03 April 2024
Internet of Things, Smart Connectivity
As a leading provider of Managed Connectivity Services and a Mobile Virtual Network Operator (MVNO), Semtech oversees the secure operation of a complex critical infrastructure platform relied on by customers around the world. With customers relying on connectivity to maintain data communications with endpoints ranging from critical infrastructure, to mobile connectivity for first responders, to border-crossing cargo shipments that require asset tracking, our teams take this responsibility seriously. We are proud to share some insight into the key measures we take to keep our customers safe, secure, and connected, as well as how those measures fit into our broader strategy. First, some background.
A Mobile Virtual Network Operator, or MVNO, is a mobile communications provider that offers service to its customers using infrastructure owned and operated by a traditional Mobile Network Operator (MNO). Through this model, MVNOs can provide customers with additional value on top of mobile connectivity. As MVNOs can partner with multiple MNOs, they can offer customers one-stop connectivity that spans the operating areas of more than one MNO without the customer needing to manage each of the different carriers. This means that an MVNO can provide transparent service on a global scale, giving customers unmatched flexibility and efficiency. MVNOs can also offer customers a range of additional services for managing connectivity that go beyond what individual MNOs make available to customers.
Due to an MVNO’s reliance on their partner MNOs for the infrastructure used for underlying connectivity, they are not responsible directly for the security of that telecommunications infrastructure. That responsibility falls to the MNO. Nonetheless, MVNOs face their own threat landscape. To deliver their services, MVNOs need significant access to their MNO partner’s infrastructure, and attackers see MVNOs as a path to attempt to compromise the underlying mobile telecommunications infrastructure. Further, an attacker who can disrupt the operations of an MVNO can have a significant impact across the MVNO’s customers that exceeds the impact of affecting a single MNO. Examples of threats faced by an MVNO include:
Tampering with data in transit, impacting the integrity of information
Theft or disclosure of sensitive information transiting the MVNO
Disruption and interruption of services, denying communications to critical customers
Theft of customer and subscriber information from the MVNO, or destruction of customer data
Semtech has implemented a robust cybersecurity and resilience program across our MVNO footprint with focused investment in tools, technologies, strong practices, and training. Combined with around the clock monitoring, layered resilience, and business continuity practices, this gives Semtech the depth of defense needed to combat today’s threats and tomorrow’s.
Semtech recognizes that there is no single measure or practice that is going to ensure that our MVNO operates with the level of security our customers need and expect. Reflecting the myriad types of threats previously described, we employ a Defense in Depth strategy built on a range of different technologies. Our cybersecurity partners, all industry leaders, provide us with the tooling and systems we need, and enable the following capabilities:
24x7 Managed Endpoint Detection and Response (EDR) – monitoring and actively responding to threats within our infrastructure
Web Application Firewalls – Intelligently monitoring network traffic and actively preventing high risk or suspicious activity
Telecommunications-specific cybersecurity appliances designed to protect cellular-related network protocols
Vulnerability Scanners – Ongoing, regular scanning of internal and externally facing infrastructure for vulnerabilities and risks
Active Asset Detection & Management – Centralized aggregation of asset data with a wide range of data sources from across our footprint, supporting risk detection and asset management
Cybersecurity, particularly for complex entities like MVNOs, is not solely about the use of industry leading technologies. Secure practices must be leveraged during the design, implementation, and operation of the infrastructure to provide robust protection and to get the maximum security value from technical controls and capabilities. Some of the key operational and architectural practices used by Semtech’s MVNO include:
Workload isolation and segregation – Zero-trust VLAN design using leading-edge firewall protection to isolate workloads
Data Encryption – Use of Virtual Private Networks (VPN) to encrypt partner and carrier connectivity, as well as encryption of data at rest
System Hardening – Operating System and Shell Hardening following Center for Internet Security (CIS) Version 8 guidance
Lifecycle Management – Workflows and practices in place to ensure that systems and infrastructure remain current and supported
Vulnerability and Patch Management – Regular operational practices to monitor for vulnerabilities and threats and to apply patches and mitigation measures in a timely manner
Recognizing that well-trained employees are a key part of keeping infrastructure secure, Semtech requires all employees to participate in mandatory cybersecurity training annually. Further advanced cybersecurity training is available for employees in cybersecurity-specific or sensitive roles. All workstations used by employees to interface with sensitive systems, including customer-facing platforms, are also deployed with security measures including 24x7 Managed EDR monitoring and response, network layer web filtering and threat prevention, and advanced Multi-Factor Authentication (MFA). These measures help our employees do their jobs in the most secure way possible.
Physical data centers are all Tier 2 data center compliant. To achieve high availability, multiple geographically dispersed data centers run in an active-active configuration with multiple instances of underlying services similarly configured. This provides continuous services to our customers in a disaster or cyber event.
A robust backup strategy is a key part of the Semtech data protection policies. Backup and restoration center on a combination of on- and off-premises data storage using data archiving techniques that support immutability. Semtech policies further require regular testing of our backups to ensure the recoverability of data in the event of a disaster of any size. All backup solutions include rollback solutions.
Even after implementing all the technologies, operational practices, and policies referenced in this document, it is still critical to know if all your capabilities are operating as anticipated and with the expected operational impact. Semtech relies on regular security assessments and red team testing by recognized third parties to evaluate not just the presence of our controls but their effectiveness. Lessons learned from each successive testing engagement flow back into the workflows noted here, reinforcing strengths and ensuring any weaknesses are quickly addressed.
We engage a third-party security services provider at least once per year to perform an Internet-facing vulnerability and penetration test.
MVNO-specific security audits are performed by a third party specializing in the unique and advanced infrastructure, protocols and architectures used by an MVNO to deliver services.
Semtech performs regular internal audits and security assessments as well, in addition to tracking our alignment with our selected industry security benchmarks.
Semtech is committed to delivering secure Managed Connectivity Services to our customers through the responsible operation of our MVNO infrastructure. Recognizing the numerous threats faced by MVNOs, Semtech employs a defense-in-depth security strategy built on industry-leading tools and recognized practices supported and verified by third-party assessments and audits. Together with security training and robust asset management, Semtech delivers efficient, reliable operation for our customers built on a secure foundation. As customer needs, telecommunications technologies, and threats continue to evolve, Semtech is resolved to continue maturing and evolving to keep pace and remain a trusted partner and provider for our customers.