Now is the time to future-proof security in roaming, writes Francesco Votta, senior product manager for 5G roaming enablement at Deutsche Telekom Global Carrier.
For Deutsche Telekom, the protection of our data, customers and infrastructure from hacker attacks has long been a topic of the utmost importance. We have decades of experience under our belt and are very active in this area, running numerous programmes and services.
Among these initiatives, we set great store by protecting our customers from mobile threats when they roam. Deutsche Telekom Group alone looks after almost 250 million of its own mobile subscribers, and we pride ourselves on our reputation and the stringent application of German telecommunications law, as well as German privacy regulation and the EU’s General Data Protection Regulation.
With the introduction of 5G standalone (SA) in our industry, the needs of our customers are rapidly changing as they embrace entirely new use cases made possible by the technology. Our connectivity services increasingly shift from addressing humans to addressing machines, with the consequence that IoT traffic will also become prevalent in roaming scenarios.
In this environment, we’re evolving towards a world in which the quality of our apps and services must be contextual to the situations our customers face: for example, the connectivity needs of an autonomously driven car are less stringent once it is parked. This implies that quality of experience will become the deciding factor behind any future traffic-routing decision.
A fresh take on roaming
These evolving needs of our customers require a different approach to roaming as well. For example, a ‘best-effort’ roaming scenario will no longer do when you travel in an autonomously driven car or perform an operation on someone remotely.
Roaming therefore needs to be rethought completely to make it even more reliable, flexible and, above all, secure. We must move from a costly and heavy combination of firewalls, security auditing and monitoring to security by design, built directly into the new 5G protocol.
Industry analysis supports our view: market research firm Kaleido Intelligence recently conducted a study in which it found that losses from fraud and security incidents look set to peak at $45 billion globally in 2025 before declining to $36 billion in 2028 as new 5G security measures become more widely used.
At the same time, however, more than 70% of surveyed operators felt only partially prepared for future 5G threats, with also more concern about the Diameter protocol than HTTP/2 threats associated with 5G SA.
Gates and fences
These operator responses give reason to conclude that concerns about security in roaming exist for all network technologies, both current and future. Addressing this therefore needs to become an all-or-nothing scenario moving forward.
Networks worldwide are connected through signalling interworking, a system that was initially designed without any security or authentication mechanisms. Applied to today’s global roaming market, in which an average medium-sized operator has more than 350 roaming partners and a large one may have up to 700, security has become a ‘must’ to protect operators and their subscribers from cybercriminals, fraudsters and hackers.
While 5G SA already has security built into its initial design, this won’t help if any of the previous technologies are not sufficiently protected against cyberattacks, because these earlier generations may, for instance, be used for the same services in areas where 5G SA is unavailable. The risk is high that different types of fraud will simply leak via one of the older protocols, making it like building a gate without a fence to shield your house from intruders.
That’s why we have adopted a comprehensive set of security solutions for roaming that provide security by design. This way, we ensure a state-of-the-art 5G SA security gate, while also providing the strongest possible safeguards when roaming ‘along the fence’ of other technologies.
Security across the board
Our suite of managed security services includes tailor-made solutions for mobile operators that are designed to help them maintain business while reducing complexity in roaming. We aim to decrease our customers’ costs, at the same time as increasing the quality of their cyberdefence systems and helping prepare them for the future.
With our 5G roaming-enablement services, customers can outsource investment and operation of 5G SA roaming, meaning the required security edge protection proxy (SEPP) is owned and operated by us.
In addition to our outsourced SEPP solutions, we can provide hosted SEPP maintenance services, as well as enable composite scenarios that allow operators to choose how to connect roaming partners efficiently. These options will eventually lead to the provision of a Deutsche Telekom-enabled ecosystem for 5G roaming services.
What’s more, we are the only carrier to offer Diameter end-to-end signalling security (DESS) for 4G and 5G non-standalone services, enabling us to guarantee end-to-end authentication of signalling messages, as well as providing constantly updated 4G Diameter firewalls and SS7 firewalls for 2G and 3G.
Recommended by the GSMA, DESS is essential because it guarantees the authentication and in-built integrity of all messages to avoid man-in-the-middle attacks, whereby roaming traffic is fraudulently intercepted and possibly altered.
Implementing a comprehensive security-by-design concept for roaming is initially more multifaceted than just adding 5G security to current measures, as it necessitates the coordinated installation and management of both DESS and all firewalls. But anyone who rolls up their sleeves today to ensure the highest protection across all protocols will reap the benefits in the future as use cases and security scenarios become increasingly complex.
We encourage our industry to take the long view on this issue, as any individual carrier’s independence stops where their customers’ problems begin. That’s why we argue that the time to future-proof security in roaming is now.
