Addressing evolving cybersecurity threats within virtualized and software-defined telecom infrastructures
Synopsis
Many of the traditional approaches to security in telecommunications networks assume that the network is 'confined' within certain boundaries, and measures such as defining the perimeter of security defenses, privileging certain traffic types, and adding extra layers of security (deep packet inspection, traffic anomaly analysis, and sophisticated intrusion prevention systems) have been developed to deal with external threats. In a virtualized and software-defined infrastructure, however, these traditional approaches become less effective: they were designed to operate at the macro level of communication, while many of the security risks arise from resource sharing at the hardware level. In such a context, resources that traditionally operated as physically separated and therefore genuinely isolated are replaced by software running over standard hardware and standard protocols. This increases the risk of snooping, data leaks, identity masquerading, information tampering, and denial-of-service attacks.
This paper focuses on how a virtualized and software-defined infrastructure can be attacked and on the consequences of such attacks for critical communications, pointing to the lack of a coherent security approach for this scenario. It shows that many of the threats stem from the limited use of cryptographic security mechanisms. The full deployment of built-in security can be made far more manageable and less expensive than coping with the sheer volume of attack attempts. It rests on the integration of carrier-grade encryption, service grouping with inter-service isolation, traffic separation, and centralized control based on a dedicated management plane, which should include not only the capabilities to manage security elements but also policies and processes specific to security.