NSN White paper December Nokia Solutions and Networks Network security - An imperative for the global economy

Transcription

1 NSN White paper December 2013 Nokia Solutions and Networks Network security - An imperative for the global economy

2 CONTENTS 1. Executive summary 3 2. Introduction 4 3. General Trends that Impact Network Security New Threats New Challenges for operators Telecommunication Network Solutions 7 in Industrial and Rural Sectors 3.4 Network Equipment in Residential and 7 Public Areas 3.5 Smart Objects and Internet-of-Things 8 (IoT) 3.6 Impact of Virtualization and Cloud 8 Computing 4. Selected Technical Trends and Challenges 9 for Network Security 4.1 Ubiquitous Access Security Advanced Network Management 10 Security Functions 4.3 Software Integrity Cryptographic SW Integrity Protection Trusted Computing Mechanisms Backdoor Detection Unwanted Traffic Malware and Botnets Regulatory Framework Overall Challenge: Privacy versus 15 Public Safety 5.2 Lawful Interception (LI) Critical Infrastructures Security Compliances 16 Page 2

3 CONTENTS 6. Nokia Solutions and Networks Security 17 Approach 6.1 General Product Security Security Solutions for operators Security Solutions Security Consulting Integration and Care Summary List of Acronyms Executive summary Tomorrow s network security offers both challenges and opportunities. A key challenge is to adopt the Internet model for ubiquitous connectivity and five billion people. This must be realized while maintaining a high level of security that ensures smooth operation of communication networks. Another major challenge is the need to balance user requirements for privacy and anonymity with regulatory requirements. On the other hand, tomorrow s network security will provide the basis for many new communications and collaboration applications and secure communication networks will play a pivotal role with regard to public safety. It is therefore hard to overstate their importance to the global economy. Nokia Solutions and Networks (NSN) creates and markets solutions that deliver advanced security features for end users, enable the smooth operation of carrier networks, and protect what has become part of the critical infrastructures of our society. This paper outlines the security aspects of NSN s vision of tomorrow s connected world. It looks ahead to the year 2015 and analyzes security-specific trends as well as their impact on network developments and market requirements. Page 3

4 2. Introduction In future we will increasingly rely on the exchange of information via open, IP-based telecommunication networks. This development will place new, sophisticated requirements on these networks, for example: They will carry much larger volumes of information than today. This comes via millions of new customers of operators as well as the new bandwidth-hungry applications. Networks will therefore grow in order to accommodate the additional traffic, and new architectures will be needed to enable ubiquitous connectivity for multiple access types (fixed, wireless, mobile, etc.). In particular, sophisticated devices like smart phones will pose additional requirements related to mobile internet access. These developments will expose carrier networks to more security threats. At the same time, the potential damage caused by successful attacks will increase, as more and more businesses and applications will depend on network services. Tomorrow s networks will therefore become an increasingly attractive target for cyber-crime and cyber-terrorism. In turn this means that the protection of carrier networks against will become an important success factor for the global economy. In addition to ensuring network availability, maintaining user privacy, confidentiality and the integrity of communication processes will become increasingly complex. And the requisite security solutions must also balance these market requirements against regulatory requirements like law enforcement. This paper details the security challenges and the necessary security functions for tomorrow s communication networks. Chapter 2 analyzes general trends and their impact on security, e.g. new types of threats. In chapter 3 we detail selected technical developments in the network security area itself. Chapter 4 complements this analysis by exploring related regulatory topics. Chapter 5 outlines the way NSN approaches this multi-faceted topic. Finally, chapter 6 gives a summary of this document. Page 4

5 3. General Trends that Impact Network Security 3.1 New Threats The increased use of IP combined with ubiquitous connectivity will result in the introduction of a number of new threats. They will include more sophisticated and powerful attack tools and mechanisms (e.g. botnets) and we can expect to see commercial attack products becoming available at low prices. The company s vision of tomorrow s connected world is based on a simple, smart, flat architecture. This approach will result in significant benefits for operators and their customers, but since it is based on IP there are attendant risks. This is the case with all IP-centric networks. It is therefore necessary to implement powerful security mechanisms and to update them in line with the emergence of new threats. Network cores will be simpler in future but the edge of the network will be more complex, e.g. due to fixed-mobile convergence, software complexity, new service platforms and systems, new access technologies like Femto, I-HSPA, LTE, and the need for interoperation between new and established access technologies like UTRAN and WLAN. This means that the overall communications infrastructure will potentially result in more vulnerabilities and the increased likeliness of a wrong configuration, unwanted backdoors in software programs, etc. Taking appropriate measures against these threats and vulnerabilities is becoming more important. Not only are they increasing, but professionals and organized criminals are also mounting them for monetary reasons. Attacks are no longer limited to script kiddies and leisure time hackers, but follow mechanisms of a criminal eco-system. Number of security threats Fig. 1. Number of security threats in IP-networks. Page 5

6 3.2 New Challenges for Operators In addition to the general threats, new security challenges are also emerging specifically to operators, e.g. network operators. For example: Due to new business models, operators need to diversify and take on new roles: e.g. network operator vs. service/application provider, and virtual operator. Another factor is the need to differentiate between access and core providers. Therefore new modes of operation and practices have to be developed. Insider threats will increase due to increasing co-operation with sub-contractors, collaborators, partners, temporary relationships, etc. Operators will therefore look to implement new models for interoperator security assurance as well as sophisticated prevention systems against internal fraud. Solution providers like NSN will be requested to support these activities via related security solutions, e.g., in the areas of mutual security co-operation, intrusion detection/ prevention, Security Information and Event Management (SIEM) (see 3.2 below) and fraud management. Security spending of operators worldwide is growing strongly in the last year more than 7% - and this trend is set to continue with a CAGR of 11% from 2009 until 2014 (see Figure 2) Total market in million Euro Security market Year Fig. 2. Security spending of operators worldwide. Page 6

7 3.3 Telecommunication Network Solutions in Industrial and Rural Sectors The penetration of telco-like structures and IP technology in industrial areas (factory networks, remote control of manufacturing, plant operation, clinical communication, etc.) will increase further. The Stuxnet malware which received major news coverage in 2010 due to its objective to manipulate industrial processes and system control units, has demonstrated very clearly that such areas can no longer be viewed as protected areas, but face similar security challenges / threats as known from the public internet. However, in many cases staff having the requisite knowledge and experience may not yet be available, and the required organizational protection structures have not yet been established. Similar developments can also be seen in rural environments, particularly in the emerging markets where financial resources for sophisticated protection mechanisms may not be available. An additional challenge in rural areas comes from the fact that the network equipment might be physically exposed and therefore subject to vandalism and damage. Security gaps originating in industrial networks and / or rural networks may also impact core telecommunication networks or even whole economic infrastructures. New threats caused by this potential development will have to be analyzed and taken into account. Operators will therefore increasingly offer Security-as-a-Service functions for these sectors. 3.4 Network Equipment in Residential and Public Areas Home networks will be more sophisticated in future. They will go beyond simple WLAN/home router configurations and may, for example, integrate mobile network technologies using Home- (e)nodeb/ Femto base stations. Configuring all this advanced communications equipment and enabling a secure environment is an upcoming security challenge, e.g. related to access rights, the handling of possible closed subscriber groups, and the separation of local and external traffic. This issue is compounded by market requirements such as the need for remote control, Intelligent Building Technologies, surveillance functions and the fact that vendors cannot expect users to have technical knowledge. One of the research keywords in this area is therefore zero configuration security, ideally accomplished via a plug-and-play solution. Page 7

8 Eventually, LTE- based communication networks will require network elements to also be located in public environments, e.g. airport hot spots. Therefore possible threats caused by accidental or intended damage to the equipment have to be taken into account. 3.5 Smart Objects and Internet-of-Things (IoT) Network security today often relies on human interfaces e.g. using passwords and smart cards. In the future, more and more autonomous, embedded systems (often summarized as smart objects ) will become players in communication networks, e.g. residential consumer equipment with network interfaces, vending machines, any kind of sensors (machine-to-machine communications), and medical equipment. The latter could involve emergency applications based on telemetric sensors. Major changes and progress is particularly expected in an area called smart grid / smart energy, where telecommunication networks are used for a more efficient and smart energy distribution, and this might be complemented by smart meters at locations where power is consumed. Also, cars, trains and traffic lights (or other traffic control systems) are very likely to be upgraded with smart communications functions. Although some of these smart objects require sophisticated security functions, most of these systems will have to be cheap and simple, and they may also have limited functionality, which in turn means that new types of network security solutions will be needed. These demanding requirements will e.g. be via the development of low-cost ICs that enable secure, one-way-authentication and an identity that cannot be forged. 3.6 Impact of Virtualization and Cloud Computing Cloud Computing denotes the usage of shared servers, resources, software, and data, provided as a service by cloud providers in the Internet. Particularly by the use of virtualization and the related decoupling of software from hardware, cloud providers are expected to be able to offer their services at much lower cost and faster, and more flexible than traditional IT centers. Also, virtualization and cloud computing may offer security benefits as for example isolation of customers to provide multi-tenant applications. Page 8

9 On the other hand, security issues are currently the biggest blocking point and concern related to the use of cloud computing. In particular, traditional security mechanisms like traffic separation, security architectures using walled gardens, demilitarized zones, etc. are no longer applicable; instead, users of cloud services will depend on security functions offered by the cloud provider. Applications deployed on cloud systems are exposed to the Internet and will be accessed by many users. Correspondingly, they have to provide a so-called defense-in-depth strategy with multiple layers of security. Users of cloud services therefore have to carefully select a cloud provider based on the offered security functions and on the detailed contractual terms. For such a selection, a dedicated security checklist should be used. Also, a user should make a detailed threat and risk analysis to decide on which application is suitable for a cloud implementation and whether expected benefits like cost savings outweigh possible related security risks. 4. Selected Technical Trends and Challenges for Network Security While many network security areas will continue to evolve (e.g. firewalls, antivirus software and VPNs), there will be new trends and challenges in the network security area itself, and these may lead to disruptions as well as new business opportunities. The purpose of this chapter is not to give a comprehensive overview on all security functions (cf e.g. ITU-T Rec. X.805), but rather to focus on a number of selected new trends and challenges. Most of the expected security trends and challenges can be summarized to refer to the areas of: security assurance (verification of a certain behavior or security level, or of the compliance to security specifications or standards) and trust co-operation (methods, tools and organizational arrangements for security collaboration of two or more partners) 4.1 Ubiquitous Access Security Future telecommunication networks will be multi-access structures, allowing parallel access to fixed broadband (xdsl, cable, fiber) and mobile wireless networks. In addition there will be flexible, smooth roaming and handover between them. Such Fixed-Mobile- Convergence (FMC) solutions will enable ubiquitous access to a wide range of applications. Page 9

10 These multi-access structures will require related security solutions, e.g. maintaining security associations when changing to a new access network. These associations will include access agnostic security functions, follow-me security, session continuity with security context transfer, handover keying, and security context pre-establishment to prepare handover. In multi-access networks, the deployment of security solutions and related equipment has historically evolved over time, and often there is a zoo of different, dedicated equipment in various network parts, located at different locations. This results in a significant increase in complexity and there is also the possibility of unintended crosseffects between security functions. In turn this introduces difficulties in the management of these solutions. There is therefore a need for holistic security concepts for such networks, which often include functional consolidation, e.g. based on virtual firewall concepts, blade server solutions or UTM (Unified Threat Management) platforms. Quite often, the number of security devices can be reduced significantly by such concepts. A topic also related to multi-access networks is the need for personal (network-access independent) authentication which can e.g. be based on biometric identification such as fingerprints, or on citizen cards / medical cards, which can be combined with one-time tokens or passwords. It can be used for functions like parental control, medical applications, personalized services for individual persons or user groups. In some countries, government programs to support such personal authentication (e.g. electronic ID cards) have already been initiated. 4.2 Advanced Network Management Security Functions In addition to the ongoing evolution and improvement of current functions, the security functionality in the network management area will have to react to the new challenges outlined in section 2.2, as well as the growing complexity of future networks outlined in section 2.1. This means that security solutions from the area of Identity Management will also be used for network management purposes, e.g. for implementing centralized authentication of network management staff and authorization solutions across multiple heterogeneous networks. Centralized staff authentication and identity management systems will be further expanded in order to encompass network management of the whole network. Page 10

11 A further challenge for the network management security area is the need to handle and structure the information created by various network elements, to identify what information may be securityrelated, and to define appropriate counter-measures. For example, network management systems may create alarm and logging data, firewalls may block traffic and issue related notifications, IDS/IPS systems may identify and re-act to possible intrusions, etc. The challenge for an operator is to handle and structure all this information in order to identify real attacks or other security issues, to distinguish them from the large amount of noise (false positives) as well as cluster notifications, alarms, and logs belonging to the same event. And then the operator must react accordingly. This area is often referred to as Security Information and Event Management (SIEM). SIEM is considered to be one of the areas with significant market growth. Another aspect of network management is the fact that the configuration of network elements will require even more attention. Tomorrow s network architectures will be simpler fewer elements but logically they will be more complicated. A careless change in configuration data could cause a severe loss of service or more subtle, hard-to-detect problems that will impact on the quality and reliability of service. Formal verification of configuration data will therefore be needed before data is committed to network elements. Collection & Storage Analysis & Correlation Reports: Compliance & Performance Log data Incident Handling Alarms Collector Forensics Fig. 3. Security monitoring in the Network Management area. Page 11

12 4.3 Software Integrity New types of attacks to various devices often try to exploit weak SW/HW implementations by using root kits and manipulated firmware (e.g. targeting base stations). This increases the need to check the integrity of these devices, particularly in SW installation and update processes and before attaching or reattaching them to a communications network. Of course, proper security rules in software development processes, and the thorough implementation of hardening (e.g. closing unused TCP-/UDP ports and unused services) are a pre-condition for SW integrity protection. Additionally, further complementing mechanisms will most likely be needed in the future, particularly methods and mechanisms which can be applied to fight against unintended behavior, induced by hostile attacks - but also by unintended modifications - and thus are able to prevent and to detect malicious or harmful anomalies. These mechanisms may include Cryptographic SW integrity protection, trusted computing mechanisms and backdoor detection as well as malware detection (which is described in section 4.3.2) Cryptographic SW Integrity Protection Cryptographic SW Integrity protection (SW-IP) is based on good reference measurement values (describing the system as it has been implemented by the manufacturer) as reference for comparison with the real system at a certain stage of usage or operation (e.g. just before it is installed or booted). By nature, SW-IP does not try to examine or to understand any SW, data or any other content which is protected, but just identifies deviations from a verifiable correct sample; correspondingly, hostile code is detected if it is causing measurable changes in the original SW image. SW-IP mechanisms advantageously are based on PKI systems and code signatures to assure vendor governance and reliable security control. Initially SW-IP will be applied in scenarios like secure boot, secure SW delivery and installation. It is expected that in a few years, SW-IP mechanisms may also evolve to detect SW manipulations during the run-time of equipment, e.g. related to installed SW each time before it is loaded or during execution. This is one of the active research areas of NSN. Page 12

13 4.3.2 Trusted Computing Mechanisms To support cryptographic SW-IP, local mechanisms are also currently being discussed related to the trustworthiness of network equipment, e.g. attack resistant implementation of roots of trust and verification routines for local anomaly detection methods e.g., the application of trusted computing technologies (such as a Trusted Platform Module (TPM)). While such technologies may be widely accepted for standard IT systems (such as a standard processor based PC or Laptop), transfer of these onto network elements and integration into a telecommunication network environment and infrastructure is difficult and has to be balanced with alternative technologies (such as protected firmware, virtualization, process separation, or attack mitigation mechanisms), which may be easier to implement and might provide sufficient protection for many scenarios, even beyond the scope of SW-IP Backdoor Detection The term backdoor is often used to denote a hidden access to a system. Such a backdoor may be implemented with malicious intent to enable unauthorized retrieval of information. The term is sometimes also used to denote hidden programs installed for hostile or subversive purposes. In international discussions, particularly possible backdoors used for espionage are discussed. Backdoors are a major breach of trust related to the integrity of software. It is therefore very important that SW vendors deploy particular rules and checks within SW development and testing processes to make the deployment of backdoors as difficult as possible. NSN also sees the development of tools to detect backdoors as an important security research area. 4.4 Unwanted Traffic Unwanted traffic is known from (spam), and in the future is likely to extend to VoIP calls (SPIT = Spam in IP Telephony) and other areas (unwanted advertisements). There are anti-spam and anti-spit mechanisms that are based on blacklists, white lists and keywords, but they may be less successful in future since attackers are likely to hide or spoof their source address information and prepare for these mechanisms. Therefore, more sophisticated mechanisms will have to be created and deployed e.g., enhanced signaling interpretation, behavior or traffic analysis, or human user detection. Page 13

14 4.5 Malware and Botnets In the area of detection of malware (a term comprising all types of malicious SW, including viruses, worms, etc.), some major paradigm changes are expected. In particular, the traditional approach of pattern-based detection will have to be complemented by other mechanisms. Pattern-based (also called signature-based ) approaches try to identify known attack patterns in data or executable code or try to determine possible derived variants. Such anomalies will also be detected in integrity protected code, if the SW has been manipulated during creation or after verification of cryptographic protection. As malware can appear in different shapes (e.g. modified versions or even hidden in compressed data), for such (partly) unknown patterns heuristics have to be applied, which may come along with reduced malware detection coverage. Consequently, malware detection is able to examine dynamic changes in continuously modified systems, as long as the attack patterns are known or similarities with known patterns can be derived. In the future, pattern-based malware detection will be complemented by other approaches, e.g. by behavioral malware analysis, which compares a system s real behavior with an expectation of it or with known misbehavior. This allows black box views, without the need for any examination of HW or a code level implementation of a system. That way, systems can also be examined on protocol level without any knowledge of their internal structure or implementation details. A particular trend in the area of malware is the establishment of botnets, where infected computers (called bots ) are silently controlled by a herder or controller, who is able to instruct the bots for co-ordinated actions like spam distribution or running ddos attacks. Botnets often comprise hundreds or thousands of infected computers. For the detection and mitigation of botnets, typical malware detection mechanisms are not sufficient, but have to be complemented with detection mechanisms for traffic anomalies and unusual user behavior, the use of honeypots and botnet analysis structures, and a rapid information exchange about known botnet herders and their activities. Page 14

15 5. Regulatory Framework 5.1 Overall Challenge: Privacy versus Public Safety New threats and the possibility of increased impacts on network and economy infrastructures mean that tomorrow s communication networks will face a balancing challenge. On one hand they need to meet user requirements for privacy, anonymity, etc. On the other hand there are the requirements of society for public safety, protection against terror, and related user surveillance. These are not contradictory requirements. Security solutions can accommodate both privacy and public safety requirements if certain basic conditions are met: Transparency of the applied security mechanisms rather than security by obfuscation Clear and known roles, responsibilities, privacy levels, authorizations, etc., and their enforcement, rather than silent backdoors. NSN follows these principles in order to meet the challenge and find network security solutions that accommodate both requirements. Also, the implementation of privacy-enhancing technologies and privacy-by-design are important work areas to satisfy related requirements from end users, operators and authorities. 5.2 Lawful Interception (LI) Lawful interception capabilities are present in today s networks. There are minor deviations in the related legal framework from country to country, e.g., differences related to the rules on the signaling information (who communicates with whom) versus the rules on the communication content. In tomorrow s networks some new challenges for LI will emerge (e.g., P2P traffic and encrypted traffic) and corresponding standardization activities have already started in the 3GPP SA 3 LI working group. 5.3 Critical Infrastructures Due to the growing importance of telecommunication networks for a society, they are attributed to be part of the critical infrastructure, similar to traffic infrastructure, governmental institutions, the health system and energy distribution networks. Page 15

16 Broad national-scale attacks on networks in Estonia, and other similar attacks associated with military conflicts have shown that the telecommunication infrastructure is vulnerable and exposed to attacks. Furthermore, it also can function as an attack path to a country s other critical infrastructures (see Figure 4). Governments in many parts of the world have therefore started initiatives to ensure that attacks on this infrastructure become as difficult as possible. Examples are the European activities on CIIP (Critical Information Infrastructure Protection) and on NIS (Network and Information Security). Telecommunications Networks: Critical Infrastructure and Link between Critical Infrastructures Electricity Food/water supply Government Telecommunication Network Finance Traffic & Logistics Emergency Health Care Fig. 4. Telecommunications networks: critical infrastructure and link between critical infrastructures. 5.4 Security Compliance Current network equipment is typically subject to sophisticated security tests and vulnerability scanning. To cope with threats emerging in the future, it is foreseen that the telecommunication vendors testing and security processes will have to be further refined and will be more intensively verified and demonstrated. Statementsof-compliance detailing which security measures have been applied will be one way to communicate the efforts. Establishment of stronger trust co-operations between vendors, network operators and government authorities are already on the way. In general, compliance requirements will also be a major driver for stronger deployment of security functions, e.g. related to data loss prevention, SIEM, identity management, business continuity management and information security management systems. Page 16

17 6. NSN Security Approach 6.1 General Product Security Taking the earlier outlined trends, challenges and regulatory frameworks into account, NSN has established a number of security rules, guidelines, processes and awareness programs for its development units to be applied across the whole Software Development Lifecycle. A detailed mandatory security framework, including both proactive and reactive security measures, is in place. Proactive measures include: mandatory e2e security concepts for all products/solutions full flavored Security Development Lifecycle tailored to the special needs of telecommunication equipment security awareness program throughout all business units, including security seminars and trainings with regular updates clear rules on secure software development (e.g. promoting secure coding practices and general application of completeness checks ) sophisticated security testing and independent auditing Reactive measures include: best-in-class security vulnerability monitoring and patching system rapid sales and service information on newly detected vulnerabilities In addition to these rules, vendor/carrier trust relationships have been established. These include lab visits, security test information sharing and security monitoring co-operation. An important cornerstone of NSN security strategy is also the fact that the company carries out its own security research as well as active standardization support. This ensures that state-of-the-art security functionalities are incorporated into the company s products. NSN also leads the multicompany project Asmonia ( de) on attack detection and protection concepts for future mobile networks, funded by the German government (BMBF). NSN further co-operates closely with a number of leading security vendors to provide a complete portfolio of security products. Page 17

18 Improve operational efficiency Enhance Customer experience Drive new revenue streams NGN Security Identity & Access Mgmt. for Subscribers Revenue Assurance Network Security as a Service Content Security Identity & Access Mgmt. for OSS/BSS Fraud Management Content Security as a Service Security Management Identity Mgmt. for Network Elements Remote Access as a Service Security Consulting, Integration & Care Services Fig. 5. The right services and solutions to improve operation efficiency, enhance customer experience and drive new revenue streams. 6.2 Security Solutions for Operators NSN offers a full range of security services and solutions to meet the specific needs of operators. Customers can choose from a wide set of security services to complement their in-house security resources. They can also select the needed NSN turnkey security solutions, which are based on bestof-breed 3rd party products. All solutions are fully customizable with an emphasis on customer interaction throughout the entire consulting and delivery process. Operators can rely on the skills and experience of NSN professional security consultants to safeguard against the full spectrum of threats in today s mobile (2G, 2.5G, 3G, LTE) and fixed-line networks Security Solutions For today s networks a proper IP design including the appropriate security is essential. This is a combination of security specific devices (Firewalls, Intrusion Detection & Prevention Systems, Anti-Virus, and Anti-Spam) and an inherently secure configuration of core technology like routers, switches, GGSN, network servers, and application servers. NSN offers turnkey Security Solutions which cover operator-specific issues. They comprise a bundle of pre-integrated, secure network elements (both hardware and software) and a pre-defined set of services. The security portfolio is complemented by best-of-breed security products from suppliers like Check Point, Cisco, Crossbeam and Juniper. Page 18

19 NGN Security provides efficient and reliable security for networks transforming to all-ip. The solution protects the network (e.g. LTE-transport, Mobile Packet Core, IMS, SDM) against security attacks, e.g. intrusion, eavesdropping, hacking, denial of service, sniffing and botnets and protects data from unauthorized access, manipulation and misuse. It also fulfills compliance requirements from standardization and regulatory bodies (e.g. 3GPP) Content Security improves operator s competitive advantage through secure customer experience and differentiation as clean service provider (e.g. secure browsing gateway). The solution protects customers from spam, viruses and malware and supports the fulfillment of regulatory requirements (e.g. child protection). By reducing unwanted traffic, the solution frees up bandwidth and saves system resources and thus saves OPEX. Security Management NSN Security Management Solutions help operators to keep control of security incidents and security status. The solutions are also aimed to support compliance requirements. Two major components of Security Management are Security Operation Centre (SOC), the main customer benefit of which is the reduction of OPEX by centralizing security monitoring and management, and Security Information & Event Management (SIEM), where the value is in the consolidation and analysis of security information from a huge number of different sources (e.g. Firewalls, Web-Servers, Routers, MSC, GGSN). Identity & Access Management NSN provides Identity & Access Management solutions for: Subscribers To simplify their experience through single sign-on and federated services. In addition, operators have the opportunity to generate revenue from subscriber data assets as a trusted identity provider. Operator employees in the OSS/BSS domains The Identity & Access Management solutions in the OSS/BSS domains include for example Role Based Access Control, Unified User Management and Single-Sign-On. All the solutions aim to simplify the daily operations and thus reduce OPEX. At the same time the solutions increase the level of security and the fulfillment of compliance and regulations. The solutions can also prevent unauthorized changes resulting in outages, which could then cause churn. Page 19

20 Network Elements Identity Management for Network Elements (e.g. enodeb) via Certificates as part of an operator PKI reduces OPEX and prevents loss of revenue, damage to image, subscriber loss and contractual penalties. Securing key network elements via certificates provides business benefits for operators as secured infrastructure prevents service and business disruption.the solution also enables secure, encrypted and remote management including pointed software updates. Security as a Service Providing Security as a Service to their business- and private customers opens up new sources of predictable revenue streams and growth for operators. These solutions provide a flexible suite of cloud/network-based security services with pre-defined and easily selectable service packages available to end customers independent of user end device (PC, notebook, netbook, smart phone). Security as a Service modules include Content Security (secure web/ ), Network Security (perimeter protection, intrusion and basic ddos prevention) and Remote Access. Revenue Assurance & Fraud Management NSN offers a modular, flexible service portfolio and complete turnkey solutions for Revenue Assurance and Fraud Management. The company provides consulting and integration services plus fully automated tools that detect, analyze and recover revenue leakage Security Consulting NSN supports its customers by designing and implementing security strategies, processes and policies that tie security issues to business requirements. Experienced security consultants support operators with the following security core topics: With a broad range of Security Assessment offers, e.g. Vulnerability Assessment, Penetration Testing, Security Audits, NSN helps its customers to reduce the risk of security incidents. Business Continuity services reduce the risk of revenue loss and churn due to service outage and reduce time and cost to recover from an incident. Security Governance services support operators to manage the balance between threat, risk and control. NSN provides advice on the security strategies, architectures and governance approaches to maximise the effectiveness of shrinking security budgets. Operators encounter increasing challenges to meet government and industry security compliance requirements. NSN Compliance Consulting helps to achieve compliance cost effectively and to streamline compliance reporting processes. Page 20