Meeting the UK’s Telecommunications Security Act with MongoDB
Emerging technologies like AI, IoT, and 5G have transformed the value that telecommunications companies provide the world. However, these new technologies also present new security challenges. As telcos continue to amass large amounts of sensitive data, they become an increasingly attractive target for cybercriminals — making both companies and countries vulnerable to cyberattacks. Fortunately, developers can protect user data which comes with strong security requirements on a developer data platform. By offering features to meet stringent requirements with robust operational and security controls, telcos can protect their customers’ private information.
The UK Telecommunications Security Act
Amid growing concerns about the vulnerability of telecom infrastructure, and its increasing digital dependency, the
UK Telecommunications (Security) Act
(TSA) was enacted on November 17, 2021. It was designed to bolster the security and resilience of the UK’s telecommunications networks. The TSA mandates that telecom operators implement rigorous security measures such as end-to-end encryption as well as identity and access management to protect their networks from a broad spectrum of threats, ensuring the integrity and continuity of critical communication services.
The act allows the government to compel telecom providers to meet specific security directives. The United Kingdom’s Office of Communications (Ofcom) is a regulatory body responsible for overseeing compliance, conducting inspections, and enforcing penalties on operators that fail to meet the standards. The comprehensive code of practice included in the act offers detailed guidance on the security measures that should be implemented, covering risk management, network architecture, incident response, and supply chain security.
The TSA tiering system
The TSA establishes a framework for ensuring the security of public electronic communications networks and services. It categorizes telecoms providers into different tiers, with specific security obligations for each tier. The Act outlines three main tiers:
Tier 1:
These are the largest and most critical providers. They have the most extensive obligations due to their significant role in the UK's telecoms infrastructure. Tier 1 providers must comply with the full set of security measures outlined in the Act.
Tier 2:
These providers have a considerable role in the telecoms network but are not as critical as Tier 1 providers. They have a reduced set of obligations compared to Tier 1 but still need to meet substantial security requirements.
Tier 3:
These are smaller providers with a limited impact on the overall telecoms infrastructure. Their obligations are lighter compared to Tiers 1 and 2, reflecting their smaller size and impact.
The specific obligations for each tier include measures related to network security, incident reporting, and supply chain security. The aim is to ensure a proportional approach to securing the telecoms infrastructure, with the highest standards applied to the most critical providers.
Non-compliance may result in fines
Under the TSA, non-compliance with security obligations can result in substantial fines. The fines are designed to be significant enough to ensure compliance and deter breaches.
The significance of the fines imposed under the TSA underscores the importance the UK government places on telecom security and the serious consequences of failing to meet the established standards.
How MongoDB can help
MongoDB offers built-in security controls for all your data—whether your databases are managed on-premises with
MongoDB Enterprise Advanced
or with
MongoDB Atlas
, our fully managed cloud service. MongoDB enables enterprise-grade security features and simplifies deploying and managing your databases.
Encrypting sensitive data
The TSA emphasizes securing telecom networks against cyber threats. While specific encryption requirements are not detailed, the focus is on robust security practices, including encryption to protect data integrity and confidentiality. Operators must implement measures that prevent unauthorized access and ensure data security throughout transmission and storage. Compliance may involve regular risk assessments and adopting state-of-the-art technologies to safeguard the network infrastructure.
MongoDB data encryption offers robust features to protect your data while it’s in the network, being stored, in memory, in transit (network), at rest (storage), and in use (memory, logs). Customers can use automatic encryption of key data fields like personally identifiable information (PII) or any data deemed sensitive—ensuring data is encrypted through its use.
Additionally, with our industry-first
Queryable Encryption
, MongoDB offers a fast, searchable encryption scheme that supports equality searches, with additional query types such as range, prefix, suffix, and substring planned for future releases.
Authentication and Authorization
The TSA contemplates stringent identity and access management requirements to enhance network security. Regular audits and reviews of access permissions should be designed to prevent unauthorized access and to quickly identify and respond to potential security breaches. These measures aim to protect the integrity and confidentiality of telecommunications infrastructure.
MongoDB enables users to authenticate to their Atlas UI with their Atlas credentials or via single sign-on with their GitHub or Google accounts. Atlas also supports MFA with various options, including OTP authenticators, push notifications, FIDO2 (hardware security keys or biometrics), SMS, and e-mail.
MongoDB Enterprise Advanced users can authenticate to the MongoDB database using mechanisms including SCRAM, x.509 certificates, LDAP, OIDC, and passwordless authentication with AWS-IAM.
Auditing
Under the TSA, providers must implement logging mechanisms to detect and respond to security incidents effectively. Logs should cover access to sensitive systems and data, including unsuccessful access attempts, and must be comprehensive, capturing sufficient detail to facilitate forensic investigations. Additionally, logs should be kept for a specified minimum period and to be protected against unauthorized access, tampering, and loss.
MongoDB offers granular auditing that monitors actions in your MongoDB environment and is designed to prevent and detect any unauthorized access to data, including CRUD operations, encryption key management, authentication, role-based access controls, replication, and sharding cluster operations.
Additionally,
MongoDB’s Atlas Organization Activity Feed
displays select events that occurred for a given Atlas organization, such as billing or access events. Likewise, the Atlas Project Activity Feed displays select events that occurred for a given Atlas project.
Network security
The TSA outlines several network security requirements to ensure the protection and resilience of telecommunications networks. These requirements encompass various aspects of network security, including risk management, protection measures, incident response, and compliance with standards and best practices.
Atlas offers many options to securely access your data with dedicated clusters deployed in a unique virtual private cloud (VPC) to isolate your data and prevent inbound network access from the internet.
You can also allow a one-way connection from your AWS, Azure, or Google Cloud VPC/VNet to Atlas Clusters via
Private Endpoints
. Additionally, you can enable
peering
between your MongoDB Atlas VPC or VNet to your own dedicated application tier VPN with the cloud provider of your choice or enable only specific network segments to connect to your Atlas clusters via the
IP Access list
.
In summary, the UK TSA is a critical regulatory framework aimed at protecting the nation’s telecommunications infrastructure from cyber threats. For telecom companies, compliance isn’t just a legal obligation but a business imperative. Failure to comply can mean significant financial penalties, reputational harm, and long-term operational challenges, underscoring the importance of adopting robust security measures and maintaining continuous adherence to the Act’s requirements.
Visit MongoDB’s
Strong Security Defaults
page for more information on protecting your data with strong security defaults on the MongoDB developer data platform, as well as how to meet stringent requirements with robust operational and security controls.
August 1, 2024