Hopefully no one…
The time has come where we can no longer trust anyone. Our subscribers must now be validated and verified continuously. With fraud increasing in many areas, a subscriber may not be who we think they are, and their behaviors may tell us that, but we still should be verifying everyone.
NIST published in one of their blogs “Never trust, always verify.” This is the basic concept behind something called Zero Trust, or ZT. The idea behind ZT is to implement verification checks everywhere within a network, and not at the network edge. This means internally checking and verifying everything as if we are expecting an insider threat.
Usually this gets done at the network layer, but it should apply everywhere within the enterprise. Employees should constantly be verified, and their behaviors be validated as well. If there is unusual activity by an employee, it could mean they have had their credentials compromised and a hacker is using their identity. If their usage of the telecom services has changed, that’s a good indicator that they have been compromised.
Subscribers should be verified in the same way. Not only should their credentials be verified, but their behaviors as well. If they suddenly show unusual activity or if they suddenly begin using services they haven’t used before, verify. It’s a classic sign of fraudulent activity and your fraud management system should detect this but take it a step further and verify all activity no matter how innocent it is.
That is what ZT is about. It’s not something you buy. It’s not a product. It’s a concept that gets implemented throughout the enterprise. The good news is you don’t have to implement ZT 100% right away. There are stages of maturity defined by NIST beginning with the standard approach using what you have, and gradually adding more and more capabilities until you reach an advanced stage of ZT. If you think you already have ZT implemented, add more.
ZT is more than a concept for carriers to implement. It is now becoming part of global policy. Governments around the world are citing ZT in their cybersecurity strategies, requiring carriers to demonstrate they are implementing some form of ZT in their networks and services. We will be hearing more and more about ZT as regulators get more involved in a company’s security posture, but the good news it you can begin now with what you already have, and expand as budget allows.
Author – Travis Russell, Head of the Cybersecurity Office, Oracle Communications.