My job at a telecommunications equipment provider is to provide
‘security’ to networks that are sold to our customers. The main
problem I’ve faced since I started this job 8 months ago is, how does
one define ‘security’ in a telecom network? Not only that, but how
does one convince customers that spend millions of dollars on
sophisticated network equipment to spend additional cash on
‘security’? After all, the common expectation the average consumer has
when they purchase technology is that the technology won’t “hurt”
them; the technology is secure by default! So why wouldn’t a CTO or
other executive responsible for orchestrating the purchase of a new
network hold the same expectations for the deployed network?

As I’ve struggled more and more with this issue in my job, I’ve
started to realize that security should be delivered in multiple
parts: it should be built into network components (meaning, the
individual components in the network should be secure), the networks
should be built securely (meaning, the communication paths between
components should be secured in direct correlation with the risk the
network exposes to the operator), and the network should be operated
securely (meaning, the network should be carefully managed during
operation to proactively address security issues that arise).

Now while the above concepts are described in pretty much any security
text (and certainly were ingrained deeply as I was earning my master’s
degree), quantifying them in the context of an actual network that is
deployed given the constraints that are facing operators has been
anything but a textbook activity!

Once these components of a secure deployment are characterized, it’s
easier to understand and make a case for which components can be
‘sold’ to a customer and which they can reasonably expect to exist in
the networks by default. Of the layers above, it is clear that
security of the individual network components is a fundamental
function of the component itself and cannot be packaged or otherwise
marketed separately (think of the OpenBSD philosophy on security).
Building the network securely can clearly be considered a function of
the network deployment process itself. If a customer has purchased
network deployment or integration services, it is clearly ridiculous
to expect them to pay an additional cost to make sure that the
integration team deploys the network securely.

Therefore, managing the network securely as part of the ongoing
operation of the network provides the greatest opportunity for
realizing revenue from ‘security’. Secure network management provides
ample opportunities for security services in the form of policy
development, periodic spot checks to assess network security posture,
security monitoring services, supply chain management (from a security
perspective) and numerous other possibilities.