Risk will always be present but demands management, not avoidance. Too often, the calls for hesitation come from incumbent vendors with a financial stake in the status quo.
This time, the answer to the most pressing security requirements will not be found in interoperability standards alone. To compete safely at the speed of the cloud, telecom operators should evaluate industry best practices, collaboration, and innovation, setting the best security and privacy strategies based on individual regulatory and market contexts.
The combination of cloud, open interfaces, virtualization, and the latest generation of mobile standards is causing operators to ask an important and valid question: is this new world secure? Some answers to this question are, unfortunately, misleading. Security in telecom is always a moving target, one that is not solved by industry standards alone. It is solved by a mindset shift, by moving away from hearsay to embracing empirical data and informed viewpoints. The better approach to implementing effective security is based on the principles of clear analysis, innovative thinking, and learning from past experiences.
The path that telecom is on as it modernizes is one that other enterprises and industries have already been pursuing in the cloud, virtualization, and automation — with plenty of learnings to share. Over 15 years ago, enterprises began to move data and applications into the public cloud and make more use of open interfaces and open-source software. While today this seems like an inevitable trend, many enterprise CIOs initially resisted the move, raising concerns about security.
No compromise on security
For CEOs and CFOs, the prospect of cost savings, more scalable business models and a faster rate of innovation is compelling. The potential for a competitive edge (and the realization that new rivals were already reaping the rewards) put pressure on both CIOs and cloud vendors to come up with a solution that worked to satisfy both objectives: a modern, dynamic business with no compromise on security.
Embrace the change
Today the same arguments against cloud and open networks are happening in telcos. The telco industry in general needs to be less skeptical. It needs to be an industry embracing change instead of resisting it, and an industry that encourages innovation and progress. Excessive concerns about the security of unfamiliar technologies, and calls to delay adoption “until security standards are complete,” will result in telcos giving up ground to rivals. Many times the calls for hesitation come from certain stakeholders who would prefer the change not to happen.
Standards are important guardrails for the industry, not the answer to all challenges
Standard Architecture and Security – At the center of telco standards there is the 3GPP, and at the center of that for security are GSMA/NESAS, ITU, IETF, and many others. These organizations together define a standard architecture and security framework for how mobile networks work, to avoid operators (or vendors) creating unique and non-interoperable equipment.
Actual Implementation Makes Difference – The standards do address security, but the actual implementation is what really makes a huge difference from one network to the other. Regardless of how detailed the standards are, operators must roll up their own sleeves and do their own homework to define the implementation framework for their network’s cyber security, resilience, and trust.
Layers of Defenses around Architecture – This is not just about security posture, vulnerability assessment, threat modeling, security operations, and governance/risk/compliance (GRC). This is about building the layers of defenses around the standard reference architecture that operators adopt.
Standards and Vulnerability – In a similar way, Rakuten understood early on that no single reference architecture or standard for Open RAN can address every possible vulnerability and detect every possible threat. Even for a closed vRAN solution on a private cloud, the standards will not specify how to implement the security they recommend. The standards do define protocol and interface specifications and an interoperability framework, and they also serve as a reference for implementation, but they alone do not specify the “how.” And that’s what the industry is struggling with today.
Our Pragmatic Approach – Our approach has been a pragmatic one, driven by our early adoption of the “new ways of building networks” and the lack of any reference implementation of a successful nationwide, Open RAN, cloud-native network deployment. In order to achieve our objectives, we had to leverage 21st-century technologies for our 21st-century networks with the utmost resilience, privacy, user and data integrity in mind. To this end, we are building on defense, finance, ecommerce and telco industry standards to protect the entire system.
Continuous Audit – Operators have always had to implement more than what is specified in any technical standard, to address the true spectrum of security challenges: process, technology, and people. Operators also have to continuously audit posture and correct deviations and drifts. By the time a standard is ratified, new vulnerabilities would have been identified and new attack vectors would have been developed. That is why we strongly believe in a pragmatic, dynamic, and always-on cyber security framework to help identify, respond to, and recover from vulnerabilities or compromises to systems.
Best of Breed Tech & Operations – Our philosophy has been focused around leveraging best of breed in tech and operations. We fully adopted cloud and virtualization for the cost and operational benefits they bring, we fully adopted Open RAN for the flexibility and choice it provides, and we are relentlessly automating our network with a vision to achieve a level 4 autonomous network. At the same time, we’ve developed the security framework leveraging telecom and non-telecom standards and best practices, such as 3GPP, GSMA/NESAS, NIST, ITU, IETF, ISO, and others.
Security Before
One approach to security has been characterized as “security through obscurity” — proprietary techniques known only to a small few, and therefore, in theory, reducing the attack surface and the possibility of a compromise. Telecom has traditionally felt protected by the sorts of closed, proprietary systems this gave rise to, that were hidden behind traditional perimeter-based security and access. Traditional telecom still has the posture and behavior of an enterprise before the rise of the mobile worker and remote access.
We already know this approach can lead to unexpected consequences, both from the simplicity of a password/credential compromise that leads to total internal access and from the very advanced cyber breach cases that we hear about. Vulnerabilities encountered today are more commonly shared across all industries, open source communities and enterprises.
Key Points
- Proprietary/closed systems are not always equal to secure systems.
- Open, interoperable technology stacks are not equal to insecure systems.
- Every digital system, HW or SW, is vulnerable and potentially compromisable.
The recent Log4j compromise is a very good example of an open-source vulnerability that needed to be immediately addressed by everybody, including telecoms. Rakuten Mobile immediately went into response mode:
(1) We ran a cyber security incident to detect/prevent attacks and breaches, and determine our attack surface.
(2) We installed new controls on our intrusion prevention systems and our web application firewalls to block attacks.
(3) We installed new rules to monitor outbound communications for any evidence that we have been compromised.
(4) We monitor runtime for any new software executions/installs on the network.
(5) We run vulnerability scans across our network to find where Log4j is installed.
(6) We also received communication from several vendors about their state and next steps to secure their systems.
Our next steps involved patching: We immediately identified vulnerable libraries of Log4j that were internally accessible. We worked with the business and app owners to prioritize development to safeguard our assets and fix the vulnerability. This is what security looks like in a modern software-driven telecom network.
An openly better approach
By one standard, a house can be “secured” with a padlock on the front door, but securing the front door while the windows are wide open leaves the whole property insecure. As telecom increasingly turns to software to achieve innovative solutions, lower cost, and greater speed and flexibility, it can also adopt the most up-to-date, proven practices in securing networks. When a vulnerability in open source software is identified, the whole community of experts rushes to fix it. This collective mindset is foreign to some industry players. In the enterprise world, embracing this approach has been the norm for decades.
Let us be clear about how cloud-native networks and open interfaces present both a different security challenge and a solution. By definition, open interfaces increase the potential entry points for attack on a telecom network (we call this the attack surface). But what they also do is increase the speed and the number of resources that can be brought to bear on protecting against, identifying, neutralizing and recovering from attacks. In this light, the recent German BSI recommendations on security in Open RAN networks are entirely reasonable, providing a list of vulnerabilities that should be addressed. Operators must be responsible for their own implementation of security and privacy, appropriate to their regulatory and market context.
Telecom regulators have much to gain from the ability of open, cloud-based networks to enable:
- Greater innovation, due to network disaggregation.
- A more granular trust in the supply chain.
- Best practice from other industries, particularly enterprise IT.
- And a widely available resource and technology capability system that should make a network using Open RAN and cloud more secure than legacy networks.