ECTA Regulatory Conference 2006
Workshop: Data Protection, Retention and Security Issues in the Electronic Communications (NW & IT)
Security: A Global Provider's Perspective
15 November 2006, Brussels
Marcel Grijsen, Director Regulatory Affairs, EMEA
Introduction - 1
> Orange Business Services: a Global Provider of (Integrated & Converged) Services & Solutions for Multi National Corporations and International Organizations (MNCs).
> Since 1 June 2006 the France Telecom Group re-branded to Orange Business Services for the large corporate customer segment.
> Therefore, at commercial level our services are now sold under the Orange Business Services brand name.
> But our local licensed operating entities remain Equant companies.
> I may use the two interchangeably, so please don't be confused! I mean one and the same business.
Introduction - 2
> Disclaimer: In my day-to-day Telecommunications Regulatory practice I generally do not work much in the specific area that is covered by today's workshop.
> Therefore I am not a specialist by any stretch of the imagination in this domain.
> It may be basic, but I hope that my contribution, sharing with you some of our experiences and insights from a specific provider's perspective, may be valuable regardless.
Security is Key: Provider Perspective
> Security is an important part of our business, see e.g. the Security section on our website:
> http://www.mnc.orange-business.com/content/xml/obs_home.xml
> We take Security very seriously and it is a key and central part of our business.
> Equant has been audited under Sarbanes-Oxley rules and holds SAS70 certification. Equant complies with ISO17799 and intends to work towards ISO certification. Equant uses COBIT, ITIL and ISO17799 (BS7799) as security standards in its operations.
> Towards ourselves, as a Global Network and Services Provider to MNCs, Security is key: apart from complying with regulatory requirements related to Security, it is only logical to protect and secure your business core assets, such as our Global Network. We would even do it if there were no obligations embedded in regulations to ensure security!!
> We regard ourselves as a reliable, trusted and secure Provider to MNCs across the Globe, and hope our Customers share this vision.
Equant Security Goals
> Ensure business continuity of our customers at all times.
> Ensure secured customer traffic over the Equant network backbone.
> Prevent and minimize the impact of security incidents on customers through the implementation of appropriate security practices/policies throughout the Equant organization.
> Ensure the protection of the Equant network backbone & systems and the network information.
Equant Security Organization
> Global Security Organization: headed by the Equant Chief Security Officer (CSO), responsible for Security governance at the corporate level.
> Security Council: created to establish a corporate vision about security throughout Equant. Its members are first-level management representatives.
> Security Management Organization: responsible for day-to-day security management and security engineering.
> Security Operations Center (SOC): monitors Equant Network & Systems Security, and handles network security incident investigation & mitigation on a 24x7 basis.
> Network Infrastructure Security Engineering: responsible for the network infrastructure security engineering projects.
> Business Information Security Managers (BISMs): the BISMs are security representatives in all Equant organizations; they are the points of contact with Equant Corporate Security and are responsible for integrating security in all business aspects within Equant.
Equant Security Policies
> Equant has a core security policy which is divided into a number of policies and sub-policies defined on all levels to ensure business continuity and to minimize business damage.
> Equant handles Security in a Global manner. Our security programs cover different areas, applying best business security practices to Equant's business and to the business of Equant's customers and partners.
> Therefore it makes sense for us to develop Global Security Policies to support our Global business. Our business model is not well served by differing, prescriptive, national (Member State level) approaches and local regulations.
Equant Backbone Security
> Equant has implemented various methods and policies covering the Inside of, the connections Between, and the Access to the Equant networks, to secure the infrastructure and protect it from the main IP network vulnerabilities (DDoS, configuration weaknesses, etc.):
- Inside of the backbone networks: for backbone network security hardening and control.
- Between the backbone networks: for isolation and control.
- Access to the backbone networks: for secure access control to backbone elements.
Equant Security Audit & Assessment
> Equant recognizes the need to do regular security audits (External, by internationally recognized auditors, and Internal, by Equant security experts) on the backbone network and systems to ensure compliance with the security policies defined.
> External audits are done by internationally recognized audit firms.
> Audit findings and recommendations are used to drive security projects to enhance the security of the network.
Security is Key: Customer Perspective
> Towards our Customers: Security is key to our Customers and their businesses, e.g. banks.
> Our specific focus on serving MNCs across the Globe means that these big global companies depend on Orange Business Services for the security of their business communications, corporate networks (such as IP VPNs) and/or business (critical) applications.
> Therefore our focus is to not breach this Trust.
> In addition: our customers are highly demanding and, given their business interests and requirements, they will bring Security as a main topic to the negotiation table. This also shapes how we regard the EC proposals as part of the NRF Review, triggered by our customer experience.
Security is Key
> In our experience, the rules have changed:
> Old Rule: only invest in Security if the cost to secure is less than the cost of exposure.
> New Rule: if your customers or partners can't trust your business, you will be out of business!!
NRF Review 2006-1
> Currently Security is mainly covered in the New Regulatory Framework (NRF) by e.g. Article 23 of the Universal Service Directive and Article 4 of the e-privacy Directive.
> Article 4 (1): "The provider of a publicly available electronic communications service must take appropriate technical and organisational measures to safeguard security of its services, if necessary in conjunction with the provider of the public communications network with respect to network security. Having regard to the state of the art and the cost of their implementation, these measures shall ensure a level of security appropriate to the risk presented."
> EC Review Proposals range from introducing detailed new provisions on security and integrity at EU level, via a mid-way proposal (general security and integrity requirements together with enabling measures), to no changes to the regulatory framework.
NRF Review 2006-2
> Get more prescriptive and detailed? Not the right direction in our opinion: a move to a patchwork Europe, just as we start to gain experience in this area!
> One reason the EC mentions to drive the proposals is a perceived decline in confidence. We do not experience such a decline in confidence. In our world Security is a key topic in the provider selection process, and rest assured that all Security requirements, processes, reporting etc. are well covered in agreements between MNCs and their Global Providers, such as ourselves.
> The proposed liability for security problems and the notification requirement are also not applauded by us, and are far away from our situation, where these issues are handled in a satisfactory manner directly between MNC Customer and Provider.
The Way Forward - 1
> In our view there is no need for a major review regarding Security, at least not one that would culminate in new, detailed, descriptive levels of regulation.
> Describe the principles, high-level EU standard Guidance, but leave the practical implementations to the operators; especially if you seek to serve Globally, it makes a lot of sense to aim for Global policies and solutions. In that way operators can comply in different ways, suiting their respective business models, while remaining compliant with applicable law!
> It would be very helpful if the EC undertook an EU-wide study of what the current MS regimes regarding Security come down to, mapped these and how they differ, assessed whether this has internal market impact, and acted upon that.
> If anything should be done, the focus should be on harmonizing as much as possible at EU level, while leaving NRAs the powers to implement at MS level.
The Way Forward - 2
> Possibly exempt the Providers with a (Large) Business focus from any new rules, if these would have to be adopted, since our reading of the EC proposals is that these are very much written with a Residential / Consumer interest perspective in the background.
> However, please note that already today (some) local NRAs seem to have far-reaching powers, and MS deal with Security at National level in a way that is non-transparent to us. There is a serious risk, especially for pan-European and Global operators, of being caught in national micro-regulatory practices regarding Security.
> Since Security is key and will remain so, and looking after Security does not stop at borders, from a pan-European and Global level we'd prefer to have high levels of harmonization at EU level: to know what operators have to comply with in a one-stop-shop approach! Cover 25 (soon 27) countries in one go! That is, if something really has to be done to change the current NRF.
> - THANKS FOR YOUR ATTENTION -