The telecom and communications industry is undergoing unprecedented change. The ever-growing demand for higher connection speeds and lower latency means mobile and fixed-line service providers have had to significantly rearchitect their networks to support new technologies like 5G and IoT as well as wide-scale public projects such as smart cities and autonomous vehicle communication networks.
It’s also becoming clear that service providers are taking different approaches to their new network deployment architectures (and in some cases the same provider is taking different approaches depending on the deployment). Some have opted to simply upgrade their base stations to support 5G and relied on their existing aggregation and backhaul networks to handle the extra network load. Others have opted for a more cloud-based service approach, allowing telecom operators to make use of the offered services instead of upgrading their existing infrastructure. Further still, many providers are looking at partitioning and sharing a common open radio access network (Open RAN) to reduce installation and maintenance costs while expanding their coverage.
As telecom networks become more critical for communication and infrastructure, this change creates new security challenges and compliance burdens that must be addressed in an integrated and holistic way if they are to be tackled effectively. Not only does a telecom provider have the expected duty of care to protect personal customer information, but it must also secure the communications that flow across its network and protect the network itself from unauthorized or illegal use.
These security requirements exist at both an industry and regulatory level and typically cover three different aspects of security: namely preventing intrusions, detecting intrusions, and protecting the data itself. While the first two focus primarily on the network itself, the third piece of this puzzle is that of data protection, which aims to secure the data with cryptography as it crosses the network.
While all three of these categories should be applied to critical systems to deliver a robust, layered, and compliant security posture, for many providers’ IT security teams it is the first two that are the best understood and best funded. However, data protection is not only a vital pillar but also an increasingly mandated function. Regulations such as GDPR and Schrems II in the EU, as well as the requirement for protection of subscriber identity in the 3GPP specification, are getting increasingly specific about the data protection requirements for industries such as telecom. As such, the industry bodies that define standards and protocols for communications are setting more defined parameters for compliance as well. As part of these requirements, hardware security modules (HSMs) are becoming mandatory parts of a trusted cryptographic foundation for data protection in telecommunications.
In any situation, requirements that are necessary but not well understood risk being relegated to a “check the box” exercise. In the case of data protection, this can undermine not only the impact of those requirements but the overall security posture as well. We know from the Entrust Global Encryption Trends Study that only half of businesses have a consistent encryption strategy. Assuming the telecom industry falls broadly in line with the overall average, this means that while many providers will have some encryption tools in place, there may very well be gaps that could be exploited. This issue is exacerbated by a significant skills shortage within the IT security industry, also reflected in the study. Furthermore, cryptography is a specific technology that requires a clear understanding of the underpinning key management. As such, knowledge and experience of this skillset are generally in even shorter supply than in the wider cybersecurity industry.
Overcoming these challenges and making the most of the capabilities that a robust and well-implemented data protection solution can deliver requires not just the right technology but also the right partner. Entrust is a leader in cryptography and key management and a provider of certified HSMs. As such, Entrust has not only the depth of experience and breadth of portfolio but also the industry partnerships to enable operators to build data protection and key management into a sturdy pillar supporting a holistic network security strategy.
Look out for further blog posts in this series, where we will be taking a deeper dive into how to secure telecom networks at scale, the challenges of managing encryption across a distributed environment, and the role HSMs play in securing telecom networks.