Creating an effective automated security ecosystem in private cellular: ingredients for success
Setting up and maintaining a private cellular network can feel like doing a jigsaw puzzle with 10,000 pieces – and those puzzle pieces are scattered over 15 different tables.
Flipping back and forth between 11 different screens to manage the assets from 11 different router providers was par for the course at a utilities company that approached us a few months ago. That was in addition to their solution interfaces for firewall management, CMDBs, SIEMs, SIM provisioning, Mobile Device Management solutions and more. It was no wonder, they told us, that they could barely get to security policy setting and enforcement, certainly not in any detail. Those needed the big picture, and that picture was badly fragmented.
What pieces make up the asset management and security ecosystem for a private cellular network? Why is it so complicated to orchestrate everything – and what would you need to actually have a clear view of your enterprise cellular network?
Let’s take a look.
Device Onboarding and SIM card provisioning
SIM cards make cellular go ‘round. But SIM cards aren’t plug-and-play. First comes the all-important task of provisioning: registering your SIM card identifiers in your cellular core and in associated databases.
Adding a new device is usually an operational need, and today it requires effort from the networking or the IT team, which makes no sense at scale. In some cases the effort is even bigger, as it requires the core vendor’s or the network operator’s assistance. Provisioning means plugging SIM identifiers into your cellular core’s database (if it has an interface) or sending lists of identifiers to your cellular core provider (so they can do the manual work). Either way, the time it takes from opening a package of SIM cards to actually using them in devices is usually longer than you would like – and the more you scale your network, the more troubling an awkward process and the resulting time lag becomes. The pain is even bigger when it requires different processes and different platforms than those used on the IP network.
Asset management and orchestration
Private cellular networks can support a tremendous number of connected devices – and types of devices. From tablets and other mobile workforce devices to sensors and monitoring equipment, to SCADA systems, to fleets of autonomous guided vehicles… and that’s just the tip of the iceberg.
Effective security and asset management necessitates keeping track of every single one of these devices, along with what SIM card is currently inside it.
In some organizations, this is done manually with a simple spreadsheet. Enter the device identifier and the SIM card identifier, and you’re done. Well, that’s if you have a single device. When your assets number in the hundreds or thousands, just the initial creation of the asset logging spreadsheet can take days, or even weeks. And we’re not even talking about updating the spreadsheet when a SIM card is changed.
CMDB (configuration management database) solutions, especially those with some kind of automated asset discovery, can make keeping track of assets easier – although it largely depends upon the type of asset. Due to the lack of cellular-ready devices in many industries, often non-cellular assets are connected to your private cellular network through a cellular router. CMDBs cannot see behind routers, and so your ability to track large swaths of your assets may again depend on lots of manual work.
Keeping track of your individual assets is necessary for effective network operations and security. But it’s not enough. You also need to be on top of software updates for your routers and connected devices, to head off any downtime that could result from an undeployed bug fix or a security breach facilitated by unpatched vulnerabilities.
MDM (mobile device management) solutions address this issue at scale for mobile devices. Through an MDM platform, you can monitor your devices and software, check that they are up to date and run software updates at scale.
Router management and orchestration solutions enable you to check that your router software is up to date and orchestrate newly released updates to all routers. Additionally, they help manage which devices are assigned to which routers.
Spreadsheets, CMDBs, MDMs, router management solutions… the fragmented (and often manual) nature of asset management and orchestration in a private cellular ecosystem makes it that much more complicated to design and implement security policies for network assets.
Strong asset management is the foundation upon which you can build security policies. Then the devices and systems that implement the policies come into play: firewalls, Access Control Systems, and configurations of the cellular core itself are all instrumental in setting segmentation policies and blocking unpermitted network traffic and interactions that shouldn’t take place.
Also critical for network security are SIEM (security information and event management) solutions. These alerting tools gather information from all products and platforms used by the network and present it in one central location so security teams can easily consume it and respond.
Because private cellular networks have a different topology, identifiers and data structures than conventional enterprise networks, even gold standard security systems and controls are usually inefficient or insufficient in securing them.
Where private cellular ecosystem management needs some help
Let’s say that you find out about a software bug that is relevant to some of the surveillance devices your organization uses. The manufacturer is working on a patch, but in the meantime, you want to create a policy that restricts certain types of traffic to those devices. What do you need to do this?
Well, first you need to check which surveillance devices have the problematic software. So, you open up your MDM, find that brand of surveillance device, check the software version of each, and list the identifiers of the vulnerable devices.
Now search your asset tracking spreadsheet or CMDB for the device identifiers and note the associated SIM card identifiers. If all asset tracking is manual in your organization, you’ll have to hope that no one changed the SIM card within any of these devices and forgot to update the spreadsheet. (Your chances of running into that problem are a little lower with a CMDB, but it’s not unheard of, depending on if and how the CMDB explores your network and updates itself.)
You can now use the resulting list of SIM card identifiers to create a traffic-restricting policy. Phew – finally!
If these surveillance devices are actually non-cellular-ready devices connected to your network through a router, things get more complicated. You’ll probably need to go into your router management system to find what routers these devices are connected to, and often, you won’t be able to find this information at all unless it was manually registered. If you use multiple router providers, you may need to go through multiple interfaces until you track down the routers in question.
Then you need to define the policy that restricts traffic to the surveillance device. But what if you can only define policies on the router level (which is usually the case with standard network security tools)? What other devices are connected to that router? Will restricting traffic to them present an operational obstacle?
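The correlation walked through above, as an added example that is not OneLayer's or any vendor's code: it joins an MDM inventory, a CMDB device-to-SIM mapping and router assignments to produce SIM-level policy targets, the devices a router-level policy would also restrict, and the devices nobody can resolve. All device names, IMSIs, field names and the `plan_restriction` function are constructed assumptions.

```python
# Constructed sample exports; field names and values are assumptions, not any vendor's schema.
MDM = [  # device inventory with software versions
    {"device": "cam-01", "model": "SurvCam", "sw": "2.3.0"},
    {"device": "cam-02", "model": "SurvCam", "sw": "2.4.1"},
    {"device": "cam-03", "model": "SurvCam", "sw": "2.3.0"},
    {"device": "cam-04", "model": "SurvCam", "sw": "2.3.0"},
    {"device": "plc-07", "model": "LinePLC", "sw": "9.1"},
]
CMDB_SIMS = {"cam-01": "001010000000101", "cam-02": "001010000000102"}  # device -> IMSI
ROUTERS = {  # router -> its own IMSI and the non-cellular devices behind it
    "rtr-A": {"imsi": "001010000000201", "devices": ["cam-03", "plc-07"]},
}

def plan_restriction(model, bad_sw, mdm=MDM, sims=CMDB_SIMS, routers=ROUTERS):
    """Correlate MDM, CMDB and router data into policy targets for one vulnerable build."""
    vulnerable = [d["device"] for d in mdm if d["model"] == model and d["sw"] == bad_sw]
    behind = {dev: rid for rid, r in routers.items() for dev in r["devices"]}
    plan = {"sim_targets": [], "router_targets": {}, "unresolved": []}
    for dev in vulnerable:
        if dev in sims:                      # cellular-ready: policy keyed on its own SIM
            plan["sim_targets"].append(sims[dev])
        elif dev in behind:                  # reachable only through a router's SIM
            rid = behind[dev]
            entry = plan["router_targets"].setdefault(
                rid, {"imsi": routers[rid]["imsi"], "vulnerable": [], "collateral": []})
            entry["vulnerable"].append(dev)
        else:                                # no SIM or router record: needs manual lookup
            plan["unresolved"].append(dev)
    for rid, entry in plan["router_targets"].items():
        # Devices sharing the router that a router-level policy would also restrict.
        entry["collateral"] = [d for d in routers[rid]["devices"]
                               if d not in entry["vulnerable"]]
    return plan

if __name__ == "__main__":
    import json
    print(json.dumps(plan_restriction("SurvCam", "2.3.0"), indent=2))
```

The `collateral` list is the answer to "what other devices are connected to that router?", and `unresolved` is the set a stale spreadsheet or an unregistered router attachment leaves without a policy.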
Suddenly the unprecedented scale of assets enabled by private cellular networks seems like a liability.
How to create an effective, coordinated private cellular ecosystem
What if all of these systems were coordinated by one centralized solution – and you could find all this information from a single pane of glass? Even better, what if the solution itself could track the connection between SIM cards and devices, so you knew it was always up to date? Search for the SIM card and immediately see its current device and all relevant details. And what if it could even see behind routers and identify the individual non-cellular-ready devices connected to them?
It would also be wonderful if this centralized solution could use its big-picture view and detailed, automated, machine learning-based visibility to define security, operational and alerting policies – and then send them to the firewalls, the SIEMs and other network cybersecurity tools.
If you had access to a solution like this, it wouldn’t matter how many platforms and assets were contained in your private cellular network. One screen, one search – and all the information you need for security and asset management is right there in front of you, useable immediately to create and implement security and operational policies.
OneLayer was created to provide this level of private cellular ecosystem visibility and orchestration. Every day we see organizations that were throwing up their hands now feeling in control of their private cellular security and asset management.
One organization that springs to mind is a large manufacturer with multiple sites and thousands of devices per site. They were working with a Nokia cellular core together with a ServiceNow CMDB, MultiTech for router management, a Palo Alto firewall and Splunk as a SIEM (among other solutions and platforms). When this manufacturer was first in contact with us, the time required from provisioning a new asset to setting policies on it was SEVERAL MONTHS. Several months just to get a private cellular asset fully set up.
Once OneLayer gave them the big-picture visibility and a centralized place to orchestrate and automate the actions of different parts of their private cellular ecosystem, the time to full deployment of a new asset (including setting policies!) dropped to a few days.
So smooth coordination and orchestration of your private cellular ecosystem is possible – as long as you get all 10,000 pieces of your puzzle on the same table.
To learn more: https://onelayer.com/product/