Traditional approaches to telecom security are not cutting it, so why do some telecom professionals continue to think that traditional approaches to security will work in the future? One problem with traditional approaches is that they make incorrect assumptions about security, and those assumptions lead to failure.
It’s time to stop and rethink how to build and operate secure telecom networks to avoid creating difficult-to-secure 5G architectures that will be nearly impossible to fix or replace later.
Existing Architectures Complicate the Ability to Apply Patches
Most technology vendors try to build secure hardware and software and follow sound security policies as they develop their products. Yet a quick glance at the security advisories from a variety of vendors shows that at least five of them reported important vulnerabilities in their products in February 2021. This spate of reported vulnerabilities provides the first hint that there are faulty assumptions at play.
A comprehensive approach to security cannot be built on component security alone. But surely security must start with vendors? That’s true, and most vendors tend to release patches quickly for reported vulnerabilities. But what is the benefit of quickly released patches when the components deployed in an end-to-end solution cannot be patched because of differing solution dependencies or inadequate resources to implement the patches?
The situation can rapidly devolve further if vertical stack providers, which use other vendors for components in their vertical stacks, do not supply the component patches in time. At that point, simple component security has no meaning in itself.
Once the patches are supplied, the operational capacity of communications service providers (CSPs) can limit their ability to patch their environments within 14 days of a critical patch. Most service providers, it seems, struggle to patch their environments twice a year. If service providers can switch to a SecDevOps operational model, it will help them patch systems faster and shift to a position of strength. SecDevOps alone, however, is not enough.
Shifting to a Proactive Position of Strength
Communications service providers need a new approach. At VMware, we call this new approach intrinsic security for telecom networks. It is neither a product nor a solution. Rather, it is a strategy for taking advantage of your infrastructure, architecture, and control points in new ways and in real time so that you can shift from a reactive security posture to a proactive position of strength.
It is about using what you have in new ways to help unify your security and network service teams; accelerate how they identify risk; enable them to automate patching without service disruption; and empower them to prevent, detect, and respond to threats with the right context and insight. This approach assumes that the next critical vulnerability will be announced today and assumes that exploits using it will be directed at your network.
Isolate, Abstract, and Automate: Traits of an Intrinsic Approach
Here’s a summary of the key characteristics of intrinsic security:
- Build a horizontal platform architecture that lets you deploy multi-vendor solutions on the platform. This architecture lays the foundation for a consistent approach to security by providing the basis for proper separation and segmentation, which limit the blast radius of an exploit. Using separate vertical stacks makes security exponentially more difficult.
- Use the abstraction layer of virtualization and avoid bypassing abstraction layers as much as possible. A major advantage of virtualization is the abstraction between the hardware and an application’s operating system. The virtualization layer lets you automate patching without service disruption. Bypassing the abstraction layer with technologies like CPU pinning and SR-IOV makes it much more difficult to patch independent components without disrupting a service.
- Use an API-driven, software-based overlay network solution to foster the kind of programmatic automation that is impossible with traditional SDN concepts created for underlay automation. Use this network architecture to implement proper segmentation and firewalls between services, devices, the management control plane, and management system access.
- Implement orchestration tools to automate as many operational procedures as possible to avoid human error and configuration mistakes.
- Build a zero-trust management access solution that properly secures the management plane for both internal and third-party access.
- Use security tools like VMware Carbon Black that can analyze behavior of both users and components at cloud scale over time and undertake automated responses.
- Select VNF and CNF vendors that make public their vulnerabilities so their customers can take appropriate actions and mitigations as quickly as possible. There is no security in obscurity.
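To make the blast-radius argument of the first and third points concrete, here is an added illustration (not VMware code or any product's policy format): a default-deny flow policy between the four zones the post names (workloads, devices, the management control plane and management access), with a check of how far a compromised workload can pivot along permitted flows. The segment names and flows are constructed sample data; the flat policy models a network with no segmentation at all.

```python
"""Blast-radius check over a segmented flow policy (added illustration).

Segments and allowed flows are constructed sample data. The policy is
default-deny: a (src, dst) pair not listed is a blocked flow.
"""
from collections import deque

# Constructed sample: segmented platform, only these flows are allowed.
SEGMENTED_POLICY = {
    ("mgmt_access", "mgmt_control_plane"),    # admins reach the control plane only
    ("mgmt_control_plane", "vnf_service_a"),  # orchestrator manages workloads
    ("mgmt_control_plane", "vnf_service_b"),
    ("devices", "vnf_service_a"),             # subscriber devices hit one service
}

# Constructed sample: no segmentation, every segment can talk to every other.
FLAT_SEGMENTS = ["mgmt_access", "mgmt_control_plane",
                 "vnf_service_a", "vnf_service_b", "devices"]
FLAT_POLICY = {(s, d) for s in FLAT_SEGMENTS for d in FLAT_SEGMENTS if s != d}

MGMT_SEGMENTS = {"mgmt_access", "mgmt_control_plane"}


def blast_radius(policy, compromised):
    """Segments reachable from a compromised segment by following allowed
    flows transitively (the compromised segment itself is included)."""
    reached = {compromised}
    queue = deque([compromised])
    while queue:
        src = queue.popleft()
        for s, d in policy:
            if s == src and d not in reached:
                reached.add(d)
                queue.append(d)
    return reached


def flows_into_management(policy):
    """Allowed flows that enter a management segment from a non-management
    source: any hit means workloads or devices can initiate connections
    into the management plane, which the post says must be isolated."""
    return sorted((s, d) for s, d in policy
                  if d in MGMT_SEGMENTS and s not in MGMT_SEGMENTS)


if __name__ == "__main__":
    for name, pol in (("segmented", SEGMENTED_POLICY), ("flat", FLAT_POLICY)):
        print(name, "compromised vnf_service_a reaches:",
              sorted(blast_radius(pol, "vnf_service_a")))
        print(name, "flows into management from outside:",
              flows_into_management(pol))
```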
At its core, intrinsic security is built into the infrastructure and the network to focus defenses in the right place at the right time. Future blog posts will delve into the key characteristics of intrinsic security for telecommunications infrastructure and 5G networks.
Previous Blog Posts and Papers on Telecom Security
This blog post is part of a continuing series of posts on security for telecom infrastructure and networks. Here’s a list of previous blog posts on security:
- Adapting to a Changing Landscape and Shifting Requirements with Built-in Security
- Evolution in Principle: Emerging Wireless Security Threats and the State of Cybersecurity
- To Take Full Advantage of 5G Investments, We Need to Think Differently about Network Security
In addition, see our high-level solution overview titled Protect infrastructure with built-in measures and our technical white paper titled Intrinsic Security for Telco Clouds at the Dawn of 5G: An Integrated Approach to Helping CSPs Meet Emerging Security Standards.