctly, but that's just not the only assurance that we will get that our data can be sent outside. So whenever there is a third party that is engaged from a contractual and legal point of view, there's always some, you know, contracts that bind each party and highlights responsibilities when it comes to protecting information or personal information. So that will be the first point from a contractual point of view.
But also then from an application level or layer, that's where then the encryption technologies will have to be implemented, which also then goes to the other point that I've mentioned, which is an attestation of compliance or spoke type 2 audit report that confirms the security controls that have been implemented by that particular third party in protecting our information. Last question from my side. So is internal audit looking at infrastructure on a continuous basis and giving you reports on where they see risks and changes you have to make? Yeah, they do. They do. We've got another audit that's just come in about the cloud, but that's not the only thing.
They do do that. But it starts as an audit, and then if there are any findings, they do give us to make sure that we close those gaps. But those are not the only audits, obviously, that we go through. Are there regular annual kind of COBIT audits done? There's regular audits that are done, yes. Okay. And that's based on the COBIT framework? I'm not sure, Jyoti, on whether they are based on which framework, yeah. Okay, thank you. Thanks. Okay, I'm through the questions. I don't know if there's anybody else that wants to add, ask. I've got a few questions on infrastructure.
Please go ahead. How do you manage the lifecycle of infrastructure, like end-of-life, etc.? Do you replace equipment based on your end-of-life or technology? If your infrastructure technology changes, do you do swap-outs, etc.? What is the basic framework? Fully depreciate and then write off that equipment and purchase new equipment? Or to take advantage of new technologies, you do work on swap-outs with vendors? So BCX is our partner in terms of infrastructure management in general. So we do have a risk management group in BCX that does that. So if something is end-of-service life or end-of-life, we will know about it and we'll log a risk as well.
It will depend on the budget. So going back to financials, whether we can be able to get the budget to refresh, that's based on a business case and all that. So it's still that way. Okay. Going into BCX one cloud has helped us a lot because we don't have to worry about end of life. It's their business to make sure that they have a business case, you know, done to refresh. So that has helped us a lot. But in terms of on-prem solutions that we still have and that are end of life, we do go through that business case to do that.
So swap outs would maybe happen in BCX per se, where, you know, they help us with that. But there will always be, yeah. But the BCX cloud is infrastructure as a service. You pay a monthly fee. Correct, yes. Okay, and your own infrastructure is CapEx or OPEX? Our own on-prem infrastructure is CapEx. Okay, and then how do you, do you only use BCX cloud or Azure, AWS services? We use AWS and Azure as well. Do you have a proper FinOps practice that understands the financial implications of the cloud kind of cost model? No, no, we don't.
And is your strategy to increase your cloud presence in terms of moving more and more into kind of cloud infrastructure over the next few years? I was explaining to Corvus that because of the financial constraints right now, the finance right now is to use more CapEx than OPEX. So even in the BSS transformation, we are using CapEx, so we are doing on-prem other than the, you know, going into more cloud. Yeah, it makes sense because you don't want to just jump into the cloud without understanding the FinOps side. And you need to build a good FinOps practice to do that.
Yeah, yeah, and which we don't have. Right. Okay, that was the only questions I had. Corvus, I don't know if you have anything else? No, I think we've covered and it's recorded. So if that's done, I think, Jaku, Wenzel, anybody else? Nothing from my side, thanks. Okay, then we're done. Thank you, everybody. Thank you very much for your time. Thank you. Thank you, Jim. Thank you. Thank you. Thanks. Thank you. Thanks.
- Team members discussed the status of the product catalog session for tomorrow, which was initially thought to be canceled but will proceed as planned.
- The digital capability and process gap assessment project is ongoing, with a completion target set for the end of July.
- Telkom has adopted a hybrid cloud model with workloads on PCX One Cloud, AWS, and Azure, but is shifting towards more CapEx projects due to high OPEX.
- Current OPEX budget issues are impacting cloud strategy, leading to some workloads being kept on-premises.
- There is ongoing work on disaster recovery capabilities between data centers, emphasizing switched-over capabilities for critical systems.
- Security practices involve centralized identity and access management with compliance to multifactor authentication and ongoing pen testing for applications.
- Internal audit is actively engaged in reviewing infrastructure and compliance with various regulations, including POPIA.
Content:
Good morning, Blessing, I heard you not too well. I'm surprised to see you in the meeting. Sorry, you're breaking up a bit. Sorry, you're breaking up a bit, but if you can just start the recording for us. Okay. Joti may not attend, but we will continue. I've got all the notes with me. I'm just waiting for Foisman to join. Okay. And then, yeah, then I will start. Foisman is the lead of the infrastructure and the security part. And the Cobas one thing, I know it gets hectic sometimes. Good morning, Joko. I see Joko is joining us.
I know it gets hectic sometimes. I've sent you so many links, you know. So what I'm going to do, I will just send you one email with all the links consolidated. Okay, perfect. Perfect. So that, yeah, you don't go around, around. Did you see that the product catalog one for tomorrow is canceled? No, it's not canceled. Maybe not. So Joti and myself from our side, we need to cancel that session for tomorrow morning, please. Why? May I ask? Because it's the SDs. Yes. Yes. No, no, no. Talk to Ari. What happened? She called me. She said she wanted us to cancel it.
Then I spoke to her and with Impor also. Impor said, no, we cannot cancel that session because it makes sense. You know, we need to have it. The SDs. We are still going to have there to be, but Impor said, yeah, we need it. We cannot cancel it. And then Joti agreed on it. I think it was on Monday or Tuesday. No, okay. I just spoke to her this morning. So maybe we missed this a lot. Okay. I think everybody is here. Let's start. We can sort that out. Okay. Okay. Team, I'm just going to record.
Oh, I'm just going to record the session. Let me start with the recordings. Maybe Joti, maybe Kopas just to... because some team members are new here. I just want to lay a foundation. Then I'll hand back to you. Then I'm going to drop here. Yes, please. Please do that. Okay. Thank you, guys. I'm here, Blessing, if anybody was looking for me. Sorry, I was wrapping up on the other side. Thanks. Take a good one. Team, the new guys are here that have not been on this session. This is a Telkom digital capability and process gap assessment, which is being conducted by the A1L digital team.
Yaakov and Kopas are here. So it's a project from where we are. We are sitting in the third week. I know most of the team here is also part of the APS transformation that is currently happening. Just to answer your question, this is a separate, parallel process. Both projects are not linked here. So we had a kickoff with Lunga on the 3rd of June. And what's happening right now, we've been meeting with the MEs, etc. It should be completed by end of July. So I think that's it from my side, Kopas. Then I can drop off on my side so that I can focus on the notification.
Thanks. Thank you, Blessing. Okay, I'm going to continue. The section focuses on infrastructure and some security questions around that. As Blessing mentioned, we are busy with an assessment to look at the future and especially around digital capability. So from infrastructure view, and please take the question on because I do not know your exact roles and assist as we go through some questions. What I want to start off with is, what is your cloud strategy? Are you actively moving towards cloud adoption? And what is the cloud penetration and use versus on-prem? So what's your strategy between on-prem and cloud and where are you?
If somebody can take that. Can anybody assist with that question? I didn't hear that, Kopas. Sorry, Blessing was just calling me. Oh, okay. Oh, Blessing is still busy in the background. Yes, yes, yes. He said he shared with you some documents. Yeah, okay. Yeah, he just wanted to make sure that, you know, if you've forgotten that I've said, he's shared with you some documents. No, no, no. I can proceed with your question. Okay, so I want to start off with your cloud strategy versus on-prem and how much have you adopted a cloud strategy for the infrastructure and going into the future for Telkom?
Yeah, so I'll firstly say that we have a hybrid model where we've got cloud workloads as well as on-prem, yeah? And mostly, our workloads are sitting on BCX One Cloud. And we also have workloads that are sitting on AWS as well as Azure. So is there a strategy to move towards more cloud use? Yeah, so it was the strategy, but as, you know, companies have... Sorry, did we lose her? Hello, sorry, sorry. My network just dipped. Okay, okay, come back. Yes. Yeah, can you hear me? Yes, yes, please continue. Okay, so I was saying that, yes, it was a strategy that, and I'm saying was, but recently from a financial point of view, the company is seeing that there's a lot of OPEX that... And therefore, there's a strategy to, you know, use CapEx more.
And if you, you know, you would appreciate that there's more, if you go cloud, you only would then use OPEX. So currently, our OPEX budget is being lowered because there's a lot of that that is being used. So we are encouraged to now start doing CapEx projects. We had tried with our financial accounting to say, if we do have a, you know, that IFRS 16 to say, you know, if we have a lease of five years, are we able to do CapEx? But we've failed a lot in that regard. And that's an issue for us. So I would say, yes, that was the thing, we have pushed a lot of workloads on the cloud, especially the ones that we had to do refreshes and so forth.
But with that in mind, we have now, as Blessing was saying, a new BSS transformation that we are doing where we are doing on-prem. So it's like, you know, based on what is happening in the company, you would push other, you know, the cloud, but now we're doing on-prem as well so that we can balance that. So that's what I'll say. When you do on-prem, are you using internal cloud? Yeah, you might call it internal cloud because obviously, we're using virtual machines and, yeah, you might call it that, yes. Yeah, but you want to buy the hardware.
So when you use BCX One Cloud, is that also OPEX on your side? Correct. It is OPEX because BCX is an entity on its own. And that environment, they do, you know, sell it to other external customers. So yes, we're using OPEX. When you're doing cloud, so that's now, we can split that if we need to for what you use on-premise cloud, your internal cloud, or whether you use BCX. Are you using virtualized operating systems, Docker, containerization? Yeah, so containerization, we're using it on the existing BSS application. In the one that we are building for, we'll also use containerization, but it's not so big.
But we are using, I think, applications that we have as SaaS are using Docker. For instance, the Alibaba one, but mostly we're using just the plain VMware for most of the applications that are sitting on BCX One Cloud. So not fully using Kubernetes and virtualized operating systems? Yeah, not fully. And that also then depends on the application. So in the one that we have right now, the BSS existing one, 9C, only one module out of that is using Kubernetes. The rest are just infrastructure as a service. Yeah. And then in the transformation one, there is some Huawei Kubernetes that's going to be used.
So that's important, obviously, from the assessment that we're talking about because, you know, that's your future architecture. So what you are saying for the Huawei BSS migration, you are going to focus to go on-prem and use some of those as, I want to say, internal cloud. Yes. Okay. And some of the applications then provide the ability to do Kubernetes. Correct, yes. Okay. Okay. That's quite interesting. It's different than what I expected, that you're moving back on-prem, but I understand the argument. Yeah, yeah. So it's a, from a Telkom perspective, the OPEX budget is very, very high and they would like to bring it down a bit.
And that's the reason, otherwise. Yeah, that's interesting because it leads to another question we actually had on the list, is how integrated is your infrastructure approach to the business and the finance teams? And it sounds to me like you are talking. Of course, definitely. We have a very strict way of, you know, having solutions approved. So they look at, you know, the budget, what is it going to cost and whether you have gotten any discounts from whatever vendor and why are you using OPEX and not CapEx? So all the way. So that question is answered.
So finance has specific targets that you're going to align to. Are you doing reviews on what is idle, what can be decommissioned, merging some of the stuff to optimize? Definitely, we do that because we also have another financial initiative called cost optimization. So we have decommissioned a lot, but you can imagine that you are decommissioning because it's end of service life on the infrastructure, but the application, if it's still needed, it's then, you're actually migrating it to somewhere else, not necessarily that you are, you know, you are getting rid of that application. There's a few where we are decommissioning infrastructure that we're not migrating it somewhere else.
In terms of application, more improvement needs to be done. And we've tried to do that. As we try to migrate the infrastructure side, we look at whether the functionality can be somewhere else. We've done that with EDI. They're still writing code because some of these things are so old that there's no source code anymore. So they're still looking at the functionality and say, okay, so how do we then rewrite this functionality to work somewhere else, whether we are moving it to SAP or anywhere else, that's been done. But I'm not, I don't think it's done at a very bigger level, you know, in terms of writing, looking at all the functionalities of all applications, because I think there's a lot of applications and saying in the existing ecosystem, which one can then... that functionality.
But from an infra, those that we are migrating, we do ask those kind of questions, whether there is functionality somewhere else or not. If not, then we just migrate it to either to a, you know, BCX One Cloud. Yeah. Okay, thank you. So one of the buzzwords running in infrastructure is whether you run infrastructure as code and apply the principles that have been applied to code actually all the time. Do you have a centralized storage of all the infra that you have, all the versions that you use? Are you managing it together with delivery pipelines?
So how do you manage the infrastructure picture overall that you have? Not really at that level. So we have our CMDB where all our infra is sitting, but it's not integrated as, you know, infrastructure as code where you're able to see that, no, not at all. So, but we've got a Flexera and CMDB and SAP. SAP, we put EUDs there, but servers and software thereof is sitting on Flexera in our CMDB. That's managed by BCX. Okay. All right. Thank you. Let's talk a bit about disaster recovery. From my days, if you don't know, I was also there.
I'm also an ex-Telco. There was always some disaster recovery plan, well, the link between the data up here and Belleville. Are you still having a proper data recovery, disaster recovery ability between two centers? Correct. We're still also using hard DPS for this BSS, the new one, the BSS transformation. We are using hard DPS data center, but for most DRs are between Belleville and Centura. Is there a switch over capability for continuity or is that a sort of offline DR and you will have to do a lot of things to get that data in production? Not at all.
So we do have switched over capabilities for the 9C existing 9C BSS that we have. Some are still that, you know, it depends on, so obviously we look at, let's start with the critical system first and see how much automation from a DR point of view we can do. We do that, but some of them are still, you know, like if it's a class, so we've got classifications of an A, B critical. Yes. So if it's a C, we'll do backup and restore. No problem, you know, whatsoever. That makes sense. Okay, thank you. I'm gonna move a bit to security.
To what extent is identity access management and privileged access management implemented? I'll give it over to Costa, that one. Okay, please. Thanks, Carson. Good morning. Hope you can hear me clearly. Yes. So yeah, identity is governed centrally and we do mandate that all solutions at the cloud or on-prem be integrated to our identity providers, which is Active Directory. From an authentication perspective, Active Directory and Entra ID, we are actually in the middle of also sort of transitioning to Entra ID, but we still have Active Directory on-prem. As well as from a process perspective, we also have other identity management solutions such as Sekulula or popularly known as Samepoint, as well as our privileged access management, which is CyberArk.
Are you enforcing that on all new things coming in like the new BSS? So all new solutions we are enforcing, but also even the legacy ones because of some audit findings also going backwards to make sure that they also comply with the authentication and access cabinet cameras. Okay, so the auditors are also on your back to ensure that. Multifactor authentication, how much is that enforced or is that more a application level issue? It is also enforced. We have got two approaches. For most of the new solutions, it is, we are trying to make sure that everyone goes through SSO so that it becomes easy to authenticate once a user is authenticated on the PC, then they can just access everything else.
But for some of the legacy, because of legacy challenges, then it becomes application-based, but also it is also enforced for all applications, especially the critical ones. We are also having that same issue where we need to comply. So we've got a lot of legacy where there is no MFA, but the critical systems that are mission critical and business critical, we are also going backwards to enforce MFA. And from a solution perspective, we do have cases, actually right now we're actually going to roll out hardware-based tokens that are going to be used in places where we cannot enforce or where we cannot have users using mobile as their cell phones, such as in contact centers and call centers and some of the stores where you can't have mobile phones.
Oh, so you limit access there. Do you know to what extent is your multi-factor applicable to the stores like Transact and those applications? So if I'm logged onto the network with my PC, can I access or do you have a multi-factor there as well? So in stores, that's what I was talking about. That is what we are actually testing. It's actually in the testing phase right now where we're also going to be enforcing MFA at an application level. So MFA is then like sounds like work in progress in some areas. Yes. Okay. When there are any changes or any of the application, is anybody doing application security testing?
Check if you can get in. Is there anybody trying to go past the security? Is there a team in Telkom looking at that or maybe somebody contracted? Yes, we do have a team that's sitting in group information security that handles our pen testing. For almost all our solutions, we have to go through them and find out if they have capacity for testing, but we find the specific cases like when we are dealing with PCI compliance where we also just go through external third parties to handle that for us because of certain regulatory requirements. But as we do have a team that is dedicated for pen testers, it's in a group.
So, Constantine, they provide the service from a group level to all the units. Yes. Okay, okay. If there's an issue of capacity where they don't have the capacity, then we go in and they can then tell us and say, okay, you can go and find a third party and then follow the rest of the process. Is there anybody doing active... Colbert, you have a question. Yes, please. I can't always see. I sit with my questions. Go to someone, please, go ahead. No problem, no problem. Go ahead. On security testing on the app when we are to commission it into production.
That is also done by our group security team. And as Costa is saying, failing which if they don't have capacity, we do then get a third party to do those for us. Thanks. Okay, yeah, so I was... Thank you. Are you doing or anybody outside doing active penetration testing for you? Is that part of this? Is that different? No, it's a different team or function that does sort of like our threat intelligence as well. Also looking at some of the external tools or external facing applications and actively just check for open ports and so forth.
But yeah, they also do that active one team. That's like a team of professional hackers that come to you. Yes. Is that continuous or is that somebody you get from time to time? No, it's often on group or that team. So it's an established function. So I guess my next question will then mean it's probably also the group one. Do you have a security operations center or event management if there's an attack on Telkom that somebody will handle and take that over? Simon, you have your hand up if you want to take this one. Thanks, colleagues.
Yeah, I wanted to just add on your previous question, Colbert, to say, other than above the penetration tests that are performed from an offensive security point, we also conduct vulnerability scans and the vulnerability scans, they come in two folds. There's an external vulnerability scan that focuses on our web facing applications. And that is done on a monthly basis. Well, in fact, the web scans, they are done twice a month. And then we also then have the internal vulnerability scans, which are done monthly. So I'm just saying we do perform those penetration tests, but also on a continuous basis, we run those vulnerability scans.
And again, that service is provided by the group security. All right. Okay, thank you. Can I go back to event management? What happens if there's an attack on Telkom that you pick up? Is there somebody dedicated center dedicated to manage that? Yes, I think I can take that one as well. Please. So for any incident that happens at Telkom, it is managed at a group level by the same team, which is the information security team at a group level. And the primary objective for that is because any incident, even if it happens at the BU level, it has an impact on group from a reputation point of view and also a financial point of view as well, a financial damage point of view.
So then group security will lead that investigation with the assistance of CIMS. So if the incident is from CSP, then our CIMS from CSP will be the one that will coordinate meetings, troubleshooting, bringing in external stakeholders at the problem and respond appropriately to the incident. Within Telkom then, our security services, they are mainly outsourced to BCX, which is our sister company. So whenever then there is an incident, particularly a security incident, then BCX then will always be pulled in to provide insight from the security tools that they are using in order for us to contain the incident, understand it and be able to respond effectively to it.
Okay, so that's like a type of a service that BCX is providing to the CSP unit. Well, you can say CSP even though they are providing it to group. Okay. But because we are a BU, then we benefit from that. Okay. But maybe let me also just add to say, there's also a bi-monthly table top, what do they call it, table exercise where we simulate the incidents to say, should we experience an incident, how should we go about responding to it? So internally then, and again, that's driven at group security, but with the involvement of all BUs to say, let's practice on how we should respond should an incident happen, bringing all relevant teams into that table top exercise.
I've got that for it, but yes, it's a simulation. Okay, that might link up to what I'm trying to get to. So internally in Telkom between or among the groups, so BCX, Openserve, CSP, are your networks separated? Are there isolated areas to sort of ring fence sensitive parts of the network? So if I'm in your network, am I in or is it open from once you're in the network or is there segmentation inside? There is segmentation, Corbis. The VLANs are different, there's management, there's also data. We have also the web tier, so they are very separated.
They are segregated and it's very difficult even when we want to do assessments in terms of getting data to see, like as an example, Microsoft can come and say, can I scan your environment to see what VMs you have? It's very difficult for us to do that. That... Segregation. So we then find ourselves having to do manual pair, VLAN, and so forth. So we are very segregated. OK. So the network is segregated. The rest will depend on how well applications are isolated when they communicate. Correct. That's why we have to do a lot of firewall applications because per port, per way that application is sitting to somewhere else, there's so many firewall applications that we have to do.
OK. Do they impact application performance having to go through all these firewalls? Not necessarily, no. Unless that firewall port is closed. Otherwise, when the application goes through and that application works, it works. Thanks. OK. Actually, at the last question now, I guess Jyoti has joined. What's the status of POPIA compliance? Are you monitoring data of customers flowing in and out of the network? Yeah, we do, but I'll give it to Q to elaborate. So when it comes to POPIA, we manage it. We have a CRMP compliance risk plan that we align with it. So that CRMP, it takes the provisions or the requirements from the POPIA and then we translate it then into business context to say, what does each requirement mean to us as a business?
And what do we have in place to align or to, yeah, well, to align with that requirement? So that is an existing more of a risk register document that is in place. But over and above that, then when it comes to POPI, we also cover it through risk assessments if there is any project that is happening. So for example, if there is BSS, we'll have an interest on how personal information will be protected if it will be shared with external parties, how will that be done in relation to the POPI requirements? So basically, those are the processes that we have when it comes to POPI at alignment.
Okay, thank you. A question, just a quick question around that. Typically, if your data is hosted in the cloud and it's in country, you do encrypt that data if it's sensitive data one. And number two, what happens if the data is hosted outside the borders of South Africa? Do you need regulatory approval for that? So if the data is outside South Africa, well, to your best point, yes, there is that encryption requirement that must be implemented and proof provided that that encryption technology has been implemented. But then if we host our data outside South Africa, maybe, for example, AWS, which is a hosting platform outside South Africa, what we require is an attestation of compliance, which is a proof that they have implemented all the necessary controls on their environment to make sure that our information is protected.
Okay, thank you. When it's encrypted, you are taking it as compliant that the data cannot be accessed and it's allowed to go effectively out of the country. That's an interesting one. Maybe, let me try to respond correctly, but that's just not the only assurance that we will get that our data can be sent outside. So whenever there is a third party that is engaged from a contractual and legal point of view, there's always some, you know, contracts that bind each party and highlights responsibilities when it comes to protecting information or personal information. So that will be the first point from a contractual point of view.
But also then from an application level or layer, that's where then the encryption technologies will have to be implemented, which also then goes to the other point that I've mentioned, which is an attestation of compliance or SOC 2 Type 2 audit report that confirms the security controls that have been implemented by that particular third party in protecting our information. Last question from my side. So is internal audit looking at infrastructure on a continuous basis and giving you reports on where they see risks and changes you have to make? Yeah, they do. They do. We've got another audit that's just come in about the cloud, but that's not the only thing.
They do do that. But it starts as an audit, and then if there are any findings, they do give us to make sure that we close those gaps. But those are not the only audits, obviously, that we go through. Are there regular annual kind of COBIT audits done? There's regular audits that are done, yes. Okay. And that's based on the COBIT framework? I'm not sure, Jyoti, on whether they are based on which framework, yeah. Okay, thank you. Thanks. Okay, I'm through the questions. I don't know if there's anybody else that wants to add, ask. I've got a few questions on infrastructure.
Please go ahead. How do you manage the lifecycle of infrastructure, like end-of-life, etc.? Do you replace equipment based on your end-of-life or technology? If your infrastructure technology changes, do you do swap-outs, etc.? What is the basic framework? Fully depreciate and then write off that equipment and purchase new equipment? Or to take advantage of new technologies, you do work on swap-outs with vendors? So BCX is our partner in terms of infrastructure management in general. So we do have a risk management group in BCX that does that. So if something is end-of-service life or end-of-life, we will know about it and we'll log a risk as well.
It will depend on the budget. So going back to financials, whether we can be able to get the budget to refresh, that's based on a business case and all that. So it's still that way. Okay. Going into BCX One Cloud has helped us a lot because we don't have to worry about end of life. It's their business to make sure that they have a business case, you know, done to refresh. So that has helped us a lot. But in terms of on-prem solutions that we still have and that are end of life, we do go through that business case to do that.
So swap outs would maybe happen in BCX per se, where, you know, they help us with that. But there will always be, yeah. But the BCX cloud is infrastructure as a service. You pay a monthly fee. Correct, yes. Okay, and your own infrastructure is CapEx or OPEX? Our own on-prem infrastructure is CapEx. Okay, and then how do you, do you only use BCX cloud or Azure, AWS services? We use AWS and Azure as well. Do you have a proper FinOps practice that understands the financial implications of the cloud kind of cost model? No, no, we don't.
And is your strategy to increase your cloud presence in terms of moving more and more into kind of cloud infrastructure over the next few years? I was explaining to Corvus that because of the financial constraints right now, the finance right now is to use more CapEx than OPEX. So even in the BSS transformation, we are using CapEx, so we are doing on-prem other than the, you know, going into more cloud. Yeah, it makes sense because you don't want to just jump into the cloud without understanding the FinOps side. And you need to build a good FinOps practice to do that.
Yeah, yeah, and which we don't have. Right. Okay, that was the only questions I had. Corvus, I don't know if you have anything else? No, I think we've covered and it's recorded. So if that's done, I think, Jaku, Wenzel, anybody else? Nothing from my side, thanks. Okay, then we're done. Thank you, everybody. Thank you very much for your time. Thank you. Thank you, Jim. Thank you. Thank you. Thanks. Thank you. Thanks.