I recently worked with a customer in the U.K. to help them meet their asset management and regulatory compliance requirements under the country’s comprehensive Telecommunications Security Act (TSA). I thought I would take the opportunity to share the knowledge and experience I’ve gained from that program, as I suspect other countries across Europe and beyond will be sure to follow suit.

For context, governments around the world are at various stages of examining and implementing measures to reduce security risks that can effectively shut down mission-critical telecommunications services and applications affecting individuals, corporations, and entire countries. As such, Communication Service Providers (CSPs) face an increasing number of regulatory requirements to ensure service continuity in the name of public interest.

The U.K. introduced the TSA in 2021. It requires CSPs to have measures in place to identify and reduce the risks of current and future security compromises and to have strategies in place to limit or mitigate the damage should a compromise occur. The Act is governed by a Code of Practice enforced by the Office of Communications (Ofcom), the telecoms industry regulator of the U.K. Operators who fail to comply with the regulations face hefty fines of up to 10% of their annual revenue.

The TSA is largely targeted at Tier 1 CSPs, who were initially required to implement the least resource-intensive measures, such as maintaining accurate records of all external-facing systems in 2024, with subsequent yearly requirements until 2028 that address more complex and resource-intensive measures such as automating administrative processes. Tier 2 CSPs have two years after the timelines established for Tier 1s.

One of the first areas that U.K. providers are required to comply with is Regulation 3, pertaining to network infrastructure and asset management. Asset management is viewed as the basis of effective security risk management and security architectures, and CSPs are required to maintain their own accurate asset management records. More specifically, Ofcom requires that CSPs report on the security classification of each of their network assets, where they are placed in the network, and which function they serve. It also specifies that asset management should be automated whenever possible to further reduce security risk and maintain the integrity of the registry.

CSPs commonly maintain multiple disparate inventory systems without having a single federated inventory view. This architecture makes it challenging to maintain accurate records of their network resources to the reporting levels required by telecoms regulators such as Ofcom.

The modern solution to your security compliance challenges

The customer I worked with maintained double-digit inventory repositories across their multi-vendor access, transport, core networks, and cloud domains. Because of so many different source systems, the CSP had little to no end-to-end visibility of their network resources, including network functions in the cloud. The network resource data also had to be published seamlessly into the CSP’s enterprise asset management system used for Ofcom reporting.

Our Blue Planet Inventory (BPI) software solved their problem by not only federating and unifying these separate systems to deliver a single source of truth but also providing discrepancy management to cleanse and reconcile the data for improved accuracy. A key feature of BPI is Perspectives, which enables granular traceability of the federated inventory data to its originating source system. That traceability is essential in determining the genesis of data in response to regulator inquiries or in analyzing a security event.

Also, having a resource inventory with telecoms-grade features and TMF 639 support is critical. These capabilities, which are often not possible with enterprise asset management systems, ensure accurate visibility and reporting of network resources to drive further automation of CSP operational processes and reduce the security risks associated with manual intervention.

Preparing your network for what’s next

While BPI already provides CSPs with a fast track to meet initial Ofcom regulations, an interesting area to look at next is automating network change and configuration management for multi-vendor devices. Such automation can provide vendor-specific, non-abstracted resource configuration lifecycle capabilities, enabling completely automated asset management. Having an accurate and unified network resource inventory coupled with the vendor-specific and localized network device configuration is a powerful and robust way to address the asset management automation that Ofcom is stipulating.

The TSA is an early example of regulations addressing telecom infrastructure security, with imposed timelines and reporting structures for CSPs. The EU announced new security directives last year, and member countries will likely be watching and learning from the U.K. as they move forward with their respective measures. Given the plethora of devices and systems connecting to the internet every day, I believe the telecom sector will continue to face regulatory pressure to protect service continuity in the months and years to come. CSPs would be remiss not to know what resources they have in their network, and having a unified inventory is a great place to start.