Monday, September 3, 2007

Security of MVNO and MVNE

Q: I'm interested in deepening my understanding of the threats and risks connected to the deployment of MVNEs (Mobile Virtual Network Enablers) in an MNO (Mobile Network Operator) environment. If you have concrete experience in this area, I ask you to share the most important aspects an MNO should consider for the deployment of MVNEs.

A: A very important question. I am not from the TelCo world, but here is my view as an information security professional.
The answer depends on the deployment type. If the MNO keeps its existing services in house but offers MVNE services to MVNOs, proper segmentation and segregation of roles are the key points.

If the MNO replaces existing internal operations, or acquires new functionality, through MVNE-based offerings, the security picture is more complex. I will not discuss the specifics of that scenario, since they depend on the MNO's own infrastructure.

For security controls on the MVNE services offered to MVNOs, I do not think that any MNO has the means to differentiate the virtual service provider's traffic at the field (Base Station) level. Base stations are trusted by the authentication stations and service gateways. I think it is okay to assume native GSM security is sufficient. MVNO and MNO users will basically have the same level of security. This will be the least expensive way for the MNO as well.

Here are the possible problem points for MNO/MVNO/MVNE type of deployment security:

User Space:
1- Any existing application/feature that is based on handset properties will not be valid for MVNO users (SIM-based applications, Java applications such as payment/banking, or client-based applications such as content players). Handsets will basically be out of the MNO's control, so it is good practice for the MNO to have a solid disclaimer at the initiation of the project.

2- The MNO will still be able to identify, authenticate and authorize all end users by SIM. I will not discuss how secure this is, but MVNO users will be as secure as MNO users. The MVNE will not utilize any new services but will need to access MNO resources; that communication must be managed.

Backoffice:
3- As stated above, the biggest concern will be the provisioning, performance and utilization of the infrastructure (basically, how to share it). The links between MNO and MVNE systems, especially messaging and data access, must be regulated. Physical segmentation with proper audit trails would be nice. The MNO must have very clear visibility into MVNE operations, and the MNO infrastructure should support multiple MVNEs for both business and technical reasons. Capacity planning will be very complex. QoS, VoIP and RSVP will be the tough words. But that is more of a deployment question than a security one.

4- Backoffice service gateways, especially IP security systems (e.g. proxies, LDAP, GPRS firewalls, URL filters, spam gateways, email/SMS gateways), are capable of supporting multiple providers. This won't be a main security issue. Check support for virtual instances on these gateways (e.g. virtual firewalls). MNOs can cross-sell their existing gateways to MVNEs, or buy services from MVNEs for their own users. The security deployment should be structured; I do recommend following a framework like ISO 27001 to verify that all controls are in place.

If the architecture and the scope of the services are listed, it is possible to elaborate more on the specific controls.

cheers,
- yinal
