Protect

Security, identity, and compliance for EU-sovereign cloud infrastructure


Security is architecture, not an add-on

We don’t bolt security on after the fact. Every platform we build has security integrated from the first line of code: in the infrastructure, in the pipelines, and in the identity layer.

Security

Secure by design

  • Policy and delivery controls — Open Policy Agent (OPA) or Conftest guardrails in the delivery path, with optional Checkov, Trivy, Gitleaks, Semgrep, and OWASP ZAP where the workload risk or delivery model calls for them
  • Host security — Server protection, added conditionally, for Linux and Windows workloads that run on VM-based or other higher-risk runtimes
  • Compliance as code — Policy defined in code, supported by T Cloud Config and drift review to catch and flag out-of-band infrastructure changes
  • Continuous compliance — Record, search, and evaluate resource configurations against defined rules to ensure policy expectations are met

Network and data protection

  • Zero-trust networking — Least-privilege network paths, Kubernetes network policies where relevant, and perimeter controls aligned to the approved ingress model
  • Zero-trust identity — Least-privilege access and role-based access controls
  • DDoS protection — Added for exposed internet paths when distributed denial-of-service (DDoS) risk and the exposure model justify it
  • Encryption — At rest and in transit across all services
  • Secrets management — Key and secret handling through Data Encryption Workshop (DEW) Key Management Service (KMS) and Cloud Secret Management Service (CSMS), with rotation and runtime retrieval patterns

Identity

Your users shouldn’t notice the migration. We integrate with your existing identity provider and add a T Cloud-hosted identity layer when the target operating model requires it.

Microsoft Entra ID integration

  • Keep your existing identity provider with no disruption to user workflows or single sign-on (SSO) configurations
  • Architecture kept modular so identity can be moved or split later if jurisdiction, control, or operating-model requirements change
  • Start with Entra federation. Add Authentik when you need full identity infrastructure sovereignty, fewer third-party control-plane dependencies, or a T Cloud-hosted identity layer under your own operating boundary

Authentik — T Cloud-hosted identity option

  • Added when a T Cloud-hosted identity layer is required, using a dedicated platform identity boundary rather than the default shared runtime
  • Passkeys, full multifactor authentication (MFA), conditional access, policy and risk-based authentication, and user lifecycle management
  • Complete Security Assertion Markup Language (SAML) and OpenID Connect (OIDC)/OAuth 2.0 support for clean integration with existing and new services