Global Title leasing has been a widespread practice whereby service provides lease access to their Global Titles (GT) and Hosts to enterprise customers. But today, GT leasing poses network security risks that CSPs must address immediately, says Saverio Vardaro, CCO Security at Mobileum.
Initially, the use of GTs made sense. As well as supporting services such as A2P SMS or Sponsored Roaming, enterprises wanted a mechanism whereby they could track and verify the legitimate location of a customer. For example, global fleet management companies may want to track the location of trucks periodically, or a bank may need to confirm a customer’s location to validate an international credit card transaction.
However, the practice of Global Title leasing has significantly increased the attack surface for communications service providers. For example, a GT is provided for sending A2P SMS, but there is the potential that it is used to track a high-value subscriber in a roaming partner network and possibly spy upon their calls and SMS. Another case is where an enterprise uses GT access to send promotional messages to international customers, but access is exploited to send spam and smishing messages. A wrap-up of some recent high-profile cases of the risks that GT leasing can be found in our blog “The Battle to protect our subscribers against cyber weapons.”
One of the most significant vulnerabilities of GT leasing is that access to interconnect protocols and systems has been granted to third parties, sometimes without the required due diligence, protection, or monitoring mechanisms being put in place by operators. The ongoing risk has now been deemed so high that the GSMA is currently working on a formal Code of Conduct that designates GT Leasers as the responsible party that needs to actively manage and control the use of their leased GTs through the use of real-time technical controls. Mobileum is steadfastly committed to this activity and has in fact chaired the task force.
Signaling outbound firewalls have been identified as a real-time technical control that is capable of restricting the use of those global titles to legitimate and authorized purposes only and safeguarding the security of the network and subscribers. However, not all outbound signaling firewalls are made equal. Having an SS7/DIAMETER Outbound firewall that handles all of the GSMA threat categories is the minimum requirement. CSPs need an outbound firewall that not only protects their own network but also ensures that it is not compromised to send malicious traffic to other partner networks. To do so, CSPs need an outbound signaling firewall that has the full capabilities to:
- Apply rate limits to outgoing traffic per GT/Host
- Application of Message Sequence and customized advanced rules
- SMS rules to check senders, binary, volume, spam/A2P content
Mobileum’s Signaling Outbound Firewall works on zero trust architecture. By operating on the basis of not trusting anybody or anything inside the network perimeter, it provides CSPs added protection by applying restrictions to activities and only allowing interworking functionality on an exception basis. In addition to having the full capabilities to meet the GSMA threat categories, the Signaling Outbound Firewall enforces controls at the individual originating Global Title/Host level to allow/block specific signaling operations or block specific destinations.
If you are leasing global titles to third parties, you must have the capabilities to restrict the use of those global titles to legitimate and authorized purposes. If you don’t you cannot comply with the new GSMA Code of Conduct. Only with Mobileum’s Signaling Outbound Firewall can you be sure that you have protections in place to do so. Contact us to learn more.