The telco cloud's insecure? No, it’s just very different

I sit at perhaps one of the most unique telecom security vantage points. I’m Chief Information Security Officer (CISO) for Rakuten Mobile, responsible for securing the world’s largest fully virtualized Open RAN mobile network. I am also CISO for Rakuten Symphony, with responsibility for ensuring the next-gen networks we build for other MNOs are security-ready.

My background is not in telecoms. Before joining this industry, I was interim CISO for Expedia. Previously I managed high-profile security projects for banking giants like JPMorgan Chase and for the U.S. Department of Defense.

I was brought into Rakuten Mobile because CEO Tareq Amin recognized the company didn’t have a telecom security challenge, but rather a cloud and modern IT security challenge.

Namely, the same challenges CISOs have been solving in other mission-critical industries like e-commerce, finance and healthcare for many years already. Some of my earliest security experience was with the military and defense sectors, where security is the number one priority.

Read most headlines about 5G, telco cloud or Open RAN security and the main arguments seem to disregard this critical reality. Instead, we hear about an explosion of devices! More attack surfaces! A lack of standards!

Honestly, much of the hysteria strikes me as a bit too Chicken Little. It’s a reality we tackled recently on the “Securing Modern Telecom Networks: How to Begin Your Journey” webinar with TM Forum. Rakuten also addresses the topic in its recently released “Definitive Guide To Telco Cloud Security.”

Determining your risk appetite

When designed properly, the truth is 5G isn’t any easier to hack than other cloud-supported workloads. Just like anything else, there are design choices that absolutely impact what challenges will be faced and how they’ll be overcome. It’s a classic case of determining how much risk is acceptable.

More than anything, it boils down to whether operators are ready to roll up their sleeves and manage design, operations, and security risks on their own terms.

For many, this will feel completely unnatural. Of course, nothing about the way 5G has rolled out is natural, so why should securing it be any different?

It comes down to control and business alignment

It’s about taking control and establishing business alignment. It’s about taking what has been learned from other IT sectors like military, banking and tech, and applying it to this technology. Then it becomes about making practical decisions about best approaches to securing chosen operating systems, orchestrators, applications and accompanying interfaces, system and network access, privileged access and automation. These decisions must be weighed against business needs. For instance, do we introduce controls that are “best practice” but do not actually increase security posture and ultimately drive up the technology and operational costs?

At Rakuten Symphony, we’re addressing these realities by using commoditized hardware to run orchestrators and leveraging Intel processors on COTS hardware. Typically, anything proprietary is a non-starter in our eyes with few exceptions. To this end, we don’t have our own security products like firewalls or threat intelligence offerings. We’re consumers of these solutions, the same as any other industry.

Zooming out, on the operator side, we are doing a lot of machine-to-machine security and really making an effort to understand exactly what’s on our network. We’ve whole-heartedly embraced zero-trust initiatives, requiring certificates before something just jumps onto our network. We are crafting segmentation policies, incorporating software-defined networks [SDNs] to move information between different systems and getting down to a nano-segmentation level. Moving to containerized stacks alleviates some of the complexity that would otherwise be associated with this approach.

This post isn’t meant to be a “how-to” so much as a proposal for “how-to-think” about 5G as telecom enters yet another new era. Most importantly, Rakuten wants to be part of a growing chorus of voices that drown out the swirling FUD [fear, uncertainty and doubt] around securing next-gen networks.

The more the voices of those that have successfully secured these networks can speak up about experiences, share knowledge and help lead others, the sooner telecom will be on its way to managing risk while delivering more compelling services than ever.

Want to join the conversation? Check out the replay of the “Securing Modern Telecom Networks: How To Begin Your Journey” virtual event where members of the hacking and mobile operator communities came together for an experience-based discussion about cloud-native and Open RAN network security at scale.

Also, download our new “Definitive Guide to Telco Cloud Security" for the Rakuten Mobile and Symphony security team’s take on a five-step approach for securing modern networks.