TalkTalk strengthens access control ahead of strict new cybersecurity rules
Recent times have seen a growth in cyber threats facing the telecommunications industry. Indeed, the sector is responsible for complex and critical national infrastructure, meaning the impact of any successful attack is likely to be both significant and widespread, says Mark Warren, product specialist, Osirium.
To combat the threat landscape, the Telecommunications (Security) Act 2021 (TSA) was introduced by the UK government to improve the resilience and security of telecoms infrastructure to ensure it maintains availability during emergencies, such as cyberattacks.
Under the TSA, the government, with the support and guidance of the National Cyber Security Centre (NCSC), retains the ability to implement regulations and recommendations designed to improve the resilience of telecommunications providers.
Under these new regulations, enforced by Ofcom, UK telecoms companies can face fines of up to 10% of turnover or £100,000 a day if they fail to follow industry guidelines to protect their networks against cyberattacks. To avoid such penalties, providers must, by March 2024, take action to secure their data and the critical functions that allow networks and services to be operated.
Leading UK telecoms and broadband provider TalkTalk set its sights on building the required security posture well in advance of the 2024 deadline.
As a result, the firm recognised that user account management would be a key challenge to address. Indeed, many of the recommendations considered for TSA compliance include management of privileged access to services and devices that are components of critical national infrastructure.
The logic is simple: the fewer people who have privileged access within an organisation, the better protected it is.
To achieve compliance, both now and into the future, TalkTalk would need to ensure that:
- The right people were members of the right groups;
- Access permissions were correctly linked to these groups for new starters;
- Permissions were updated when staff moved between teams or left the company.
To achieve these goals, the company needed to find a solution that enabled it to reduce its attack surface through the tight control of user access to critical services and devices.
User workstations are a significant entry point for attackers, with many laptops and desktop systems to manage. TalkTalk’s challenge was to remove powerful access rights from those who didn’t legitimately need them, without interfering with the work of users such as software developers and engineers who did.
Further, the company also sought to eliminate the need to manually create users and update groups, a process that was time consuming and prone to errors.
To reduce its attack surface, TalkTalk turned to privileged access management (PAM), a solution capable of determining which systems and services users can access, and with what privilege level.
It became clear that user management would need to be a priority as ongoing staff changes significantly impact the Access Control team. For this reason, the firm also looked to embrace Osirium Privileged Process Automation (PPA).
PPA is a secure, flexible framework for automating IT and business processes. Manually creating users and updating groups is time consuming, and errors can occur. With PPA, this is done automatically, reducing the load on the Access Control teams and improving security.
Although PPA can run standalone, TalkTalk used its integration capabilities to connect it with its HR system. Now, when the HR team adds a new starter, the necessary user accounts and appropriate groups are created automatically. Similarly, the identity store is automatically updated when someone moves between teams or leaves the organisation.
“Manually creating users and updating groups is time consuming, and errors can occur,” says Brent Alldred, principal security architect at TalkTalk. “The last thing you want is someone to have too much access by being in the wrong group or not having enough access to do their work.”
Another focus area was improving the processes for updating user workstations (laptops and desktops), which would include the removal of local admin rights from some teams that historically had these enabled.
At the same time, however, certain user groups still require privileged access to undertake critical work-related tasks. Software developers, for example, need administrative-level changes in order to connect to development environments.
Having chosen to adopt Osirium PAM and PPA, TalkTalk in turn considered Privileged Endpoint Management (PEM) as a solution capable of addressing this.
PEM allows organisations to remove local administrator rights from users, while at the same time enabling them to have escalated privileges only for specific processes and executables. By running PEM in “Learning mode,” TalkTalk can roll out PEM on a team-by-team basis, creating policies before turning on enforcement mode to reduce any impact on the user’s work.
Working with the TalkTalk team over several years has shown how important privileged access security is for securing critical infrastructure. With these solutions, the telco has been able to achieve the following:
- Secure critical infrastructure by ensuring that the right people have the right access permissions to do their work, when they need them (and only then).
- Remove local admin rights from some teams that historically had these enabled, using privileged endpoint management.
- Automate tasks such as updating systems when a new starter joins, someone moves teams or leaves the organisation, reducing the load on the access control team and improving the accuracy of the process.
Further, TalkTalk has also realised the business benefits of looking beyond the traditional view of security systems. In using modern, secure technologies and techniques, the company has been able to transform how it operates, demonstrated by the automation of access management.
Indeed, not only has the telco been able to improve compliance, but these solutions have also helped it to drive down business risks and operational costs.
Moving forward, it is anticipated that the TSA will continue to expand its scope to further improve cyber security and resilience in critical national infrastructure. Future evolutions may include a requirement for programmatic updates to network infrastructure by 2025, for example, something that TalkTalk would be well placed to manage through Osirium Automation.
The author is Mark Warren, product specialist, Osirium.