Billing OSS Magazine  
 

Protecting Networks With NGOSS Enabled Network Element Security and Single-Sign-On

Solving the security paradigm – stronger security, simpler administration

By Sergio Pellizzari
Chief Solutions Architect
Nakina Systems
 
 
 


The need for network security is ubiquitous in today's business environment. Yet, despite being part of day-to-day operations, network security is often perceived much like buying insurance: service providers know they need to improve it, but the return on that investment is not apparent until a breach or outage occurs, at which point strong security suddenly matters a great deal.

Fortunately, this perception is starting to change. New standards initiatives are being established, and there is now a clear business case for an integrated solution based on the TeleManagement Forum (TMF) Next-Generation Operations Support System (NGOSS) framework that lets service providers bolster network security and identity management. At the same time, service providers can reduce operating expenses by automating routine workflows such as password management and password-aging policies.

Financial losses from even a localized network outage are significant for both the service provider and its customers. Lost revenue from downtime is estimated at $2,200 per minute for service providers and can run as high as $6.45 million per hour for some enterprise customers, such as large financial-services retail brokerage firms. We are all aware of outages that result from catastrophic events such as fiber cuts or floods. Outages can also be caused by far more innocuous actions. In one large carrier network, a junior operator inadvertently gained access to a network element (NE) they were not authorized to touch and changed its parameters by mistake, disrupting network services for several hours. Incidents of this kind are not malicious; they are employee errors, often made by an inexperienced employee who has not followed procedure. They expose two gaps at once: access control that did not restrict the operator to commands within their job scope, and, where accounts are shared, no way to attribute the change to an individual after the fact.

Compounding the situation, networks are becoming larger and more complex, consisting of many network elements from multiple vendors. Each vendor provides a different level of access security, with its own default settings, maximum number of user accounts and proprietary access-control scheme. Further complexity comes from legacy equipment that lacks sophisticated on-board security, or the memory and processing power needed to maintain individual user identities. The result is that service providers must set up security management groups to manage and maintain user access to devices, administer policy and rotate user passwords, and investigate security breaches after the fact. These network devices also tend to have coarse-grained security policies that define only a few classes of user. Without fine-grained restrictions, individual users are often able to run risky command sequences that are well beyond their job scope.

“The lack of effective identity management in networks and the use of multiple usernames and passwords leaves organizations vulnerable to threats from disgruntled employees or those who might inadvertently gain unauthorized access to NEs,” says Matt Beiser, Senior Security Sales Specialist with IBM Tivoli Security Solutions. “The resulting financial loss, and loss of reputation and confidence in service provider networks, is considerable and has led to a number of industry initiatives to promote greater interoperability and to seek a technology and platform-independent solution.”

As network service providers seek to reduce the risk of outages and to comply with new and emerging initiatives and standards, such as the TMF Single-Sign-On (SSO) Catalyst initiative, ANSI T1.276-2003 and ATIS-PP-0300074.2006 (Guidelines and Requirements for Security Management Systems), new security solutions are emerging that address access security across a service provider's revenue-generating network.

The pain of password management

Traditional password management is complex, expensive and only marginally effective as a security measure, making network passwords a weak link in the security chain. All too often, access passwords for NEs in carrier networks are never changed from the defaults set by the manufacturer. Vendor defaults are published in product documentation, so a device still running them is open to anyone familiar with the equipment, not only to insiders who know the environment.

Some equipment does not support an account per individual, which forces the creation and management of group accounts and frequent rotation of group passwords. A typical network operator holds, on average, 20 or more separate accounts and passwords across individual systems. With no way of enforcing a uniform user ID and password across them, users forget which combination belongs to which system, leading to frequent password reminders and resets. Adding to the problem, telecom network gear enforces no uniform password complexity rules, so passwords tend to be chosen for how easy they are to remember rather than for their strength.

Meanwhile, there are significant costs associated with password management. Enforcing a quarterly password-aging policy for a service provider with 20,000 NEs results in an estimated 480,000 password changes a year, at an estimated OPEX cost of $4.8 million, or roughly $10 per change. (The figure assumes several accounts per element; with a single account per NE, quarterly rotation across 20,000 elements would be 80,000 changes.) Because of this cost, systematic password rotation is often non-existent, or piecemeal at best.

Until now, there were few options for automating network access in a way that reduces both the complexity of network administration and the risk of human error. In the past, service providers frequently resorted to in-house development of password management scripts, a process that was expensive, time-consuming, device-specific and often unreliable. Although millions were spent on security administration, basic and consistent security practices were still lacking. The result: network access that was essentially unmanaged and determined by who you knew rather than by your level of responsibility.

Security simplified

Today, single-sign-on tools are available that enable carriers to secure access in a more integrated, consistent and automated fashion. In doing so, carriers can reduce OPEX by streamlining the process of managing passwords for multiple users across all network elements from multiple manufacturers.

“The ability to manage all elements of a network is key,” says Beiser. “Anything that can be done that reduces the cost of managing NEs and makes security a consistent and reliable process is a focus for service providers.”

Furthermore, single-sign-on tools designed for telecom networks can be integrated with the traditional identity management systems that govern a PC user's access to websites, business applications and servers, providing a unified solution across the telecommunications and enterprise domains. Through that integration, they tighten control over NE administrator access and privileges. Automated password management consistently imposes strong password policies and regular changes across the entire network, and the service provider applies those controls uniformly to all networking equipment regardless of each vendor's defaults or user limits. One caveat is worth stating: a legacy device that accepts only short passwords cannot hold a credential that meets a stronger policy, so the central system can at most issue the strongest credential the device accepts, record the exception and apply a compensating control such as proxy-only access. The result is one secure solution integrated into the existing corporate identity management system.
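As an added illustration, not Nakina Systems' product or code and not part of the original article, the following Python sketches the central password layer described above: one policy applied to every NE account, generation bounded by what each device can actually hold, a compliance flag for devices that cannot meet the policy, and an aging check against a quarterly rotation interval. The policy values, the device constraints and the three-element inventory are constructed for the example.

```python
import secrets
import string
import datetime as dt
from dataclasses import dataclass

# Added example, not Nakina Systems' code. Models a carrier-wide password
# policy applied uniformly to NE accounts, with per-device constraints.

LOWER, UPPER, DIGITS, SYMBOLS = (string.ascii_lowercase, string.ascii_uppercase,
                                 string.digits, string.punctuation)
MAX_GENERATED = 24  # cap so generated passwords stay a sane length


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12        # hypothetical carrier-wide minimum
    classes_required: int = 3   # of lower / upper / digit / symbol
    max_age_days: int = 90      # quarterly rotation


@dataclass(frozen=True)
class DeviceConstraints:
    max_length: int             # longest password the NE will accept
    allowed_symbols: str        # "" if the NE rejects symbols entirely


@dataclass(frozen=True)
class NeAccount:
    ne: str
    account: str                # shared device account, held centrally
    last_rotated: dt.date
    constraints: DeviceConstraints


def char_classes(password):
    """Number of character classes present (lower, upper, digit, symbol)."""
    return sum(any(c in cls for c in password) for cls in (LOWER, UPPER, DIGITS, SYMBOLS))


def meets_policy(password, policy):
    return (len(password) >= policy.min_length
            and char_classes(password) >= policy.classes_required)


def generate_password(policy, constraints):
    """Return (password, compliant). Always produces the strongest password the
    device accepts; compliant is False when that still falls short of policy,
    so the shortfall is recorded instead of silently accepted."""
    rng = secrets.SystemRandom()
    classes = [LOWER, UPPER, DIGITS]
    if constraints.allowed_symbols:
        classes.append(constraints.allowed_symbols)
    length = min(constraints.max_length, MAX_GENERATED)
    if length < len(classes):
        raise ValueError("device maximum too short to hold one char per class")
    # one character from each class the device supports, then fill and shuffle
    chars = [rng.choice(cls) for cls in classes]
    alphabet = "".join(classes)
    chars += [rng.choice(alphabet) for _ in range(length - len(chars))]
    rng.shuffle(chars)
    password = "".join(chars)
    return password, meets_policy(password, policy)


def overdue_accounts(accounts, today, policy):
    """(ne, account, age_days) for accounts rotated longer ago than policy allows."""
    return [(a.ne, a.account, (today - a.last_rotated).days)
            for a in accounts if (today - a.last_rotated).days > policy.max_age_days]


def rotation_run(accounts, today, policy):
    """Issue a new credential for every overdue account and report which ones
    still cannot meet policy because of device limits."""
    report = {}
    for ne, account, age in overdue_accounts(accounts, today, policy):
        acct = next(a for a in accounts if a.ne == ne and a.account == account)
        pw, ok = generate_password(policy, acct.constraints)
        report[(ne, account)] = {"age_days": age, "length": len(pw), "compliant": ok}
    return report


# Constructed inventory: a modern element, a legacy element that caps passwords
# at 8 characters and rejects symbols, and one element rotated recently.
INVENTORY = [
    NeAccount("ne-ott-01", "operator", dt.date(2005, 11, 1), DeviceConstraints(64, "!#$%&*")),
    NeAccount("ne-ott-07", "admin", dt.date(2005, 6, 1), DeviceConstraints(8, "")),
    NeAccount("ne-yow-03", "operator", dt.date(2006, 2, 15), DeviceConstraints(32, "!#$%")),
]
TODAY = dt.date(2006, 3, 1)  # constructed "current" date for the example
```

Run with `rotation_run(INVENTORY, TODAY, PasswordPolicy())`: the two accounts older than 90 days are rotated, the modern element receives a 24-character, four-class credential, and the legacy element receives the best 8-character mixed-case alphanumeric it can hold, flagged non-compliant so that the exception list, not a false sense of uniformity, drives the compensating controls.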

The process differentiates user accounts from NE accounts and establishes unique credentials for each individual on the network operations staff. Network access is brokered by a proxy: the operator signs on once with their own credentials, the proxy holds the NE's own account, and command filtering matches what is forwarded to the privileges of the user's job function. Centralized log management and auditing then make it possible to trace network events and problems back to a specific user, even on devices that only ever see a shared account.

These solutions allow network-wide policies with consistent permission levels and make it easy to determine who is doing what on the network, where and when. Privileges are assigned at the appropriate level for each network operator, or each user's account is restricted to a specific set of commands, which also allows rapid intervention as issues arise. This contrasts with the traditional approach, in which entire workgroups share the same command authorizations.

Beyond these benefits, centralized security approaches can limit individuals to specific command sets, for example keeping novice users away from commands outside their job function. This gives network devices that support only coarse-grained security policies the fine-grained command control they lack, and it blocks ad-hoc telnet sessions to devices that would bypass the proxy. These approaches also offer centralized logging: collecting and storing forensic information on which users accessed which devices, at what time and which commands they ran. Administrators and operators gain the concrete, centralized information needed for root-cause analysis of incidents that was not previously available. The log is only as complete as the path it records, however: if operators can still reach a device directly with the shared account, the proxy's audit trail has gaps, which is why direct access must be closed off when the proxy is introduced.
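As an added example, not Nakina Systems' code and not part of the original article, the following Python models the proxy described in the preceding paragraphs: operators authenticate as individuals, only the proxy holds the shared NE account, each command is checked against the user's role with a default-deny rule set, and every attempt is written to a central audit record that names the individual. The roles, users, element name and IOS-style commands are constructed for illustration; the abbreviation table is hypothetical and stands in for the device-specific CLI normalization a real deployment needs.

```python
import json
import re
import datetime as dt
from dataclasses import dataclass, asdict

# Added example, not Nakina Systems' code. Models the proxy layer: operators
# authenticate as themselves, the proxy holds the NE's shared account, and
# each command is allowed or blocked by role before it is forwarded.

# Hypothetical expansion of common CLI abbreviations. Without it a filter on
# "show" is bypassed by typing "sh", which most NE CLIs accept.
ABBREVIATIONS = {"sh": "show", "conf": "configure", "int": "interface"}


def normalize(raw):
    """Collapse whitespace and expand/lowercase the leading keyword."""
    tokens = raw.strip().split()
    if not tokens:
        return ""
    tokens[0] = ABBREVIATIONS.get(tokens[0].lower(), tokens[0].lower())
    return " ".join(tokens)


@dataclass(frozen=True)
class Role:
    allow: tuple        # a command must match one of these to be forwarded
    deny: tuple = ()    # checked first; a match blocks regardless of allow


# Hypothetical roles. Default deny: anything not matched by an allow rule is
# blocked, which is the fine-grained control coarse NE policies lack.
ROLES = {
    "junior_operator": Role(allow=(r"^show\b", r"^ping\b", r"^traceroute\b")),
    "senior_operator": Role(
        allow=(r"^show\b", r"^ping\b", r"^traceroute\b", r"^configure\b",
               r"^interface\b", r"^description\b", r"^no\s+shutdown\b"),
        deny=(r"^shutdown\b", r"^reload\b", r"^erase\b", r"^write\s+erase\b"),
    ),
}
USERS = {"jdoe": "junior_operator", "asmith": "senior_operator"}  # constructed
NE_ACCOUNTS = {"ne-ott-01": "operator"}  # shared account name per NE; the secret
                                         # itself stays in the credential store


@dataclass
class AuditRecord:
    ts: str
    user: str           # the individual, never the shared NE account
    ne: str
    ne_account: str
    command: str
    decision: str       # "FORWARDED" or "BLOCKED"
    reason: str


class CommandProxy:
    def __init__(self, roles, users, ne_accounts, now=None):
        self.roles, self.users, self.ne_accounts = roles, users, ne_accounts
        self.now = now or (lambda: dt.datetime.now(dt.timezone.utc).isoformat())
        self.audit = []       # every attempt, allowed or not
        self.forwarded = []   # (ne, ne_account, command) actually sent on

    def _decide(self, user, ne, command):
        role_name = self.users.get(user)
        if role_name is None:
            return "BLOCKED", "unknown user"
        if ne not in self.ne_accounts:
            return "BLOCKED", "unknown network element"
        role = self.roles[role_name]
        for pat in role.deny:
            if re.search(pat, command, re.IGNORECASE):
                return "BLOCKED", f"{role_name}: denied by {pat!r}"
        for pat in role.allow:
            if re.search(pat, command, re.IGNORECASE):
                return "FORWARDED", f"{role_name}: allowed by {pat!r}"
        return "BLOCKED", f"{role_name}: no allow rule matched (default deny)"

    def handle(self, user, ne, raw_command):
        command = normalize(raw_command)
        decision, reason = self._decide(user, ne, command)
        rec = AuditRecord(self.now(), user, ne, self.ne_accounts.get(ne, "-"),
                          command, decision, reason)
        self.audit.append(rec)
        if decision == "FORWARDED":
            self.forwarded.append((ne, rec.ne_account, command))
        return rec

    def audit_jsonl(self):
        """One JSON object per line, ready for a central log collector."""
        return "\n".join(json.dumps(asdict(r)) for r in self.audit)


def demo():
    """Constructed session: a junior operator drifts past their scope, a senior
    operator does authorized work, and an unenrolled login is refused."""
    clock = iter(f"2006-03-14T10:{i:02d}:00+00:00" for i in range(60))
    proxy = CommandProxy(ROLES, USERS, NE_ACCOUNTS, now=lambda: next(clock))
    session = [
        ("jdoe", "ne-ott-01", "sh int GigabitEthernet0/1"),   # abbreviated, allowed
        ("jdoe", "ne-ott-01", "conf t"),                      # beyond junior scope
        ("jdoe", "ne-ott-01", "shutdown"),                    # beyond junior scope
        ("asmith", "ne-ott-01", "conf t"),
        ("asmith", "ne-ott-01", "interface GigabitEthernet0/1"),
        ("asmith", "ne-ott-01", "shutdown"),                  # denied even for senior
        ("asmith", "ne-ott-01", "no shutdown"),
        ("mallory", "ne-ott-01", "show running-config"),      # not an enrolled user
    ]
    return [proxy.handle(u, n, c) for u, n, c in session], proxy
```

Two points the model makes concrete. First, the audit record carries the operator's identity even though the device only ever sees the account `operator`, which is what lets an incident like the junior operator's be traced to a person. Second, filtering a CLI with regular expressions is only as good as the normalization in front of it: abbreviations, mode changes (what `shutdown` does depends on whether the session is in interface configuration), output pipes and vendor-specific syntax all have to be handled per device class, and direct telnet to the element must be closed so the proxy is the only path.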

Finally, these solutions help service providers demonstrate compliance with a growing number of regulatory and industry security requirements, including Sarbanes-Oxley (SOX), ANSI T1.276-2003 and the TMF NGOSS framework.

Improved Identity management, improved security, easier administration

In summary, today's single-sign-on security solutions let service providers strengthen network security while reducing the burden and cost of identity and access administration. These solutions are one of many systems encompassed within a service provider's broader identity and access management policy and framework. Over the long term, the goal should be to integrate them with a broad, organization-wide password management and single-sign-on initiative. Any solution implemented in the short or medium term should have a clear business case with a positive ROI, and should point the service provider toward that long-term goal rather than acting as a barrier to network-wide integration.

 

ABOUT THE AUTHOR:

Sergio Pellizzari, Chief Solutions Architect

As Chief Solutions Architect for Nakina Systems, Sergio Pellizzari has responsibility for Nakina Systems' future product roadmap and works closely with customers to understand their needs and how Nakina Systems' expertise can solve their operational issues.

 

Sergio has over 20 years of Telecom industry experience starting in the field working at Bell Northern Research and Nortel Networks. Sergio was involved in the infancy of Nortel's highly successful line of HiCap and Metro Optical products. Sergio led design and architectural teams delivering management solutions for all Optical products and was involved in unifying management solutions of newly acquired products or those affiliated through joint-ventures.

SOURCES:

Sage Research, Cost of Downtime (includes SLA penalties).

RHK, The Coming Era of Absolute Availability, May 2003.

Nakina Systems studies with tier-one service providers.

 

© Billing OSS Magazine 2006