With Telecom APIs on the Rise, Access Security becomes an Imperative
By: Orhan Yildirim
The global market for Telecom API, estimated at US$170.3 Billion in the year 2020, is projected to reach a revised size of US$435.6 Billion by 2026, growing at a CAGR of 16% over the analysis period, according to a recent report by Global Industry Analysts Inc.
Privileged Access Management solutions can help avoid security breaches that may keep the telecom industry from optimizing this rapidly growing, high-value business.
The Telecom API market includes the API services provided by telecom carriers, service providers and aggregators to their application designer customers generally building mobile applications. Telecom APIs, consumable via Communications-Platform-as-a-Service (CPaaS) offerings, make it easy for application designers to coordinate different data sources that add value to their applications. Administrators, for example, can subscribe to services to enable everything from location-based services through GPS information, to payment integration, voice, messaging and video capabilities, SMS and WebRTC-based features and more.
API-based services pull valuable data from the CSPs into applications, making them more intuitive, useful, and friendly.
Applications like Waze consume billions of bytes of real-time data every day, delivering directions and much more to drivers, bicyclists, and pedestrians, and leverage an advertising model to monetize.
Telecom APIs provide endless creative possibilities for product designers. With the explosion of the Internet of Things (IoT), this is only going to grow and provide a massive revenue stream to operators and service providers wishing to monetize the transformation of their networks, including into 5G.
What are the potential pitfalls?
Security is going to be paramount, and the time to think about its implications is now. While some developers will claim security is built into APIs, that is not always true.
A major concern associated with opening telco APIs for calls and messaging to developers is malicious and fraudulent usage; telecoms started to invite developers to build new revenue streams from value-added services, but their core networks and security systems were not built for such usage. Telecom equipment is inherently insecure only because it has been traditionally hosted behind vaulted doors.
Adding to that, the culture within CSPs and large enterprises is conservative by nature, and understandably so. Even for the internal IT organization of a telco operator, it has traditionally been difficult to access the core network. Now, with software-defined networking and the promise of such new revenue opportunities, network architects and CISOs, together with their product teams, are designing means to build new offers, but they must do so without compromising their main infrastructure assets, where a breach would result in catastrophic business losses.
Many of the same security technologies still apply in this case, but they are utilized in more elegant and modern ways.
Today, the basics of securing APIs must include:
- Authentication, Authorization and Accounting/Auditing of apps accessing telco APIs
- Encryption of IP network protocols via HTTPS, SIP TLS, DTLS/SRTP
- Network Firewalls
- Intrusion Detection Systems
What is needed, and what Ironsphere offers today, is a comprehensive Privileged Access Management solution with extensive modules designed from the ground up to support multi-cloud, multi-application, multi-network Telecom API solutions.
Most modern Telecom API products offer adequate security support, including those around new standards such as WebRTC, which is continuing to grow at a steep pace. This is shifting more of the communication traffic from insecure telco infrastructure to the public Internet with private networking software overlays, and new methodologies associated with session management. But that is a transition/transformation that will take years.
Let’s be real: Telco operators have a high growth area of opportunity with opening their APIs but inherently still are in a very mixed environment of diverse communication networks and clouds, making this an ideal playground for malicious developers who can wreak havoc across massive networks, initiate attacks into apps which can pivot to whole systems and databases, and more.
The roles and responsibilities of administrators are also ever-evolving as they support complex integrations and ecosystems, the likes of which have not been seen in recent history. The whole opportunity is quite exciting, and it is in fact going to drive billions of dollars in revenue and profits, as forecasted by many industry analysts.
Whether protecting from unintentional or intentional internal threats, or locking critical infrastructure down from external attacks – to fully benefit from the Telco API economy, as a service provider or an apps developer – ensuring a solid PAM strategy and platform are in place will make the management of innovation and the long-term growth of new services not just a probability, but a reality.
Ironsphere is ready to support Telcos today in their API journey with its E2E comprehensive PAM SW suite.
Regulatory compliance is becoming harder, and IT security teams responsible for protecting networks, systems, data, and other assets are being hard-pressed to keep up with increasingly strict regulations, which are in place for all the right reasons – but can be daunting.
According to a Deloitte “Third Party Governance and Risk” report, 83% of organizations experienced a third-party incident in the past 3 years, 11% of them with a severe impact and 35% with a moderate impact on customer service, financial position, reputation, or regulatory compliance.
The impact of the global pandemic has brought the requirement for more intelligent, sophisticated threat analytics, given the damage being done as attacks on networks, applications and databases increase, and new threats surface that could take down entire mission critical systems, including those which are needed more than ever in times of medical and environmental crises.