Securing networks in an automated world
Increased security, reduced costs and enhanced network visibility are just some of the benefits of adopting automation in networking. Gareth Wilmer investigates this and looks at what’s causing some of the resistance against it
WannaCry, DDoS attacks, ransomware, botnets – the world has become unhappily familiar with such terms in the past few years. This has come about as cyberattacks have grown in sophistication alongside the surge in number of connected devices, with some of the latest wave hitting record-breaking sizes in 2018.
At the same time, carriers and other organisations are undergoing major digital transformations as they move towards technologies such as SDN, NFV and 5G. This is triggering greater network automation, calling for new ways of running security alongside these technologies.
The transformation from legacy environments to “programmable, horizontally abstracted, open-partner ecosystems” means that “service providers have to build security-oriented thinking into every aspect of their ecosystems”, says Daniel Bar-Lev, director in the office of the CTO at the MEF industry association.
After identifying needs for security services caused by rising deployment of SD-WANs and use of NFV, the association is starting a project with its members in the area of security-as-a-service (SECaaS) under its MEF 3.0 framework. In line with this, Bar-Lev foresees the opportunity for a whole new market segment opening up for service providers specialising in WAN-oriented security services.
“Securing SD-WAN services running in NFV environments is a challenge that will only grow in scale and complexity,” adds Bar-Lev. To date, he says, security work has often been focused within service providers’ IT groups rather than their networking departments, but he emphasises the need to move towards development of security throughout the organisation.
Bar-Lev highlights that automation can reduce the attack surface by lessening the opportunity for human-associated vulnerabilities. But, he notes, the flip side is that automation can spread vulnerabilities rapidly in a hyperscale environment. “Automating security in a WAN service provider environment is very much more complex than what we have been accustomed to until now. Service providers are clearly working towards a DevOps approach where they deal with security enhancements in real time.”
Chris Richter, VP of global security services at CenturyLink, explains that the pace of change as activities become more automated in the move towards technologies such as SDN, NFV and 5G is such that carriers have to change their overall processes to keep up. “Changes to IP and the network core are central to that transformation, and there’s a security transformation that goes hand in hand with that,” he says.
In line with this rising automation, Richter says CenturyLink is therefore going through a transition both to aid its own business and that of its customers. “I talk to many CIOs who are struggling with the challenges of moving to automated networks,” says Richter.
“They’re faced with having to upgrade all their infrastructure and are under pressure to reduce their networking costs. In doing so, they have to make a decision about where their security controls are going to reside.” A key way for carriers to aid with this, says Richter, is to help their customers move to cloud-based security, reducing the cost and complexity of the overall security framework.
“That’s what drove us to create a new security model that was compatible with technologies such as NFV and SD-WAN,” says Richter.
CenturyLink is also moving to enhance automation in security itself and is offering automation in some of its security controls, but customers need to opt in to get this. “Not everybody trusts automation, so we give customers a choice,” says Richter. “As we begin to trust technology more, there’ll be more automation in the backbone.”
Carriers, meanwhile, note the benefit of having to build in security from the start with the new raft of technologies. “From a security perspective it’s actually good, because it forces network designers to think first and then build,” says Stefan Schröder, a security expert at Deutsche Telekom. “That gives us as security experts a good opportunity to be included in the design to make sure that we have designed for security and privacy right from the start.”
And Orange, for example, is also following a principle of “security by design”, says Yves Bellego, director of European networks at the company. This could help in areas such as mitigating potential increased risk in the use of more open-source processes in the industry.
One way that Orange is dealing with this is by working within the industry in open source communities and standardisation bodies. This may also help in, for example, bolstering security mechanisms for 5G, where network slicing is set to lead to new interfaces with new types of player and bring its own security issues, says Bellego.
Virtualising workloads, meanwhile, calls for central coordination of security policies and for having controls virtualised and able to expand along with workloads, says Brian Rexroad, VP of security platforms at AT&T. He points out that identity and access management are “significantly more complex” in this environment, so there is a need to change in line with this and alter the philosophy around network architecture.
But he emphasises that this is a step-by-step process, and is about learning over time to ensure a thorough understanding of what works. “The entire network infrastructure isn’t changing to virtualised overnight,” he says.
The dynamic changes in the network that SDN and NFV enable mean that sometimes additional security controls will be needed, but there is a big upside in being able to automate many functions based on a known event and moving to automate security, says Lee Field, associate director of solutions architecture at Verizon Enterprise Solutions. “Let’s say, for instance, we see ‘known bad’ traffic or actors,” he says. “We can automate change into the core of the network... to proactively defend against it.”
One big thing that Verizon has done in recent years, says Field, is to look at how data gleaned from the company’s core network can be better used to defend its own and customers’ infrastructure – capitalising on the oversight offered by its extensive global IP network and its in-depth tracing of cyber-threats over the years.
Carriers are also looking to launch alliances to deal with the new breed of threats. Telefónica, for instance, has just teamed up with Etisalat, Singtel and SoftBank to create a Global Telco Security Alliance, allowing the members to share intelligence on threats and security capabilities to help protect enterprises. The alliance is also open to bringing in new members over time.
“The collaboration between partners within the alliance helps to bring different views on security and allows [us] to share intelligence such as tested technologies,” says Pedro Pablo Pérez, CEO at Telefónica’s cybersecurity unit, ElevenPaths.
CenturyLink’s Richter agrees that interaction will be important. “One way that we as carriers will be able to battle that traffic is by working together and communicating more transparently,” he says. “That way, we can keep the internet as clean as possible of malicious traffic.”
While working with enterprise customers, a key requirement that CenturyLink itself keeps in mind is the need to cooperate with other carriers to ensure network-agnostic security controls, he adds. Richter points out that about 90% of the company’s SD-WAN customers use more than one carrier to ensure diversity, so accommodating this is important.
Something that might, meanwhile, aid inter-carrier security in future is blockchain technology. Indeed, Colt Technology Services and PCCW Global, along with blockchain start-up Clear, recently ran a proof of concept to show how the use of blockchain can slash inter-carrier settlement times from hours to minutes in a reliable way.
“This is a good example of how Colt is looking at emerging technologies to try and not only automate processes but also find a secure way in which to do so,” says Ashish Surti, chief information security officer at the company. “Blockchain by its very DNA is inherently secure, and as a business Colt is investigating how blockchain and other technologies can be used to ensure that security is a major pillar of everything we do.”
As security itself becomes more automated, meanwhile, there may be challenges resulting from a more hands-off approach.
But Christian Wollner, head of product management for mobile world at Deutsche Telekom International Carrier Sales & Solutions (ICSS), explains one way this might be managed effectively. For instance, on the mobile side the company operates firewalls for SS7 and SMS, and uses automated algorithms to carry out this screening efficiently and in real time – but this also ensures that experts at Deutsche Telekom double-check traffic patterns.
“This enhances the level of security because we know that ‘the other side’ uses human intelligence as well,” says Wollner.
Jay Coley, EMEA director of security at Akamai, flags up a different challenge – that, for instance, automated provisioning could push carriers’ customers into new pricing during a surge in traffic from a DDoS attack.
“Akamai can help by mitigating threats at the access layer of the internet rather than at the core, potentially preventing large amounts of traffic aggregating in the core,” says Coley.
Ultimately, cutting off threats as quickly and cleanly as possible clearly offers a huge upside for carriers. “Defending earlier protects the network and performance,” says Verizon’s Field.
“Think forward to being able to use machine learning and AI to make these decisions, and we have some real potential to implement self-defence through automation on a carrier-grade scale.”