We already know how to secure telco cloud, so let’s get to work

When I came to telecom after decades securing global financial, e-commerce and defense systems, one thing struck me immediately: this all looks awfully familiar. #Sponsored

December 12, 2022


As CISO for Rakuten Mobile, I’m responsible for securing its open, automated network in the cloud. Upon joining, I wasted no time implementing cloud security concepts that have been known and proven in other complex cloud architectures for many years.

So I was confused sitting on a security-themed panel at Open RAN North America hearing that MNOs need to slow transformation because the next generation of networks is not secure enough to deploy. (Light Reading has a great recap of the session here.)

Yes, telecom workloads are mission critical. But I’ve also secured cloud workloads where people’s bank accounts were at stake. Finance is one of the most conservative industries I’ve ever worked in, but it has been powered by the cloud for many years now.

My old client, the Department of Defense, just signed a $9B cloud contract with AWS, Google, Microsoft and Oracle.

Other industries aren’t waiting to transform and neither should we.

Standards should be an enabler, not an enemy

On the panel, it kept coming up that the standards for Open RAN aren’t ready. The Open RAN ecosystem was painted as some wild west that’s going to come shoot holes in your network because operators can’t be trusted to secure their systems.

Rakuten believes deeply in standards. Nagendra Bykampadi on my team is co-chair of the O-RAN Alliance working group dedicated to security. The work they’re doing is important, but it absolutely should not be an impediment.

That’s why it disappoints me to see security being used as a cudgel by those seeking to slow progress. The suggestion seems to be that until security in 5G and Open RAN is 100% standardized, deployments should be sidelined.

Standards help our industry. At Rakuten Mobile, we have proceeded with them to increase our security posture where it makes sense and established security controls when gaps are identified.

I come from industries that don’t have the benefit of standards bodies. Businesses in these industries had big goals and faced tough market pressures. The answer was to analyze security risks and plan accordingly. After all, security doesn’t happen on a piece of paper.

Someday, O-RAN Alliance’s security standards will get to a point where they are deemed “ready.” When that happens, they will still only account for 20% of what I need to think about when securing a cloud-based telco network.

These are not new problems

Many of the challenges I’m hearing concerns about are not new. They are simply new to telecom.

This is a fantastic thing for our industry. We get to move quickly because of all the hard work other industries have put in as they pursued digital transformation.

Fundamentally, what makes 5G or Open RAN harder to secure than previous-generation mobile networks is the adoption of cloud that accompanies them. It doesn’t matter if it’s public or private, cloud brings security risks.

The risks are uncomfortable. They are potentially more severe than any MNOs have previously faced. So we must prepare for them. That starts with owning your own system design and implementation, independent of any promise made by any vendor.

Frankly, the idea that any major operator would allow its network to be taken down by some rogue, non-standards-based Open RAN code is just unrealistic. Every MNO will have its own, custom, unique security strategy. It will be based on things like region, business goals and risk appetite. It certainly will not hinge on blindly trusting that an Open RAN vendor has sufficiently integrated security standards.

“Meet the market or you become roadkill”

I’ve certainly had more eloquent turns of phrase in my day. But I’m not a marketer, so on the security panel, I said it like I see it.

Telecom’s biggest challenge isn’t security, it’s business acceleration. I exist and CISOs at other MNOs exist to help our businesses go as fast as they need to as safely as possible. We most certainly do not exist to tell them to slow down.

Slowing down is how you become roadkill.

I recently presented in a virtual telco cloud security event hosted by TM Forum where we covered strategies for securing 5G and Open RAN networks. You can register to catch the replay here.

This content is sponsored by Rakuten Symphony.

John Carse is Chief Information Security Officer for Rakuten Symphony and Rakuten Mobile, where he also leads IT Engineering & Operations for the world’s first and largest truly open mobile network. In this role, John leads a modern approach to next-gen telecom network security for Rakuten Mobile and Rakuten Symphony customers, leveraging more than three decades of experience, which most recently included serving as interim-CISO for Expedia Group and leading establishment of JP Morgan Chase’s Global Security Operation Center.
