How telecoms operators can face today’s security challenges

Telecoms.com periodically invites expert third parties to share their views on the industry’s most pressing issues. In this piece, Stanley Mesceda, High Speed Encryption expert at Gemalto, looks at how operators can better protect themselves from security breaches at the start of the SDN era. 

According to the latest Breach Level Index report, so far this year there have been close to 900 data breaches worldwide that compromised nearly 246 million records across all sectors, including the telecommunications industry. With the latest reports showing that the technology space accounts for almost 20 per cent of all data records stolen, the reality is that even the bigger players with more money to invest in security are not necessarily better protected.

In particular, recent years have seen the reputation and bottom line of telecommunications operators – including Vodafone and Korea Telecom- suffer the effects of security breaches. This is of special concern now that software-defined networking (SDN) is on the rise. Like many new technologies, though SDN provides flexibility and efficiency for operators, its focus has not been on security. SDN, like any network can be attacked at each network component. So what can telecoms companies do to protect their networks and the data that travels through them? It’s time to decide what is and isn’t an acceptable level of risk.

The security challenges of deploying SDN

The new reality is that conventional data protection is outdated. Simply putting up a wall around the data and standing watch is no longer enough. While many operators are successfully implementing new security practices to protect themselves against cyber-attacks, the Openflow standard does not specifically call these out, allowing for grey areas of interpretation and in effect providing no governance around the security of the network.

Early versions of the standard required SDN network devices to use TLS encryption and certificate authentication. However as a result of the latest standards, this has been watered down to be an optional requirement – making SDN less secure by default. A further challenge is that the OpenFlow standard relies on implementation teams knowing about industry best practices for managing authentication certificates, public key infrastructures and encryption keys. However, not all do.

By default, SDN is meant to be configurable and interoperable with various open standards/vendors. Not implementing best practice could have a negative effect on all architectures, which have multiple network components, including control and data planes. By accessing the control component, hackers have the ability to re-configure a network and re-route user data streams. Therefore, operators should aim to layer security solutions from multiple vendors to reduce the risk of one vendor data breach compromising the whole network or system.

Preventing cyber-attacks in an ever changing environment 

When looking at SDN or cloud based services there is a clear need to have an efficient security plan in place from the start. Security and network teams need to work closer together to understand how best to create trustworthy routes and enable networks to scale in a secure fashion.

The first step is to accept the fact that at some point a breach will occur. The key is to ensure it’s a secure breach by encrypting sensitive data, thus protecting it throughout its whole lifecycle, no matter where it is, and ensuring sensitive information is worthless to the attacker should a breach occur. However, encryption alone is only part of the solution. In order to protect SDN networks, operators require multiple layers of security assurance including increased traffic control, multi-factor authentication, and dedicated appliances.

Additionally, operators will need to trust those network devices and know that their policies have been digitally signed and not tampered with. Hackers can easily gain access to data via a network device that is either poorly configured or is left with default credentials. Hardware Security Modules (HSM’s) can be used to provide that route of trust to securely generate, store and manage the cryptographic keys used for data encryption so they are only accessible to authorised personnel. Investing in a standards-based enterprise key management strategy will enable operators to limit access to keys, define how those keys are issued and distributed, and provide protections for them as they are stored.

A new mind set for SDN security

Traditional security strategies have focused on physical security, but with SDN operators are no longer plugging in cables. Now, breach protection is about making sure the software running on the network devices is validated and the configuration changes are authorized by the operator. Fortunately these new approaches are based on well-established principles- such as controlled access and data confidentiality- and on the use of tools including encryption, authentication and key management.

With threats changing daily, meeting the minimum legal requirements is no longer enough. Operators need to be continually vigilant and take a multi-layered, dynamic approach to data security which will allow them to be safe in the knowledge that their network is protected, whether or not a breach occurs.

Stan Mesceda is the Product Line Manager at Gemalto for the SafeNet High Speed Encryption (HSE) products focusing on encryption solutions that meet commercial WAN and MAN requirements from 10Mbps to 100Gbps and beyond.  He is an experienced security professional with roles ranging from engineering and operations to program and product management.  With a focus on encryption products since 2001, Stan has worked on ASIC developments, Smart Card technologies, and High-Speed Encryption devices.  Several products have achieved the highest level of security certifications in their respective fields. Stan is a graduate of the Rochester Institute of Technology (RIT) and the William E. Simon Graduate School of Business (University of Rochester).