Protecting Cloud-native Data Flows for Lawful Intelligence

Communication service providers (CSPs) realize significant agility and cost benefits from cloud and edge deployment models made possible by cloud-native network architectures. Edge computing consumes data close to its source, avoiding the latency and bandwidth requirements of data backhaul. Public clouds provide elastic capacity on demand while eliminating infrastructure requirements for headroom and redundancy. Cloud-native infrastructure across these modalities facilitates modernized practices such as DevOps and continuous integration/continuous delivery, which contribute further to CSPs’ operational efficiency.

Moving workloads from secured on-prem facilities to public clouds or relatively unprotected edge locations requires a re-conception of security measures. In these cloud-native networks, the perimeter disintegrates, leaving network functions potentially exposed. Physical isolation of equipment may also no longer be possible. Regulatory privacy requirements for lawful interception, which cover mediation and control traffic as well as the intercepted communications themselves, deserve particular consideration to ensure compliance.

Moving Outside the Locked Data Center

Traditional CSP environments provide substantial security advantages for lawful interception platform deployments. The facilities themselves are physically secure, with measures such as access control and video surveillance. Beyond those general measures, the lawful interception platform may be secured further, as in a locked cabinet, and it may also be behind strict zero-trust firewalls, if not completely air-gapped, preventing direct access from the internet.

Physical control over the equipment makes it possible to ensure that only cleared individuals have physical access to it, eliminating a large number of potential security exposures. Firewalls protect these systems, and best practices call for all connections to be initiated from the lawful interception platform itself, providing additional isolation.

Virtual private networks (VPNs) or encrypted tunnels are typically used to communicate between law enforcement agencies (LEAs) and CSPs. In this traditional network scenario, sensitive traffic can be passed in the clear over fiber to a VPN gateway in the same locked cabinet as the lawful interception platform, without exposure to outside entities. The underlying operating systems on this equipment can be locked down and hardened for their specific roles, without security exposures from extraneous services.

By contrast, none of these protections are available when lawful interception deployments are extended to include the edge or cloud. When moving network functions outside traditional data centers, CSPs must maintain their security postures in less-controlled environments.

Control over Visibility and Physical Access

As CSPs realize the opportunities for cost savings and low-latency services, they push resources farther out to the network edge. That shift requires increased reach in the deployment of lawful interception services, and the increased footprint carries increased protection requirements. Particularly at small sites far out on the network edge, equipment may be physically vulnerable compared with equipment in traditional controlled facilities.

Those same CSPs stand to gain significant cost, scalability, and related advantages by making use of infrastructure-as-a-service (IaaS) from public cloud providers. In those topologies, administrators at the cloud provider rather than the CSP have physical access to systems, and control over that access. From a regulatory standpoint, CSPs must adapt to these circumstances, including providing auditable protections of these systems in the absence of physical isolation.

Likewise, the containerized workloads in cloud-native environments use the operating system provided by the underlying infrastructure, making it impossible to lock that operating system down for the limited needs of a lawful interception platform. The containers inherit the security exposure and attack surface of the underlying environment, and CSPs sacrifice system-specific hardening capabilities.

Looking to an Ecosystem Approach

The lack of physical control over the environment in edge and cloud deployments means that lawful interception data must not pass over the wire in clear text, i.e., unencrypted – even over a direct connection between two systems. Still, real-world lawful intelligence platforms must communicate with a wide range of network elements, both provisioning them with sensitive information and receiving sensitive information from them. That requirement illustrates the need for truly pervasive encryption in lawful interception traffic flows.

Those encrypted interactions require all of the network elements that touch lawful intelligence functions to be capable of handling the encryption in use, and many will need to be upgraded to do so. CSPs need a structured approach to mitigating the complexity and risk on that path to interoperable encryption, including optimized security, vendor flexibility, and future-readiness. SS8 is providing industry leadership on that front, working across the ecosystem to add encryption where it is lacking, remove vulnerabilities from older encryption methods, and upgrade to the most current protocols, such as TLS 1.3.

Longstanding industry relationships are invaluable in this effort, as is the granularity of those relationships, which typically extend to multiple product teams at each equipment maker. Collaborations are a key means for SS8 to aid the ecosystem according to best practices the company has developed over more than two decades of leadership in lawful intelligence. Those relationships provide a mature foundation for CSPs to build on as they modernize and secure their networks to take full advantage of the edge and cloud.

About Dr. Cemal Dikmen

As SS8’s CTO, Cemal plays an integral role in the company’s strategic direction, development, and future growth. A renowned expert and thought leader in the legal compliance and communications analysis domain, he has been a frequent speaker at various industry conferences over the past 10 years. Cemal holds BS, MS, and PhD degrees in Electrical Engineering. You can learn more about Cemal on his LinkedIn profile.

About SS8 Networks

As a leader in Lawful and Location Intelligence, SS8 helps make societies safer. Our commitment is to extract, analyze, and visualize the critical intelligence that gives law enforcement, intelligence agencies, and emergency services the real-time insights that help save lives. Our high performance, flexible, and future-proof solutions also enable mobile network operators to achieve regulatory compliance with minimum disruption, time, and cost. SS8 is trusted by the largest government agencies, communications providers, and systems integrators globally.

Intellego® XT monitoring and data analytics portfolio is optimized for Law Enforcement Agencies to capture, analyze, and visualize complex data sets for real-time investigative intelligence.

LocationWise delivers the highest audited network location accuracy worldwide, providing active and passive location intelligence for emergency services, law enforcement, and mobile network operators.

Xcipio® mediation platform meets the demands of lawful intercept in any network type and provides the ability to transcode (convert) between lawful intercept handover versions and standard families.

To learn more, contact us at info@ss8.com.
