Open Gateway

Frequently Asked Questions

Why Security by Design?

sSDLC processes save time, save money, and provide data protection. sSDLC (security Software Development Life Cycle) is the method by which security is established from the development phases. This process can be automated using static code analysis tools (DAST), and dynamic code analysis tools (DAST). In addition to these automations, security in communications (TLS protocols) and authentications flows will always be ensured.

What is SAST?

SAST stands for "Static Application Security Testing". It's a technique for information security that allows for evaluating the security of an application without the need to run it, in other words, statically. SAST is used to analyze the source code of an application and detect possible vulnerabilities in its design and programming. This technique is useful for identifying security issues in an early stage of the application's development, which allows for correcting them before the application is deployed or published. Some examples of issues that SAST can detect include: SQL injections, cross-site scripting (XSS), security vulnerabilities in password storage, and others. SAST is a valuable tool for software development and information security teams, as it allows them to identify and correct security issues in an early stage, which reduces the risk of exploiting vulnerabilities and protects confidential data and information.

What is DAST?

DAST stands for "Dynamic Application Security Testing". It's a technique for information security that allows for evaluating the security of an application while it's running, in real-time. DAST is used to detect vulnerabilities in web applications, such as SQL injections, cross-site scripting (XSS), and others. These dynamic tests are performed through an application scan that simulates a malicious attack against the application.The goal of DAST is to identify and fix vulnerabilities before attackers can exploit them. This allows developers and information security teams to take measures to protect the application and the data it handles.

Why security in the digital communications (HTTPs with TLS 1.2 y TLS 1.3)?

Secure protocols are communication standards that provide a secure method for transmitting information between systems. Examples of secure protocols include SSL/TLS, SSH, and IPSec. While TLS 1.2 is still a secure option for data transmission on the web, it's recommended to use TLS 1.3 to take advantage of the security and performance improvements. Many web services have already updated to TLS 1.3, so it's important to ensure your website and services are updated to use this newer version.

Why are authentication flows important?

Autentication Flows are effective way to ensure the security of online transactions, as they enables users to authenticate securely without having to enter their credentials on an application's website. Additionally, they are an efficient way to manage authentication requests, as push notifications speed up the process and reduce the likelihood of errors.

What is Personal Data?

Personal data is any information related to an identified or identifiable natural person. An identifiable natural person means any person whose identity can be determined, directly or indirectly, by an identifier such as a name, Phone number, IP address, an identification number, location data, etc.

How is Telefónica protecting end-users' data and personal information in the scope of Open Gateway?

Open Gateway services are built as part of Telefónica Kernel, a platform that protects access to the company's data and its telco capabilities.
Telefónica Kernel has been built with a privacy-by-design approach providing a high level of privacy protection for customers and end-users data in a digital way. This means that the system applies directly the privacy requirements abstracting this complexity to the developer.

Is Privacy Management part of CAMARA Open Gateway initiative or is it just needed for end-users connected to Telefónica network?

For Telefónica, privacy by design is one of the essential aspects to be considered in our products and services, from their ideation to their creation. To ensure that approach but also keeping developer-friendly APIs, Telefónica, is promoting the standardization of a Privacy Framework in CAMARA with the others Telco´s companies Working hard to simplify the application of the privacy requirements in our systems.

How are Privacy requirements impacting Open Gateway end-users' user experience?

In Open Gateway, we work to create user frictionless experiences which means the user doesn't need to interact with different apps to conclude any process. For that purpose, In Telefónica, we decided to directly gather privacy legal requirements through interfaces designed with an understandable language to give the customer real control of the digital experience.

How are Privacy requirements impacting developers' effort on consuming Open Gateway services?

Open Gateway offers a framework to automatically manage the privacy. With this approach, Telefónica Kernel will help the developer to comply with the privacy requirements such as the information duty or the legal basis gathering and revoking.

As a developer, do I need to integrate into my application the whole user´s privacy preferences management process?

No, Telefónica manages users' privacy preferences directly with them through our own channels and in our own systems (i.e., Telefónica Transparency Center), including the lawful basis managements, such us the capture and revocation of users' consent.

What is OIR or Open Internet Regulation?

Applicable since 2016, Regulation (EU) 2015/2120, of the European Parliament and of the Council of 25 November 2015, laying down measures concerning Open Internet access (known also as Net Neutrality Regulation, Open Internet Regulation or “OIR”).

Which are OIR main statements?

OIR grants end-users the right to access and distribute lawful content and services of their choice via their Internet Access Service. The Regulation also enshrines the principle of non-discriminatory traffic management for those Internet Access Services, allowing reasonable traffic management. Finally, it defines the conditions for the provision of “Specialised Services”, different from the Internet Access Services.
The Regulation is applicable to electronic communication service providers – ISPs such as Telefonica.

In which countries does OIR apply?

it applies through the European Union and, for the moment, in the United Kingdom too.

Which are the differences between an Internet Access Service and a Specialized Service?

Internet Access Service (IAS) means a publicly available electronic communications service that provides access to the Internet (Internet delivers a “best effort” performance), and thereby connectivity to virtually all end points of the Internet, irrespective of the network technology and terminal equipment used.
Specialized Services (SS) are services optimised for specific content, applications or services, or a combination thereof, where the optimisation is necessary in order to meet requirements of the content, applications or services for a specific level of quality. The have to meet two conditions:

  1. SS cannot be provided to the detriment of IAS quality.
  2. SS cannot be provided as a substitute of IAS or a sub-Internet access offer.

SS are not subject to the business and pricing models' restrictions as the IAS.

Has QoD Mobile been approved by any NRA (National Regulatory Authority)?

Regulation does not require an ex ante authorisation in relation to commercial practices, traffic management practices or specialised services.

What NaaS APIs are subject to the OIR?

Only those APIs which involve connectivity in Telefónica network are subject to the OIR. Only the connectivity service provided in answer to the API call may be subject to the OIR. Other capacities provided by the APIs are not subject to the OIR.

Any questions?