
White Paper

Policy, Identity & Security In NextGeneration Mobile Networks


Prepared by Graham Finnie Chief Analyst, Heavy Reading

www.heavyreading.com On behalf of Juniper Networks

October 2008

TABLE OF CONTENTS
EXECUTIVE SUMMARY ......................................................................... 3
I. NEW SERVICES, NEW CHALLENGES ......................................................... 4
II. THE EMERGENCE OF POLICY CONTROL, IDENTITY MANAGEMENT & MULTI-LAYER SECURITY .......... 8
III. SUMMARY: CHALLENGES & BENEFITS ...................................................... 17

LIST OF FIGURES*
SECTION I
Figure 1: Flat Mobile Revenues Are Driving The Transition To Mobile Broadband .......... 4
Figure 2: The Rise Of Mobile Broadband ................................................. 5
Figure 3: Core Catalysts For Deploying A Policy Architecture .......................... 10
Figure 4: Better Collaboration With Third Parties Is The Core To Future Success ....... 14
Figure 5: Security Is The Most Important Application For Policy Management ............ 16
Figure 6: Policy, Identity, Security and Value: Enhancing Service Propositions ........ 17

* All charts and figures in this report are original to Heavy Reading, unless otherwise noted.

HEAVY READING | OCTOBER 2008 | WHITE PAPER | POLICY, IDENTITY & SECURITY IN THE NGMN

Executive Summary
The world's global mobile operators are currently experiencing a once-in-a-generation upheaval that is creating many new opportunities but also multiplying the dangers that they face. This upheaval is still in its early stages, and the challenges it poses will increase rapidly over the next 2-3 years. In particular, it is creating open access mobile networks offering broadband connection speeds to customers who are using smartphones, laptop PCs and other open devices to access any site or application available on the Internet. As a result, mobile networks increasingly resemble fixed broadband networks. Can mobile operators manage this transition without becoming providers of commodity broadband services, already the norm in the fixed network? And what is their core value in this emerging world?

There are already signs that mobile telcos could indeed become commodity broadband providers. Over the past two years, dozens of mobile broadband operators have introduced broadband services for a flat monthly fee that are identical in most respects to fixed broadband services, using 3G EVDO and HSPA technology (and more recently, WiMAX). And those services are based on the same principles as fixed services: a contracted speed at a single price, with little in the way of added value.

Yet the game is very far from over. Mobile operators do for now retain significant control over the majority of their customers' activities. They still have time to adapt. The key question they must ask is: are there ways to provide customers with the more open Internet service and applications environment they want (and will ultimately get) while still retaining a close and valuable relationship with those customers? This paper argues that the only credible way to do that is to deploy a policy framework that enables operators to intelligently control the applications running on the network, and the bandwidth they consume and need, in order to personalize and optimize the subscriber experience.
Mobile operators enjoy a unique and enviable direct relationship with customers as individuals, and must build on that relationship by ensuring that any tools they do deploy are centered on the individual, not the application or the network. In practice, this means that policy tools must be deployed hand in hand with subscriber identity management tools, and in a context where they can be used equally effectively to handle all the applications that the customer values, both an operator's own applications and third party over-the-top (OTT) applications. Finally, policy tools must also be capable (as they increasingly are) of handling the proliferating security threats that are bound to emerge in this more open network environment.

Hence policy, identity and security are the foundation elements for the development of a new relationship between mobile service providers and consumers that recognizes the need to provide open access to Internet resources, but at the same time enables providers to enrich the individual subscriber's experience in ways that improve subscriber loyalty and increase the opportunity to sell them new services, more often than not in alliance with 3rd party Internet and Web service providers. Policy control is a highly complex area which presents some major challenges when making decisions about what to deploy and where. But as this paper will show, so long as mobile service providers keep these core principles in mind, they will be in a strong position to weather the many challenges in front of them.


I. New Services, New Challenges

Mobile network operators are undergoing convulsive changes that will revolutionize the services they provide and their relationship with customers. There are two related changes taking place, which together will completely reshape the mobile service ecosystem over the next 5-10 years. These are the deployment of an all-IP network infrastructure optimized for the delivery of IP data services rather than telephony; and the deployment of broadband radio access infrastructure based on standards such as 3G CDMA 1X EV-DO, 3G WCDMA HSPA, LTE, or WiMAX. The main impact of these changes is to open up mobile networks across a range of dimensions, creating a new kind of open access mobile network. In particular, these networks have the following characteristics:

- Open devices which are not wholly controlled by the mobile operator
- Open user interfaces that enable users to gain direct access to the Internet services and applications they want, without going through the operator's portal
- Open applications that can be used by end users and others to build new services and service features
- Open operating systems that resemble the OS already installed on PCs

As a result of these changes, the core challenge facing mobile telcos is to build a new ecosystem that takes maximum advantage of the opportunities this creates. The transition to these new infrastructures is inevitable for a number of reasons. Most important, in developed economies (and increasingly in less developed economies) the market for mobile telephone services is saturated and both ARPU and total revenues from mobile telephony are flat or declining, as Figure 1 shows. Existing packet data services such as WAP and GPRS have yielded only modest new revenues. Something new is needed.

Figure 1: Flat Mobile Revenues Are Driving The Transition To Mobile Broadband

Source: Mobile ARPU, annualized, Orange France

This is driving mobile operators to seek new revenues from other sources, and to cut underlying costs. And this in turn is creating the impetus to build lower-cost and higher-value all-IP broadband networks that increasingly resemble the networks already being built by fixed network operators. These networks offer greater bang per buck, and enable customers to get access to a far wider and richer set of applications and services than hitherto.

The transition to broadband IP networks provides mobile operators with a massive opportunity in a huge and growing market. At the end of 2007, there were approximately 340 million fixed-line broadband subscribers worldwide, the vast majority in the developed countries of North America, Europe and Asia. Broadband services became widely available approximately 10 years ago, and have grown steadily to reach around 50% household penetration in the average developed country; globally, broadband subscriber growth is around 15% per annum, but is lower than that in developed countries, and already flat in the most developed markets.

On the mobile side, the transition to broadband may happen much more quickly than that. Although there are fewer mobile broadband customers than fixed broadband customers at mid-2008, the accelerating growth in mobile broadband means that there could be more mobile than fixed broadband customers as early as 2010. By the middle of 2008, there were already nearly 200 million mobile broadband subscriptions, which we define as any customer with a suitable device connected to a service based on 1X-EVDO (where there are about 100 million customers), and HSPA (where there are about 50 million customers). Although there are fewer customers on HSPA (which offers higher speeds and is the long-term solution of choice for cellular networks), and not all those with broadband-capable phones use them much yet, the potential is vast: already by mid-2008, over a third of the 313 GSM networks worldwide had launched an HSPA network at 3.6Mbit/s or more.

Figure 2: The Rise Of Mobile Broadband
[Chart: mobile broadband subscriptions (millions), end of year 2007 to 2012, for HSPA, EVDO, LTE and mobile WiMAX; vertical axis 0 to 1400.]

Source: Heavy Reading

These services are proving extremely popular because they offer far more utility and value than their immediate predecessors in the mobile data service portfolio. In particular, they offer connection speeds that are comparable with those in fixed broadband networks. Current generation EVDO networks can support download speeds of 3.1Mbit/s, while current generation HSPA networks support either 3.6Mbit/s or 7.2Mbit/s (over 50 operators worldwide now operate a 7.2Mbit/s service). Although this bandwidth is shared among all customers in the cell site, initial experience suggests that HSPA services in particular are comparable with fixed broadband services, and therefore potentially a substitute for them. This is especially the case where services are tariffed at a flat monthly price, rather than by data volume (which was typically the case in previous-generation mobile data services). Most of the recently-launched mobile data services are indeed flat-rate services, competitively priced between $20-35 per month, and although the majority cap total data downloads, these services give customers far greater freedom to use the Internet than hitherto, increasing the value and use of these services and therefore mobile data uptake.

Just as important, the mobile device market is undergoing equally important changes that increase the value of 3G mobile broadband services still further. The huge success of the Apple iPhone only confirmed a trend that was already underway, in which closed devices are being replaced by more open programmable devices, usually called smartphones, which give customers the ability to load and use applications that are not under the control of the mobile operator. However, an equally key trend is the proliferation of wireless 3G radios in other devices, most importantly in computers. The unexpected success of USB dongles, which enable PC owners to connect to mobile broadband services using the PC itself, is the most important development here. HSPA radio modules in easy-to-install forms (e.g. mini PCI) are also being added to hybrid devices such as PDAs and micro (super-mini) PCs, and into consumer electronic devices such as games machines. In other words, mobile phones increasingly resemble personal computers in almost every respect, meaning that they are becoming true multi-application devices that can no longer be closely controlled by mobile service providers.
In the HSPA world, the transition to open devices is already nearly universal: the vast majority of HSPA subscribers have programmable devices based on Symbian S60, Windows Mobile, and prospectively on the Apple OS and on versions of the Linux OS, used in devices such as Google Android. It is clear that these trends offer mobile operators enormous new opportunities. Most obviously, they create a brand-new mobile broadband revenue stream that is incremental to the telephony revenue stream. They also allow the more aggressively-minded operators to compete directly with wireline operators for broadband customers. In the long run, however, the bigger opportunity is the ability to enable new services to be deployed on these more powerful devices and networks.

Yet the challenges and dangers are equally large, and for the most part are related to the loss of control that is implied by the transition to mobile broadband. Badly managed, this transition to mobile broadband will provide only a temporary fillip to revenues: a few years down the line, as the market saturates, it will lead to the serious danger of real declines in revenue if operators do not address those dangers head-on. The clearest and most present danger (but not, ultimately, the biggest) is the growth in mobile data volumes. HSPA in particular is leading to huge and often unexpected growth in data volumes as customers make maximum use of the new freedom to use high-bandwidth OTT applications. One major operator reported a threefold increase in mobile data volume in 2007 and anticipated an eightfold increase in 2008, a more than 20-fold increase in data traffic in just two years. And a Heavy Reading survey of 67 mobile operators in December 2007 found that almost half of cellular operators believed that data will account for more than 50% of their traffic by 2010. Clearly this can only increase as 3G networks evolve.
For example, the HSPA roadmap envisages downlink capacity being increased from 7.2Mbit/s per cell to 14Mbit/s per cell imminently, and 40Mbit/s is mooted by some operators for later in 2009. Beyond that, the UTRAN Long Term Evolution (LTE) architecture envisages up to 300Mbit/s downstream and 100Mbit/s upstream within the next decade. All of this is putting great strains on the network, particularly the backhaul network, and is itself a core reason for the rapidly rising interest in policy tools that is described in the next section of this report.


However, the transition to more open broadband networks with much greater data volumes creates a more insidious problem: some customers will consume far more bandwidth than others, usually because they are downloading or streaming large video and audio files. Although mobile operators usually place a cap on total (monthly) bandwidth usage, this problem of fair usage will only get greater as speeds increase, caps are expanded or even eliminated, and increasingly powerful programmable devices proliferate. Again, this is a core catalyst for various types of policy tools.

More open devices and networks have other dangers too, most obviously a much greater exposure to the security threats that are already endemic in fixed networks, including viruses, malware, DDoS attacks and botnets. In the closed mobile networks of the past, these threats were largely absent or easily contained. In the new networks, they are just as dangerous as they are in the fixed network, and the majority of mobile operators are not well-equipped to deal with them today.

But the biggest challenge of all facing mobile operators is that their network offers will increasingly resemble those available in the fixed networks, exposing them to exactly the same dangers that fixed networks are already struggling with. In the fixed network, telephony revenues are falling, broadband ARPU is in decline and the only silver lining currently is the provision of video entertainment (IPTV and IP VoD), a service option that is not realistic with current generation 3G. The value in broadband, from the customer's point of view, lies largely in the OTT applications it gives access to, provided by 3rd parties such as Google, Facebook, BitTorrent and other similar sites and applications. And that reflects the new separation of powers in networking: whereas telcos understand how to connect and deliver packet streams, they do not, on the whole, understand how to create and deploy new applications.
That task has already largely been ceded to third parties in fixed networks, and the same trend has now begun in mobile networks. Finding the correct strategic response to that unavoidable reality is perhaps the single most important task now facing the world's mobile operators. The central questions they must answer are as follows:

- In a much more open network and service environment, how can we retain control over customers?
- What, if anything, is our unique value in a converging broadband network world?
- What kinds of services and service attributes will enable us to retain customers in this open environment and increase ARPU?
- How can we ensure that these services and attributes perform consistently to a standard the customers are satisfied with?

In the next section of this report, we will look in detail at the most plausible technology able to answer these questions: a policy framework that focuses not simply on controlling (or even blocking) access to certain applications, but also (and increasingly) on creating more valuable service packages that are based on the preferences and activities of individual customers. A core requirement in creating that value is working more effectively and constructively with providers of the OTT services, applications and Web sites. As we shall see, this has important implications for the kind of policy framework that is needed.


II. The Emergence of Policy Control, Identity Management & Multi-Layer Security

Views about policy may differ, but one thing is clear: policy now matters. Over the past two years, Heavy Reading has conducted extensive research on this topic, and witnessed a sea change in attitudes among both service providers and vendors, especially in the wireless and mobile domain. Most service providers now believe they need some policy tools in the network to help them manage applications, network resources and subscribers more intelligently and effectively. The end game is an environment where both service providers and their customers make gains: well implemented, policy is not a zero-sum game in which the telco wins and the customer loses.

But good implementation requires some hard thinking. Indeed, choosing among policy solutions is fraught with challenges, and has led in some cases to analysis paralysis. This is a highly complex and evolving field with a wide range of vendor options, including specialized point solutions and ambitious end-to-end architectures. A fragmentary standards environment increases the difficulties.

The aim of this section is to stand back and ask: what are telcos trying to achieve with policy control? And how do the available solutions stack up? We will show that in order to yield real long-term returns from a policy framework, telcos must focus on the individual subscriber, and that means seeing identity management and policy management as two sides of the same coin.

3.1 What Is Policy Control?

Policy control has emerged gradually over the past five years or so as a set of techniques designed to give service providers more control over the applications running across broadband IP networks. While initial techniques were not necessarily identified as policy tools, all were concerned with increasing the intelligence with which service providers handled applications, subscribers and network resources. In most cases, however, there was little dynamic interaction between these three separate domains, that is, the application, the network and the subscriber. Hence bandwidth management did not necessarily target all key applications, especially OTT applications, still less did it allocate resources on the basis of information on subscribers, such as their value, preferences or behavior. While mobile operators had a wealth of information on customers, and highly sophisticated tools providing so-called AAA functionality (Authentication, Authorization and Accounting), this was rarely linked in a really meaningful way to the other two sides of policy. For example, tools based on deep packet inspection (DPI) were able to identify applications and enforce policies related to those applications, but rarely referred to subscriber data when doing so.

In the past two years, however, this has begun to change, especially since the codification of a widely-accepted policy framework that is now part of 3GPP Release 7 standards, as well as related 3GPP2 standards and other similar network architectures. These new approaches tend to envisage two related policy entities: a Policy Decision Point, or PDP, and a Policy Enforcement Point, or PEP. In most cases, it is assumed that the PDP is a centralized, relatively sophisticated and intelligent compute-intensive entity that includes a rules engine to apply policies in a very wide range of situations. The PDP also usually allows for new policies to be written relatively easily to meet new requirements.
PEPs are simpler devices including core categories of equipment such as edge routers, GGSNs, DPI appliances and the like, and simply enforce policies, in some cases referring to the PDP for a decision. Both of these elements are important in creating a rich set of options for service providers.
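The PDP/PEP split described above, and the point that a decision should draw on all three domains (application, network and subscriber), can be made concrete with a small model. The following is an added example written for this page, not code from the paper, from Juniper or from any 3GPP implementation: real PCRF/PCEF exchanges run over Diameter (Gx) and carry far richer data, and the rule set, the subscriber records (a stand-in for an HSS/AAA lookup) and the request fields here are all assumptions. It also folds in the fair-usage cap and the malicious-traffic concerns raised in Section I, so that one rules engine covers the catalysts the paper names.

```python
"""Toy model of the PDP/PEP split (PCRF/PCEF in 3GPP terms). Constructed example;
rules, subscriber records and request fields are assumptions, not a real Gx exchange."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Action(Enum):
    ALLOW = "allow"            # forward at the default QoS class
    PRIORITIZE = "prioritize"  # forward in a higher QoS class
    THROTTLE = "throttle"      # forward at a reduced rate
    DENY = "deny"              # reject the flow


@dataclass
class Subscriber:
    """Subset of identity data a PDP would fetch from an HSS/AAA (assumed fields)."""
    msisdn: str
    tier: str                  # "premium" or "standard"
    monthly_cap_mb: int
    used_mb: int


@dataclass
class PolicyRequest:
    """What a PEP (GGSN, DPI appliance, edge router) asks the PDP about one flow."""
    msisdn: str
    application: str           # as classified by DPI, e.g. "voip", "p2p", "web"
    cell_load: float           # 0.0 .. 1.0 utilisation of the serving cell
    flagged_malicious: bool = False   # set by a security function such as a botnet detector


@dataclass
class Decision:
    action: Action
    rule: str                  # which rule fired, kept for the audit trail
    rate_kbps: Optional[int] = None


class PolicyDecisionPoint:
    """Centralised rules engine linking the subscriber, application and network domains."""

    def __init__(self, subscribers: dict):
        self.subscribers = subscribers

    def decide(self, req: PolicyRequest) -> Decision:
        sub = self.subscribers.get(req.msisdn)
        if sub is None:
            return Decision(Action.DENY, "unknown-subscriber")
        # Security rule first: flagged traffic is dropped whoever the subscriber is.
        if req.flagged_malicious:
            return Decision(Action.DENY, "malicious-traffic")
        # Fair-usage rule: over the monthly cap means throttling, not cut-off.
        if sub.used_mb >= sub.monthly_cap_mb:
            return Decision(Action.THROTTLE, "cap-exceeded", rate_kbps=128)
        # Congestion rule: bulk P2P yields to other traffic in a busy cell.
        if req.cell_load > 0.8 and req.application == "p2p":
            return Decision(Action.THROTTLE, "congestion-p2p", rate_kbps=256)
        # Subscriber-value rule: premium real-time traffic is prioritised.
        if sub.tier == "premium" and req.application in ("voip", "video"):
            return Decision(Action.PRIORITIZE, "premium-realtime")
        return Decision(Action.ALLOW, "default")


class PolicyEnforcementPoint:
    """Simple enforcer: refers every new flow to the PDP and records the outcome."""

    def __init__(self, pdp: PolicyDecisionPoint):
        self.pdp = pdp
        self.audit_log = []

    def handle_flow(self, req: PolicyRequest) -> Decision:
        decision = self.pdp.decide(req)
        self.audit_log.append(f"{req.msisdn} {req.application} -> {decision.action.value} ({decision.rule})")
        return decision


# Constructed subscriber records standing in for an HSS/AAA lookup.
SUBSCRIBERS = {
    "447700900001": Subscriber("447700900001", "premium", 5000, 1200),
    "447700900002": Subscriber("447700900002", "standard", 1000, 1000),
    "447700900003": Subscriber("447700900003", "standard", 1000, 300),
}


def demo():
    """Run five constructed flow requests through one PEP and return the decisions."""
    pep = PolicyEnforcementPoint(PolicyDecisionPoint(SUBSCRIBERS))
    return [
        pep.handle_flow(PolicyRequest("447700900001", "voip", 0.5)),
        pep.handle_flow(PolicyRequest("447700900002", "web", 0.3)),
        pep.handle_flow(PolicyRequest("447700900003", "p2p", 0.9)),
        pep.handle_flow(PolicyRequest("447700900003", "web", 0.9, flagged_malicious=True)),
        pep.handle_flow(PolicyRequest("447700999999", "web", 0.1)),
    ]


if __name__ == "__main__":
    for d in demo():
        print(d)
```

The ordering of the rules is the design point: security decisions come before commercial ones, the fair-usage rule degrades rather than cuts off, and only once the network and security conditions are satisfied does subscriber value decide between plain and prioritised forwarding. The audit log is what lets an operator explain a decision to a customer or a third party afterwards.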


This conceptual architecture has been codified in the W-CDMA environment into 3GPP Release 7, which defines the Policy Charging & Rules Function (PCRF). The PCRF is part of the wider Policy and Charging Control (PCC) architecture, which provides access, resource, and QoS control. It has three elements: the P-CSCF, the PCRF, and the Policy & Charging Enforcement Function (PCEF). Standards were published in September 2007.

From a conceptual point of view, the PCRF acts as a PDP, accepting queries from other kinds of equipment seeking a policy decision. These could include any kind of equipment that is acting as a PEP. As this implies, the PCRF is usually conceived of as a centralized device. In a complete Release 7 network architecture, user session signaling comes into the P-CSCF, which can refer to the PCRF for a policy decision if necessary. The PCRF authorizes the session and handles charging if necessary. The PCRF communicates with any device acting as a PCEF (such as a GGSN or B-RAS) to ask it to enforce the policy, for example to deny or allow access. The PCEF can also ask the PCRF for a decision when it detects events that require this.

From an implementation point of view, support for the various interfaces from the PCRF to other functions is just as important as the PCRF itself. The key interfaces include:

- The Rx interface, which is based on the IETF's Diameter standard, and connects the PCRF to the P-CSCF, as well as to an IMS Application Server
- The Gx interface, which links the PCRF to any PCEF
- The Gq interface, which is for call admission via a RAC-F, hence part of the TISPAN standard
- The Gy interface, which links the PCEF to an online charging system
- The Gz interface, which links the PCEF to an offline charging system

Meanwhile the 3GPP2, which develops standards for CDMA2000 3G networks, has largely adopted the 3GPP architecture, but with some changes in terminology and some minor differences in approach. The 3GPP model has also been augmented by other bodies, in particular by the ETSI TISPAN group, which created standards modeled on the 3GPP approach, but with additional capabilities that were needed in wireline NGNs. In particular, these included the Resource Allocation & Control Function (RAC-F), an admission control system that is valuable in session-based services that need clear rules on admitting or denying session set-up. TISPAN was merged into 3GPP in 2007.

The main benefit of this approach is that it enables the bridges between applications and networks that were a core feature of legacy telco networks to be retained in the multiple-application IP world. However, the 3GPP architecture leaves open some worrying questions. Most importantly, the architecture tends to assume that the PCRF is being deployed in an IMS context, with telcos retaining relatively close control over the deployment of the applications. Typically, the applications that policy control is intended to support in this context include services provided by telcos over IMS, including VoIP (especially premium VoIP, e.g. business telephony), other communications services such as videotelephony and videoconferencing, and entertainment services such as IPTV and VoD.


Figure 3: Core Catalysts For Deploying A Policy Architecture

[Bar chart, score on a scale of 1-5 (axis shown from 3.50 to 4.20), for the following catalysts, listed in chart order:]
- Improve quality/reliability of certain key services (eg IPTV or VOIP)
- Protect the network from malicious traffic
- Enable us to offer tiered/customized services
- Reduce our operating costs
- Allow dynamic changes to features such as BoD
- Reduce the cost of our transport network
- Gain better understanding of subscriber behavior

Source: Heavy Reading Survey of Telco Attitudes to Policy Control. Question: On a scale of 1-5, where 1 is not important at all and 5 is critically important, how important are the following catalysts to deploying a policy architecture in your company? Only the top 7 catalysts from a list of 17 possible catalysts are shown.

As Figure 3 shows, telcos tend to see protection of their network and support for their services as the core objectives in a policy architecture. But that must change. This schema and view takes relatively little regard of the fact that the emphasis in the broadband Internet has moved to Web-based applications and services that do not use SIP, are not created or deployed by the telco, and are not talking to IMS. These services are part of that vast universe of potential value that telcos call the best effort Internet. And those developing applications in that universe have little interest in using telco application languages to do so, even those, such as Parlay X, which are specifically aimed at them.

Meanwhile, the value of best-effort (and non-IMS) Internet applications to broadband customers continues to grow. Among many others, they include hundreds or even thousands of sites that include video and audio streaming, hundreds of online gaming sites, Software as a Service (SaaS) and similar Web-based enterprise applications and sites, and proliferating social networking sites. And many emerging applications are difficult for a best-effort service to handle. This is particularly true of any form of video streaming or real-time communications, where best-effort IP inevitably struggles to deliver at a consistently acceptable level of quality.

This means that policy tools, even those that follow the PCRF/IMS schema, must also be usable in non-IMS contexts. In particular, they must be able to identify and apply policy decisions to third party applications, not simply by blocking those applications, but by working with those third parties if necessary in order to improve the performance of specific services. By doing this, telcos can create much more valuable relationships with the sources of most broadband applications.
This in turn requires care in analyzing vendor solutions: those that have direct interfaces between policy servers and Web-based applications will be more efficient than those in which Web applications are directed through other IMS and SIP-centric network elements and modules. However, adding value to applications, and working with third parties, requires more than simply building bridges between network resources and applications. Real value creation only comes from linking network resources and applications to the specific behavior, needs and profiles of individual subscribers, aka subscriber identity. Although 3GPP does specify interfaces between policy servers and repositories of basic subscriber information, such as the Home Subscriber Server (HSS), identity management was not a core objective of standards-setters. In the next section, we consider the role and value of identity management.

3.2 What Is Identity Management?

Identity management is an emerging concept that has its roots, at least in mobile networks, in so-called Authentication, Authorization and Accounting (AAA) systems for customers that are trying to attach to the network or use a particular application. In mobile networks based on 3GPP, the core component that handles identity is the Home Subscriber Server, or HSS, effectively a replacement for the Home Location Register (HLR) found in existing UMTS mobile networks. In US CDMA networks, the core element is the stand-alone AAA node. RADIUS servers are another important existing store of identity data. The WiMAX standard also includes an AAA.

These various elements have a relatively narrow view of identity, and only a limited ability to share that information easily with third parties. Narrow views of identity do little more than authenticate the subscriber's identity and authorize the subscriber to use a service. Broader definitions of identity might include a wide range of information on subscribers, for example their age, sex, interests, online behavior and so on. What is required is a complete view of the customer: who they are, what services they use, where they are, how they are connected, what roles they play at different times of day, how and when they use their services, how much they pay, to whom they are connected, their lifestyle preferences, and their privacy needs, among other things.

In the IMS vision, the HSS would potentially play the central identity role as the single repository of information on a subscriber. It can potentially store both identity information and information on subscriber network behavior. In reality, however, subscriber information will be patchy: many applications they are using will not run on the IMS network, and in any case the HSS will take many years to replace existing subscriber information silos, if it ever does.
Moreover, none of the elements in the current standard architectures unifies or federates identity; in fact, the addition of new applications and network elements may actually make the fragmentation of network identity worse rather than better. And with more new access networks based on femtocells, WiMAX and other technologies being added into the network, things are unlikely to improve soon: hybrid access is here to stay. Complicating things further, most subscribers have identities on the Internet that are invisible to mobile network operators, and vice versa. In a Web or Internet environment, identity is usually verified using the username and password convention, an approach which has important drawbacks but is all the same extremely widespread.

Hence the new interest in federated identity concepts. The basic idea here is that if a customer has been identified by, say, a mobile network operator as customer A, that information can be federated (under closely controlled conditions) to a third party such as a Web e-commerce site without the need for the customer to identify himself a second (or third) time. Often called single sign-on, federated identity typically restricts the 3rd party to only the information that is required in a particular case, protecting the user's private data as well as their real identity in most cases.


This does not mean that identities are stored in a single repository or database: with identity already widely scattered, this would be both impractical and potentially dangerous. But it does mean that identity is logically correlated by a single authority, sometimes called an identity provider, a kind of logical front-end for identity. Federated identity is relatively easy to describe but tough to implement, especially in an environment where there is no clear standards authority. Nevertheless, identity management is set to become increasingly important. For many telcos, the original interest in identity was sparked by a desire to manage identity across a telco's own boundaries, especially across the boundary between fixed and mobile networks. More recently, however, interest has been rising in the use of identity management to improve the relationship between network operators and Web or Internet-based 3rd party service providers. And mobile network operators are in a powerful position to be the lead provider of identity in that relationship (in effect, identity brokers) for a range of reasons:
- Mobile operators already have a strong pre-existing relationship based on billing and subscriber management.
- Mobile operators have a lot of information about the behavior of individual customers, and the volume and value of that information will increase exponentially as they migrate to broadband Internet-oriented services.
- Mobile operators are usually more trusted entities than Internet-based companies, and their long pre-existing relationship with many of their customers makes that relationship difficult for others to replicate.
- Mobile operators already have strong authentication mechanisms to identify customers, and can use that to build new identity-based products. Equally, mobile phones can be used to identify customers without divulging the customer's identity to a third party.

For competitive operators, there is another reason to take a lead in this area: Web-based companies such as Amazon, eBay, Google and Yahoo are in a strengthening position, at least in principle, to federate identity across different Web services, services that will increasingly include mainstream communications and entertainment services. By not acting early and decisively in this area while they are still ahead, telcos run the strong risk that they cede the identity role by default to these Web-based competitors. To take full advantage of their strong pre-existing position, mobile network operators need to be at the forefront of efforts to create a single identity for their customers in all their activities, on any kind of network, and in both telco and Web contexts. Ultimately this clearly needs a standards framework, but in the meantime some vendors are ahead of others in pushing this concept forward. To put it mildly, this is a major task that is likely to take many years to accomplish, so starting the effort sooner rather than later is an important step on the road to higher-value service propositions for customers. The high-level aim is to decouple subscriber information from the applications or network types, a major task but one that potentially brings very large benefits to both customers and providers. By linking policy and identity, telcos can make rapid progress towards that goal, as we will argue in the next section.
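As an added illustration of the minimal-disclosure single sign-on described above (constructed example code, not Heavy Reading's or any vendor's), the following Python sketch has an operator-run identity provider issue a short-lived assertion to a third-party site that carries only the attributes the site is both permitted and asked for, under a pseudonymous identifier that differs per third party. The subscriber record, the per-site release policy and the shared HMAC key between identity provider and relying party are assumptions; a real federation would use asymmetric signatures.

```python
"""Added example (constructed for this discussion, not Heavy Reading's or any
vendor's code): an operator-run identity provider (IdP) issuing minimal-
disclosure single sign-on assertions to third-party relying parties (RPs)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed subscriber record: the operator's broad view of identity.
SUBSCRIBERS = {
    "msisdn:+15550001111": {"name": "Alice Example", "age": 34,
                            "plan": "premium", "location": "cell-4711"},
}

# Constructed per-RP release policy: the "closely controlled conditions".
RP_POLICY = {
    "shop.example": {"allowed_claims": {"age_over_18", "plan"}},
    "video.example": {"allowed_claims": {"age_over_18", "location"}},
}

# Placeholder secrets. A shared HMAC key is an assumption made to keep the
# example short; a real federation would use asymmetric signatures.
IDP_KEY = b"constructed-idp-signing-key"
PAIRWISE_SALT = b"constructed-pairwise-salt"
ASSERTION_TTL = 300  # seconds


def derive_claims(record):
    """Derived attributes: 'age_over_18' reveals less than the raw age, and
    the real name is never a releasable claim."""
    return {"age_over_18": record["age"] >= 18,
            "plan": record["plan"],
            "location": record["location"]}


def pairwise_id(subscriber_id, rp_id):
    """Opaque identifier that differs per RP, so RPs cannot correlate a user
    with each other or recover the MSISDN."""
    msg = f"{subscriber_id}|{rp_id}".encode()
    return hmac.new(PAIRWISE_SALT, msg, hashlib.sha256).hexdigest()[:32]


def sign(payload):
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()).decode()
    tag = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def issue_assertion(subscriber_id, rp_id, requested, now=None):
    """IdP side. The subscriber was already authenticated by the operator;
    release only claims that are both requested and allowed for this RP."""
    now = int(time.time()) if now is None else now
    record = SUBSCRIBERS[subscriber_id]
    allowed = RP_POLICY[rp_id]["allowed_claims"]
    released = {k: v for k, v in derive_claims(record).items()
                if k in requested and k in allowed}
    payload = {"iss": "idp.operator.example", "aud": rp_id,
               "sub": pairwise_id(subscriber_id, rp_id),
               "iat": now, "exp": now + ASSERTION_TTL, "claims": released}
    return sign(payload)


def verify_assertion(token, rp_id, now=None):
    """RP side: check integrity, audience and expiry. Returns the payload,
    or None if the assertion must be rejected."""
    now = int(time.time()) if now is None else now
    body, _, tag = token.rpartition(".")
    expected = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    payload = json.loads(base64.urlsafe_b64decode(body))
    if payload.get("aud") != rp_id or payload.get("exp", 0) < now:
        return None
    return payload
```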

3.3 Why Policy & Identity Belong Together

Increasingly, policy and identity are two sides of the same coin, especially for mobile providers. For mobile telcos, identity-based policy management is important because it can be used to extend and enrich the biggest potential opportunity that mobile operators enjoy: their unique one-to-one relationship with the end user, unique because mobile services are personal services.


Neither fixed broadband operators nor Web-based service providers and Web sites enjoy this kind of relationship. And importantly, this relationship is based on powerful subscriber management technologies that are already an important part of the mobile operator's technology arsenal.

Another important reason for mobile operators to link policy and identity is that this enables links to be forged between static subscriber data and dynamic, state-based information on network resources and application behavior, as well as information on subscriber behavior itself. For example, this can enable on-the-fly promotions, advertising and other applications to be launched in response to real-time cues, such as subscriber location. In other words, policy linked to identity can be used to create more personalized service offers. Dynamic knowledge of when and on what device a subscriber is using the service, combined with static knowledge of the subscriber's service plan and value as a customer, plus historical knowledge of the experience the subscriber has received in the past, will enable the operator to control the experience this time. Service-specific knowledge of the content being viewed, combined with CRM-held preference and privacy information, can be used to trigger personalized cross-selling offers or targeted advertising. Knowledge of the subscriber's buddy list (service-specific information) and the buddies' real-time network-based and service-specific information (presence, authentication, authorization, privacy, service permissions, etc.) can be used to fulfill a request to open a session with friends to discuss or share content.

At the same time, creative interplay between policy and identity is the principal means through which telcos can end or allay the view that policy does what it says: polices customers.
This negative view of policy has its roots in the fact that the major use of policy tools today in all major network types (fixed networks, cable MSO networks, where policy tools are particularly widely deployed, and increasingly wireless networks) is either to block access to high-bandwidth applications such as video streaming, or to constrain the bandwidth available to these applications, often in a way that makes them effectively unusable. This is widely disliked by customers and has in some cases earned those who use it damaging publicity. And one core reason is that most telcos make no attempt to link bandwidth allocation to individual subscriber identity: all customers are equally affected by this kind of policy. By linking policy to identity in this case, telcos could offer on-the-fly service upgrades to customers, temporary increases in bandwidth, and other mechanisms that handle the issue more intelligently. Equally, policy can be used to ensure that valuable individual customers get special treatment where networks are congested, including special treatment on a per-application basis. For example, a premium customer that has subscribed to an online gaming package can still get access to enough bandwidth to run games, even when the network is congested. Beyond that, there is a very wide range of other potential use cases, because a generic policy engine allied with identity management provides a myriad of ways to interact more intelligently with customers.

Ultimately, however, the biggest prize here may be in the interaction with 3rd party service providers. In a survey conducted in 2007, Heavy Reading examined some of the core strategic issues facing telcos as they try to make the transition to becoming next-generation telcos. And as Figure 4 shows, creating better relationships with 3rd parties emerged from the survey as the single most important objective, and challenge, for service providers going forward.
In a sense, telcos need to devote as much time to cultivating the sources of value to consumers of broadband services (that is, third party Web sites, service providers and applications developers) as they do to the main sources of value to telcos themselves (that is, their customers). By interfacing with both the service layer and the network, the identity and policy layer can abstract services to the network, enabling network resource adjustments that are based on specific service requirements. When there is a lack of network resources, for example due to an excessive number of requests or because of network events such as failures or rerouting, the identity & policy layer can also feed back this information to the service layer, allowing service delivery to adapt to network events. Although many third parties remain suspicious of the motives of telcos (a suspicion that has found expression in the long-running US debate about network neutrality), it is clear that only the network can provide the assured Quality of Experience that will be a requirement for any paid-for service, or any service that customers come to think of as essential. This is the source of any network provider's long-term value, and an asset they must exploit if they are to prosper in the new mobile world.

Figure 4: Better Collaboration With Third Parties Is The Core To Future Success
[Figure 4 chart: horizontal bar chart of the factors below, in the order shown, against an axis of 10 to 60 percent of respondents.]
Factors shown: Better partnering and collaboration with 3rd party service providers; Rapid transition to all-IP NGNs; Complete convergence of fixed and mobile assets; Internal reorganization to remove divisional barriers; Deployment of faster, lower-cost applications creation technology; Transformation of OSS; Focus on providing unique new services and exclusive content; (Continued) ownership of access network infrastructure; Deployment of more open software & service development platforms; Better segmentation and targeting of customer base; Transformation of CRM.
Axis: Percentage of respondents
Source: Heavy Reading Survey Of Industry Attitudes To Next-Generation Telcos; N=138 service providers. Question: Which of the following will be the three most important factors to the future success of today's mainstream telcos? (Select three options only).

3.4 The Third Leg: Security in Mobile Broadband Networks

An important third element in any policy/identity framework is security, an area that is rapidly becoming much more important to mobile network operators as they make the transition to next-generation networks. Since most mobile networks have hitherto been closed, many do not currently have security controls at potential points of attack and are therefore more vulnerable than a typical fixed network. However, the main reason for the rapidly rising interest in security is the transformation of the device market, where, as explained in the previous section, devices are increasingly based on open operating systems including Apple OS, Symbian S60, Linux OS and Windows Mobile, which means that applications can be downloaded from the Internet and used without any reference to the mobile operator. In a typical instance, security consultants reported that they were able to take control of the iPhone in order to eavesdrop on the user or use it to make calls to third parties.


As a result, security tools are already in use by mobile operators, often as stand-alone software, but there are good reasons to link security to identity and policy, as we shall explain. Security in mobile networks requires a holistic, multi-layer review of all the potential threats, since any security system is only as good as its weakest link. In a broadband mobile network, the required security layers include at a minimum:
- Authentication and authorization of the user, as described in the previous section;
- Security systems in routers and other network equipment to ensure that breaches do not occur directly there;
- Stateful firewalls, stateful in order to keep track of network connections when examining packets;
- Intrusion detection & prevention systems that can identify and prevent common security problems, such as distributed denial of service (DDoS) attacks and botnets.

These tasks need to be accomplished at every point in the network where they are relevant, including the data center, the core network perimeter, the network edge and the CPE. By keeping track of applications, and creating stateful signatures using information up to Layer 7 in the OSI model, telcos can ensure that, for example, separately created and syntactically correct SIP messages do not, when combined, create a security breach.

Deploying these security tools in a policy context has been an increasing trend over the past 12-18 months, and for good reason: detected security problems typically need some kind of policy decision, and the more sophisticated the policy framework, the more sophisticated (i.e., flexible) the response can be. For instance, where an illegal intrusion is detected, policy tools could be used to dynamically reconfigure the network in order to isolate the attack and minimize the impact on customers. Similarly, by linking security and identity information, telcos can handle security problems more intelligently in order to reduce the effect on customers. Moreover, the increasing desire among telcos to avoid having too many separate appliances and boxes with proliferating interfaces points towards the deployment of higher-level hardware and software that can handle security tasks directly.

Security is not always associated with policy management. Indeed, it is fair to say that current policy-based standards make no explicit link between policy and security except incidentally in the area of AAA. Yet the most progressive vendors have been making this link for the reason just described, and telcos appear to be accepting the argument. Moreover, Heavy Reading's 2007 survey of telco opinion on policy management demonstrated how much security already matters in telco thinking. As Figure 5 shows, security was the number one application out of 17 applications that we offered as potential catalysts for deploying policy solutions.
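The following Python sketch is an added example (constructed for this discussion, not any vendor's policy server) that serves both the congestion argument of Section 3.3 and the security-linked policy decision just described: it contrasts identity-blind throttling, where every customer is affected equally, with a decision that takes subscriber tier, add-on packages and a per-session intrusion event into account, so that both congestion handling and isolation of a detected intrusion are scoped to the individual subscriber. The subscribers, bandwidth figures and the event name are all constructed.

```python
"""Added example (constructed for this discussion, not any vendor's policy
server): identity-blind versus identity-aware policy decisions for a
congested cell, with per-subscriber isolation of IDS/IPS events."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Subscriber:
    sub_id: str
    tier: str                                        # "premium" or "standard"
    packages: Set[str] = field(default_factory=set)  # add-ons, e.g. {"gaming"}


@dataclass
class Session:
    sub: Subscriber
    app: str                                  # application classified up to Layer 7
    security_event: Optional[str] = None      # e.g. "botnet_c2" raised by the IPS


# Constructed figures: bandwidth an application needs to stay usable.
GUARANTEED_KBPS: Dict[str, int] = {"gaming": 1500, "video": 3000}
THROTTLE_KBPS = 256


def decide_blanket(session: Session, congested: bool) -> dict:
    """Identity-blind policy: under congestion every heavy application is
    throttled, whoever the subscriber is."""
    if congested and session.app in GUARANTEED_KBPS:
        return {"action": "throttle", "kbps": THROTTLE_KBPS}
    return {"action": "allow"}


def decide_identity_aware(session: Session, congested: bool) -> dict:
    """Identity-linked policy: security first, then per-subscriber treatment."""
    sub = session.sub
    # A detected intrusion is isolated at the granularity of the offending
    # subscriber, not by blocking a whole cell or application class.
    if session.security_event:
        return {"action": "quarantine", "scope": sub.sub_id,
                "reason": session.security_event,
                "allow_only": ["dns", "captive-portal"]}
    if not congested or session.app not in GUARANTEED_KBPS:
        return {"action": "allow"}            # light traffic is never throttled
    # Subscribers who pay for the application (or are premium) keep enough
    # bandwidth to use it even when the cell is congested.
    if session.app in sub.packages or sub.tier == "premium":
        return {"action": "guarantee", "kbps": GUARANTEED_KBPS[session.app]}
    # Everyone else is throttled but offered an on-the-fly upgrade instead
    # of a silent degradation.
    return {"action": "throttle", "kbps": THROTTLE_KBPS,
            "offer": f"temporary-{session.app}-boost"}


Policy = Callable[[Session, bool], dict]


def count_throttled(sessions: List[Session], congested: bool,
                    policy: Policy) -> int:
    """Number of sessions a policy degrades (quarantines are not counted)."""
    return sum(1 for s in sessions
               if policy(s, congested)["action"] == "throttle")


# Constructed sessions on one congested cell.
SESSIONS = [
    Session(Subscriber("s1", "premium"), "video"),
    Session(Subscriber("s2", "standard", {"gaming"}), "gaming"),
    Session(Subscriber("s3", "standard"), "gaming"),
    Session(Subscriber("s4", "standard"), "video", security_event="botnet_c2"),
    Session(Subscriber("s5", "standard"), "web"),
]
```

With the constructed sessions, the identity-blind policy throttles four of the five customers while the identity-aware one throttles only one and quarantines the single session the IPS flagged.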


Figure 5: Security Is The Most Important Application For Policy Management


[Figure 5 chart: horizontal bar chart of average scores on a scale of 1-5 (axis from 2.60 to 4.20) for the following applications, in the order shown: Security; Triple play; IPTV; Residential VOIP; Converged telephony (fixed-mobile); Combinational services; 3rd party content; Mobile office; Presence; Mobile messaging; Social networking.]

Axis: Average score on a scale 1-5

Source: Heavy Reading survey of telco attitudes to policy management, 2007. N=100. Question: On a scale of 1-5, please rate the importance of policy management to the following applications and packages. Not all offered elements are shown.


III. Summary: Challenges & Benefits

We have shown in this paper that the new challenges facing mobile operators moving into the broadband IP era require a response that enables them to handle network resources, applications and subscribers in a more intelligent and sophisticated fashion than hitherto. The objective for telcos is to be the delivery channel of choice for all the broadband applications and services that their customers value, both their own and (more and more) those of third parties. In today's environment, policy, security and identity tools tend to be associated most closely (and sometimes exclusively) with handling challenging applications including video streaming and P2P downloads. But modern frameworks, particularly those that look at things from the point of view of individual subscribers and their behavior and needs, can do far more. Figure 6 summarizes some of the potential uses of this kind of framework.

Figure 6: Policy, Identity, Security and Value: Enhancing Service Propositions
(Event or Requirement: Policy Solution)
Monetizing a 3rd party service relationship without charging direct fees: Offer the 3rd party service provider detailed information on subscribers that creates an opportunity to add targeted advertising to the solution.
Testing the market for the many new anticipated applications: Use policy tools to identify customers that are likely to subscribe, and offer them the service on a try-and-buy basis.
On-the-fly network operator service offers: Using real-time information on subscriber behavior and network state, offer bandwidth upgrades, preferential treatment of applications etc. to induce impulse buying of add-on services.
On-the-fly 3rd party service offers: As above, but with single sign-on to the new service using federated identity.
Support for over-the-top video services: State-based information on subscriber terminal and type of access network to enable automatic adaptation to the customer's situation.
Increasing the ability of customers to handle services via self-service portals: Enable customers to add bandwidth, parental controls (URL filtering, time-of-day controls etc.) via a simple Web portal, with direct links into the policy server for immediate activation.
Develop better understanding of subscriber behavior: Use policy tools to analyze subscriber activity, use it to create special offers, more appropriate pricing etc., and sell information on to third party providers.
Mitigating fraud and identity theft: Use single sign-on authentication to reduce fraud across both own and third party services and networks.
Simplifying the creation of new services by third parties: Use policy to automatically verify the viability of a new service in the existing network environment.

In choosing a policy framework that can handle all of these needs at a viable cost, network operators need to ask the following key questions:

Will it scale? A good policy solution must be able to handle high network loads and have sufficient processing power (and the optimal computing architecture) to rapidly analyze data streams, seek a policy decision if necessary, and enforce it, all without materially affecting the performance of applications. This is critically important for mobile operators because of the enormous increases in data traffic that are inevitable over the next 3-4 years.


Will it have an unacceptable impact on space and power used in data or switch centers? In an emerging market, policy solutions vary very widely in this regard, and telcos need to analyze technical data with care, projecting not just on the basis of current traffic loads, but the very high loads expected in the future. A core objective for most is to avoid proliferating boxes, appliances and interfaces, a major potential problem.

Does it enforce policy end to end? Some policy tools assure services only on one link or in one node, but policy must look at the whole chain, from the user's point of view, if it is to be secure and reliable.

Does it enable me to create new value for third party service providers? This crucial question has several sub-components, but most importantly it requires that the telco is able to offer valuable enablers to third parties such as authentication, admission control, threat mitigation or real-time data on subscriber state (e.g. location), implying a sophisticated solution that can handle all core requirements across the policy, identity and security space.

Can it handle both IMS and non-IMS applications? A standardized framework that follows the 3GPP specifications may be just fine for IMS applications, but may be highly inefficient in its handling of non-IMS applications based on Web software and services, which for the foreseeable future will comprise the bulk of applications the customers actually use.

Can it be used seamlessly in fixed and mobile networks? The barrier is coming down between the two, not least because mobile networks are becoming broadband networks, but not all policy solutions work across the network boundary in a seamless fashion.

Can identity be federated? This capability is not widely available at present, and there are no agreed standards, but it will be vital to consolidating relationships with increasingly important third party service providers. Does the vendor have a strategy for it?

Does the framework provide full security support? The requirement here is a comprehensive solution set for security threat mitigation that avoids the weakest-link scenario described earlier.

Is the proposed solution open at all key interfaces? In order to encourage the development of applications ecosystems and enable both network operators and third parties to easily and safely deploy new applications, this is a key requirement in any solution.

In the final analysis, the aim of a policy and identity framework in next-generation mobile broadband networks is to create value by facilitating the delivery of the applications that individual customers need, rather than destroying value by blocking or throttling access to those applications. Both routes are possible with policy tools. It is up to telcos to decide which will yield them the most long-term benefit.
