CISO Roundtable: Telecoms on the Virtualisation/Cloudification Journey
During the first day of International Cyber Expo 2022 (27th September), Digital Security by Design sponsored a roundtable with 10 senior cybersecurity professionals, from CISOs to Lead Cyber Security Engineers, to explore the challenges and opportunities that arise as telecom networks, vendors and operators migrate their systems and applications to virtualised and cloudified platforms. What follows is a summary of some of the insights that emerged from this discussion.
Towards Virtualisation and Cloudification
The advancement of the telecoms industry from old, physical infrastructures towards cloudification and network virtualisation varies substantially from one organisation to the next. Although some may be fully cloud-based today, others continue to rely heavily on wired networks and on-premise data centres. This is largely dependent on the type of applications that are created, and their workloads. Modern technologies that utilise blockchain and AI, for example, are more likely to be developed in the Cloud, compared to legacy systems. Regardless, whether by choice or not, there was a general consensus in the room that at some point or another, a portion of all enterprises would inevitably operate in the Cloud. It may not be with one’s core network equipment, but it could be introduced through HR, finance or other supporting departments.
Our society is heavily data-centric. Indeed, in 2017, research showed that 90% of all data generated in the world had been created in the two preceding years. That's 2.5 quintillion bytes of data a day. Fast-forward almost 5 years, taking into account the growth of the Internet of Things (IoT) and a pandemic that instigated a shift towards remote working, and you can understand why many telcos have been pushed to their capacity. To accommodate the colossal influx of data, many needed, and still need, a means to increase bandwidth and scale. Cloud and virtualisation provide this benefit, even if they are not yet considered a necessity.
As one attending CISO put it, “telcos should start calling themselves ‘datacoms’ because data communications is where everything is moving to”. Take the voice channel: voice is decreasing as people no longer use it as frequently, and/or it is being folded within data channels. Consumers are demanding greater data bandwidth as opposed to voice calls and SMS. In light of this, telcos must adapt. A participant offered the banking space from a decade ago as a comparison for what we are likely to see in the years to come.
Back then, disruptors such as Monzo and Starling were able to spin up quickly because they were not tied down to a mainframe in a data centre. Utilising data only, they were able to leverage cloud services to move quickly and be more agile. Today, the telco industry will likely meet the same fate – just look at the number of cloud-native video conferencing platforms that prospered over the pandemic.
Nevertheless, the participants raised a number of challenges that may explain the relatively slow adoption of cloud computing within the sector.
Challenges to Cloudification
First is the issue of decentralisation, as endpoints within one’s protective environment begin to disappear and move elsewhere. More importantly, the data that is being stored and transferred is boundary-less. However, the rules and regulations that govern it are not; they are largely nationalised. Over the last three to five years, different countries and regions have brought in data localisation laws or data sovereignty rules. For instance, through GDPR, the European Union has requested that all data collected on its citizens stay within European borders. In the United States, similar demands are being made with the California Consumer Privacy Act (CCPA). As more people become aware of data privacy and security, the geolocation of data has increasingly been prioritised by regulators. This creates additional complexities for organisations and, in some cases, leads to a decision to repatriate from the cloud altogether, choosing instead to play safe and keep data within their own data centres, under their own control.
Interestingly, though intended to protect data, these regulations may be due for some adjustments. One participant shared a conversation he had with a telco in Poland, who was disappointed to hear that copies of his organisation’s data were not secretly stored abroad. You see, having all of the company’s data within the country, next to a belligerent neighbour (Russia), did not bode well for them. Perhaps a tongue-in-cheek anecdote, but it does raise serious concerns of potential data disruption.
Another challenge is simply the operational risk and cost of transforming an entire infrastructure, made up of technologies – routers, amplifiers, microprocessors etc. – patched together in an intricate network. And as the saying goes, “if it ain’t broke, don’t fix it”. Plus, there is a significant skills shortage; there are few people who know how to build cloud technologies and also specifically understand the ins and outs of the business in question.
Last but not least is the challenge of cybersecurity. Embarking on a virtualisation project, and particularly a cloudification one, is no easy feat and it is high risk. A single telco Cloud likely has to sustain numerous vendors, with lots of different infrastructure. Yet it is not just one cloud that is needed, but multiple, many of which may link to a third party. That is a lot of moving parts, all with their own unique set of security policies and standards, managing masses of sensitive data. Fortunately, the industry is hyper-aware of the risk and does actively take steps to protect the data. Nevertheless, roundtable chair, Professor Lisa Short, questions this approach, likening it to a piece of chocolate.
Professor Short explained: “It’s a bit like the soft and hard centre of a piece of chocolate. At the moment, we are continually adding protective layers on the outside of data which is fairly gooey. Most cybersecurity solutions are about hardening the outside and preventing intrusion. But, if you bite on the chocolate, the soft core - or data - oozes out.”
What if we were to change our mindset slightly and begin by hardening the core? What if we can go down to the source of insecurity and build security in by design with network operators, who are supporting our critical network infrastructures? If the centre is hardened, you can continue to add protective layers to stop intrusions, but the added benefit is that the data won’t leak out when it’s bitten into.
That is exactly what the UK government endeavours to introduce through the UKRI Digital Security by Design initiative, in cooperation with the University of Cambridge, Arm and other industry players. The approach starts with hardware security, using prototype CHERI extensions in an Arm processor to overcome critical vulnerabilities.
In doing so, the telecoms industry can combat some of the very issues that are slowing it down. One way is by providing organisations with a good basis for compliance with the recently established Telecommunications Security Act, which requires operators to put more security measures in place. Moreover, the vast majority of customers expect that telecoms operators will take the necessary precautions to keep their data safe. Failing to do so is a breach not only of responsibility but of trust, and could be detrimental on a commercial front. Conversely, building security in by design can have huge branding advantages in the same way Apple benefits from having ‘secure’ devices. Finally, having security built in rather than added on helps create a stronger business case for one solution over the other. It is clear security is important but when it comes down to costs, it is not always prioritised.
Granted, this is easier said than done but if the industry hopes to succeed in the years to come, whilst warding off the ever-present cyber threats, something must change. What better way to do so than by tackling the problem at its core.
What are the next steps?
Organisations interested in testing out this new technology can do so by applying to Digital Security by Design through the Technology Access Programme (TAP).
The Programme has already welcomed 30 companies, each of which has been given the opportunity to experiment with the Morello Board and, for those with fewer than 250 employees, to receive £15,000 in funding. Applications to TAP opened on 11th of January 2023; successful companies will then be onboarded in Spring 2023.