Improving Security Management for Mobile Operators

By Christos K. Dimitriadis, Ph.D., CISA, CISM Mobile operators are organizations that provide telecommunication services over a cellular interface. The mobile industry initially consisted of infrastructures that provided voice and very limited data services through mobile phones. Modern mobile operators provide a wide range of multimedia data services, including video-on-demand and mobile Internet access. This transformation created new demands in service provision, requiring enhanced versions of supporting services such as charging, billing, roaming, interworking and addressing, along with the necessary security services for protecting information confidentiality, integrity and availability. As a result, the infrastructure of modern mobile operators consists of a number of heterogeneous systems that host critical information in many forms and are usually handled by complex information technology (IT) governance systems. This article aims to present existing problems in the security management systems of mobile operators, as captured by extensive security assessments conducted in a number of major operators. It presents difficulties in the implementation of international IT governance and security management standards, focusing on sharing experiences and proposing solutions to existing security issues in the specific environment of mobile operators, following the fundamental principle that security in practice is based on the knowledge we have regarding the vulnerabilities applied in a specific environment. 3 The Mobile Operator’s Environment The multitude and magnitude of systems that process or store critical or legal sensitive data in combination with the fast infrastructure upgrades define an environment with important challenges for managing security. Figure 1 presents a simplified overview of a mobile operator’s infrastructure. A typical third-generation (3G) mobile operator’s infrastructure, based on the Universal Mobile Telecommunications System (UMTS), consists of three main components: the UMTS Terrestrial Radio Access Network (UTRAN), the core network and the corporate network. The UTRAN is a collection of systems (including the antennae and their controllers, among other systems) that provide access to the subscribers through their mobile phones. The mobile core network serves traffic switching and signaling for voice and data mobile connections, linking the UTRAN with other voice and data networks, including the Internet. The mobile core network hosts a number of critical systems, including the gateways for voice and data service provision, as well as databases that hold subscriber data. All of these systems contain sensitive corporate or subscriber information. The corporate network indicatively hosts the billing system, which collects call detail records (CDRs) from various core network components—usually through a billing gateway, the enterprise resource planning (ERP) system, the fraud detection system, the data warehouse system, systems for subscriber management and customer relations, and other systems supporting the business functions of the mobile operator. Most of these systems handle critical