Security is fast becoming one of the telecoms’ industry’s ‘hot topics’. This reached a new peak in October when the TeleManagement Forum committed to adding a new security layer to the architecture of NGOSS (New Generation Operation Support Systems). But how has this come about? What’s changed so dramatically? And what issues do the new proposals address?
To appreciate the scale of the challenge, cast your mind back 20 years. Back then, before the emergence of the Internet and mobile communications as major commercial forces, the telecoms industry did not see security as a top priority. The wave of liberalisation and deregulation, which dominated the 1980s and 1990s, was only just emerging and monopolies and insular telecoms infrastructures still held sway.
The operating systems, databases, and associated applications, which supported telecoms architectures, operated in a largely secure environment. These were protected from the outside world by a complex combination of access control, identification and authentication mechanisms; network firewalls and intrusion detection systems.
However, this landscape has now changed radically. Today, the threat to telecoms companies and their customers is much more potent.
In the past, many customers took the security of Network Operations and Management Systems for granted. This was largely because it was assumed that the telcos' Network Management System would always run in a trusted environment and that their Management Network would always be dedicated, well demarcated and protected against outside access.
Today's breed of telecoms customer is no longer convinced by these assumptions. More RFPs and RFIs now request a level of security assurance and compliance to IT security standards to be included with vendors' solutions. Some customers are even demanding an audit of the vendors' security maturity and level of compliance.
Coming to terms with a brave new world
The pervasiveness of mobile communications and the Internet is largely responsible for this new security-conscious telecoms environment.
The widespread use of these technologies and the open environment, to which this has given rise, directly exposes applications to the user, making telecoms companies more vulnerable to security breaches.
There is now a broad and growing range of potentially disruptive threats to the integrity of the telecoms solution lifecycle, taking in viruses, human error, equipment failure, rapidly changing technology, and inadequate security specifications.
As a result, the industry has become increasingly aware that security needs to be addressed at the application rather than perimeter or system access level. There is also a growing understanding that companies have to engage more with security issues from the operational and developmental perspective.
Recent incidents and industry initiatives underline the unprecedented demand for security throughout the information and communication technology sector. Telecoms has long been recognised as a prime mover of quality software and services. However, the industry has become increasingly aware that this leadership position will be undermined if it does not make similar forays into security. Over the last two to three years, it has taken steps to address these concerns.
Standard-setting hits its stride
The initial focus was on 'hardening' applications by introducing security controls at key points in the network. Flaws in this approach led to a move towards building secure software systems from the ground up.
The International System Security Engineering Association (ISSEA) created the Capability Maturity Model (SSE-CMM) - a structure for software development, which allows mature system processes to meet the relevant security requirements.
Another recently created standard is the Common Criteria for Information Technology Security Evaluation (CC). This offers users assurance that the end product of a development process whether software module, application or service, is fully secure.
However, these approaches cannot in isolation provide the telecoms industry with an overarching approach to security. Instead, a comprehensive security framework is required to counter the threats facing the telecoms industry.
Such an approach would bring together the disparate models and standards of the past few years and protect the solution lifecycle from "womb to tomb" i.e. from requirement specification through to system disposal. After all, as new security vulnerabilities can occur at any stage of the NGOSS lifecycle, appropriate assurance is required at each stage. This awareness has resulted over the last two to three years, in a push towards the development of common IT security standards. These are needed to combat security threats and provide secure NGOSS across the whole telecoms solution lifecycle.
The mobile communications sector provides a good example of the pressing need for an overarching security infrastructure. It is particularly susceptible to attack. This is not only because of its current attraction for individuals propagating spam and viruses but also because to the vulnerabilities of its applications, its limited footprint and storage capabilities and the directness of its exposure to end users.
If the mobile community adopts a reactive approach to security, it will continue to be menaced by an ever-growing range of threats. The same applies to telecoms as a whole.
Going forward with the TMF
The consensus in favour of defining a consistent approach to telecoms software security is growing. However, there is also a realistic awareness that given the complexity of the NGOSS architecture, it is difficult for stakeholders to seamlessly design and implement overarching security unless a common framework is first evolved.
The TeleManagement Forum (TMF), a global organisation dedicated to operations systems support (OSS) communication management issues has become the driving force behind the move to develop such a framework.
The TMF believes that it is only its implementation throughout the industry will give NGOSS stakeholders assurance that solutions are meeting the macro and micro level security goals common to all of them.
MBT is playing a key role in ensuring that this really happens. The company recently became the first from India to join the core committee of the TMF. As such, it is now helping drive forward the NGOSS security initiative and spearhead the development of standards and architectures to ensure the security of NGOSS systems and applications.
Key objectives of the NGOSS approach to telecoms software security include building software security upfront rather than bolting it on as an afterthought; building end-to-end security collaboratively for all stakeholders and following standards and industry best practices across the telecoms solutions lifecycle.
From the business perspective, the NGOSS security and assurance framework will comprise a cycle of critical activities designed to meet constantly changing customer needs in the emerging information age. This cycle essentially comprises three broad activities:
- Assessment of needs – This would primarily consist of a combination of customer education, threat awareness and vulnerability and business impact assessment. TMF has a role here in leading industry advocacy;
- Delivery of solutions – Based on these needs, the solutions will range from product and systems evaluations. Systems security engineering consultancy, security infrastructure management guidance, security lifecycle support, policy guidelines and so on;
- Development of advanced technologies – this would necessarily involve anticipation of and enabling security in emerging technologies, co-ordinating and sponsorship of research and development and rapid prototyping of security solutions
Bright future ahead
The NGOSS committee of the TMF is confident that the result of all these efforts will be a security-enabled architecture with pervasive security capabilities deployed throughout the NGOSS environment and woven into NGOSS solutions from scratch. In addition, it will allow TMF to fulfil the critical role of overseeing this process and developing its own metrics to measure the security compliance of stakeholders within acceptable NGOSS specifications
We can now look forward with confidence to the emergence of a security enabled architecture covering the whole telecoms environment. At MBT, we believe that achieving this objective will go a long way to combating the many security threats facing the industry today.
Dr. Prem Chand is head of security business in MBT, and chairman of NGOSS security team at the TMF.