Telco managed cybersecurity: incorporating cloud native application security

While the move to cloud native is a top priority for many enterprises, it introduces new security risks. There are individual solutions that minimise this risk, but a unified platform can offer a holistic approach. Telcos could strengthen their offerings by incorporating such platforms into their managed security services.

Telcos have entered the enterprise cybersecurity space

Many telcos are attempting to take on the role of digital transformation partners to enterprises through subsidiary companies such as BT Global Services, Orange Business Services, T-Systems and Telefónica Tech. Rather than just providing networking, these telcos offer products and services (managed or professional advisory) across various IT domains such as cloud, digital workspace to support hybrid working, IoT, data analytics and cybersecurity. In this article we look at telco cybersecurity services for enterprises.

Many telcos now offer managed Secure Access Secure Edge (SASE), a term coined by Gartner to describe a collection of security solutions combined with SD-WAN into a single platform delivered from the cloud and managed centrally. SASE offerings typically include Firewall as a service (FWaaS), Cloud Access Security Broker (CASB), Zero Trust Network Access (ZTNA) and Secure Web Gateway (SWG), which we cover in more detail in our article on SASE.

SASE ultimately secures access to workloads. This is important in the context of the move away from traditional hub and spoke network architectures to more decentralised networks, a trend which has been accelerated by the rise in hybrid working. Telcos have partnered with SASE vendors and are enhancing their solutions by offering a managed service layer (see more detail on what partner solutions telcos have deployed in our April 2023 Telco Cloud Tracker update). A managed service is particularly attractive for enterprises that lack the internal resource or desire to manage their security in house and prefer to outsource management to partners such as telcos that can leverage their IT and networking expertise and large workforce.

There is a growing need to protect cloud native applications

Providing secure networking through managed SASE is a valuable proposition and a natural cybersecurity entry point for telcos, however, those looking to provide a more extensive security service should consider supporting enterprises to develop, deploy and manage cloud native applications securely, too. In other words, rather than just protecting the perimeter and access to cloud applications, security services should also cover the applications themselves.

Moving business application workloads to the cloud is a key priority for most enterprises. Gartner predicts that 95% of new application workloads will be developed using cloud native principles by 2025. However, many enterprises don’t fully understand cloud native. A 2022 survey from OutSystems found that only 47% of IT decision makers and leaders surveyed truly understand cloud.

See how STL can help you grow your enterprise revenues

Our Growing enterprise solution covers how operators can adopt B2B2X business models to address changing enterprise needs in 5G, private networks, IoT, analytics and more.

Book a demo

The gap between the aspiration to migrate to cloud and the capability to develop cloud native applications carries two main risks:

a slower cloud native application adoption than predicted, or
the development of cloud applications that are poorly configured, exposing the enterprise to security risks. For example, cloud applications may be deployed with misconfigurations e.g. excessively permissive cloud access, which can be exploited and lead to a security breach. According to Fugue’s ‘State of Cloud Security 2021’ report, 36% of cloud professionals say their organisation has suffered a cloud data breach in the past 12 months with the main cause being cloud resource misconfiguration.

There is a clear need to support enterprises, particularly small and medium enterprises (SMEs) that typically have less resource than larger players, to develop ultra secure cloud native applications.

Telcos should address cloud native application security challenges with a holistic platform

Cloud security suffers from a similar problem that can be found throughout the cybersecurity market: a plethora of independent security solutions from different vendors that all address a slightly different niche. Gartner has once again coined a term for an application that combines various solutions into a single platform, Cloud Native Application Protection Platform (CNAPP).

The exact solutions included in each CNAPP product vary between vendor, but they all include:

Cloud Security Posture Management (CSPM)

CSPM solutions continuously monitor the cloud environment to identify and remediate cloud misconfigurations to mitigate risk and uphold compliance standards. CSPM solutions not only offer visibility and alerts but also aid remediation, either through fully automated remediation or by providing remediation guidance to security professionals.

Infrastructure as Code (IaC) Scanning

To reap maximum benefit from the cloud, many cloud workloads manage and provision cloud compute resource through code rather than manual processes. Infrastructure requirements are specified, and workloads can be dynamically deployed to any servers that meet these requirements. However, IaC can introduce vulnerabilities through misconfigurations which can cause widespread security risk if vulnerabilities are propagated across many workload deployments. IaC scanning solutions analyse IaC builds and identify misconfigurations and assist in their remediation.

CloudInfrastructure Entitlement Management (CIEM)

A CIEM manages and controls access to resources in the cloud based on a user’s permissions, privileges and entitlements. These access rights are applied across all cloud environments from a central control point and ensure the least privilege principle is upheld, i.e. users are only allowed access to the minimum system resources and authorisations that they need to perform an action.

CloudWorkload Protection Platform (CWPP)

Secure a wide range of cloud workloads, for example, containers, virtual machines and serverless functions. Similarly, to CSPM platforms, CWPP’s monitor, detect and remove threats and vulnerabilities, however CWPP’s monitor the software itself whereas CSPM platforms monitor for cloud misconfigurations and compliance issues.

CNAPP aims to provide end-to-end security for cloud native applications throughout their lifecycle, from development to production. Applied correctly, CNAPP truly supports DevSecOps (see figure 1).

Figure 1: A CNAPP contains security solutions that together address the entire application lifecycle

Similar to the benefits of SASE, CNAPPs offer the advantage of consolidating multiple security solutions into a unified platform. This provides organisations with a single pane of glass management, reducing complexity and improving the efficiency of security teams. Additionally, CNAPPs secure a wide range of cloud workloads, including containers, virtual machines, and serverless functions across any cloud infrastructure, allowing organisations to maintain continuous visibility in a heterogenous environment. Finally, through constant threat monitoring throughout an application’s lifecycle, from development to production, organisations can enhance their overall security and confidently embrace cloud technologies while mitigating risks.

SASE and CNAPP are complementary and together provide a robust defence

SASE and CNAPP address different aspects of cloud security and together provide a comprehensive and robust security framework. While CNAPP provides application-level security for cloud native environments, SASE focuses on network-level security and connectivity. CNAPP secures cloud workloads, while SASE secures the access to them, as well as other resources such the internet. Telcos that aim to strengthen their offering and support enterprises in addressing cybersecurity challenges should consider adding a CNAPP to their portfolio.