Reliance Jio CISO cautions telcos on 5G risks, urges more funds in cyber security
Indian telecom operators need to make more investments in ensuring that security is built into all of their products, especially in the 5G scenario, Reliance Jio's chief information security officer, Brijesh Datta, tells ET's Danish Khan. Edited excerpts...
How can 5G help us combat/tackle security-related issues in India when it comes to networks?
One major problem that you would notice these days, both for consumers and for enterprises: let's say I give the consumer a SIM and you were to use that for data connectivity at home, and similarly, let's say I give a connection to an enterprise and ask you to prepare yourself. These days, most people build their protection themselves.
The telco is not going to provide you any protection, so if you want to save your data from getting stolen from your mobile, you're asked to download antivirus software on your mobile. If you want to use your laptop and connect a dongle with a SIM card, you must have your own anti-virus and your own firewall on. If I were to ask the consumer to protect himself, yes, he can do that, but he cannot depend on the telco, for instance, to provide him with stuff like network protection or parental control. You have a family and you want to keep that kind of functionality, that you don't want anybody to misuse, what do you do? Now the modern-day 5G technologies like NFV and SDN can really help.
These technologies are already there in the cloud space. Now with NFV it becomes very simple for a network operator to give that functionality to the network itself.
In the era of modern hardware, if I were to give that functionality to enterprises, which might have different requirements, I would have to buy different kinds of hardware to cater to an individual need. However, if one were to use virtualization technology, I can give services like firewall on demand to an enterprise, parental controls on demand with policies that can be controlled, and all of that can be virtualized. These all will come with 5G.
Similarly, with 5G we keep hearing about a massive number of sensors with IoT. For example, an industry has got 100,000 sensors, all connected to a platform that manages them. A telco comes in here to protect those sensors.
Imagine having to build a security control in every sensor. It becomes a mammoth effort because it would drastically increase the cost of that sensor and one does not want that. A telco can use NFV to quickly offer the right kind of protection which is flexible. You talk about firewalling, malware control, load balancing, intrusion protection - all of that can be offered by the network itself with the technology that is going to come with 5G.
How crucial has it become for telcos to invest in security solutions to tackle all these threats? We have seen a lot of hacks happening globally, telcos are being affected, so how do you see telcos currently combating your threats, and what steps are required to shield yourself from future, more sophisticated hacks or threats in the coming months?
Telcos usually have to protect a number of fronts where customer data resides. For example, one has to protect the channel itself, the network, and the infrastructure, which is the billing and customer care systems. We telcos are fortunately at the forefront of security, primarily because we are heavily regulated and there is a lot of private information there. So there are a lot of controls in every telco, without exception, for example, to protect against volumetric attacks - we have got DDoS, which only the telco can provide. Besides that, we have a number of controls to protect customer data as well.
Going further, as I said, we are going to offer more products as close to the customer as possible, which is called at the other network edge, and that is where virtualization comes in. For instance, you would have seen Jio offers most of the content, like videos, on clouds on a CDN which are very close to the customer. Similarly, going further, we will be in a position to offer security controls to our customers as close as possible and from the network area. So, that is the forward part that I've seen in 4G which is going to be a help.
Do you see the need to increase awareness about security threats among customers?
You must have heard that we, along with CERT, have already launched the Cyber Swachhta exercise. Jio is very prominent in that. Anytime we get an alert that some customer's SIM is infected, we send out alerts along with certain 'please visit website' content, and download whatever malware controls you need and tools also. So, we are doing our bit to increase awareness among customers. That is one, and secondly, since you talked about protecting customers, one more very important point that customers need to be aware of going further is when you have IoT devices invading your homes. Then, there will be other connected devices. You can imagine the kind of private information that will be available out in the open. If you have IoT within your homes, which are all hackable devices, or potentially hackable, then customer awareness becomes crucial for them to understand that they need to have full control over what they are going to offer.
Presently, you've seen a lot of privacy features happen where people will give away their information, then they accept to give away whatever you want of your personal data, your contacts etc. But this is going to increase dramatically once you have IoT invading homes with wearables, sensors etc.
With increased focus on the enterprise segment, do telcos need to up their game to support enterprises with their services and with required security?
This is the beauty of having NFV and SDN. For instance, let's take a typical enterprise which has its own firewall and own mail servers, and if it gets attacked right now, not all volumetric attack, its main servers will get flooded, what does it do? Some human has to go and put a rule in its own firewall. Tomorrow, with NFV and SDN coming in, we will be in a position to offer a similar virtualized service which can be controlled by the system administrator, and at the touch of a button you can mitigate any attack only to his mail server, for instance. These offerings are called clean pipe services.
They are already there, people have come out with proprietary technologies, but with standardization, which is going to come through 5G, it's going to become easy for us and it's going to be a good proposition for telcos to offer to enterprises.
Do you think that regulators should also look at the security aspect when they define 5G/ regulations for 5G?
Yes, I think security will be a very important part as it has been. For example in the erstwhile IMT standards, and there is 2020 itself 2G/3G security groups are already working a lot in full recognition of the fact that with any new technology comes a lot of risks, so it's going to be there, it's going to be part of the standard itself and definitely it is going to be in the regulations.
What are the trends in that sector?
The latest trends are changing. Earlier we used to have people who used to hack for increasing their own reputations, script kiddies, how to make a point; these days it is mostly about money. And, it is going to increase more and more. For example, the first avatar we have seen of ransomware where a hard disk gets encrypted, the second thing we saw recently, where Uber had to pay out money to release their data. This is a trend that is going to go up because the underground has realized that this is a good way to make money. So, one needs to be now very careful because now you will have a lot of resources pumped into cybersecurity threats.
We need to be putting more and more money towards making sure that security is built into all our products. 5G's bandwidth will easily flood servers. Earlier, in case you want to launch a volumetric attack, you will need to harness the power of a botnet of 10,000-odd servers because an individual really has that kind of bandwidth at its disposal. Imagine with 5G you have every individual going around with 1 Gbps worth of bandwidth at his disposal. The servers are not scaling with the same power. So, those attacks will become more and more drastic. These things need to be looked into very closely. Now, our investments and security really need to go up.
How important are partners for telcos in the security space? And do you take the partner-led approach to combat threats?
You see, what's happening now is more and more telcos are getting virtualized. Now the difference between IT and telco is reducing. Earlier, 15 years back, we used to have cross-connect switches or exchanges; now everything is IT system/ server. For example, the compute nodes, the storage nodes, the networking nodes, they are all the same. You talk about Amazon cloud, Google cloud or a telco infrastructure. Ten years down the line everything is going to be similar. So, the skill sets needed are getting more and more common. So, it makes perfect sense now for us to leverage the existing skills that are on cloud service providers, security service providers who are helping clouds, to work together with telcos and secure infrastructure.