Cybersecurity
With the advent of The Telecom Security Act (TSA) in the United Kingdom, and the Network and Information Security Directive 2 in the EU (NIS2), to name just two major demands on today's operator, a security first mindset is essential.
Operators MUST now enrich their security and ensure compliance and control within the operation or face serious consequences, indeed, which could be argued as potentially terminal. Compliance is not optional, and the time to act is now.
CORTEX is supporting the biggest and most complex operators today, and for some, this is most important in the security centric use cases, automating and orchestrating world class Network security and regulatory compliance.
Telecommunications providers are identified as critical national and international infrastructure. As such, security for the modern telco is not just important, it’s a binding, strategic imperative.
Relevant legislative examples include but are not limited to the Telecommunications (Security) Act 2021 (TSA) being the relevant UK regulation and the Network and Information Security Directive 2 (NIS2) and The Digital Operational Resilience Act (DORA) similarly in the EU. In addition, GDPR, the DPA, POPIA, and CCPA, affecting the EU members, UK, South African and the US geographies, respectively, add additional regulation and compliance in respect of PII (Personally Identifiable Information) particularly sensitive PII, making safe and secure operating conditions very challenging.
Information must be secured, networks must be secure, and defences must be raised much higher. For the modern operator this means there is no escape from automated and orchestrated defences against increasingly organised attackers including rogue states.
Useful resources
- https://www.legislation.gov.uk/ukpga/2021/31/contents/enacted
- https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
At the Order Capture phase, automated defences are critical. Any business must take care to secure the user interface against bad actors and Order Capture is a particularly high risk penetration opportunity for both the Customer and the Operator.
Any business must take care to secure the user interface against bad actors, and Order Capture is a particularly high-risk penetration opportunity for both the Customer and the Operator.
Kiosk/terminal access in a retail outlet, automated password rotations for the terminals and the users, and EAC devices for staff, are all candidates for automation in store.
Integrated checking for existing customers, extensive corroboration between data sets from credit reference agencies, data already stored by the operator and decision making systems for mobile app or other web based applications are all necessary to provide robust defences.
Applying changes to the Network Configuration must only be performed by authenticated and authorised individuals. The access rights of these individuals must be only sufficient for them to perform their assigned role.
Access rights to the network must be reviewed on a regular basis and where no longer needed must be revoked or removed. Access credentials such as passwords must meet company policy in terms of strength and currency.
Management of the product catalogue that is used as part of Order Decomposition and Catalogue Management uses cases must be restricted to authenticated and authorised users to prevent malicious modifications that could adversely affect the service definition. All changes to the product catalogue should be version controlled and undergo a structured release management process.
The Order Processing and Interconnect use cases require interfacing with external entities through agreed data exchange mechanisms.
Security measures must be in place to ensure that communication is being made with the appropriate recipient and that the exchanged data is suitably encrypted, especially if it contains user PII.
The Order Processing and Interconnect use cases require interfacing with external entities (suppliers, partners and other operators) through agreed data exchange mechanisms.
Security measures must be in place to ensure that communication is being made with the appropriate recipient (for example, by the use of server and client authentication certificates), and that the exchanged data is suitably encrypted, especially if it contains user PII.
The visibility and configuration of these security measures should also be restricted to appropriate users.
Access Management, User Access Management and Electronic Access Control provide the functionality to both specify and subsequently audit the assignment of access rights to people and systems.
Measures should be put in place to validate the recipient of these access rights, as well as the recipients’ need for them, before they are granted.
All use of the access rights should be tracked. Regular audits should be performed to revalidate both the recipient, and the recipient’s continued need for the granted rights, and where appropriate, rights should be revoked or removed. These are good candidates for security automation.
Regular audits should be performed to revalidate both the recipient
The recipient’s continued need for the granted rights, and where appropriate, rights should be revoked or removed. These are good candidates for security automation.
From a cybersecurity perspective, the Resource Compliance and IT Compliance use cases focus on ensuring that the systems comply with company security policies: for example, that their software and firmware versions are at the appropriate levels; that their configurations are in line with relevant standards; that user accounts are configured with the minimal set of capabilities; and that anti-virus and anti-malware scanning occurs.
With each of these types of checks, discrepancies should be documented, reported and resolved as quickly as possible; note that the resolution of a discrepancy may involve changing the configuration of the affected resource, or of other network elements or applications depending upon the nature of the selected resolution.
Resource Compliance and IT Compliance use cases focus on ensuring that the systems comply with company security policies: for example, that their software and firmware versions are at the appropriate levels and that their configurations are in line with relevant standards
Applied to the organisation’s employees’ assets, the same principles apply. Provision of laptops, phones and access to software platforms (Resource Allocation) all comes with some risk, so if this too is not governed with the appropriate security measures, bad actors can prevail and once a breach is successful, this can quickly spread to the organisation more widely and very quickly.