In February this year Swedish network equipment and services vendor Ericsson published a white paper—Guiding principles for security in a networked society—that looked, from the outside, like the firm’s first significant public statement on network security. While other vendors, NSN and Alcatel-Lucent in particular, have made security prominent in their discourse for some time, Ericsson has tended more towards circumspection.
The white paper set the scene for a greater visibility of security in Ericsson’s messaging during Mobile World Congress, with the firm now clearly keen to join the wider discussion. And the first notion that Jonathan Olsson, security specialist, Ericsson group function technology, wants to dismiss is the suggestion that the firm’s historically low profile in the space does not reflect a lack of activity, hightlighting its long-time work in security standardization. “We consider security crucial to instill trust in networks for individuals, businesses, and society. Our view is security needs to be integrated in all aspects, from secure product development practices and creating network architecture to designing operational processes and managing operations,” he says.
“In the last couple of years we have seen a much bigger interest from operators in the security area,” Olsson says. “The threat landscape is developing at a really rapid pace and is being discussed at higher levels. It’s getting attention from CEOs and CTOs. We think it is great that this topic is now high on the industry agenda.”
Just how that threat landscape is developing is a source of much debate at the intersection of the security and telecom industries. While Olsson’s observation that emphasis has shifted from attacks that were often recreational in nature to well organised undertakings motivated by financial gain seems reasonable enough, there is still a sense within the industry that the threat is at times inflated by some organisations that might have security solutions to sell.
“Scaremongering is one of the worst enemies we have,” says Olsson. “We need to be realistic about what the threats are in the mobile network environment and create awareness of how those threats are evolving. We have to make sure we’re keeping pace with the development of the threats so we can provide the solutions that are needed.”
Approaches to risk will vary. If an attack has a very high probability but a low likely impact then operators will tend to invest less in mitigating it than they would for a threat that has moderate probability and a high impact. What is important is that a thorough risk assessment is carried out, Olsson says; an area in which Ericsson is clearly looking to position itself as a service provider. “Sometimes it helps to have an external party come in, look at your network and your process to identify which assets that are most at risk or most valuable,” he says.
As is the case with most elements of their business, different operators are at different stages in their approaches to security. “Some operators have been very security conscious for a long time and have been at the forefront of this drive for security in the networks,” Olsson says. “Whereas others are just now starting to understand the business relevance of security.”
The move to LTE changes the game for mobile operators, however. Attackers have a far wider and more comprehensive understanding of IP than they do ATM and TDM networks, he says. And the mobile industry need only look to the enterprise and IT communities to get some idea of what it might have to face.
With this in mind it has tended to be the larger operators, which also have established fixed networks and enterprise service arms, that have led the field in network security, Olsson says. Nonetheless, he says, Ericsson has encountered an increased security awareness and interest from MNOs, in general, to understand the security implications of the LTE architecture in order to implement appropriate security strategies.
LTE is not the only high profile technology shift ongoing in the industry at the moment, nor the only one that could have far reaching implications for network security. Olsson highlights virtualization of core node functionality as one example. “Today we build core nodes knowing exactly what hardware it will be running on, knowing that we have hardware-rooted security and that we can optimise the software for that environment,” he says.
“When you start virtualizing network functions you don’t know what hardware you’re running on, or what kind of capacity has been allocated to the virtual machine, so you need to create awareness of that fact in the application. It has to take into consideration the dynamic or elastic environment that it might be working in—and the security in the execution environment, as well.”
Moreover concerns remain about applications running in datacentres serving many tenants, he says. “One of the most important aspects of the cloud environment is the segmentation, isolation, containment, and compartmentilization of different tenants,” he says. “They need to be separated in such a way that, if one tenant is attacked or experiences some sort of outage, the other tenants running in that cloud are not affected. Nor should a tenant be able to break free from their containment to interfere with other tenants.”
As the telecoms industry inches towards virtualization there is intense debate about the need for telco-grade and standards-based equipment. And there are similarly-themed debates happening in security circles, Olsson says. In particular Ericsson is keen to see the industry coalesce around a 3GPP initiative called Security Assurance Methodology (SECAM); a set of standards that aims to establish security requirements not just for products but for product development processes.
Olsson explains: “One of the challenges in the industry today is being able to provide assurance that your products meet a certain level of security quality. It’s one thing to say that you have implemented one or other security functions but how do you know if you have implemented them correctly and ensured they are sufficient to mitigate risks?
“There really isn’t an industry standard that enables vendors to show some sort of complicance with these basic security requirements from a development point of view. That’s one of the things that we are aiming at with SECAM,” he says.
One key change that the initiative could usher in is a shift from vendors being required to provide security certification on a per-product basis to a situation in which, “accreditors will verify a 3GPP manufacturer’s overall capability to produce products that meet a given set of security requirements,” Ericsson has said.
There are benefits to be derived for both customer and supplier, Olsson argues. SECAM would enable operators to understand different levels of security inherent in products form different vendors—“so they can compare apples with apples”—while giving those vendors an established set of requirements that they must meet. “We hope it’s going to be the standard for every vendor in the telecom space,” Olsson says, although he stops short of suggesting that it might become a requirement.
The Ericsson perspective on the alternative reflects an organisation that has long held standards close to its heart. In its February white paper, the firm wrote: “There is a real risk that uncoordinated global efforts in this area will lead to a diverging set of security requirements, which would jeopardize not only interoperability but make security that much more complex to guarantee. Global standards and best practices are fundamental to the efficient handling of threats—especially those that originate across national borders—as well as to building economies of scale, avoiding fragmentation and ensuring interoperability.”
Mobile network security is a complex technical problem but it may prove to be the case that mobilising and marshalling the many stakeholders required to produce the best response of which the industry is capable will prove a sterner task. Olsson hints that some operators are struggling to ensure that all key parties are pulling in the same direction internally, never mind participating in the creation of a coherent, industry-wide effort.
Such programmes can be unwieldy purely by dint of their size and individuals and organisations that represent threats to network security tend to be nothing if not nimble. “One of the real challenges is that security is asymmetric in nature,” Olsson says. “As an attacker I just need to know of one vulnerability but as a defender I need to try and protect everything. Attackers are becoming more innovative and that means we have to be more innovative in the the type of defences that we implement,” he says.
And revealing the kind of grudging admiration that foes on either side of the battle line can sometimes have for one another, he adds: “It’s the innovation from both sides that keeps it so interesting.”
With Amazon and Google launching smart home initiatives, have the telcos missed out on their chance to cash in on this market?
Total Voters: 62