Telecom SaaS: Navigating facts from fiction on data privacy and security

Telecoms.com periodically invites expert third parties to share their views on the industry’s most pressing issues. In this piece Mark Bunn, Senior VP, SaaS Business Operations, Nokia Cloud and Network Services, and Rick Lievano, CTO, Worldwide Telecommunications Industry, Microsoft, seek to clarify the nature of SaaS in the telecoms space.

Guest author

December 8, 2023


While the software-as-a-service (SaaS) model offers numerous benefits for telecommunications service providers (telcos), many are still hesitant to embrace it. Their reservations often stem from concerns around data security and privacy — in particular, whether they can move to the cloud while safeguarding their customers’ personal information and ensuring compliance with regulatory requirements.

While it’s true that there are certain hurdles that need to be overcome as part of the SaaS journey, other concerns are fueled by persistent myths and misconceptions about telecom SaaS.

It’s time to set the record straight and show telcos why they can trust telecom SaaS. We’ll also talk about why telcos should consider a phased approach to SaaS migration and how this will help them address their regulatory requirements.

Why some telcos are still on the fence

With telecom SaaS, telcos can access the software they need to run their networks on demand as a subscription-based service over the cloud. This leads to faster rollouts of new services, lower upfront costs, and greater agility to respond to changing market conditions.

Yet many telco security and compliance officers are reluctant to embrace telecom SaaS. They’re used to owning all aspects of the network, making the public cloud seem risky, particularly as it relates to preventing data access through leaks or breaches, maintaining compliance with data privacy laws and regulations, and controlling data location and keeping it subject to the laws of a specific jurisdiction.

There’s good reason to be cautious. A data breach can damage brand reputation and customer trust. Non-compliance can bring major fines. The stakes are high. But the fact is telcos can trust telecom SaaS, despite what the myths surrounding it might suggest.

Myth 1: Data in the public cloud can be accessed by multiple parties

Controlling the use and storage of customers’ personal and financial data is paramount for telcos. So when many think of putting that data in the cloud, they’re concerned that the cloud provider and the SaaS vendor will have unrestricted access to it all.

But that’s not the case, largely because cloud providers enforce strict data isolation policies.

Their system reliability engineers (SREs) and other personnel cannot view or interact with customer data without first getting authorization from the customer. They don’t even have login permissions or privileges. The only exception is if access is essential to preventing fraud or complying with requests from law enforcement agencies — but even then, cloud providers have pushed back on requests that seem too broad.

In addition, cloud providers and SaaS vendors:

  • Maintain end-to-end security controls across all layers of the public cloud, including protections and countermeasures to minimize risks and threats

  • Use advanced encryption techniques, such as externally managed keys, to protect data in use, at rest, and in transit

  • Put in place zero-trust security architecture principles, such as API-based authentication for system-to-system integration

  • Allow customers to choose from and configure a wide range of multi-layered security options, such as hardware isolation, to best suit the specific security needs of their industry or jurisdiction

Myth 2: SaaS and the public cloud make it harder to stay compliant with privacy regulations

When thinking about SaaS, some telcos get particularly nervous about compliance with data privacy laws and regulations across multiple jurisdictions and regimes. Many are worried that a global cloud provider or SaaS vendor won’t have the expertise specific to their sector or country to keep them compliant with increasingly complex and strict frameworks and standards.

The reality is cloud providers and SaaS vendors maintain teams dedicated to compliance, with disciplined processes for staying current with accreditations and certifications. They dedicate significant time and resources to this because they themselves need to comply with all the relevant data privacy laws and regulations in the jurisdictions in which they operate, such as Europe’s General Data Protection Regulation (GDPR). And they regularly face independent audits to verify their ability to comply with those regulations and standards.

Cloud providers and SaaS vendors also have processes in place to ensure data cannot move or leave a protected cloud instance without the customer’s approval. They run data locally in each customer country and keep regional operations independent of each other to meet data sovereignty requirements.

Likewise, they also use techniques such as encrypted key generation to ensure control remains within the right borders and entities, and incorporate the principles of the Privacy by Design framework, implementing features like granular access controls and anonymization to protect user data.

Myth 3: Data stored in the cloud is inherently less secure

The final misconception we’d like to address is perhaps the biggest of them all: that the cloud could never be as secure as an on-premises deployment. In fact, SaaS has become just as secure as on-premises software, if not more so.

Cloud providers’ reputations depend on maintaining the security and privacy of customer data, so they’ve made massive investments in technologies, people and resources to build industry-leading capabilities in this area.

The pressure they face to ensure their infrastructure is hardened has prompted them to make investments well beyond what any one telco could do on their own. That means telcos benefit from security practices designed to operate at scale and for the most demanding clients worldwide, like banks and governments.

At the same time, serving many customers across all sectors has given them unparalleled insight into security incidents and vulnerabilities, enhancing their ability to mitigate and prevent threats.

On top of that, SaaS vendors bring defense-in-depth capabilities to the table, taking a multi-layered security approach that includes network segmentation, traffic logging, intrusion detection, vulnerability management, and more.

SaaS traffic is not routed over the public internet, while strict approval processes limit the SaaS vendor’s ability to move data from one cloud to another. And measures like replication ensure the availability of customer data even if a data center goes offline.

Cloud providers also adhere to strict data resiliency guidelines, ensuring regular data backups are made to facilitate fast and easy data recovery to previous states.

Charting a roadmap for a smooth SaaS migration

The reality is that most telcos likely already use cloud services for a number of mission-critical business applications. Shifting their network operations and management into the public cloud via SaaS is the next logical step.

The good news is that telcos do not need to migrate their entire operational infrastructure to the cloud overnight. The transition to the telecom SaaS model can be a gradual, multi-year journey that allows telcos to properly plan, assess, and implement each step of the process.

It can begin with moving low-risk, non-core functions such as analytics or network management into the cloud, then expand from there. Taking a phased approach, rather than moving everything into the cloud all at once, makes it easier for telcos to ensure they’re staying compliant with data privacy mandates each step of the way.

It's important that telcos are aware of their role in assuring SaaS security. Under the Shared Responsibility Model, while cloud providers are responsible for securing the underlying infrastructure, telcos are responsible for how their data in the cloud is accessed, managed, and used. That means adopting a zero-trust approach to data security. Key elements of a zero-trust framework include defining data-recovery procedures; implementing authentication, authorization, and accounting best practices; diligent logging, auditing, and transparency; and end-to-end data protection.

Moving past the myths

Data security and privacy are topics telcos can’t afford to dismiss.

Given what’s at stake, it’s within their rights to interrogate the claims of SaaS and cloud providers. That’s why companies have put in place technologies and procedures to make telecom SaaS just as secure as, if not more secure than, traditional on-premises software deployments, so telcos can move past the myths and start taking advantage of a new era of cloud-based benefits and capabilities.


Mark Bunn is the Senior Vice-President of SaaS Business Operations for Nokia Cloud and Network Services. Mark joined Nokia from Oracle where he led Monetization and Orchestration Products for Oracle Communications Applications, focusing on Cloud development spanning digital service providers’ businesses and operations. He brings over 25 years of experience in product management and software development, and a passion for driving SaaS transformation. He holds an MBA in Business Computer Information Systems from the University of North Texas (Denton, Texas) and BBA degrees in Finance and Management from the Florida State University (Tallahassee, Florida).


Rick works with customers and partners in developing telecommunications industry solutions and reference architectures to address the rapidly changing needs of service providers across the globe. He is an enthusiastic participant and speaker in many industry communities, an advocate of industry frameworks and open standards, and holds TM Forum Open Digital Architecture and Business Development Manager Career Certifications. At TM Forum, he is a member of the Collaboration Sub-Committee, overseeing the effective creation and adoption of pragmatic best practices and standards to deliver value to the membership. Rick currently leads initiatives to help operators achieve more by infusing Artificial Intelligence across their business.
