Cybersecurity for Communications Service Providers
High-performance Network Traffic
Communications service providers (CSPs) face a difficult challenge in securing their networks. Telecom networks are globally distributed and diverse, encompassing on-premises data centers, public and private cloud deployments, and brick-and-mortar retail locations. These locations often include guest wireless networks and Internet-of-Things (IoT) devices connected to the enterprise wide-area network (WAN).
For a CSP, cybersecurity is of paramount concern. All customer traffic passes through the organization’s data centers, making them a prime target for attack. Point-of-sale (POS) systems in their brick-and-mortar retail locations are also commonly targeted by cyber criminals. CSPs must not only protect the sensitive data entrusted to them in accordance with applicable standards, such as the Payment Card Industry Data Security Standard (PCI DSS) and the upcoming PCI Software Security Framework (SSF), but also protect against attacks designed to degrade the services that they provide to their customers. Accomplishing this requires centralized visibility and comprehensive security protection that does not negatively impact network performance and customer experience.
The headquarters network of a communications service provider (CSP) is essential to their operations and contains massive amounts of sensitive information. Payment card and billing information collected from customers flows through and is stored on this network. Customers’ traffic is routed through and processed at the enterprise data centers, providing a wealth of valuable data to any attacker able to gain access. The enterprise must be capable of protecting all of this data and maintaining compliance with applicable regulations.
However, a CSP’s cyber-threat exposure is not limited to data theft. A distributed denial-of-service (DDoS) attack or ransomware infection could knock critical services offline. In doing so, an attacker who has compromised the enterprise network can exploit and misuse internet-connected monitoring devices on the network.
Digital innovation drives many CSPs to expand their WANs to include public and private clouds in addition to existing corporate data centers. Protecting such a heterogeneous network environment requires a fully integrated, comprehensive cybersecurity solution. FortiManager, FortiSIEM, and FortiAnalyzer enable security teams to achieve centralized visibility and control across their network and easily perform compliance reporting. FortiClient and FortiEDR (endpoint detection and response) provide integrated, advanced endpoint security solutions for employee workstations and point-of-sale (POS) systems alike. FortiWeb and FortiNAC provide website security and automatic identification and vulnerability scanning of Internet-of-Things (IoT) devices connecting to the network, with FortiAuthenticator simplifying identity management.
For CSPs, Fortinet solutions ease the burden of securing complex, distributed networks with features such as:
The Payment Card Industry Data Security Standard (PCI DSS) is a major concern for communications service providers (CSPs). With retail outlets scattered across the country, tracking and securing consumer payment card data is complex. Upon the release of the upcoming PCI Software Security Framework (SSF), these requirements will be more strongly enforced, and the complexity of achieving and maintaining compliance will grow.
Achieving and maintaining compliance requires an integrated and intentional approach. Many organizations attempt to implement security controls specifically to meet regulatory requirements. This often results in a mess of point security solutions with no underlying structure, which provides little or no actual security benefit.
As a company’s network of retail locations expands and PCI requirements grow more complex, it becomes increasingly difficult to achieve the networkwide visibility and centralized management necessary for maintaining and demonstrating regulatory compliance. Digital innovation initiatives add to the burden on IT and security teams as new devices are added to the network and the company’s digital footprint expands to the cloud. This is further exacerbated by the growth of cloud computing, where organizations are required to appropriately secure and control access to protected data processed and stored on cloud infrastructure, which is not under their complete control.
With the Fortinet Security Fabric, CSPs can achieve the centralized visibility and control needed for PCI DSS/SSF and other areas of compliance. The Security Fabric includes 12 Fabric Connectors and over 135 Fabric application programming interfaces (APIs) for out-of-the-box integration with third-party solutions. An open API ecosystem, collaboration with over 30 threat-sharing organizations, and integration with more than 100 third-party vendor products enable painless integration and centralized management of any security solution.
The security integration provided by the Fortinet Security Fabric provides a variety of compliance-focused solutions for CSPs, such as:
Communications service providers’ (CSPs) branch locations need access to fast, reliable, and scalable network connectivity. Frequently, retail locations must perform troubleshooting and repairs for their customers, which requires them to have rapid access to customer data and the ability to perform diagnostic tests that need a stable, reliable network connection.
Deploying this connectivity via traditional multiprotocol label switching (MPLS) lines is an expensive and inflexible solution. In comparison, software-defined wide-area networking (SD-WAN) provides the reliability guarantees of MPLS but operates over a broadband connection. By optimizing usage of multiple transport media, SD-WAN offers faster connection speeds with a lower total cost of ownership (TCO). Optimization of the network infrastructure improves network performance and decreases load at the enterprise data center, increasing operational efficiency. This enables CSPs to meet their service-level agreements (SLAs) while minimizing operational expenditure (OpEx).
One consideration when deploying SD-WAN is that it requires additional security provisions. To make full use of SD-WAN’s capabilities, security must be deployed at the network edge, which results in multiple point products. That is unnecessary with Fortinet Secure SD-WAN, which, unlike other solutions on the market, offers an all-in-one SD-WAN solution that includes robust threat protection. The built-in next-generation firewall (NGFW) provides security controls for Layer 3 through Layer 7 and industry-leading performance in an appliance with the industry’s first purpose-built SD-WAN application-specific integrated circuit (ASIC) chip. The Fortinet Secure SD-WAN appliance also includes an integrated intrusion prevention system (IPS), providing full traffic inspection at the branch location. This enables traffic to be routed directly to its destination, improving network performance, especially of cloud-bound traffic, without sacrificing security.
Fortinet Secure SD-Branch lays the groundwork for extending branch location security with Fortinet SD-Branch. Fortinet SD-Branch centralizes visibility and management of security infrastructure at branch locations from the internet down to the switching layer. This increases the efficiency of security operations, simplifies security control enforcement and data collection for compliance activities, and improves visibility and security of the enterprise WAN. This enables CSPs to decrease overhead and optimize OpEx. Part of Fortinet SD-Branch, FortiAP wireless access points provide high-performance, secure network connectivity for business and guest networks, while FortiNAC provides automated identification and access control for all devices connecting to the network.
With the reliable and secure network connectivity provided by Fortinet Secure SD-WAN, branch locations can also deploy Voice over IP (VoIP) in place of a separate phone service without concerns about bandwidth consumption, availability, or quality of experience. Here, FortiVoice offers an easily configured and flexible VoIP solution that can be isolated from other business and public Wi-Fi networks using the switching and access control capabilities built into Fortinet SD-Branch. To ensure connectivity in the event of a network outage, FortiExtender offers a 3G/4G/LTE/5G backup solution.
When selecting a networking solution, CSPs require a solution that enables them to meet their performance and security benchmarks, providing features such as:
Fortinet SD-Branch enables CSPs to expand their centralized security visibility and management to branch locations with features such as:
Communications service providers (CSPs) are a common target for malware attacks. A foothold on a CSP’s network is used to spread malware to its customers by taking advantage of their trusted relationship. CSPs need to be able to detect and block malware operating on their networks. However, according to analysis performed by FortiGuard Labs, 40% of new malware detected each day is zero day or previously unknown.
Advanced threat protection requires a multilayered defense, including features such as:
Using data derived from analysis of over 10 billion security events per day, FortiGuard Labs rapidly collects, analyzes, and classifies threats with an extremely high degree of accuracy. It leverages AI and ML to write malware signatures and publish them across the entire Fortinet Security Fabric. The integration provided by the Fortinet Security Fabric across the organization’s network also enables security teams to leverage the latest in security orchestration, automation, and response (SOAR).
The widely distributed networks of CSPs offer many possible avenues for unknown threats to gain access, including public Wi-Fi, mobile devices, and connected Internet-of-Things (IoT) devices. Any suspicious content detected by a FortiGate next-generation firewall (NGFW) is forwarded to FortiSandbox for quarantine and inspection, including decryption of secure sockets layer (SSL)/transport layer security (TLS) content, before it reaches the network. Threat intelligence generated by FortiSandbox is then shared with other security elements via the Fortinet Security Fabric. FortiEDR (endpoint detection and response) provides advanced endpoint protection with a lightweight footprint and high-availability guarantees, making it capable of protecting even business-critical systems.
Of course, cyber threats are not limited to external attackers. Using FortiDeceptor, an organization can identify malicious insiders or attackers who have gained access to the network. The user and entity behavior analytics (UEBA) features of FortiInsight help to identify anomalous, noncompliant, or suspicious behavior by endpoints or users that may threaten the business.
Organizations are increasingly embracing cloud services for business-critical data storage and applications, and these resources require robust security. While most cloud service providers offer built-in security settings, they are often incorrectly configured by organizations, leaving sensitive data vulnerable to exfiltration. A common cause is misunderstanding of the cloud shared-responsibility model, which outlines the security responsibilities assigned to the cloud service provider, those assigned to the customer, and those shared between them.
Achieving centralized visibility and consistent security configuration management is also complex in the cloud, with every cloud vendor offering different built-in security controls and interfaces. Securing the cloud requires centralized visibility across on-premises and cloud deployments and security solutions that are designed to provide consistent security and policy management for cloud-based applications across multi-cloud environments.
The first step in securing a multi-cloud network is achieving networkwide visibility and centralized configuration management. The Fortinet Security Fabric natively integrates with major cloud providers and over 250 third-party security solutions. This enables it to break down the silos between different cloud deployments, offering centralized visibility and enforcement of security policies across the entire network. This centralized control makes it unnecessary for security teams to manually configure the security settings offered by each cloud service provider.
Once full visibility into an organization’s cloud deployment has been achieved, the next step is securing cloud-based applications. Many regulations, like the Payment Card Industry Data Security Standard (PCI DSS), require a web application firewall (WAF). Under PCI DSS Requirement 6.6, a WAF is required in DevOps environments unless an organization performs a full code review upon every modification to an application.
The WAF, as a result, is a vital part of a company’s cloud security deployment. FortiWeb WAF is available as a physical appliance, a virtual machine (VM), or as a Software-as-a-Service (SaaS) offering for cloud-native protection of the organization’s websites, payment portals, and web application programming interfaces (APIs).
Organizations also must manage access to their cloud deployments as a whole. FortiCASB and FortiCWP provide cloud-native access control and workload protection, simplifying visibility and security management across multi-cloud deployments. Finally, FortiGate next-generation firewalls (NGFWs) are available in a cloud-native Infrastructure-as-a-Service (IaaS) form factor, offering scalable security for any deployment environment.
Applications and data storage are not the only cloud-based assets that an organization needs to secure. Organizations are increasingly taking advantage of cloud-based SaaS email solutions such as Google Mail or Microsoft Office 365. FortiMail enables an organization to protect both SaaS and on-premises email deployments with the same email gateway.
In summary, Fortinet adaptive cloud security solutions include the features needed to secure even multi-cloud environments, such as:
Customers expect high performance from their CSP’s networks—whether they are using in-store wireless access at a retail location or waiting for their traffic to be routed through the corporate data center. If security technology decreases network performance, it will negatively impact customer experience.
Securing a CSP’s vast network requires a number of different security elements. If these security solutions are not integrated, security workflows must be managed manually. These operational inefficiencies delay threat detection, prevention, and response, create redundancy, and increase operating expenses (OpEx).
CSPs have diverse networks, including on-premises data centers, cloud deployments, and retail locations with internet-connected point-of-sale (POS) systems. Protecting these heterogeneous networks requires networkwide visibility. However, the point security products deployed to protect against sophisticated, multifaceted attacks create silos that impair visibility.
CSP data centers and the POS devices deployed at their retail locations are an attractive target for cyber criminals. Theft of the data on these devices, or denial of access to critical services and systems via distributed denial-of-service (DDoS) or ransomware attacks, can harm a CSP’s ability to meet service-level agreements (SLAs). And as digital innovation creates new attack vectors, including guest wireless networks at retail locations and deployment of IoT devices, protecting against these threats becomes increasingly difficult.
CSPs collect payment card and other sensitive data from customers—both at brick-and-mortar retail locations and through online portals. This sensitive data is stored and processed across the organization’s network—both in on-premises data centers and private and public clouds, including Software-as-a-Service (SaaS) applications. Securing this data in accordance with regulatory standards, such as PCI DSS, becomes more challenging as the organization’s network grows in complexity.
CSPs have a number of remote offices that process sensitive user data while onboarding customers and troubleshooting. These branch locations can be a target for attackers trying to gain access to sensitive data or to use them as a stepping stone for access to the headquarters network.
The Fortinet Security Fabric, which offers out-of-the-box integration with over 250 third-party security solutions, enables CSPs to achieve single-pane-of-glass visibility and configuration management for security elements across their network. This enables consistent security policy enforcement, even in cloud environments, while speeding threat detection and response. Tight integration allows CSPs to minimize operational expenditure (OpEx) while meeting SLAs.
Fortinet solutions enable the latest in security orchestration, automation, and response (SOAR) capabilities. This strengthens a CSP’s security companywide and enables these enterprises to scale and address resource constraints by maximizing the effectiveness of available skilled personnel. Centralized security management enables enforcement of policies throughout the network and automated report generation for regulators, the C-suite, and the board.
Threat intelligence generated by artificial intelligence (AI) and machine learning (ML) at FortiGuard Labs is communicated to security devices in real time via the Fortinet Security Fabric. This provides comprehensive protection against known and unknown threats across the network, from an organization’s POS systems to its cloud-based infrastructure.
FortiGate next-generation firewalls (NGFWs), with corroborated performance testing by NSS Labs, offer the industry’s lowest latency. The highly efficient custom FortiGate application-specific integrated circuit (ASIC), as well as the world’s first software-defined wide-area networking (SD-WAN) ASIC, enables Fortinet to provide high-performance security at the WAN edge and throughout the network. Moreover, turning on advanced features such as secure sockets layer/transport layer security (SSL/TLS) encryption inspection does not impact network performance in speed or throughput. In addition, the FortiGate VM series supports packet acceleration technologies such as data plane development kit (DPDK), single-root input/output virtualization (SR-IOV), and Intel QuickAssist Technology (QAT), along with Fortinet virtual security processing unit (vSPU) technology, to deliver the best performance needed in CSPs’ data centers, whether on-premises or in a private or public cloud.