A security checklist for cloud-based business support systems
Before considering moving their customer-facing processes, such as billing, into the cloud, operators should take a closer look at physical and logical security needs. Netcracker Technology’s Samuel S. Visner, security director, and Scott Sykes, senior director, Global Security Organisation, report for VanillaPlus.com.
- Both physical and logical security are vital and should be managed in tandem
- Rigorous asset management must be part of an overall security plan
- Governance, risk and compliance are critical to the security of an enterprise’s technology environment
As operators begin or continue their digital transformation journey to reap benefits such as improved customer experience, improved operational efficiencies, lower costs, increased revenue and faster time to market, they are making the cloud a major factor in this process.
This consideration exists because moving applications and functions into the cloud can deliver significant cost savings for operators, allowing them to focus on their core business rather than on IT operations. One key area operators are targeting for migration to the cloud is their business support systems (BSS), which generally consist of critical customer-facing functions such as revenue management and customer relationship management.
Because the BSS is tasked with managing customer data, any deviation in its deployment and day-to-day operations is justifiably scrutinised, especially when operators move those services into a cloud environment. But questions remain on how to secure information that might exist only in the cloud and how to ensure it remains safe in a world becoming 5G-enabled.
Physical and logical security
There are several cloud-based options for operators considering the move of BSS into the cloud – public, private and hybrid – but today, many telcos are still undecided about the best path forward. A mix of attitudes and approaches makes that decision all the more complicated, but it essentially boils down to how comfortable operators are with allowing sensitive data to be processed and stored off-site.
Securing BSS functions and data involves various steps at multiple layers to ensure that personal information is not vulnerable to exploitation (theft), attacks on its integrity, or even ransomware. A critical layer that can’t be overlooked is the data centre or centres where these systems are hosted. Whether a data centre is owned and operated by a telco or a hosting partner, physical security at that facility has to be taken seriously.
This consideration includes securing physical access to the facility by employees, as well as visitors; keeping a close eye on equipment that is coming into the data centre or being decommissioned and removed (i.e., rigorous asset management); managing environmental controls as well as alerts and alarms; and ensuring redundancy and backup power for all key systems.
In addition to the physical lockdown required in a data centre environment, operators must ensure that logical security for cloud-based applications and data is also tightly controlled. This includes ensuring segregation of their data from that of other tenants, and controlling which employees and visitors are allowed to access which resources. This can get tricky when users are spread across different geographic locations, as their access may be restricted according to where they are based.
Beyond this, monitoring of both the physical and logical domains can’t be an afterthought. This monitoring includes keeping track of account creation as well as account cancellation, just as server equipment is decommissioned at the end of its life.
Monitoring also encompasses looking for red flags, such as suspiciously large data downloads or anything else that is out of the norm for a particular user or users. Such monitoring, which is part of an enterprise’s governance, risk, and compliance (GRC) programme, is vital to the overall security of any enterprise’s technology environment.
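The two monitoring checks described above, flagging a user whose download volume is far outside their own norm and catching accounts that were never cancelled after their owner left, can be expressed as simple detection logic over an audit log. The following is an added example, not code from the article or from Netcracker; the log format, event names (`download`, `account_created`, `employee_left`, `account_disabled`), the constructed sample lines and the threshold values are all assumptions made for illustration.

```python
"""Added example (not from the article): two monitoring checks over an audit log.

1. Per-user download volume anomalies: a day's total is compared with the
   median of that user's other days, so a user is judged against their own
   baseline rather than a global threshold.
2. Orphaned accounts: users recorded as having left whose account was not
   disabled within a grace period.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

# Constructed sample audit log (not real data). Assumed line format:
# <ISO-8601 timestamp> <event> key=value ...
SAMPLE_LOG = """\
2024-02-01T08:00:00Z account_created user=contractor1 by=admin
2024-02-15T17:00:00Z employee_left user=contractor1
2024-03-01T08:00:00Z account_created user=contractor2 by=admin
2024-03-01T09:00:00Z download user=alice bytes=52000000 src=billing-db
2024-03-01T10:30:00Z download user=alice bytes=48000000 src=billing-db
2024-03-01T11:00:00Z download user=bob bytes=5000000 src=crm
2024-03-02T09:15:00Z download user=alice bytes=50000000 src=billing-db
2024-03-02T09:40:00Z download user=bob bytes=6000000 src=crm
2024-03-02T18:00:00Z employee_left user=contractor2
2024-03-03T09:05:00Z download user=alice bytes=47000000 src=billing-db
2024-03-03T10:00:00Z download user=bob bytes=5500000 src=crm
2024-03-04T02:10:00Z download user=alice bytes=9000000000 src=billing-db
2024-03-05T08:00:00Z account_disabled user=contractor2 by=admin
2024-03-08T17:00:00Z employee_left user=dave
"""


def parse_log(text):
    """Parse log lines into dicts; numeric values become ints."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, event, *fields = line.split()
        rec = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "event": event}
        for field in fields:
            key, _, value = field.partition("=")
            rec[key] = int(value) if value.isdigit() else value
        events.append(rec)
    return events


def daily_download_totals(events):
    """Sum downloaded bytes per user per calendar day."""
    totals = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["event"] == "download":
            totals[e["user"]][e["ts"].date()] += e["bytes"]
    return totals


def flag_volume_anomalies(events, factor=10, min_baseline_days=2):
    """Return (user, day, total, baseline) for days far above the user's median.

    A day is only judged once the user has at least min_baseline_days of other
    days to form a baseline, which avoids flagging every new user's first day.
    """
    flagged = []
    for user, per_day in daily_download_totals(events).items():
        for day, total in sorted(per_day.items()):
            others = [b for d, b in per_day.items() if d != day]
            if len(others) < min_baseline_days:
                continue
            baseline = median(others)
            if total > factor * baseline:
                flagged.append((user, day.isoformat(), total, baseline))
    return flagged


def flag_orphaned_accounts(events, as_of, grace_days=7):
    """Users who left more than grace_days before as_of and were never disabled."""
    left = {}
    disabled = set()
    for e in events:
        if e["event"] == "employee_left":
            left[e["user"]] = e["ts"]
        elif e["event"] == "account_disabled":
            disabled.add(e["user"])
    grace = timedelta(days=grace_days)
    return sorted(u for u, t in left.items() if u not in disabled and as_of - t > grace)


def run_checks(log_text=SAMPLE_LOG, as_of_iso="2024-03-10T00:00:00Z"):
    """Run both checks and return their findings in one dict."""
    events = parse_log(log_text)
    as_of = datetime.fromisoformat(as_of_iso.replace("Z", "+00:00")).astimezone(timezone.utc)
    return {
        "volume_anomalies": flag_volume_anomalies(events),
        "orphaned_accounts": flag_orphaned_accounts(events, as_of),
    }


if __name__ == "__main__":
    for name, findings in run_checks().items():
        print(name, findings)
```

On the sample log, alice's 9 GB pull on 2024-03-04 is flagged against her roughly 50 MB daily median, bob's steady usage is not, and contractor1 is reported as an orphaned account because no `account_disabled` event followed the departure, while dave is still inside the grace period. Comparing each user with their own history is what lets the check catch "out of the norm for a particular user" without a single global threshold that would be too loose for light users and too tight for heavy ones.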
Contemporary security solutions provide a unified approach to visibility and management across logical and physical security systems. For example, the National Institute of Standards and Technology’s National Cybersecurity Center of Excellence has published a practice guide (and reference architecture) for the energy industry to unify the security management of physical, IT, and operational systems, an approach worth considering for any industry working across logical and physical domains.
Safe and sound
Operators considering the cloud for BSS and customer data have a lot to consider as they undergo digital transformation. Working with a trusted partner to solve their business challenges can make it easier for operators to focus on their customers rather than their IT operations.
The resulting secure environment will allow operators to enjoy increased scalability and the ability to handle peak traffic spikes, consolidation of systems, CAPEX and OPEX savings, and ultimately grow their lines of business and services.
The authors are Samuel Visner, security director, and Scott Sykes, senior director, Global Security Organisation
About the authors
Samuel Visner is the director of the National Cybersecurity Federally Funded Research and Development Centre (MITRE), sponsored by the National Institute of Science and Technology. He also serves as the security director for Netcracker Technology Corporation and as a member of the Cyber Council of the Intelligence and National Security Alliance and the Cyber Committee of the Armed Forces Communications and Electronics Association.
Scott Sykes is the senior director of Global Security Organisation at Netcracker Technology, in Boston, and a former board member of the Virginia Cyber Security Partnership, in Richmond, VA.