Spotlight on Tech

Rise above FUD and embrace an openly better approach on telco security!

By
Rabih Dabboussi
Chief Revenue Officer
Rakuten Symphony
February 23, 2022
14
minute read
Security doubts shouldn’t stand in the way of innovation and transformation. Risk will always be present but demands management, not avoidance. Too often, the calls for hesitation come from incumbent vendors with a financial stake in the status quo. This time, the answer to the most pressing security requirements will not be found in interoperability standards alone. To compete safely at the speed of cloud, telecom operators should evaluate industry best practices, collaboration and innovation, setting the best security and privacy strategies based on individual regulatory and market context.

The combination of cloud, open interfaces, virtualization and the latest generation of mobile standards is causing operators to ask an important and valid question: is this new world secure?

Some answers to this question are unfortunately misleading. Security in telecom is always a moving target; one that is not solved by industry standards alone. It is solved by a mindset shift, by moving away from hearsay to embracing empirical data and informed viewpoints. The better approach to implementing effective security is based on the principles of clear analysis, innovative thinking and learning from past experiences. The path that telecom is on as it modernizes is one that other enterprises and industries have already been pursuing in cloud, virtualization, and automation — with plenty of learnings to share.

Over 15 years ago, enterprises began to move data and applications into public cloud and make more use of open interfaces and open source software. While today this seems like an inevitable trend, many enterprise CIOs initially resisted the move, raising concerns about security.

But for CEOs and CFOs, the prospect of cost savings, more scalable business models and a faster rate of innovation was compelling. The potential for a competitive edge (and the realization that new rivals were already reaping the rewards) put pressure on both CIOs and cloud vendors to come up with a solution that worked to satisfy both objectives: a modern, dynamic business, with no compromise on security.

Today the same arguments against cloud and open networks are happening in telcos. The telco industry in general needs to be less skeptical. It needs to be an industry embracing change instead of resisting it, and an industry that encourages innovation and progress. Excessive concerns about the security of unfamiliar technologies, calls to delay adoption “until security standards are complete,” will result in telcos giving up ground to rivals. Many times the calls for hesitation comes from certain stakeholders who would prefer the change not to happen.  

Standards are important guardrails for the industry, not the answer to all challenges

At the center of telco standards there is the 3GPP, and at the center of that for security is GSMA/NESAS, ITU, IETF and many others. These organizations together define a standard architecture and security framework for how mobile networks work, to avoid operators (or vendors) creating unique and non-interoperable equipment. The standards do address security, but actual implementation is what really makes a huge difference from one network to the other. Regardless of how detailed the standards are, operators must roll up their own sleeves and do their own homework to define the implementation framework for their network’s cyber security, resilience and trust.  This is not just about security posture, vulnerability assessment, threat modeling, security operations and governance/risk/compliance or GRC. This is about building the layers of defences around the standard reference architecture that operators adopt.

In a similar way, Rakuten understood early on that no single reference architecture or standard for Open RAN can address every possible vulnerability and detect every possible threat. Even for a closed vRAN solution on private cloud, the standards will not specify how to implement the security it recommends. The standards do define protocol and inter face specifications and interoperability framework, they do also serve as a reference for implementation, but they alone do not specify the “how.” And that’s what the industry is struggling with today.  

Our approach has been a pragmatic one, driven by our early adoption of the “new ways of building networks” and the lack of any reference implementation of a successful nationwide, Open RAN, cloud native network deployment. In order to achieve our objectives, we had to leverage 21st century technologies for our 21st century networks with the utmost resilience, privacy, user and data integrity in mind.

Operators have always had to implement more than what is specified in any technical standard, to address the true spectrum of security challenges: process, technology and people. Operators also have to continuously audit posture and correct deviations and drifts. By the time a standard is ratified, new vulnerabilities would have been identified, new attack vectors would’ve been developed and that is why we strongly believe in a pragmatic, dynamic and always on cyber security framework to help identify, respond, and recover from vulnerabilities or compromises to systems. Our philosophy has been focused around leveraging best of breed in tech and operations. We fully adopted cloud and virtualization for the cost and operational benefits they bring, we fully adopted Open RAN for the flexibility and choice it provides, and we are relentlessly automating our network with a vision to achieve a level 4 autonomous network. At the same time, we’ve developed the security framework leveraging telecom and non-telecom standards and best practices, such as 3GPP, GSMA/NESAS, NIST, ITU, IETF, ISO and others.

Security before

One approach to security has been characterized as “security through obscurity” — proprietary techniques known only to a small few, and therefore, in theory, reducing the attack surface and the possibility of a compromise. Telecom has traditionally felt protected by the sorts of closed, proprietary systems this gave rise to, that were hidden behind traditional perimeter-based security and access. Traditional telecom still has the posture and behavior of an enterprise before the rise of the mobile worker and remote access. We already know this approach can lead to unexpected consequences, both from the simplicity of password/credentials compromise that leads to total internal access, or the very advanced cyber breach cases that we hear about.

Vulnerabilities encountered today are more commonly shared across all industries, open source communities and enterprises. The recent log4j compromise is a very good example of an open source vulnerability that needed to be immediately addressed by everybody, including telecoms. Rakuten Mobile immediately went into response mode:

  • We ran a cyber security incident to detect/prevent attacks, breaches, and determine our attack surface.
  • We installed new controls on our intrusion prevention systems and our web application firewalls to block attacks.
  • We installed new rules to monitor outbound communications for any evidence that we have been compromised.
  • We monitor runtime for any new software executions/installs on the network.
  • We run vulnerability scans across our network to find where Log4j is installed.
  • We also received communication from several vendors about their state and next steps to secure their systems.

Our next steps involved patching: We immediately identified vulnerable libraries of log4j that were internally accessible. We worked with the business and app owners to prioritize development to safeguard our assets and fix the vulnerability. This is what security looks like in a modern software driven telecom network.  

What I’m trying to explain with these examples is the following:  

  • Proprietary/closed systems are not always equal to secure systems.
  • Open, interoperable technology stacks are not equal to un-secure systems.
  • Every digital system, HW or SW, is vulnerable and potentially compromisable.

An openly better approach

Let us be clear about how cloud-native networks and open interfaces present both a different security challenge and a solution.

By definition, open interfaces increase the potential entry points for attack on a telecom network (we call this the attack surface). But what they also do is increase the speed and the number of resources that can be brought to bear on protecting against, identifying, neutralizing and recovering from attacks.

In this light, the recent German BSI recommendations on security in Open RAN networks are entirely reasonable, providing a list of vulnerabilities that should be addressed. CSPs must be responsible for their own implementation of security and privacy, appropriate to their regulatory and market context.  By one standard, a house can be “secured” with a padlock on the front door, but securing the front doors while windows are wide open turns the whole property insecure.

As telecom increasingly turns to software to achieve innovative solutions, lower cost, and greater speed and flexibility, it can also adopt the most up-to-date, proven practices in securing networks.  When a vulnerability in open stack is identified, the whole community of experts rush to fix it. This collective mindset is foreign to some industry players. In the enterprise world, embracing this approach has been the norm for decades.

Telecom regulators have much to gain from the ability of open, cloud-based networks to enable:

  • Greater innovation, due to network disaggregation.
  • A more granular trust in supply chain.
  • Best practice from other industries, particularly enterprise IT.
  • And a widely available resource and technology capability system that should make a network using Open RAN and cloud more secure than legacy networks.

Rakuten’s security blueprint

No digital system can be guaranteed as 100% secure. Rather than looking for guarantees, security is about limiting the attack surface, limiting vulnerabilities anywhere and everywhere, including (amongst others):

  • Continuous upgrade and patch of operating systems, network functions software and operations.
  • Vetting the supply chain and supplier processes.
  • Using security frameworks and audits such as IS0 27000x, NIST, NESAS and others.
  • Leveraging standards and other best practices.
  • Implementing always on security operations.
  • Defining a detailed GRC platform and controls that address technology, people and processes.
  • Conducting continuous security assessment, vulnerability detection, penetration testing and 3rd party audits.

At Rakuten we believe that we defined a best practice for the new breed of networks, born from experience of running the world’s first and largest truly open mobile network. To stay secure we ask ourselves the following questions:

  • Are we “vulnerability free”? A more enlightened approach is to assume there is no such thing. Instead, we have focused on establishing the strongest possible defences, vigilance and restoration technologies and methods.
  • Have we learned and are we still learning? Yes, both directly, with our partners, and as part of collaborative industry working groups.
  • Do we continue to implement security solutions? Yes, making continuous improvements against a continuously evolving threat. The only effective approach to take.
  • Process, People, and technology are central to our approach.
  • We work with the underlying standards and best practice from all areas, not just mobile network standards, but enterprise and regulators.

Operators, governments and regulators should not expect groups such as the O-RAN Alliance to address the entirety of real-world security issues. Nor can 3GPP, public cloud providers, NESAS, NIST, IETF, TOGAF/ITIL and others. It is for the operator, working with the best experience from all industries, to address this.

Securing data at rest and in transit in a modern network is not going to be, nor has it ever been, defined by standards. It will be defined by industry-wide best practice and an openness to external solutions. It will be defined by real world experience of running a secure, open network and sharing that experience with others.

In conclusion

In the area of security, standing still is a much riskier strategy than moving forward.

The primary remit of telecom industry standards bodies was and is to ensure basic interoperability of equipment between network operators. The details of security implementation (the HOW) were rightly left as an implementation question, allowing vendors to innovate and differentiate. Best practices should be shared in relevant communities and Rakuten is keen to participate and contribute. The increasing use of software, open source, cloud and other developments have already redefined what security means, and telcos and regulators already need a more modern approach for identifying and minimizing risk. Tapping into accumulated expertise from the early adopters of modern networks and the broader IT enterprise world outside the industry would be a good start.

Security

This article is authored by Rabih Daboussi, Chief Revenue Office Rakuten Symphony who has been a driving force behind the transformation taking place in telecom, constantly advising and discussing network evolution strategies, technology roadmap and fit, and security and resiliency topics as mobile operators embark on the next wave of transformation.