Mitigating threats against telco networks in the cloud

In the telecommunication world, security is not just a necessity—it’s a foundation of trust. Telcos are the backbone for global communication, transporting sensitive data in real time across large networks. Any vulnerability in this critical infrastructure can lead to data breaches, exposing confidential information. With billions of connected devices, from mobile phones to IoT, the potential of misuse of data can seriously impact national security. Protecting the network from threats isn't merely a technical challenge, it's a vital part of the job.

User management, hardening, network security, software integrity, auditing, certificates, and secrets management are some of the areas with a strong emphasis on telco infrastructure. Building on the foundation outlined in our introductory article, this article explores the security needs of telco.

Security expectations in telcos are backed by stringent regulatory requirements enforced by both global and regional standards. Key compliance frameworks include:

• 3^rd generation partnership project (3GPP)
• Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI) - France
• Telecom Security Requirements (TSR) - UK
• National Security Agency (NSA) - US

Each framework shares a common objective: Establish robust security measures that safeguard sensitive communications and protect critical infrastructure.

In addition to these global and regional standards, some large telco operators impose group-level security requirements to protect their networks.

Security begins with strong access control

It's better to secure the gates than to deal with intruders inside. In telco networks, where sensitive data and critical operations are at stake, access control becomes vital. Similar to any IT infrastructure, user and password management is crucial in limiting unauthorized access and data misuse.

Apart from using role-based access control (RBAC), techniques like separation of machine-to-machine (M2M) and interactive users help minimize the risks of unauthorized access. M2M users are used for internal communication within the cluster and restricted from external access.

A strict password requirement from telcos warrants the flexibility to set their own password policies, including complexity requirements, password lifetime, reuse, inactivity, and account lockout.

Aligning with telco’s own organizational goals, they need infrastructure to support single sign-on (SSO) functionality with vendor-neutral protocols like Lightweight Directory Access Protocol (LDAP) for integration with external directory services, such as Active Directory. This enables telcos to centrally manage the users, simplifying security administration.

Strengthening the core with system hardening

As the saying goes, a chain is only as strong as its weakest link. It's essential to ensure that every link remains strong. System hardening is a critical step towards securing the telco networks. By addressing vulnerabilities across multiple system components, hardening minimizes the attack surface. In telco environments, where uptime and reliability are important, these measures are essential to ensure uninterrupted service and robust security.

Key parameters of system hardening include:

• RPM hardening: Verifying package integrity to ensure that software installed on systems remains untampered.
• Password hardening: Enforcing stricter policies for password complexity and expiration.
• Boot and kernel hardening: Securing the system startup process and ensuring kernel configurations are optimized for security.
• File and directory permissions: Limiting access to critical files and directories to prevent unauthorized modifications or data leaks.
• SSH hardening: Strengthening remote access protocols by restricting access, disabling unused features, and enforcing the latest encryption standards.

System hardening is not just a one-time process. As a telecom regulatory requirement, a process must regularly scan, assess and fix emerging vulnerabilities, ensuring that the telco networks remain secure. As Common Vulnerabilities and Exposures (CVE) are raised in the field, telco operators must closely monitor them and collaborate with infrastructure providers to promptly address them, prioritizing actions based on severity and relevance.

Network security in telco

A solution without encryption is like living in a glass house where everyone can see everything. Network security is needed to ensure the safe and reliable data transfer across systems. Telco networks hold sensitive personal data like location trace and call records, which must be well protected, but also securely accessible to lawful interception. Regulatory standards like the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) in the United States impose strict requirements for the protection of personal data with hefty penalties in case of data breach.

The defence begins with the implementation of Transport Layer Security (TLS) to protect network communication from being snooped. Protocols like IPSec further enhance network security by creating encrypted tunnels for communication between two endpoints, reducing the risk of interception, snooping, or tampering with data in transit.

TLS is enabled using certificates, adding another vital layer of protection. Managing certificates, whether self-signed or issued by external Certificate Authorities (CA), remains a painstaking task due to the large number of certificates involved in a typical telco deployment. From setting up the Root CA to implementing the chain of trust, the telco operator looks for flexibility in the certificate configuration, not just limited to configurable expiry but also for functionalities like auto-renewal.

A comprehensive approach to network security includes network segmentation, which divides the network into distinct network zones. For example, Operations, Administration, and Maintenance (OAM) traffic is separated from other traffic classes, such as user data, signaling, or network control. Intra and Inter-zone communication is further secured by using techniques like firewalls and Access Control Lists (ACL). This approach minimizes the potential impact of breaches by isolating critical systems from other areas.

Network security expectations extend deeper into the lower layers of the Internet Protocol, focusing on mitigating risks at the foundational level. For instance, filtering out packets with unnecessary options in IPv4 or extension headers in IPv6 helps address potential vulnerabilities, such as Denial-of-Service (DoS) attacks.

Secrets management

Secrets, such as passwords, tokens, and configuration files, are crucial components of the infrastructure. Sensitive data needs to be protected. Secret management ensures that these values are securely stored and accessed only by authorized entities. Encryption is vital for securing secrets at rest, ensuring that even if storage is compromised, the data remains unreadable and protected.

For added security, some operators mandate to store secrets utilizing the Key Management System (KMS). This approach centralizes secret management outside the application environment, enhancing security. KMS ensures secrets are properly rotated, revoked, and audited, thus minimizing the risk of exposure.

Software integrity in telco

Cloud-native network functions (CNF) that operate as applications on telco infrastructure play a transformative role in modern telco networks by delivering scalable, efficient, and flexible solutions to growing telco needs. CNFs enable network orchestration by dynamically scaling in or out based on varying traffic conditions. The latest images from a central registry are used to deploy the CNF during each scale-out operation.

In a 5G network, key CNFs include access and mobility management function (AMF), session management function (SMF), policy control function (PCF), and user plane function (UPF). UPF, for example, handles data transfer between users and the network, performing vital tasks like packet processing and traffic management. Spyware infection in this network function could result in data leaks, exposing sensitive information to unauthorized entities and posing a severe threat to national security.

This is where software integrity becomes indispensable. It validates software authenticity during installations, updates, and scale-out operations, preventing tampering or unauthorized modifications. Tools like Cosign, for signing CNF artifacts and Sigstore, for verifying signatures, can help achieve this. By safeguarding CNFs, telco operators can ensure their networks remain secure against evolving threats.

The importance of auditing in telco security

"Audit helps ensure that people don’t abuse positions of trust," says Bruce Schneier, a renowned security technologist. The importance of auditing in telco is also discussed in the observability blog, which is part of this blog series.

In the telco world, an audit trail is another crucial regulatory requirement. Auditing provides clear visibility into system activities, ensuring accountability and enabling proactive security measures.

Key events such as user activity and configuration changes must be meticulously logged to create a reliable audit trail. Secure logging mechanisms like append-only restrictions and protection from tampering or deletion ensure log integrity. This not only supports compliance and forensic investigations but also helps trace unauthorized activities, enabling swift corrective actions to safeguard the network.

Collaboration for a secure future

Telco networks are the backbone of global communication, carrying sensitive data that demands strong protection. Ensuring telco security requires a multifaceted approach, from strong access control and system hardening to advanced network security, secrets management, software integrity and auditing. Adhering to global regulatory standards and leveraging advanced techniques like TLS, IPSec and network segmentation are not optional but are essential for safeguarding critical infrastructure.

Security in telco is a continuous journey. It requires constant vigilance, adaptability, and a commitment to protecting the systems. The number of devices connecting to the networks is rapidly growing. With IoT, telco has become the backbone for emerging technologies reshaping industries. From autonomous vehicles to robotic surgeries, the potential impact of telcos on human life is unimaginable.

Telco networks carry enormous responsibility to protect the entire ecosystem. Achieving this level of security is only possible through strong collaboration between telco operators and infrastructure providers. Together, both are on a journey to ensure that the networks remain resilient against emerging threats while meeting the demands of the end subscribers and enterprises.

For more information about our Telco services visit our Telco industry page.

About the author