2. PUBLIC
Overview
Telco cloud computing is a term used to describe the cloud-based services and infrastructure provided by telecommunications companies, or Telcos. New-age technology like Telco Cloud empowers CSPs (Cloud Service Providers) to gain the highest levels of agility, flexibility, and scalability. But shifting to a next-generation cloud architecture can be a double-edged sword.
Need for Cyber Risk Assessment / Possible Cyber Security Risks
The adoption of new technologies such as SDN (Software Defined Networks), APIs (Application Programming Interfaces), and DevOps increases the number of connected devices and services, thereby expanding the attack surface and potentially exposing the Telco Cloud to more cyberattacks. A typical telco cloud infrastructure is shown in the diagram below.
Based on this architecture, the following risk domains need cybersecurity risk control measures in place for a robust telco cloud infrastructure:
• Internal IT domains (e.g., corporate apps, e-mail, web browsing, social media)
• Support systems (e.g., OSS/BSS, Management and Network Orchestration (MANO) systems)
• Customer-facing domains (e.g., channel portals, websites, call centres)
• Network domains (e.g., VNFs, servers, routing, transport, base stations, IoT devices)
Broadly speaking, the risk domains in a telco cloud architecture can be classified into 4 domains: users, systems, data and assets.
Approach
Zero Trust Concept
Zero Trust is an approach where access to data, networks and infrastructure is kept to what is minimally required, and the legitimacy of that access must be continuously verified.

A Zero Trust architecture is best visualized as seven pillars that are measured across 4 maturity levels and integrated across an enterprise. This is illustrated in the figure alongside.
Fig: Zero Trust Pillars (Governance; Identity, Devices, Networks, Applications, Data, Observability, Automation; measured against Zero Trust Optimal Maturity)
Zero Trust Pillars and Associated Maturity Level Matrix (maturity levels: Traditional, Initial, Advanced, Optimal):

Identity
• Traditional: On-premises Identification, Authentication, Authorization, and Accountability (IAAA), with identities authenticated by single-factor authentication (SFA) in most enterprises
• Initial: Multi-factor authentication (MFA) is introduced alongside self-managed and hosted identity stores. Access rights now expire, triggering automated reviews, although manual identity risk assessments still persist.
• Advanced: IAAA performed as a combination of federated and on-premises systems, with identities authenticated by MFA
• Optimal: Identities authenticated using MFA for initial access and then continually validated throughout the user's session

Device
• Traditional: Device compliance with limited visibility and manual asset management
• Initial: All physical assets are tracked, and limited device-based access control and compliance enforcement begin to take shape. Protection measures are partially automated, initially moving away from manual processes.
• Advanced: Most devices have compliance enforcement mechanisms, with automated methods employed to track assets
• Optimal: Continually monitored and validated device security posture, with asset and vulnerability management integrated across all environments

Network
• Traditional: Network architectures have large perimeters and are macrosegmented, with internal/external traffic explicitly encrypted
• Initial: Critical workloads begin to be isolated, network capabilities are adjusted to manage more applications, and dynamic configurations are introduced to parts of the network. Encryption becomes more widespread and key management policies get formalized.
• Advanced: Much of the network is defined by ingress/egress microperimeters and microsegmentation; all traffic to internal applications is encrypted
• Optimal: A zero trust network access (ZTNA) controller authenticates connection requests from endpoints based on policies; all network traffic is encrypted

Application
• Traditional: Remote application access governed by VPN and traditional firewalls that block traffic by port, protocol, and destination and source addresses
• Initial: Some mission-critical workflows begin to incorporate integrated protection measures, and applications become accessible over public networks, strictly to authorized users.
• Advanced: Remote on-premises applications accessed by VPN, with some application access in the cloud; active connections tracked and monitored using stateful firewalls
• Optimal: Identity-based access control with direct access to applications; web application firewalls inspect application-layer traffic using dynamic policies

Data
• Traditional: Data at rest stored on-premises unencrypted, with inconsistent manual data categorization
• Initial: Automation is introduced for data inventory and access control to a limited extent, strategies for data categorization begin, and some data stores become highly available. Some data is encrypted in transit, implementing initial centralized key management policies.
• Advanced: Data at rest encrypted and stored in cloud or remote environments, with a combination of manual and static methods used to categorize data
• Optimal: All data at rest encrypted and data categorization enhanced by machine learning

Observability
• Traditional: Limited data and log inventories prevent a holistic view of the enterprise network, with static attributes used for observing user activity
• Initial: Limited automation is introduced for monitoring network activities, with a basic framework for real-time threat alerts and responses beginning to take shape.
• Advanced: Most data and logs are inventoried, with manual analysis of aggregated user activity
• Optimal: All access events are analyzed for suspicious activity, with user visibility centralized via user and entity behavior analytics (UEBA)

Analytics and Automation
• Traditional: The organization relies on manual administration of systems, networks, devices, and application environment changes
• Initial: Basic data analytics and automation of simpler tasks commence, paving the way for a more robust, data-driven security approach.
• Advanced: Basic automation of device provisioning and change workflows; applications can inform network and system devices of changing state
• Optimal: Fully enforced automated security policies and administration; device and network configurations automated using infrastructure as code and continuous integration/continuous deployment (CI/CD) models
Conclusions (1/2):
The ZT assessment of a telco cloud network/infrastructure can be summarized in the parameters below.

Identity and Access Management: provides enhanced identity governance.
• Identity should be used as the key component of policy creation.
• Access policies should be based on identity and assigned attributes.
• Multi-factor authentication.

Network Segmentation or Micro-segmentation: breaking a network into smaller isolated segments and restricting access between them, which limits the impact of a compromise and reduces the attack surface.
• Pushing and executing unified access control policies based on micro-segmentation.
• Achieving adaptive dynamic access control based on the trust evaluation of traffic characteristics and context.
• Using label systems or virtual IPs to define business traffic, establishing an identity-centric dynamic access control model.
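The identity-centric, label-based access model described above, as an added example that is not part of the original deck: a default-deny policy decision that keys on identity attributes and workload labels instead of IPs, re-checks device posture on every request, and forces re-validation once a session's last verification is older than a window (the labels, role names and the 300-second window are constructed assumptions).

```python
from dataclasses import dataclass

REVERIFY_AFTER = 300  # seconds a verified session stays trusted before re-validation (assumed)

@dataclass(frozen=True)
class Workload:
    name: str
    labels: frozenset  # business labels stand in for IPs, e.g. {"domain=network", "app=upf"}

@dataclass
class Session:
    user: str
    role: str               # identity attribute asserted by the IdP (assumed attribute name)
    mfa: bool               # MFA completed at initial access
    device_compliant: bool  # device posture reported by the endpoint agent
    last_verified: float    # epoch seconds of the last successful re-validation

# Default deny: every allowed flow needs an explicit rule keyed on identity + labels.
# The roles and labels below are constructed for the example.
POLICIES = [
    {"role": "noc-engineer", "src": {"domain=support"}, "dst": {"domain=network"}, "ports": {22, 443}},
    {"role": "billing-ops", "src": {"domain=support", "app=bss"}, "dst": {"domain=data"}, "ports": {5432}},
]

def evaluate(session: Session, src: Workload, dst: Workload, port: int, now: float) -> tuple:
    """Return (allowed, reason). Identity and context are checked on every request, not only at login."""
    if not session.mfa:
        return False, "mfa-required"
    if not session.device_compliant:
        return False, "device-noncompliant"
    if now - session.last_verified > REVERIFY_AFTER:
        return False, "reverification-required"  # continuous validation of the session
    for rule in POLICIES:
        if (session.role == rule["role"] and rule["src"] <= src.labels
                and rule["dst"] <= dst.labels and port in rule["ports"]):
            return True, "policy-match"
    return False, "no-matching-policy"  # micro-segmentation default

if __name__ == "__main__":
    mano = Workload("mano-01", frozenset({"domain=support", "app=mano"}))
    vnf = Workload("vnf-upf-03", frozenset({"domain=network", "app=upf"}))
    alice = Session("alice", "noc-engineer", mfa=True, device_compliant=True, last_verified=1000.0)
    print(evaluate(alice, mano, vnf, 22, now=1100.0))  # allowed: fresh session, rule matches
    print(evaluate(alice, mano, vnf, 22, now=1500.0))  # denied: session older than the window
    print(evaluate(alice, vnf, mano, 22, now=1100.0))  # denied: reverse direction has no rule
```

Because the rules name labels rather than addresses, the same policy keeps applying when a VNF is re-deployed on a different host or IP.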
Conclusions (2/2):
Data Protection: using encryption and other security measures to protect sensitive user data. This includes protecting data at rest, in transit and in use.

Continuous Monitoring and Analytics: real-time threat detection and response capabilities to identify and mitigate threats; use of machine learning, behavioural analytics and other advanced techniques; and automation of configuration audit and compliance validation tasks for network resources.

Policy Enforcement: policies and controls to govern access to data and resources. It includes access control and application security.