How APIs are accelerating digital transformation for telcos but also present security issues

The telecommunications operating model has become much more complex in recent years and is undergoing tremendous change. Like most verticals, telcos and communication service providers (CSPs) are looking to accelerate their digital transformation initiatives to connect with partners and customers more effectively and expand their businesses by creating a broader digital platform.

Facing narrowing margins, telcos are looking for ways to innovate and differentiate themselves in the market, says Filip Verloy, technical evangelist, Noname Security. But to achieve faster growth, telcos must focus on building stronger partnerships and integrations with digital service ecosystems. Such partnerships will enable them to become a marketplace to sell their own products, as well as non-telco services, thereby increasing revenue and enhancing customer experience.

How APIs are powering third-party data exchange

Imagine paying for additional services, such as parking or charging your electric car, directly through your telco bill. This kind of interconnection and opening-up of back-end services is powered by application programme interfaces (APIs), which enable a third party to exchange data. Another example is Belfius and Proximus, who last year launched Beat for customers in Belgium: a personalised, modular monthly subscription that, for the first time, provides a combined banking and insurance offering with a telecoms package.

To successfully connect with their partner ecosystems, telcos must move away from single-use features towards reusable systems that not only drive down costs, but avoid redundancies and downtime. They need to enable both internal and external developers to consume APIs more easily while helping them to deliver APIs in a more secure way.

However, although the telco industry was one of the first to take an active interest in APIs, carriers have not fully capitalised on the business opportunities APIs present. Now as web and mobile technologies continue to evolve, it has become essential for every telco to develop a serious API publishing programme. Consumers increasingly expect telco services to be embedded into a range of platforms, mobile devices, web browsers and games consoles.

To open up services for reuse across multiple ecosystems, telcos and CSPs are looking to collaborate via open APIs, enabling them to build more adaptable and robust solutions, while reducing complexity, costs and timescales for integration projects. To this end, many telcos have signed an Open API Manifesto. It recognises that by using and endorsing a suite of common industry Open APIs, a number of growth and efficiency opportunities can be unlocked.

The Manifesto underscores the importance of interoperability and standardisation and, to date, 133 CSPs and technology ecosystem participants have signed it. According to Lester Thomas, chief systems architect at Vodafone Group: “A critical advantage of platforms and APIs is that they provide an evolutionary path from the current telco operating model to the future Network-as-a-Service model.”

5G, IoT and telco edge cloud are enabling innovation 

As the global telecom API market continues to expand, it is expected to be worth around US$1.2 trillion (€1.21 trillion) by 2030, according to Precedence Research. Another key factor driving this growth is the deployment of 5G technologies and IoT networks.

5G and IoT need an open API network to bring critical use cases to market. APIs help to bridge the gap between mobile operators and IoT developers. But for IoT applications to scale accordingly, telcos need to make network data accessible and consumable for application developers who aren’t 5G experts. There are a lot of companies who want to explore 5G use cases, but who aren’t experts in the telecom or networking space.

Here, an API-based platform will enable an ecosystem of non-telco partners to build 5G-dependent applications. For example, if you have 100,000 IoT sensors in the field and just 2% of them are reporting network errors, it’s a tremendous amount of work to diagnose those errors. But with APIs in the underlying network, the application can automatically get QoS data, analyse it, and take appropriate action. This enables the secure exposure of network services to third-party applications via APIs and provides an integration layer that connects the application to the operator’s network.

5G offers improvements in latency, speed, and bandwidth, but that means we will also see more devices on the network which will open new models of interaction and data processing via APIs.

Today, telcos are looking at Kubernetes as an edge platform to help with the move to cloud-native functions and the adoption of various open-source edge projects, because of the large developer ecosystem behind Kubernetes. Telco edge cloud locations provide 5G connectivity, but telco back-end services remain centralised. These are consumed by the edge via APIs and this needs to happen securely.

However, there is an acute problem with Kubernetes and cloud security today. APIs are often one of the weakest links in cloud infrastructure management because they are usually at the heart of the control plane that handles configuration of cloud infrastructures and applications. The Shadowserver Foundation recently scanned 454,729 Kubernetes servers, finding that more than 84% were accessible via the internet, thus providing a cracked door into the corporate network.

Telco API security is a legitimate concern

To this point, traditional telco equipment is inherently insecure. It was designed to be hosted behind vault doors. One of the key concerns around opening telco APIs for calls and messaging to developers is malicious and fraudulent usage. Therefore, while telcos need to engage third parties and digital ecosystems to build new services and revenue streams, their core networks are not built for this. Recent cyber security incidents demonstrate how vulnerable telcos, and their customers, are to a wide variety of threats including DDoS, ransomware and SS7 attacks, as well as attacks that exploit vulnerabilities in APIs and web servers.

As outlined above, IoT has exploded in terms of its application with connected devices, creating more entry points in the process. Not all of these points are properly secured, and this leaves user, client and company accounts exposed. For example, in 2019 the BBC reported an API flaw in the mobile app of India’s Bharti Airtel. This potentially exposed customer data, including mobile numbers and IMEI numbers, of around 300 million Airtel customers.

Other telcos have suffered similar API flaws. In 2017, T-Mobile USA announced it had notified 2.3 million customers of a risk that a subset of their personal information had been exposed by an identity and access management flaw in the APIs presented when customers were accessing their accounts via T-Mobile’s website. Recent research from Noname Security and 451 Research found that 41% of organisations had an API security incident in the last 12 months. Of those, 63% involved a data breach or data loss.

The scope of the potential API attack surface in telcos’ modern application and cloud infrastructure is huge. Our research highlighted that large enterprises, on average, have more than 25,000 APIs connected to or operating within their infrastructure.

Ultimately, the digital transformation of telcos relies on APIs and apps moving to public clouds, which unfortunately exposes APIs to cyber security risks. As telcos look to expand their services and integrate and engage with their digital ecosystem, API security will be paramount to protect them against such attacks.

The author is Filip Verloy, technical evangelist, Noname Security.
