Auditing in TMF615 and its Benefits

Mohammed Ibrahim Aleem, Architect, Wipro Technologies
www.wipro.com

Table of contents

• Introduction
• Auditing in TMF615 Specification
• Security Breach – Problem Description
• Problem Analysis using TMF615 Auditing
  • Finding the Login Account and User
  • Finding the Login and Logout time
  • Gathering User Information
  • Checking the Account in the Target
  • Who Created the User?
  • What Were the Details of This Suspect User?
  • Who Created the Account?
• Asynchronous Mode in Auditing
• Conclusion
• Appendix
  • References
  • Terms and Definitions
• About the Author

Introduction

The TMF615 specification, detailed by the TM Forum, empowers service providers by enabling centralized user management: it defines an interface between the centralized and the local user management systems. The TMF615 specification also has an exceptionally strong auditing feature which provides a comprehensive mechanism to monitor all user and administrator activities in the service provider network. This auditing feature can be used effectively to monitor the security of the enterprise. This whitepaper lists the advantages of auditing in the TMF615 specification and explains through scenarios how exactly it can be used to resolve security issues. It is clear that monitoring security breaches through TMF615 auditing will help create a compliant and risk-optimized system that will have a definite competitive advantage.

TM Forum, or the TeleManagement Forum, is an international association of industries that seeks to deal with the complex issues inherent in the business of service provision. Vendors subscribe to the standards, specifications and procedures directed by the TMF. Wipro has found it expedient to comply with TMF's guidelines to provide the best value to its customers. In this paper, we discuss the TMF615 specification in particular and how complying with it can help investigate and, thereby, minimize security risks.

Telecom service providers have long lived with the problem of provisioning and managing users and access rights across the various OSS (Operation Support System) products managing the network. To address this major issue, TM Forum has developed the TMF615 specification, which advocates managing the entire user provisioning and auditing needs from a single place for the entire organization. In Wipro's own experience with telecom service providers, auditing with this specification has been useful in detecting security threats and managing the network effectively. The figure below gives an overview of the current problem of user provisioning in large service networks with multiple OSS vendor solutions: each OSS provider (1, 2, ..., n) carries its own user management.

[Figure: Process Flow of User Management in Heterogeneous Networks – user management is handled separately per OSS provider]

TMF615 Solution

The TMF615 specification details an interface which makes it possible for service providers to consistently provision telecom OSS operators' access rights and authorities across systems using a central user management system (UMS-C). The interface deals with the information exchange required between the UMS-C and a local user management system (UMS-L), related to the provisioning of access rights, authorities and auditing. A UMS-L is the local user management solution of an OSS, which is usually vendor-specific. The TMF615 specification introduces the concepts of UMS-C and UMS-L and provides a Web Services based integration profile. Each administrator action at the UMS-C results in a Simple Object Access Protocol (SOAP)/HTTP message arriving at the UMS-L, which is processed according to the request type, and an appropriate response is sent back to the UMS-C. The picture below illustrates the process.

Following are some of the key advantages of TMF615:

• Centralized User Provisioning across the Network
• Ability of Service Provider to Define Roles
• Centralized User Auditing
• Significant Savings in terms of Money and Effort

[Figure: TMF615 Compliant User Management – one UMS-C communicating over WSDL/SOAP with the UMS-L of each OSS provider]

Auditing in TMF615 Specification

Auditing is absolutely necessary for any user management system to monitor the activities of provisioned users and administrators and prevent misuse. The TMF615 specification supports two types of auditing.

Status Audit – This is mainly used to synchronize the UMS-C and UMS-L with each other. It checks the user accounts and their authorities currently at the UMS-L. Following are the Status Audit operations supported by the TMF615 specification:

• User Provisioning Information
• Target Account Information

Audit Trail – This deals with monitoring the activities of provisioned users over a period of time and is very critical to security. Reports which provide details on user status and the actions performed can be generated. Following are the Audit Trail operations supported by the TMF615 specification:

• User Admin Operations
• User Provisioning Operations
• Target Admin Operations
• Targets Account Usage
• Targets Authorization Usage

For more information on the individual audit operations, please check the TMF615 specification document from TM Forum.

In the following chapters, we explain each of the advantages of auditing mentioned in the TMF615 specification. To make the benefits clearer, we consider a practical problem scenario and show how the different auditing features can be used for analysis and reporting.

Problem Description – Security Breach

A major problem faced by operators is the constant threat to security. A number of operators work round the clock to ensure that there is no loss of service to subscribers while simultaneously ensuring that there is no loss of revenue data, which is a prerequisite for billing purposes. Each of these operators has a unique role and is dedicated to specific tasks like monitoring network events, faults, etc. There are a number of applications which the operators use for effective monitoring and reporting. Typically, the operator who monitors the network is notified of many critical alarms indicating the loss of events from the network. This is quickly escalated to the network administrator. The network administrator, during his monitoring of the telecom network, discovers that the configuration of a critical section was radically transformed, leading to a service outage for end customers. This leads to major management escalation, as it caused a huge revenue leak and loss of credibility for the organization. The figure below depicts this problem.

[Figure: Security Breach – Network Configuration Change – a user logged in through SSO updates the network configuration through the OSS]

Problem Generation – How is the problem created?

The following diagram is a pictorial representation of how the administrator creates a new user. The user is added to the UMS-L which, in turn, updates the database store. Automatically, the OSS application is updated with the new user account along with its role.

[Figure: Sequence Diagram – Administrator Creates a New User: Admin → UMS-C "Create New User"; UMS-C → UMS-L AddUser(); UMS-L → DataStore "Update DB()"; UMS-L → Target/OSS Application "Create User and Accounts with Role()"; responses flow back the same way]

Subsequently, the new user logs in and updates the network configuration, creating the problem, as illustrated below.
[Figure: Sequence Diagram – User Changes the Network (Problem Creation): User → SSO Login(); SSO → DataStore "Update DB()"; User → Target/OSS Application "Update Network Configuration()"; Target/OSS Application → Network "Update Network Configuration()"; User → SSO Logout(); SSO → DataStore "Update DB()"]

In the final act, the user and its accounts are deleted by the administrator, as illustrated below.

[Figure: Sequence Diagram – Admin Deletes the User: Admin → UMS-C "Delete User"; UMS-C → UMS-L RemoveUser(); UMS-L → DataStore "Update DB()"; UMS-L → Target/OSS Application "Delete User and Accounts with Role()"; responses flow back the same way]

Problem Analysis – Using TMF615 Auditing

Ideally, the operators who were assigned the role of "Network Configurator" (usually administrators or senior operators) could have performed the network update. However, initial investigation revealed that none of them were actually present in the office when the security breach was suspected. The TMF615 audit feature provides a good framework for tracking down and locating the exact problem. Following is a step-by-step procedure that the auditor can follow to resolve this specific issue. Note how, after every step, the auditor finds more critical information that helps him get to the root of the problem. All the steps have been mapped to audit functions mentioned under TMF615. The first task is to find the login account and user.

Finding the Login Account and User

The only information available to the auditor at this stage is that any operator who has been assigned the role of "Network Configurator" is capable of damaging the network. To find out which users and accounts were used with this role during that time period, the auditor can use the audit operation "Target Authorization Usage". This audit operation gives a list of all accounts (and their users) which possess the role "Network Configurator" and were active during the specified time period. The auditor then scans this list of accounts and users to find the account that was used and the suspect user. After a brief analysis, the auditor isolates an account/user which seems to be dangling and does not actually belong to any of the existing operators or administrators.

Finding the login account & user
Mapped to: Target Authorization Usage under TMF615
Process: Target Authorization Usage gives a list of all accounts (and their users)
Output: Suspect user & account ID

The next task is to locate the time period when the suspect account was actually used.

Finding the Login and Logout time

To find the exact time slot when the suspect account was active, the auditor uses the audit operation "Target Account Usage". This audit operation gives the exact time slot, with login and logout time, during which the account was active. This establishes the user, the account and the time duration during which the damage was inflicted.

Finding the login & logout time
Mapped to: Target Account Usage under TMF615
Process: Target Account Usage gives the exact time slot with login & logout time
Output: Time slot of the security breach

Gathering User Information

To gather all the details about the user, the auditor uses the audit operation "User Provisioning Information". This audit operation gives all the user details, such as accounts, roles and working schedule. However, it might happen that this audit operation does not yield any significant result: the "lookup user" operation reports that the user does not exist.

Gathering user information
Mapped to: User Provisioning Information under TMF615
Process: User Provisioning Information gives user details like accounts, role and working schedule
Output: User does not exist

Checking the Account in the Target

As the user is not found, the auditor checks whether the account exists only on a target system without any user association, i.e. as a dangling account. For this the auditor uses the audit operation "Target Account Information". This operation might not lead to any substantial information either. The auditor now believes that the problem in the network is not a mistake committed while using the tools but a clear case of an intentional security breach.

Checking account in the target
Mapped to: Target Account Information under TMF615
Process: Target Account Information provides account information
Output: Suspect account does not exist on target

The next steps are crucial in locating the exact problem. Below is a sequential illustration of the process by which the auditor is able to track down the user, account and time slot of the problem.

[Figure: Sequence Diagram – Auditor Locates Suspect User, Account & Time Slot of Problem Creation. Requests flow Auditor → UMS-C → UMS-L → Datastore and results flow back: 1.a–1.d Finding the login account and user via Target Authorization Usage(); 2.a–2.d Finding the login and logout time via Target Account Usage(); 3.a–3.d Gather all the user information via User Provisioning Information(); 4.a–4.d Check the account in the target via Target Account Information(); each backed by Get Role Usage Data() at the datastore]

Who Created the User?

To determine who was responsible for creating the user, the auditor uses the audit operation "User Admin Operations" and specifies the time range in which the deed was committed. This audit operation gives a wealth of information to the auditor. It reveals that the suspected user was created and deleted after a short span of time. It also reveals crucial information about which of the existing administrators created it. The administrator can be identified using the request identifier at the UMS-C.

User creation
Mapped to: User Admin Operations under TMF615
Process: User Admin Operations provides information about the administrator who created the user
Output: Administrator who created the user (identified by the request identifier at the UMS-C)

What were the Details of this Suspect User?

The auditor can use the audit operation "User Provisioning Operations" to determine the exact provisioning details of this user.

Details of the suspect user
Mapped to: User Provisioning Operations under TMF615
Process: User Provisioning Operations provides provisioning details
Output: Provisioning details of the user

Who Created the Account?

Finally, to determine similar details for the account, the auditor uses the audit operation "Target Admin Operations" and specifies the time range. This step reveals that the suspected account was created and deleted after a short span of time. More importantly, the administrator responsible for creating it is identified. Thus the administrator at the root of the problem is identified by using the advanced audit features supported by the TMF615 specification. The TMF615 specification therefore delivers in a situation that requires investigation into a security breach. Similarly, several other problems can be identified and resolved using the TMF615 specification.

Creator of the account
Mapped to: Target Admin Operations under TMF615
Process: Target Admin Operations provides details of the administrative operations on the account
Output: Administrator who created the account

Below is a sequential illustration of how the auditor is able to isolate the details of the suspect user, account and administrator.

[Figure: Sequence Diagram – Auditor Gets Details about Suspect User, Account & Administrator. 5.a–5.d Who created the user? via User Admin Operation(), backed by Get Admin Operation Data(); 6.a–6.d Get the details of this suspect user via User Provisioning Operations(), backed by Get History User Data(); 7.a–7.d Who created the account? via Target Admin Operations(), backed by Get History Account Data()]
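The Status Audit synchronization check and the seven-step investigation above, carried out in code as an added worked example (this is not code from the whitepaper, from Wipro or from TM Forum). The record layouts, field names, times, user and account names and request identifiers are all constructed for illustration and are not the TMF615 schema; one constructed session table stands in for both "Target Authorization Usage" and "Target Account Usage".

```python
"""Correlating TMF615-style audit records to trace a dangling account
back to the administrator who created it.

Added example: the record layouts, field names, times and identifiers below
are constructed for illustration and are NOT the TMF615 schema."""
from datetime import datetime

# --- constructed audit data, one table per audit operation named in the paper ---

# Status Audit "User Provisioning Information": users the UMS-C knows, with accounts and roles
USER_PROVISIONING_INFO = {
    "alice": {"accounts": ["alice@oss1"], "roles": ["Network Configurator"]},
    "bob":   {"accounts": ["bob@oss1"],   "roles": ["Operator"]},
}

# Status Audit "Target Account Information": accounts that exist on the target (UMS-L) right now.
# "svc_old@oss1" is a constructed leftover with no owning user at the UMS-C.
TARGET_ACCOUNT_INFO = {"alice@oss1", "bob@oss1", "svc_old@oss1"}

# Audit Trail "Target Authorization Usage" / "Target Account Usage":
# (account, user, role, login, logout); one constructed table stands in for both
SESSIONS = [
    ("alice@oss1", "alice", "Network Configurator", "2011-07-01T08:00", "2011-07-01T17:00"),
    ("tmp42@oss1", "tmp42", "Network Configurator", "2011-07-01T22:10", "2011-07-01T22:40"),
    ("bob@oss1",   "bob",   "Operator",             "2011-07-01T21:00", "2011-07-02T06:00"),
]

# Audit Trail "User Admin Operations" / "Target Admin Operations": administrator actions
# recorded at the UMS-C, each carrying the request identifier that identifies the administrator
ADMIN_OPERATIONS = [
    {"request_id": "req-1001", "admin": "admin_k", "op": "CreateUser",    "subject": "tmp42",      "time": "2011-07-01T22:00"},
    {"request_id": "req-1002", "admin": "admin_k", "op": "CreateAccount", "subject": "tmp42@oss1", "time": "2011-07-01T22:01"},
    {"request_id": "req-1007", "admin": "admin_k", "op": "DeleteUser",    "subject": "tmp42",      "time": "2011-07-01T22:55"},
    {"request_id": "req-1008", "admin": "admin_k", "op": "DeleteAccount", "subject": "tmp42@oss1", "time": "2011-07-01T22:56"},
]


def _t(stamp):
    return datetime.fromisoformat(stamp)


def status_audit_drift():
    """Status Audit: compare the UMS-C view with what the target really holds.
    Accounts only on the target are dangling; accounts missing on the target are unprovisioned."""
    expected = {acct for u in USER_PROVISIONING_INFO.values() for acct in u["accounts"]}
    return {
        "only_on_target": sorted(TARGET_ACCOUNT_INFO - expected),
        "missing_on_target": sorted(expected - TARGET_ACCOUNT_INFO),
    }


def accounts_with_role(role, start, end):
    """Step 1 (Target Authorization Usage): accounts holding `role` whose session
    overlaps the window [start, end]."""
    s, e = _t(start), _t(end)
    return [r for r in SESSIONS if r[2] == role and _t(r[3]) <= e and _t(r[4]) >= s]


def account_sessions(account):
    """Step 2 (Target Account Usage): login/logout slots of one account."""
    return [(r[3], r[4]) for r in SESSIONS if r[0] == account]


def is_dangling(account, user):
    """Steps 3-4 (User Provisioning Information, Target Account Information):
    the user is unknown to the UMS-C and the account no longer exists on the target,
    which is the pattern of a user created, used and deleted again."""
    return user not in USER_PROVISIONING_INFO and account not in TARGET_ACCOUNT_INFO


def admin_operations_on(subject, start, end):
    """Steps 5-7 (User Admin Operations / Target Admin Operations): administrator
    actions on a user or account inside the time range."""
    s, e = _t(start), _t(end)
    return [op for op in ADMIN_OPERATIONS if op["subject"] == subject and s <= _t(op["time"]) <= e]


def investigate(role, start, end):
    """Run the seven steps for one role and time window; returns one finding
    per dangling account that was active with that role."""
    findings = []
    for account, user, _role, _login, _logout in accounts_with_role(role, start, end):
        if not is_dangling(account, user):
            continue  # belongs to a known, still-provisioned operator
        ops = admin_operations_on(user, start, end) + admin_operations_on(account, start, end)
        findings.append({
            "account": account,
            "user": user,
            "sessions": account_sessions(account),
            "created_by": sorted({op["admin"] for op in ops if op["op"].startswith("Create")}),
            "request_ids": [op["request_id"] for op in ops],
        })
    return findings


if __name__ == "__main__":
    print("status audit drift:", status_audit_drift())
    for f in investigate("Network Configurator", "2011-07-01T20:00", "2011-07-02T00:00"):
        print("suspect:", f)
```

With the constructed data, the Status Audit reports "svc_old@oss1" as an account present on the target but unknown to the UMS-C, and the investigation over the evening window isolates "tmp42@oss1", its short session, and the administrator request identifiers that created and deleted it. The dangling test deliberately requires both conditions (user unknown at the UMS-C and account absent on the target), mirroring steps 3 and 4 of the paper, so that an ordinary operator who simply held the role is not reported.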
Future challenges: Asynchronous Mode in Auditing

The only aspect of auditing that TMF615 leaves unresolved is the asynchronous mode of auditing. This, however, is a challenge for the future. As depicted in the illustration below, the asynchronous mode of auditing allows the UMS-L to collect auditing data regularly and send the reports to the UMS-C. Such reports are extremely useful to the administrator in managing and monitoring OSS security effectively.

[Figure: Sequence Diagram – Asynchronous Mode in Auditing: Admin → UMS-C "Create New Auditing Request"; UMS-C → UMS-L Enable Auditing(); UMS-L → DataStore "Update DB()"; UMS-L → Target/OSS Application Activate Auditing Log Collection(); thereafter the Target/OSS Application and UMS-L periodically Collect Audit Data(), update the DataStore and return an Auditing Report to the UMS-C]

Compliant and risk optimized solution

TMF615 is specifically geared towards enhancing the efficiency of a system, focusing on the security threats that plague modern organizations and systems. Systematic investigation of security breaches results in compliant and risk-optimized solutions that have a distinct competitive advantage. Given this benefit, it is only a question of time before more telecom service providers adopt the TMF615 specification to ward off security threats and manage their systems more effectively.

Conclusion

It is clear that TMF615-supported auditing delivers huge benefits to service providers. Auditing can also be managed completely at the UMS-C, if it captures all the user provisioning data sent to the UMS-Ls. The major advantages of TMF615 are:

• Centralized management of all operators in the service provider network
• Single sign on/off can be realized quickly through proper integration with the TMF614 specification
• Increased security with the auditing feature
• Increased security due to proper management of operator permissions and schedules
• Faster user provisioning and increased automation, leading to considerable cost benefits

The following future improvements are being considered for enterprise security at TM Forum:

• Asynchronous operations support
• Enhanced error reporting
• More information for operators relating to integration and migration to the TMF615/TMF614 and SCA standards
• Specific ongoing work to standardize audit through "Security Compliance Audit Automation (SCA)"

Despite these improvements suggested for the future, TMF615 is definitely geared towards creating compliant and risk-optimized systems. Telecom service providers would have a competitive edge were they to adopt this solution for their systems.

Appendix

References

• TM Forum. TMF615 Specification. Website: http://www.tmforum.org/InformationAgreements/TMF615TelecomOSS/37358/article.html
• Unified Modeling Language (UML). Website: http://www.omg.org/spec/UML/
• World Wide Web Consortium (W3C). SOAP 1.2 Specification. Website: http://www.w3.org/TR/soap12
• World Wide Web Consortium (W3C). WSDL 2.0 Specification. Website: http://www.w3.org/TR/wsdl20
• OASIS. SPML 2.0 Specification. Website: www.oasis-open.org/specs/

Terms and Definitions

• eTOM – enhanced Telecom Operation Map
• NE – Network Element
• OASIS – Advancing Open Standards for the Information Society
• OS – Operating System
• OSS – Operation Support System
• SOAP – Simple Object Access Protocol
• SSO – Single Sign On
• TMF – TeleManagement Forum

About the Author

Mohammed Ibrahim Aleem is an Architect working with Wipro's Global Media and Telecom division. He has extensive experience in architecting, designing and providing consultancy for telecom OSS solutions. He is a specialist in the areas of identity management and security. He has been involved with many telecom solution implementations and consulting assignments and is well aware of the processes, standards and best practices involved. He is an active member of the Enterprise Security Group at TM Forum and is working closely towards the development of user management and single sign on/off standards.

Wipro in Media & Telecom

Wipro Global Media and Telecom is the newly formed SBU which combines the Telecom Equipment Vendors (TEV), Global Communications Service Providers (GCSP) and Media & OTT business units globally. Wipro is a strategic partner across the digital supply chain, from content creation to content consumption, and is uniquely positioned to address digital transformation and help organizations Do Business Better in a Digital World. Wipro's vertically aligned business model gives a deep understanding of customers' businesses to build industry-specific solutions, while technology service lines provide the ability to design new solutions on emerging technologies, delivering winning business outcomes.

About Wipro Technologies

Wipro Technologies, the global IT business of Wipro Limited (NYSE:WIT), is a leading Information Technology, Consulting and Outsourcing company that delivers solutions to enable its clients to do business better. Wipro Technologies delivers winning business outcomes through its deep industry experience and a 360 degree view of "Business through Technology", helping clients create successful and adaptive businesses. A company recognised globally for its comprehensive portfolio of services, a practitioner's approach to delivering innovation and an organization-wide commitment to sustainability, Wipro Technologies has over 120,000 employees and clients across 54 countries. For more information, please visit www.wipro.com or write to info@wipro.com.

© Copyright 2011. Wipro Technologies. All rights reserved.