Hwee Ming Ng, Red Hat, Abhilash Vijayakumary, Red Hat Telco over Cloud is rapidly changing the telecommunications industry landscape by introducing cloud computing, virtualization paradigms and software approaches already in use and mature in traditional IT environments. While designing the cloud solutions for telco infrastructure understanding its information security risks and mitigation strategies are critical. Legacy approaches are inadequate, this session intends to help the operators to build and approach a telco cloud solution with the right cloud security knowledge. In this session we intend to explain the principle technologies of telco cloud based systems and strategies for safeguarding/classifying data, ensuring privacy and ensuring compliance with regulatory agencies for telco operators. We will also describe the role of encryption in protecting data and specific strategies for key management as well as how to select an appropriate solution to specific business requirements which are in well alignment with cloud based business continuity / disaster recovery strategies. We will also compare baseline and industry standard best practices by doing risk assessments of existing and proposed cloud-based environments. Additionally, presentation will focus on specific technologies like virtual firewalls, security zones, virtual tenant networks and their mapping to various use cases/challenges which an operator faces while designing the telco cloud.

2. Securing the Telco Cloud
June 2017
Ng Hwee Ming Abhilash S V
Principal Technologist Cloud Solution Architect, Red Hat
APAC Office of Technology, Red Hat

3. THE CHANGING LANDSCAPENETWORK
SONET/TDM
WIREDWIRELESS
Gig-E
IPv6
IP
5G
NFV
WiFi/WiMax
Video
SDN
Hosted&
managed
Longdistance
(IXC)
Local(LEC)
Data(LECorIXC)
Video(MSO)
Security Storage
Voice Music Payments
Video Gaming
HYBRID CLOUD ENVIRONMENT
APPLICATIONSDEVICES
Handset/RJ45/Modem
CELL PHONESMARTPHONE PC/TABLET IoT/M2M
OLD LANDSCAPE
NEW LANDSCAPE

4. TELCO CLOUD SERVICES - PATHWAY TO NEW SERVICES
Enterprise
Telco Cloud
IaaS / PAAS
Branch Office
vCPE
Business Network
Services
V-EPC
GiLan
Cloud RAN / vRAN
MPN
Mobile Private
Network (MPN)
Media &
Gaming
Services
vCDN
IoT
SD-WAN
SD-WAN
SD-WAN
Internet
Mobile
Users
Devices

5. - NFV & SDN are disrupting the way telecom networks are going to be
built and managed becoming the foundation of modern networking
- Virtualization & Cloudification are key technologies to enable NFV
- Sharing resources is a major concern for security
- Cybersecurity national agencies want to define guidelines to ensure this
new foundation is secure before allowing mass roll-out of sensible
network functions e.g. Lawful Intercept capable VNFs
- NFV & SDN can also be a way to mitigate more efficiently security threats
- Bottom line is that security can slow down or even block NFV deployment

6. TELCO CLOUD INFRASTRUCTURE - RISKS
RISKS
POLICY
RISKS
GENERAL
RISKS
VIRTUALIZATION
RISKS
NON-CLOUD
SPECIFIC
RISKS
CLOUD
SPECIFIC
RISKS
LEGAL
RISKS

7. WHO IS LOOKING AT IT ? THE MAJOR NFV SECURITY
STAKEHOLDERS

8. FRAMEWORKS FOR CLOUD COMPUTING
• ISO/IEC 27017:2015 Information Technology-Security Techniques-Code of
Practice for Information Security Controls Based on ISO/IEC 27002 for Cloud
Services
• Organization for Economic Cooperation and Development-Privacy and Security
Guidelines
• Asia-Pacific Economic Cooperation Privacy Framework
• EU Data Protection Directive

9. BUILD CLOUD WITH SECURITY STANDARDS
• ISO/IEC 27001:2013
• ISO/IEC 27002:2013
• ISO/IEC 27017:2015
• SOC 1/SOC 2/SOC 3
• NIST SP 800-53
• PCI DSS

10. KEY SECURE CLOUD DESIGN PRINCIPLES
Protections to enable trust
Cross Platform Capabilities
Access, Administration,
Resiliency
Delegate or Federated Access
Secure and Ease of Access &
Adoption
Identification, Authentication,
Authorization, Administration,
Auditability
Elastic, Flexible, and Resilient,
supporting multitenant platforms
Multi level protection- Network, OS,
Application Security
1
2
3
4
5
6
8
7

11. CLOUD SECURITY - A LAYERED APPROACH - WHY ?
• Multitenancy
• Loss of Control
• Network Topology
• Logical Network Segmentation
• No physical endpoints
• Single Point of Access
PERIMETER NETWORK
PHYSICAL RESOURCES
HYPERVISOR
TENANT NETWORK
HOST OS
APPLICATION
DATA

12. CLOUD SECURITY - A LAYERED APPROACH -
INFRASTRUCTURE
• Infrastructure Layer
• VM attacks, Virtual network, Hypervisor attacks, VM-based rootkits
• Virtual switch attacks
• DoS attacks, Colocation
• Insecure Interfaces and APIs
• Denial of Service

13. CLOUD SECURITY - A LAYERED APPROACH -
APPLICATION PLATFORM
• System and resource isolation
• User level permissions
• User access management
• Protection against Malware, Backdoors and Trojans

14. CLOUD SECURITY - A LAYERED APPROACH -
SOFTWARE
• Data segregation
• Data Access and Policies
OWASP Top 10 Security Threats
• A1- Injection
• A2- Broken Authentication and Session Management
• A3- Cross-site Scripting(XSS)
• A4- Insecure Direct Object References
• A5- Security Misconfiguration
• A6- Sensitive Data Exposure
• A7- Missing Function Level Access Control
• A8-Cross-Site Request Forgery
• A9- Using Components with Known Vulnerabilities
• A10- Unvalidated Redirects and Forwards

15. COMMON PITFALLS - CLOUD SECURITY APPLICATION DEPLOYMENT
• On-Premises Does Not Always Transfer(and Vice Versa)
• Not All Apps are "Cloud-Ready"
• Lack of Training and Awareness
• Lack of Documentation and Guidelines
• Complexities of Integration
• Overarching Challenges

16. CLOUD DATA STORAGE, SECURITY & THREATS
TYPES OF STORAGE
• Volume Storage, Object Storage, Structured, Unstructured, Information Storage and
Management, Content and file storage, Ephemeral storage, Content Delivery Network, Raw
Storage, Long-Term Storage
DATA SECURITY
• DLP: Data Leakage Prevention or Data Loss Protection, Encryption, Obfuscation,
Anonymization, Tokenization, Masking
THREATS
• Unauthorized usage/access, Liability due to regulatory noncompliance, Denial of Service and
Distributed denial of service, Corruption, modification and destruction of data, Data leakage
and breaches, Theft or accidental loss of media, Malware attack or introduction, Improper
treatment or sanitization after end of use

17. CLOUD DATA STORAGE - ENCRYPTION &
SANITIZATION
• Data In Transit (Data In Motion)
• Data at Rest
• Cryptographic Erasure
• Data Overwriting

18. CLOUD DATA STORAGE - KEY MANAGEMENT &
ACCESS CONTROLS
Common Approaches to Key Management
• Remote Key Management Service(KMS)
• Client Side Key Management
IAM and Access Control
• Provisioning and deprovisioning
• Centralized directory services
• Privileged user management
• Authentication and access management

19. AUTOMATION USE CASES - SECURE CLOUD
Automation Starts with Notifications. When a vulnerability is detected:
• Its severity is assessed
• A security patch or an interim solution is provided
• This information is entered into a system
• Automated email notifications are sent to predefined accounts in a straightforward process
Areas for automation:
• Telco Cloud Orchestration
• Predicting failures
• Analysing Service Failures & Protecting SLAs
• Security Patch applicability
• Creation of tracking records and their assignment to predefined resolver groups, in-case of
matching
• Change record creation, change approval, change implementation
ANSIBLE
AUTOMATE
PROCESSES &
DEPLOYMENTS
ManageIQ
DELIVER SERVICES
ACROSS HYBRID
CLOUD

20. AUDITING THE CLOUD INFRA/SERVICES
• Internal Audit
• External Audit
CLOUDFO
DELIVER SERVICES ACROSS
YOUR HYBRID CLOUD
Hybrid Cloud Management
Self-Service Provisioning
Policy-driven Compliance

21. Summary
• Telco cloud is complex in terms of security
• Take a holistic layered approach towards security
• Automation is key
• Security is a continuous exercise

22. Thank You
Questions ?
hwng@redhat.com
nhweemin
asv@redhat.com
amAbhilash