OSS/BSS: A Holistic Approach 

Telecom companies today, need to provide a secure and available set of
services to businesses and consumers even as they open up their once closed
operation support systems (OSS) and business support systems (BSS) allowing
customers to pay their bills online, register complaints, book services and
other value-added services (VAS). Today, the cost of a security incident to a
telecom company’s reputation and market image is very high.

However, most telecom companies continue to struggle with security. Digital
security often depends on the perspective of individuals based on their
respective roles and often this perception varies from application developers,
product vendors, IT users and the management. A key lacunae, which makes telecom
infrastructure exploitable is the lack of a holistic/standardised overview of
security and a piecemeal implementation of security measures that are usually
‘technocentric’, with people and practices having not much importance.

For a proper telecom perspective three major security requirements should be
considered.

• Services are reliable and prudent measures have been taken to ensure their
  continued availability
• Security management conforms to global standards and best practices
• Critical business systems (OSS and BSS) are secure and available

OSS/BSS Security

Unlike industries, which rely on manufacturing facilities to produce goods,
telecom companies rely on networks and IT systems to provide services. This
makes the infrastructure susceptible to security risks–primarily related to
availability of customer services and revenue generating components of the OSS/BSS
systems like billing and customer care. Some of the key risks that affect
telecom security are

• User misconfiguration/mistakes
• Lack of a comprehensive practice of building security at the design stage.
  This risk is more when legacy systems are integrated with newer systems
• Impact of malicious code–worms and viruses to their core infrastructure.

• n Existing vulnerabilities in computers, operating
  systems, applications and networks, and the increased complexity of OSS and
  BSS environments.

• Low security awareness and lack of a trained security
  team

The billing process normally involves a call detail record
(CDR) generated at the switch. It is picked up by the billing-mediation system
over a WAN. Also the billing mediation system formats, validates, verifies, and
transfers the CDR to the billing system. The billing system rates, prices and
generates the bill. The billing system, in turn, may refer to a customer
database for customer-specific information.

There are some security issues that arise within the billing
process.

• Maintenance of the integrity of the CDR as it flows from
  the switch, to billing mediation, to the billing system and finally to the
  storage

• Proper configuration at all intermediate applications to
  ensure that the CDR is processed under valid business rules and in an
  appropriate and consistent manner

• Audit trails and logs for end-to-end reconciliation of
  CDRs

• Availability of downstream system in time to avoid CDRs
  of the previous month to arrive with this month’s bill

• Proper authorisation and access control for key
  data-screen menus. In some cases, dual control for updating critical tables.

• Backup of Data

A security program needs to appreciate the end-to-end nature
of security and the need to institute a holistic solution involving technology,
people and process. There are four major constituents to this approach.

Application Security

Each OSS/BSS application has an individual identity, function and importance
and is vulnerable to different threats. It is therefore important to understand
each application, its role in the business process, determine the key risks and
take appropriate security counter measures. In general, security controls apply
to applications like password management, access control, data validations and
back-up/recovery.

Business Continuity and Disaster Recovery

Telecom companies need to ensure that a well-planned and rehearsed business
continuity and recovery plan is in place. The recovery of the OSS and BSS
systems is important and helps to minimize losses in revenues, customer
confidence and the organisation’s ability to compete effectively in the long
term. The key objectives should be:

• Limit the extent of disruption to key business functions
  and processes

• Ensure that the disaster recovery site is functional and
  available

• Develop systems and specifications to ensure adequate
  fault tolerance and redundancy

• Reduce losses during a disaster

• Ensure quick resumption of BSS and OSS systems such as
  fraud and billing mediation

The development of a robust business continuity plan and
disaster recovery plan involves a business impact analysis of business units and
functions to identify critical OSS and BSS systems, processes, and functions.
Disaster recovery is a costly affair for telecom companies and needs to be
budgeted and designed into the solution. Designing for realtime OSS and BSS
recovery is complex and requires expertise.

Disaster recovery is normally built up at each stage of the
architecture including at the exchange level, regional level, and data-center
level. Common recovery strategies that can be employed are:

Backup and Recovery: Data from the primary site
(processing centre) is backed up and transferred to the disaster recovery site.
The system should also be designed to ensure that the users’ and CDR data flow
to the disaster site can continue over alternate paths.

Redundancy: It is used to share the processing load
over more than one application server. In the event of failure of any
application server, the other can act as a backup.

Fault tolerance: This can be built into applications
and servers through the use of multiple processor platforms, server clusters,
dual components, and high availability raid solutions.

IT Infrastructure Security

IT systems and processes form the core backbone on which the organisation
runs. Creating a security framework for the IT infrastructure has two main
components–information security management and network security.

Information Security Management: This comprises a set of
practices and controls, which if properly implemented, ensure minimum
unintentional and intentional security breaches. One of the leading standards
for this is the BS7799.

Network Security Framwork: It comprises security products and
configurations to secure various network elements, servers, links and databases.

Company-wide Deployment and Maintenance

The management of the OSS/BSS environment is a large and complex task. It is
important to adopt a company-wide approach to ensure that all deployments or
modifications of OSS or BSS systems as well as their operations are consistent,
properly implemented and administered. There are three major phases in this.

• Assessment of security requirements and risks faced

• Preparation of model security guidelines and procedures

• Periodic reviews or a compliance audit for proper
  implementation/functioning

As OSS and BSS infrastructures continue to evolve in
complexity and technology, it is imperative for telecom companies to design a
comprehensive framework for securely managing OSS and BSS infrastructure and
deployments with help from internal security teams or expert consultants.

Lucius Lobo

e-security consulting Mahindra-British
Telecom Ltd