Following the recent announcement of Cisco creating its own Continuing Professional Development (CPD) scheme, the Cisco Continuing Education Program, it is now possible to recertify your CCNP or CCNA certification using an exam-free approach. With some studying and time applied, this can even be done free of charge! So, what are the credits you can earn for recertification and how do you go about earning them?
What is a CE credit?
The Cisco Continuing Education Credits (CE Credits) programme offers Cisco certification holders flexible options to recertify by completing a variety of eligible Continuing Education (CE) items. The programme is designed to help professionals stay up to date with the latest technologies and trends in the industry, including Python, network automation, NetDevOps and beyond. CE credits are similar in form to CPD points seen in other fields, and can be earned through the following means:
The amount of CE credits earned will depend on the type of activity and its duration. For example, you can earn 12 CE credits for a 14-hour Cisco course delivered via the Cisco Digital Learning platform or earn a generous 40-65 credits for attending a five-day Cisco instructor-led training course offered by authorised Cisco Learning Training Partners. You can also earn small amounts of “top up” credit here and there through ad-hoc, time-bound initiatives.
How points contribute towards certificate renewals
The CE Credit process has some legwork to it, as CE Credit issuance isn’t automatic. The process roughly looks as follows:
Attend the training session, course or webinar for its full duration.
Note down the official course name, date when you began and date when you finished.
For online courses, you should expect to receive a completion certificate at the end, which is a PDF document with a certificate number in it. You’ll need this certificate validation code later on.
Log in to the Cisco CE Credit User Portal with your Cisco.com CCO account and click “Submit Items” in the top-right side to enter the details of the training course, webinar or online learning you have completed.
Ensure you have the course name, start date, end date and certificate validation code and PDF version of the Completion Certificate to hand to submit.
Wait a few days for the credit status to change from “Pending” to “Earned” on the Cisco CE User Dashboard.
Within 24-48 hours, your CE Credits will then also show against your Cisco CertMetrics under Certifications -> Cert Status -> Pick your CCNP/CCNA Certificate -> View More. This shows the progress these points make towards the recertification, where the following table is handy to know:
| Certification | Renewal Period | Renewal (CE Credit-only) | Renewal (Exam + CE Credit) |
|---|---|---|---|
| Associate (i.e. CCNA) | 3 years | Earn 30 CE credits | |
| Specialist | 3 years | Earn 40 CE credits | |
| Professional (i.e. CCNP) | 3 years | Earn 80 CE credits | Earn 40 CE credits + Pass 1 Professional exam |
| Expert (i.e. CCIE, CCDE) | 3 years | Earn 120 CE credits | Earn 40 CE credits + Pass 1 Technology exam, or Earn 40 CE credits + Pass 2 Professional exams, or Earn 80 CE credits + Pass 1 Professional exam |
If you need qualified Cisco professionals to help your business thrive, why not get in touch to see how we can help you fully utilise our talented CCNA, CCNP, CCIE and other vendor expertise for your business network.
In today’s hybrid-working world, many employees often work remotely from the branch – at home, hotels, conferences, coffee shops and the like. This effectively moves the network perimeter from the traditional branch and office boundary right into the heart of the endpoint laptop device itself, increasing the possible attack surface for organisational network WANs. Zero Trust is one approach that can help to overcome some of the cybersecurity challenges that hybrid working can create.
Key considerations to successfully implement Zero Trust Network Access (ZTNA)
Not trusting anything is the goal
Zero Trust is a cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated. It assumes that no one and nothing on a network can be trusted until it’s proven not to be a threat to organisational security. This means that all users, whether in or outside the organisation’s WAN, must be authenticated, authorised and continuously monitored.
One of the main benefits of Zero Trust is its ability to improve risk management. By assuming that all users and devices are potential threats, Zero Trust forces organisations to take a more proactive approach to security. This includes:
Implementing strong authentication mechanisms
Monitoring user behaviour for signs of suspicious activity
Segmenting networks to limit the impact of any potential breaches.
Moving beyond the tuple
Where traditional firewall and security approaches focused largely on the “tuple” – source IP address, destination IP address and TCP/UDP destination port – Zero Trust Network Architectures (ZTNA) move beyond these three dimensions and allow for additional dimensions of trust verification, such as:
Time of Day
e.g. John in HR works 9-5, so if he’s logging into a system at 9 p.m., is something suspect?
Access Location
e.g. Sandra on the reception desk is normally desk-based at front of house. If she suddenly logs in from the third-floor payroll desks, is something amiss?
Host Posture
e.g. Paul may be logged in with the correct username and password, but if his antivirus isn’t up to date and his laptop last logged into the domain four months ago, do you really want him on the network?
Other dimensions are available depending on organisational need, but you can quickly see how the dynamic of implicit trust moves instead to explicit verification – moving the notion of trust further down the network stack towards the Network Edge rather than notionally dealing with arbitrary concepts such as trusted networks, trusted VLANs or trusted segments.
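To make the “explicit verification” idea concrete, here is a small policy evaluator written for this post as an added example (it is not code from any ZTNA product, and the role policy, thresholds and the three requests are constructed to mirror John, Sandra and Paul above). Every request is checked against identity, time of day, access location and host posture, and the decision carries the reasons it failed, which is what a security team would want to log and alert on.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed per-role policy for illustration: working hours (24h clock, start
# inclusive, end exclusive) and the locations each role is expected to connect from.
ROLE_POLICY = {
    "hr":        {"hours": (9, 17), "locations": {"hr-floor", "remote-vpn"}},
    "reception": {"hours": (8, 18), "locations": {"front-of-house"}},
    "engineer":  {"hours": (0, 24), "locations": {"eng-floor", "remote-vpn"}},
}
MAX_AV_SIGNATURE_AGE_DAYS = 7    # host posture: antivirus signatures must be recent
MAX_DOMAIN_LOGON_AGE_DAYS = 30   # host posture: device must have checked in recently


@dataclass
class HostPosture:
    av_signature_age_days: int
    last_domain_logon_age_days: int


@dataclass
class AccessRequest:
    user: str
    role: str
    authenticated: bool   # credentials verified
    mfa_satisfied: bool   # second factor verified
    when: datetime        # time of the request
    location: str         # where the request originates
    posture: HostPosture


def evaluate(req: AccessRequest):
    """Return ("allow", []) or ("deny", [reasons]) for one request.

    Every dimension is checked on every request; nothing is trusted because an
    earlier request from the same user or device was allowed.
    """
    reasons = []
    if not req.authenticated:
        reasons.append("credentials not verified")
    if not req.mfa_satisfied:
        reasons.append("MFA not satisfied")

    policy = ROLE_POLICY.get(req.role)
    if policy is None:
        reasons.append(f"no policy for role '{req.role}'")
    else:
        start, end = policy["hours"]
        if not start <= req.when.hour < end:
            reasons.append(f"outside working hours ({start:02d}:00-{end:02d}:00)")
        if req.location not in policy["locations"]:
            reasons.append(f"unexpected location '{req.location}'")

    if req.posture.av_signature_age_days > MAX_AV_SIGNATURE_AGE_DAYS:
        reasons.append("antivirus signatures out of date")
    if req.posture.last_domain_logon_age_days > MAX_DOMAIN_LOGON_AGE_DAYS:
        reasons.append("device has not checked in with the domain recently")

    return ("allow", []) if not reasons else ("deny", reasons)


# Constructed requests mirroring the three scenarios in the text.
JOHN_LATE = AccessRequest("john", "hr", True, True, datetime(2023, 6, 1, 21, 0),
                          "hr-floor", HostPosture(1, 2))
SANDRA_PAYROLL = AccessRequest("sandra", "reception", True, True, datetime(2023, 6, 1, 10, 0),
                               "payroll-floor-3", HostPosture(1, 2))
PAUL_STALE = AccessRequest("paul", "engineer", True, True, datetime(2023, 6, 1, 14, 0),
                           "eng-floor", HostPosture(45, 120))
JOHN_OK = AccessRequest("john", "hr", True, True, datetime(2023, 6, 1, 10, 0),
                        "hr-floor", HostPosture(1, 2))

if __name__ == "__main__":
    for r in (JOHN_LATE, SANDRA_PAYROLL, PAUL_STALE, JOHN_OK):
        print(r.user, *evaluate(r))
```

Note that a correct password and a passing MFA prompt are necessary but not sufficient: Paul’s request is denied purely on posture, which is the point of moving trust decisions down to the endpoint rather than to the network it happens to be plugged into.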
When Split Tunnel becomes No Tunnel
Zero Trust requires consideration of encryption of data, securing email, verifying the hygiene of assets and endpoints before they connect to applications. It also involves automating patches to ensure good network hygiene while preventing potential malicious actions. A successful implementation of Zero Trust can help bring context and insight into a rapidly evolving attack surface to the security team while improving users’ experience.
This moves beyond the nascent “Split Tunnel” approach that an SD-WAN might take – where, for instance, Office365 traffic bypasses (or “splits” from) the IPsec or SSL VPN tunnel back to the corporate WAN and uses the native internet connection instead – towards a “No Tunnel” approach.
In traditional Split Tunnel, the notion runs:
The default route (0.0.0.0/0) – or the implicit – is sent via the VPN tunnel back to the corporate WAN
The “Split” (i.e. Office365 FQDNs and IP ranges) – or the explicit – bypasses the VPN tunnel and goes direct to the internet
In Zero Trust remote access, this paradigm changes to a notion of:
The default route (0.0.0.0/0) – or the implicit – is not sent via the VPN tunnel back to the corporate WAN
Every corporate application – or the explicit – is sent on a case-by-case basis down the VPN tunnel towards the corporate WAN
Adding to this, such VPN tunnels are often short-lived and instantiated per application request, rather than running as a single, long-running IPsec or SSL VPN tunnel session.
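The two routing notions above can be expressed as a pair of decision functions. This is an added example written for this post, not code from any SD-WAN or ZTNA vendor; the prefixes are constructed (203.0.113.0/24 is documentation space standing in for a SaaS provider’s published ranges, and the 10.x networks stand in for corporate applications), and the per-user entitlement set is an assumption about how the “explicit” application list is fed in.

```python
import ipaddress

# Constructed prefixes: documentation space stands in for SaaS ranges, RFC 1918
# space stands in for corporate applications reachable only via the tunnel.
SAAS_BYPASS = [ipaddress.ip_network("203.0.113.0/24")]
CORPORATE_APPS = {
    "hr-portal":  ipaddress.ip_network("10.10.1.0/24"),
    "finance-db": ipaddress.ip_network("10.20.0.0/16"),
    "intranet":   ipaddress.ip_network("10.0.0.0/8"),
}
DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")


def split_tunnel(dst: str):
    """Traditional split tunnel: the explicit bypass list goes direct to the
    internet; the implicit default route is sent down the VPN tunnel."""
    ip = ipaddress.ip_address(dst)
    for net in SAAS_BYPASS:
        if ip in net:
            return ("direct", str(net))
    return ("tunnel", str(DEFAULT_ROUTE))


def no_tunnel(dst: str, entitlements: set):
    """Zero Trust remote access: the default route is never tunnelled; only an
    explicitly entitled corporate application is tunnelled, per application."""
    ip = ipaddress.ip_address(dst)
    matches = [(name, net) for name, net in CORPORATE_APPS.items() if ip in net]
    if not matches:
        return ("direct", str(DEFAULT_ROUTE))
    # Longest-prefix match selects the most specific application definition.
    name, _net = max(matches, key=lambda m: m[1].prefixlen)
    if name in entitlements:
        return ("tunnel", name)   # a per-application tunnel would be set up here
    return ("deny", name)         # corporate destination the user is not entitled to


def compare(dst: str, entitlements: set):
    """Side-by-side decision for one destination under both models."""
    return {"split_tunnel": split_tunnel(dst), "no_tunnel": no_tunnel(dst, entitlements)}


if __name__ == "__main__":
    user_apps = {"hr-portal"}
    for dst in ("203.0.113.25", "198.51.100.7", "10.10.1.5", "10.20.3.4"):
        print(dst, compare(dst, user_apps))
```

The contrast worth noticing is the corporate destination the user is not entitled to (10.20.3.4 above): the split-tunnel model happily carries it down the tunnel because everything not bypassed is implicitly trusted, whereas the no-tunnel model has nothing to match it against and refuses it.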
How an organisation can drive the adoption journey
An organisation’s Zero Trust journey begins with understanding what Zero Trust offers. Conceptually, Zero Trust accomplishes this by removing implied trust from any device or user attempting to access resources on a network. Instead of trusting devices based on their location or IP address range as in traditional perimeter-based security models, Zero Trust verifies each request as though it originates from an untrusted network. This verification process includes authentication checks such as multi-factor authentication (MFA), authorisation checks such as role-based access control (RBAC), endpoint health checks such as patch level compliance monitoring or antivirus signature status monitoring.
How CACI can support your Zero Trust Network Access adoption
Just as no two organisations look the same, neither do any two Zero Trust Network Architectures or approaches. The entire point of Zero Trust is to wrap your specific business context and nuances into your technology estate. At CACI Network Services, we have deep heritage and expertise with organisations and networks all the way from SME up to enterprise and public sector. We are well placed to help you get to grips with ZTNA and associated microsegmentation cybersecurity technologies.
Get in touch with us today and let us help you on your Zero Trust journey.
Observability as a discipline distinct from network management is still in its infancy within the network engineering realm, with newer job titles such as Network Reliability Engineer (NRE) looking to extract the same organisational value that the more DevOps-aligned Site Reliability Engineer (SRE) provides to the more traditional SysAdmin space. Network as a Service (NaaS) is a new approach to network operations, which often distils down to two commonly accepted meanings:
An Operational Expenditure (OpEx)-led approach to procuring Managed Network Services and associated network hardware
A paradigm shift in the approach to network management away from legacy Network Management System (NMS) and associated Element Management System (EMS) lifecycle approaches
In this blog, we’ll focus on the latter, and how the formation of a NaaS Team – or Squad – can improve network observability and enhance your network infrastructure’s insight, uptime and value. We’ll also touch on the former and larger shift from Capital Expenditure (CapEx) to Operational Expenditure (OpEx) Lifecycle Management approaches, and what this means for shifts in the IT and network industry.
Getting to the root of Network as a Service (NaaS)
“Oh no, not another ‘as a Service’ buzzword-fest…” I hear you say, and yes, in some respects, you would be sadly correct. However, Network as a Service (NaaS) has its roots firmly in the overall cloudification trend found elsewhere within the wider IT and cloud industry, only now having percolated down towards the steadfast realms of the hardware-centric network industry.
At its core, NaaS is about the following differentiators from other more asset-centric approaches:
Consumption of network infrastructure through flexible OpEx subscription-based models
Exploitation of cloud-based models such as Infrastructure Elasticity and Horizontal Scaling
Commoditisation of private WAN services (such as MPLS) into public WAN services (such as SD-WAN)
Centralisation of visibility of network insight into application-aware dashboards and telemetry systems
Ultimately, NaaS is more of an operational model than it is a consumption pattern. NaaS is chiefly about realigning thinking towards that of the upper layers of the OSI model, remembering that the objective of the network is to solidly underpin a complex soup of interconnected middleware, microservices, PaaS and SaaS dataverse ecosystems which eventually combine toward the aspiration of the modern Twelve-Factor App Manifesto.
Observability versus monitoring
Before we can dive into NaaS, we need to understand the difference between observability and monitoring – that is, focus on the Three Pillars of Observability, which are:
Logs
Metrics
Traces
Each is distinct in its value and requirements in the art of observability, but in short, can be defined as:
Logs – The act of logging function or component-level activities to an off-system repository for later analysis.
An example might be a Syslog showing the last reboot of a Linux or NOS Daemon or Service, such as NTPd for System Clock.
Metrics – The performance of the infrastructure-aligned components within the system, as typically observed over a time-graphed basis.
An example might be a CPU utilisation monitor, showing that the processor has crept up to 78% utilisation over the last ten minutes.
Traces – The ability to debug low-level sub-component and function activities to derive context of whether a piece of software code is working as prescribed.
An example might be a trace within a Python function, showing that the error raised by Netmiko is because an SSH session to a Cisco router dropped out at version 1.99 instead of the expected SSHv2.
These differ somewhat from traditional monitoring approaches like Network Management Systems (NMS), which have typically only focused on the Metrics pillar and have superficially referenced the other two pillars. What observability has done to traditional monitoring is comparable to the movement happening from the NMS to the NaaS arena—moving the management concern “up the stack” to focus on higher-level abstraction objectives and away from lower-level hardware-led concerns.
Understanding NaaS as an approach
NaaS is a conceptual change in network consumption as a going concern. Rather than worrying about the network layer as a discrete concern, the network is positioned as part of the wider technology stack – often up to and including the application layer – that it serves. While this may sound trivial, it is a huge step change in how Enterprise and Service Provider (SP) Networks run when contrasted against the current de facto practices. NaaS can be simplified as being a “cloud model” – not in the sense that it must be operated and hosted within Public CSPs – but more in the ideas associated with cloud operational models, including Service Elasticity, OpEx-led billing, Horizontal Scaling and API-first integrations into wider ecosystem concerns.
Benefits of the NaaS approach
The main benefit of NaaS is flexibility and adaptability to changing technical stack conditions. Where a legacy NMS-led approach might falsely report “All clear; the network is fine” because metrics are clean and green, a newer NaaS-led approach might instead report “Problems detected in latency experienced by the application due to MTU clipping” because the upper-level traces and logs collectively indicate an issue to a latency-sensitive service bus-based application.
The true strength of NaaS lies in its alignment of the network layer to cloud, DevOps and observability practices to enable the monitoring, management and tracking of the network as if it were just another IaaS or PaaS component of the overall application stack.
How CACI can help you add NaaS to your IaaS and PaaS
With several years of network management and enterprise network operations experience, the CACI Network Services team is ideally positioned to help you transition from NMS to NaaS. Contact us today to see how we can help your business fully shift towards the observability promise as delivered by a NaaS approach to network operations.
NetDevOps and associated network automation are constantly evolving fields, and as such, have what seems like a never-ending number of cool-named tools, frameworks and libraries available to simplify your NetOps life. We’ve curated a few of our favourites, which we hope will enhance your journey towards NetDevOps. As always, let us know what you think of these, or if we can help you in your NetDevOps journey.
Our top picks for the most useful NetDevOps tools in 2023
Network automation tools are essential for IT teams to execute complex tasks, including network configuration, security and cost-efficient operations. Here’s our pick of what we consider to be the most useful tools in 2023:
Terraform
netlab
Batfish
Cisco YANG Suite
Git
Terraform
Terraform is an automation and orchestration tool that is capable of building cloud, network and IT infrastructure based on input in HCL (HashiCorp Configuration Language), which acts as IaC (Infrastructure as Code) artefacts. Terraform is highly flexible and provides modules and providers for nearly every network and cloud vendor and technology going within the Terraform Registry.
netlab
netlab is a network lab and emulation tool that takes IaC input definitions of a given network lab topology (such as YAML) and produces an emulated lab of network device VMs, containers and topologies to play with and perform learning or “what if?” scenarios upon.
Batfish
Batfish is a network configuration analysis tool that is highly useful in performing “what if?” scenarios and supplying the rapid ability to pre- and post-test network changes to ensure the desired state is achieved.
Cisco YANG Suite
Cisco YANG Suite is a learning and development suite which provides a web-based user interface to interact with an opinionated set of tools and plugins. It enables you to learn, test and adopt YANG network model programmable interfaces such as NETCONF, RESTCONF, gNMI and others.
Git
Git is the de facto version control system, allowing for IaC, network configuration and network automation scripts and code to be stored in a consistent but distributed manner. It also supports collaboration on modifications of these to be shared between teams of network and automation engineers without file blocking or version management issues.
Our honourable mentions for 2023
Although these didn’t make our opinionated cut, these are certainly worth a mention and merit some investigation to see whether they can benefit your situation at all:
Network automation tools are essential for IT teams to execute complex tasks, including network configuration, security and cost-efficient operations. These are just a few of what we consider to be the best network automation tools available in 2023, with other notable mentions including Chef, SaltStack, Jenkins and Python for Network Automation. Ultimately, however, choosing the right tool will come down to your organisation’s specific needs and requirements.
Why not get in touch and see how we can help your business fully utilise some of these awesome tools and frameworks to accelerate your digital transformation journey.
CI/CD (Continuous Integration/Continuous Deployment) pipelines are a modern DevOps practice that automates the process of packaging, testing and deploying code in small increments. This practice has made software development agile and reliable and holds the same promise for networking as more environments transition to the infrastructure-as-code (IaC) mode. In network engineering, CI/CD pipelines help implement network changes quickly and push them into production with speed and accuracy.
With CI/CD pipelines becoming increasingly popular, it’s important to understand what they are and the purpose they serve in a business, how they are set up and what their benefits will be.
Configuration of CI/CD pipelines
To set up a network CI/CD pipeline, you start by creating, verifying, committing and pushing your configuration change within the local development configuration. The pipeline should be iterative rather than linear so that DevOps teams can write code, integrate it, run tests, deliver releases and deploy continuously. When selecting CI/CD tools for your network pipeline, focus on how to optimise and automate the software.
A practical approach to building a network CI/CD pipeline is similar to the ones built for customers by Batfish. The demo of this pipeline is available on YouTube while the code is on GitHub. Reading earlier blogs may also be useful if you’re curious about basic concepts behind network validation and CI/CD pipeline structure options.
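The “run tests” step of such a pipeline is where network configuration gets the same treatment as application code. As an added example (written for this post, not taken from Batfish or from any customer pipeline), here is a minimal pre-deployment gate: a set of security invariants is checked against every rendered device configuration, and the job fails with a non-zero exit code if any device violates one. The rules, the two candidate configs and the hostnames are all constructed; a real pipeline would hand this job the configs rendered from templates, and Batfish would supply far richer checks (reachability, ACL behaviour) than these line-level regexes.

```python
import re
import sys

# Constructed invariants for a Cisco IOS-style running config. Each rule names a
# pattern and whether it must be present (True) or must be absent (False).
RULES = [
    ("ssh version 2 enforced",    re.compile(r"^ip ssh version 2$", re.M),          True),
    ("aaa new-model enabled",     re.compile(r"^aaa new-model$", re.M),             True),
    ("ntp server configured",     re.compile(r"^ntp server \S+", re.M),             True),
    ("plaintext enable password", re.compile(r"^enable password ", re.M),           False),
    ("clear-text http server",    re.compile(r"^ip http server$", re.M),            False),
    ("telnet on vty lines",       re.compile(r"^ transport input .*telnet", re.M),  False),
]


def check_config(hostname: str, config: str):
    """Return the list of violations for one device; an empty list means it passes."""
    violations = []
    for name, pattern, must_be_present in RULES:
        found = pattern.search(config) is not None
        if must_be_present and not found:
            violations.append(f"{hostname}: missing '{name}'")
        elif not must_be_present and found:
            violations.append(f"{hostname}: forbidden '{name}'")
    return violations


def pipeline_gate(configs: dict):
    """Run every device through the checks; return (passed, all_violations)."""
    all_violations = []
    for hostname, config in sorted(configs.items()):
        all_violations.extend(check_config(hostname, config))
    return (not all_violations, all_violations)


# Constructed candidate configs, as a pipeline might render them from templates.
GOOD_CONFIG = """hostname edge-1
aaa new-model
ip ssh version 2
ntp server 192.0.2.10
line vty 0 4
 transport input ssh
"""
BAD_CONFIG = """hostname edge-2
enable password letmein
ip http server
ip ssh version 2
ntp server 192.0.2.10
line vty 0 4
 transport input telnet ssh
"""

if __name__ == "__main__":
    passed, violations = pipeline_gate({"edge-1": GOOD_CONFIG, "edge-2": BAD_CONFIG})
    for v in violations:
        print("FAIL", v)
    # A non-zero exit is what stops the CI job and blocks the deploy stage.
    sys.exit(0 if passed else 1)
```

Because the gate runs on every commit, a change that quietly re-enables Telnet or drops AAA is caught at review time rather than discovered in production; the violation messages are also the natural thing to surface back into the merge request so the author sees exactly which invariant they broke.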
Benefits of CI/CD pipelines
Reducing potential errors or downtime
One of the main benefits of using CI/CD pipelines is that they help reduce errors and downtime caused by manual configuration changes. By automating the testing and deployment process, engineers can catch errors early on and fix them before they cause any issues in production. This improves the overall quality of software and reduces the risk of costly downtime.
Bolstering cross-team collaboration
Another benefit of using CI/CD pipelines is that they help improve collaboration between teams. By using a shared repository for code changes, engineers can easily collaborate with each other and ensure that everyone is working on the same version of the code. This enhances communication and reduces the risk of conflicts or misunderstandings.
Increasing deployment speed
CI/CD pipelines also help improve the speed at which changes can be deployed to production. By automating the testing and deployment process, engineers can deploy changes faster than if they were doing it manually. This helps organisations stay competitive by enabling them to release new features or updates quicker.
Enhancing security measures
In addition to these benefits, CI/CD pipelines also help improve security by allowing for automated security testing during the build process. This helps identify vulnerabilities early on and ensures that software is secure before it is deployed to production.
Overall, CI/CD pipelines offer many benefits for software development teams from improved quality and collaboration to speed and security. As such, they have become an essential tool for modern software development practices – and increasing infrastructure provisioning is following this trend.
How can CACI help?
Implementing a CI/CD pipeline in network engineering helps automate the building, testing and deployment of applications. It bridges the gap between development and operations teams by automating processes that were previously manual. A well-designed CI/CD pipeline can help organisations achieve faster time-to-market with fewer errors while improving overall efficiency.
Why not get in touch to see how we can help your business leverage the power of CI/CD pipelines to help improve your IT infrastructure and networking automation journey.
DevOps and ITIL are two different approaches to managing IT services. DevOps is a philosophy that focuses on improving software deployment whereas ITIL is a highly structured model built to boost productivity and supply IT teams with statistics. DevOps emphasises speed and delivering new features and updates as quickly as possible, while ITIL prioritises managing and improving existing services. So, how do you know which one is right for you and your business?
DevOps killed the ITIL star?
While some people believe that DevOps is replacing ITIL or vice versa, the truth is that both approaches can work together. In fact, combining the two can actually lead to high productivity and improved workflow. To successfully combine DevOps and ITIL, it’s important to establish a common framework for collaboration between teams.
When deciding which approach to use for network management, you must consider the problems you’re having and the goals you want to reach. If your organisation values speed and agility in delivering new features, DevOps may be the better choice. On the other hand, if your organisation values stability and reliability in managing existing services, ITIL may be more appropriate.
Benefits of DevOps
DevOps offers several benefits over ITIL, particularly in terms of speed and agility:
DevOps emphasises collaboration between development and operations teams to improve software delivery speed and quality.
By breaking down silos between teams, DevOps can help organisations achieve faster time-to-market for new products and features.
Another benefit of DevOps is that it brings cultural transformation, improving the speed and quality of how software is developed and delivered. This is achieved through automation, continuous integration/continuous deployment (CI/CD) and feedback loops. Enhanced collaboration and experimentation that comes with DevOps can lead to greater innovation and creativity.
In contrast, ITIL focuses on process, standardisation and metrics. While these are important aspects of IT service management, they can sometimes lead to a rigid approach that may not be well-suited for fast-paced environments. ITIL also tends to be more focused on control than on agility.
How CACI can help you choose the right approach
Ultimately, you don’t need to choose between DevOps and ITIL as they can complement each other. The decision of which approach to use depends on the specific needs of an organisation, as combining both approaches can lead to high productivity and improved workflow.
Why not get in touch to see how we can help your business fully utilise both DevOps and ITIL to run your IT infrastructure and ITSM practice.
CACI’s new Digital Forensics Laboratory has successfully passed its initial assessment and been recommended for ISO 17025 by UKAS. This coincides with the Forensic Science Regulator’s Statutory Code of Practice which took effect on Monday 2 October.
CACI has been recommended by UKAS for accreditation to the following scope:
ISO/IEC 17025:2017 with compliance to ILAC G19:06/2022 and Forensic Science Regulator Code of Practice Version 1
Scope:
Capture and preservation of data from computers and digital storage devices – HDDs, SSDs, M.2 memory devices, memory cards and USB flash devices – Using FTK Imager, EnCase Imager and Tableau T356789iu
Capture, preservation, processing and analysis of data from Mobile Devices, SIM cards and Memory Cards – Using Cellebrite 4PC, Cellebrite Physical Analyser, MSAB XRY, MSAB XAMN and Magnet Axiom
The laboratory, based in Northallerton, was launched on 9th June and has been created to mirror the capabilities of law enforcement digital forensic laboratories, adhering to industry standards and employing the same tools and processes.
It took an 18-month process for the laboratory to be created, but it is now housed with industry-leading individuals with years of expertise across the Digital Forensics space.
The formation of the team was heavily influenced by the already-established counterpart in the United States, which has been providing exceptional service for the past decade, shown through various accomplishments and significant recognition.
The DF Laboratory’s Operations Director, Richard Cockerill, had this to say:
“This is a fantastic achievement for CACI and is testament to the hard work and experience of our Digital Forensics team over this past year. Accreditation enables CACI to increase its support to Law Enforcement, which is particularly important now that the Forensic Science Regulator’s Statutory Code is in effect. CACI have the capacity and expertise to provide high quality digital forensic investigation services to the UK criminal justice system, and this recommendation from UKAS is a significant milestone in our journey.”
CACI are now looking forward to the many opportunities that will open up for the Digital Forensics team following this recommendation being confirmed, as well as the continued progression we’ve seen since the formation of the laboratory.
Cisco IOS and Nokia SR Linux are two popular operating systems used in networking. While both have their strengths, they differ in several ways – SR Linux is chiefly a microservices-led, containerised network operating system (NOS), while Cisco IOS is a monolithic NOS, with Cisco having made enhancements to their approach in the NOS under IOS-XR, IOS-XE and NX-OS. So, what are the main differences between these two operating systems, and how do you know which one is right for you and your business?
Breaking down the differences between Cisco IOS and Nokia SR Linux
Architecture
One of the main differences between Cisco IOS and Nokia SR Linux is their architecture. Cisco IOS is a monolithic operating system, meaning that all features are integrated into a single image. This can make it difficult to upgrade or modify specific features without affecting the entire system. In contrast, Nokia SR Linux is a modular operating system, which allows for more flexibility in upgrading or modifying specific features without affecting the entire system.
Command-line interface (CLI)
Another difference between the two operating systems is their command-line interface (CLI). Cisco IOS uses a proprietary CLI that can be difficult to learn and use for those who are not familiar with it. On the other hand, Nokia SR Linux uses a standard Linux CLI that is more familiar to many users.
Security features & capabilities
In terms of security, both operating systems have strong security features. However, Cisco IOS has been around longer and has had more time to develop its security features. Additionally, Cisco has a larger market share than Nokia in the networking industry, making it a bigger target for hackers.
Support and documentation
Another difference between the two operating systems is their support and documentation. Cisco has an extensive support network and documentation library due to its large market share. In contrast, Nokia’s support network and documentation library may not be as extensive due to its smaller market share.
Containerlab.io and SR Linux
Containerlab is an open-source tool that supplies a CLI for orchestrating and managing container-based networking labs. It allows users to create virtual network topologies using Docker containers, making it easy to test and experiment with different network configurations.
One of the main benefits of Containerlab is its ease of use. It provides a simple command-line interface that allows users to quickly create and manage container-based networking labs. Users can specify the number of containers they want to create, the type of network topology they want to use and other configuration options.
The open-source project is backed by Nokia SR Linux and has a great deal of flexibility in supporting a wide range of containerised routers, including FRRouting, Quagga, Bird, Juniper and others. It enables network engineers to experiment with different routing protocols and configurations as well as virtual wiring, VNETs, VXLAN and other topologies. Not to mention, it’s easy to integrate with network automation tools such as Ansible and Terraform.
How can CACI help you choose between the two?
Both Cisco IOS and Nokia SR Linux have their strengths and weaknesses, and they differ in several ways— their architecture, CLI, security features and support/documentation. Ultimately, choosing between the two will depend on individual needs and preferences.
Why not get in touch to see how we can help your business fully utilise data centre network operating systems (NOS) such as Cisco IOS, IOS-XE, IOS-XR, Nokia SR Linux and others.
Following the introduction of the Telecommunications (Security) Act in November 2021, telecommunications providers large and small must now comply with ‘one of the toughest telecoms security regimes in the world’ or risk financial penalties up to £10m.
The UK government has marked out ambitious targets to connect 15 million premises to full fibre by 2025, with nationwide connection expected to be delivered by 2033, while much of the population is to be covered by 5G networks by 2027 [1]. Bringing far more than just increased speed, 5G will soon be central to daily life in the UK – from connected vehicles to smart factory production lines.
Yet, as the advancement in network technology accelerates and becomes further embedded in our daily lives, the threats posed by nation states and cyber criminals continue to grow. Research by Skybox Security reported a 106% increase in malware and a record-breaking 18,341 new vulnerabilities in 2020 [2]. Despite this, findings from the 2019 UK Telecoms Supply Chain Review Report carried out by the Department for Digital, Culture, Media & Sport (DCMS) revealed that there was little to incentivise communications providers to manage cyber security risks.
Additionally, the lack of diversity across the UK telecoms supply chain raises the possibility of critical national infrastructure balancing on single suppliers, posing a range of risks to the security and resilience of UK telecommunications networks.
Introduced into UK law in November 2021, the UK Telecommunications (Security) Act aims to tackle the risks highlighted in the Telecoms Supply Chain Review Report by raising the bar on telecommunications network security. A core element of The Act is the establishment of a new regulatory framework for telecommunications security. The framework comprises three key components:
1. New Telecoms Security Requirements (TSR)
At the heart of the framework, the TSR marks a significant shift away from the National Cyber Security Centre's (NCSC) now-closed telecoms assurance standard, known as CAS(T). Overseen by Ofcom and Government, the new requirements will provide clarity on how providers will be expected to design and manage their networks to ensure they're meeting the new, higher bar of network security standards.
2. Establishing an enhanced legislative framework
In addition to statutory compliance with the TSR, the Act strengthens Ofcom's powers to enable monitoring and assessment of operators' security. This is to include technical testing, interviewing staff, and entering providers' premises to view equipment and documentation. Failure to meet the new legal duties could leave providers facing hefty fines of up to ten per cent of turnover, or £100,000 per day if directives continue to be contravened.
3. Managing the security risks posed by suppliers
Telecommunications providers will need to ensure that they are managing the security risks posed by all suppliers. This will be addressed by:
Providers having rigorous oversight of vendors to ensure they follow the TSRs
Working closely with vendors on assurance testing of equipment, systems, and software
New powers for the government to impose controls on telecommunications providers’ use of goods, services or facilities supplied by ‘high risk’ vendors.
Security-first is the new mantra across the industry as minimising risks to critical national infrastructure will soon become part of day-to-day operations. Bringing together legal, technical and industry perspectives, this report explores the opportunities and obstacles ahead, and how to chart your course for success in the new security era.
Telecoms (Security) Act: Three Pillars
Key considerations for communications leaders
Clear visibility is critical
Protecting your network, applications and data has never been more critical. However, blind spots, missing data, and the risk of dropped packets make management and protection of these challenging, not to mention the scale and complexity of many providers’ hybrid network infrastructure. Nonetheless, providers must ensure they are able to monitor security across the entirety of their network and can act quickly when issues arise.
Security and service quality will need to be carefully balanced
Whilst enhancing security is the ultimate goal of The Act, this cannot be at the cost of network performance. Outages themselves can put providers in breach of the regulations. Security scans are a key line of defence for network security, helping to identify vulnerabilities which can be exploited if the correct mitigation steps aren't followed, so ensuring you have a robust vulnerability management process is critical. Incorporating the right vulnerability scanning tools, and following the required change management processes to implement them correctly, will help to secure your network whilst minimising any potential performance impact on your existing infrastructure and avoiding service outages.
Auditing abilities are a new superpower
Demonstrating compliance with the new legislation may pose a significant challenge to providers, particularly as they attempt to flow down security standards and audit requirements into the supply chain. However, implementation of robust auditing processes to identify and eliminate weaknesses and vulnerabilities is a must for keeping providers on the right side of the regulations.
Knowledge is power
With any significant legislative change comes a period of uncertainty as businesses adapt, so getting to grips with the new regulation ahead of the game is key. Many providers have already begun the search for talent with the technical skills and experience to deliver their TSR programmes; however, with the jobs market at boiling point, some providers may find that utilising external partnerships provides a more practical route to successful delivery, as well as a means to upskill and educate internal teams.
You’ll be tested
In 2019, Ofcom took over TBEST – the intelligence-led penetration testing scheme – from DCMS and has been working with select providers on implementation of the scheme. Whether through TBEST or not, providers will be expected to carry out tests that are as close to 'real life' attacks as possible.
The difficulty will be in satisfying the requirement:
“that the manner in which the tests are to be carried out is not made known to the persons involved in identifying and responding to security compromises.”
Providers may need to work with an independent vendor to ensure compliant testing.
Costs are still unclear
While the costs of complying with the new regulations are still undetermined, an earlier impact assessment of the proposed legislation carried out by the government indicated that initial costs are likely to be hefty:
“Feedback from bilateral discussions with Tier 1 operators have indicated that the costs of implementing the NCSC TSR would be significant. The scale of these costs is likely to differ by size of operator and could be of the scale of over £10 million in one off costs.”
Culture may challenge change
Technology will, of course, be at the forefront of communications leaders’ minds, yet the cultural changes required to successfully embed a security-first mindset are of equal importance and must be considered in equal measure. Change is never easy, particularly when there is a fixed deadline in place; however, delivery that is well designed and meticulously planned is key. Ultimately, the onus will be on leaders to craft a clear vision – achieving network security that is intrinsic by design – as well as mapping out the road to get there.
Roadmap to Compliance: How to prepare for the regulatory road ahead
Identify your gaps
Understanding your current state is the first step in achieving a successful transformation. A full audit of your security strategies, plans, policies, and effectiveness will expose your weaknesses and gaps, enabling you to take the right actions to protect your business and ensure compliance.
Prioritise your most pressing threats
While gathering data can provide better visibility of your network, taking reactive action to lower your risk isn’t the most efficient approach. Establishing levels of prioritisation will ensure your resources are being used to reduce risk in the right areas.
Get the right people in place
From gap analysis to operating model design, programme delivery, and reshoring, it’s likely you’ll need more people in place and new competencies developed. Getting the right partnerships and people now is key to getting ahead.
Plan to avoid legacy issues
Today's telecommunications industry is built on multi-generational networks, and legacy systems continue to underpin critical infrastructure. While extracting these systems is not going to happen overnight, dealing with your legacy should be an integral part of planning.
Implement transparent designs
Failing to disclose evidence of a breach could result in a £10m fine, so built-in transparency and traceability are key to your programme. Consider the likely information requests that are to come, to ensure your design changes enable clear tracking and reporting.
Embed a security-first focus
Mitigating the risks facing the UK’s critical national infrastructure is the driving force behind the TSRs, and telecommunications providers will need to ensure that this mindset is embedded in the everyday. Buy-in from the business is core to any cultural shift, so align your leadership with a shared, cross-functional vision and get some early delivery going to build gradual momentum.
Prepare for future cybersecurity legislation
In November 2021, the Government announced The Product Security and Telecommunications Infrastructure Bill (the PSTI) to ensure consumers’ connected and connectable devices comply with tougher cybersecurity standards. As cybersecurity evolves, so too will the threats to organisations, and telecommunications providers must be prepared for more regulatory oversight.
Embrace the benefits of built-in security
Ultimately, security that is built in rather than bolted on will enable providers to offer better protection and performance for customers, as well as foster trust with greater transparency. While the industry may not have been seeking the Telecoms Security Act, its passing prompts action to remove the constraints of old and reimagine and reshape to seize the opportunities of a new era.
Start your security transformation now: How CACI can help
The Telecoms Security Act is clear – security is everyone’s priority, from executive to employee. However, embedding a security conscious culture from top to bottom requires significant resource and expertise to steer towards success. With the clock already counting down, telecommunications providers are under pressure to begin their TSR compliance journey whilst ensuring that existing change programmes stay on track.
In today’s global market where demand for security resource and competence is fierce and available talent is few and far between, companies may struggle to find the in-house resources and expertise required to meet the new regulations. With over 20 years’ experience in telecommunications, CACI can guide you through the challenges and change brought by the TSR. From auditing your current security and addressing shortfalls to full Telecoms Security Framework implementation guidance and upskilling of your internal resource, our highly experienced security and compliance experts can help prepare your organisation for the new security era.
On 16th March 2021, the British government carried out the largest review into the operations of Defence & National Security since the cold war. The reports that followed (the ‘Integrated Review of Security, Defence, Development and Foreign Policy’ and ‘Defence Command Paper’) were a scathing indictment of the Ministry of Defence (MoD), declaring it an institution that was inefficient, wasteful and no longer fit for purpose.
The government assured that, in the face of growing adversaries and an increasingly uncertain global economy, the MoD needed to change fast – or see its budgets slashed.
One step forward, two steps back
These reports placed MoD in the spotlight, and this scrutiny was only exacerbated by the invasion of Ukraine in 2022. The Ukrainian conflict proved the MoD could be an efficient, agile organisation when placed under threat – delivering nearly £4.6 billion worth of additional arms to Ukraine – but its success was a double-edged sword. It showed that the MoD was capable of a rapid response when needed but begged the question, ‘Should we need conflict to move quickly?’.
With the government’s focus now firmly on the MoD’s shortcomings, it was essential for it to self-reflect to successfully grow. The MoD released its own publications – a refreshingly honest accounting of its failings and outlining of the necessary objectives to achieve modernisation. Within this, it was clear that although the MoD had managed to maintain an incredibly capable military for decades, it had been reliant on expensive, proprietary technologies. These technologies were creating a vast amount of data, which although useful, were disparate, unhygienic and difficult to locate. If this data was properly managed and effectively used, it would be the biggest transformation in a century – harnessing digital technologies in a way that the MoD had never done before.
Harnessing the power of data
Though the MoD has the data it needs at its fingertips, it faces numerous challenges to be able to use that data effectively and efficiently:
Data siloes
As of 2022, the MoD employs nearly 220,000 staff, working across Front Line Commands, Executive Agencies and other branches of the military, all of which are creating data in isolation. The MoD must find a way of unifying, cleaning and, where appropriate, aggregating this data to drive the insight and intelligence it requires.
Legacy systems
Technology moves at a rapid pace, leaving the MoD having to maintain systems that are outdated, unsupportable and difficult to integrate in order to carry out its function. This makes accessing and analysing data far more difficult. As this data underpins legacy systems, it will ultimately need to be migrated to new systems as the MoD modernises.
Data security & privacy concerns
The MoD deals with sensitive and often classified data relating to the security of the nation. Ensuring its security is vital, and a balance must be struck between making data available for analysis while maintaining security and safeguarding it from increasingly sophisticated cyber threats.
Governance & compliance
Compliance with complex legislation is a crucial practice for the MoD. As defence is an international operation, a robust and comprehensive data governance regime is vital. Access, usage and sharing of data must all be governed by a strict set of rules that ensure ongoing compliance with both international and domestic legislation.
Interoperability with allies
In coalition operations, the MoD must collaborate and share data with allied forces worldwide. However, ensuring data interoperability with partner nations can be challenging due to differences in systems, formats and security protocols. Programmes such as the Future Combat Air System / Global Combat Air Programme require co-operation between the MoD and its partners, allowing data to be shared using a common methodology.
Cultural resistance
Shifting the organisational culture towards a data-driven approach may result in resistance from personnel accustomed to traditional decision-making processes. Promoting data literacy and demonstrating the value of data-driven insights are essential to overcoming this challenge.
The path to a modernised MoD
The MoD faces significant challenges in leveraging data effectively. However, it has embraced transformation and modernisation, showing a strong commitment to becoming more efficient, capable and agile. As the MoD progresses, we can be hopeful that its dedication to digital transformation will lead to a more resilient and forward-looking defence force, safeguarding national security and upholding democratic values globally.