Holistic Security Primer: Top of the tip of the iceberg
Holistic security is quint essential for any form of enterprise, be it public or private sector. Achieving holistic security by considering security from the very beginning is probably the best way but it is never seen in practice. Still, holistic security can be achieved in step-by-step fashion if one has understanding of the complete picture.
Earlier this year during a security workshop I heard a presentation by Patrick Donegan of HardenStance on mobile communications security that resonated with my considerations for holistic security. I am writing this article building on this holistic security consideration that can be applied to any system and is thus not limited to mobile networks only.
Securing a mobile network is often considered a job that is purely related to network security only, but is this true? What should be considered when talking about holistic security of a mobile network? The response to these questions will give us an understanding of holistic security for mobile networks. In this short article we look at holistic security considerations for mobile networks.
When considering holistic mobile network security one should consider the following 5 parts:
- Enterprise or IT network
- Mobile network services
- Mobile network itself
- Customers
- Security incidence and response
All 5 of the parts above are interrelated and thus together achieve mobile network security. Let us look at the relation briefly below.
Enterprise network security entails security of procurement, facilities security that includes physical security, human resources associated security, infrastructure and end-devices security and, believe it or not, much more. Fascinating thing is that, like it or not, due to several possible reasons, the enterprise network often ends up connecting with the mobile network (if you say not in your case then it is very likely that you do not know your network). Connectivity between the two networks already should give you some warning but that can be solved. There is much more: do you know who in your company has access to which physical location? What is a given person allowed to access in the enterprise network? What are the permissions to a given person based on HR regulations? What action is taken when a person leaves the company? How are all these activities (physical access, network access, end-device access etc.) managed “together”? How does it work when ease of use and security meet each other in relation with identity management and privileged access?
Allow me to stop here and let you think about how the enterprise security itself could have a huge impact on security of the mobile network.
Now let’s move towards the mobile network services side. The mobile network services constitutes of OSS, BSS, orchestration and any applications or services provided to the customer. As for enterprise security, we should consider security of these services first.
Followed by that, one has to consider security of connectivity between the services and to the network. In general, interface related security can be achieved with standard means, but how about access to these services itself? Identity management, a field in itself, together with security, plays a key role here. How do you access these services for any purpose? How do you make these services flexible to cater for a wide range of usage? How are these services connected to enterprise security? What security is provisioned for API?
Next is the mobile network itself. In today’s mobile network we are talking about a very different set of security than before. One starts with security considerations of a variety of hardware, OSes, virtual machines or containers and then an application on top of all of this. The application on top is the mobile network as we know of. Besides that, what about the TCP/IP stack security? What about the perimeter security? Security for access to network functions, how should it be and how should it be managed? What is the relation with identity management here? What about enterprise access considerations? These are just a few things to think about, as you can very well understand.
Customers associated security relates to security of the device, OS and apps that should cover all aspects of device security including all the things that makes a device smart. After all, a device can access the network and its services as well as impact customer experience. Customer subscription understanding together with adequate authorization and access control also becomes important. Then there are enhanced services with different requirements. How to provide flexible but still adequate security to different customers and thus associated services? How to secure the network from the customers itself?
The final point, security incidence and response, is very often also called as security operations center or SOC. Certainly the term SOC does not fit the purpose we are discussing well, i.e. the purpose here is to monitor and act on security incidences in an intelligent fashion. Where intelligence is in the form of minimizing resources, acting fast and effectively before any attack is successful as well as automation for corrective measures. One would thus call this a automated security incidence response & remediation (ASIRR).
Well, the above is just the very tip of the iceberg when it comes to proper holistic security consideration. There is much more hidden behind each point and then one also has to consider the automated security of complete network lifecycle – which we will cover in the next article.
Anand R. Prasad
Dr. Anand R. Prasad is a global leader and expert in information and cyber security who has delivered security solutions for 5G, 4G, virtualization, SOC, Wi-Fi, mobile devices, enterprise and built GRC processes from scratch.
Anand is Founder and CEO of wenovator LLC, a global provider of cybersecurity services and consulting with top-tier clients right across the telecommunications industry. Dr. Prasad is also a Senior Security Advisor of NTT DOCOMO, providing advise on all aspects of cybersecurity for the company, Advisor to CTIF and Advisory to GuardRails. Prior to which he was Chief Information Security Officer of Rakuten Mobile, the world's leading MNO with the very first cloud-native 4G / 5G network implementation. As CISO of Rakuten Mobile Anand led all aspects of enterprise and mobile network security from design, deployment to operations.
With over 20 years of experience, Anand has also held key roles in NEC, Genista, Lucent Technologies and Uniden. He is an innovator with over 50 patents, a recognized keynote speaker (RSA, GWS, MWC, ICT etc.) and a prolific writer with 6 books and over 50 peer reviewed publications. Anand was the Chairman of 3GPP SA3 where he led the standardization of 5G security. He did his ir (MScEE) and PhD from Delft University of Technology, The Netherlands. He is a Fellow of IET, Fellow of IETE and CISSP. Anand is Editor-in-Chief of the Journal of ICT Standardization and Co-Founder & Co-Editor of Cybersecurity Magazine.
Very nice overview and briefs about that security is a part and parcel of any secure product design and development.