RSA Conference Europe's Linda Lynch questions Alessandro Campioni from Telecom Italia

Q&A with Linda Lynch - Alessandro Campioni, security engineer, Telecom Italia.

What is your role at Telecom Italia?
I work in Security Innovation, a department of Telecom Italia's IT technical security area. Our mission is to define new security service concepts and innovative solutions for the company and customers.

I focus on customers' security issues and design technical solutions to their problems. Our department collaborates with other Telecom Italia areas to design and deploy security services: good collaboration is a must.

Specifically, my group is working to build security access services for mobile customers, enabling services such as mobile banking or payment, reducing the risk of phishing and identity theft.

What are some of the security challenges specific to telecoms that you face day to day?
Agcom, the Italian communications regulatory authority, has driven a big part of our activities in the past couple of years. Encryption of customer data, strong authentication for access to customer data and enforcing of logging services have been some of our goals. At this time, we are working to enforce security on system administration activities.

Incidents such as data breaches have been a big problem for other companies and governments. What problems are raised for Telecom Italia?
Ensuring our customers' data is our main security concern.

In addition to technological solutions for strong authentication and data encryption, we're working to evolve the efficiency of the company's IAM services. In the past couple of years we have been working to build a strong risk management process, to give us awareness of the security issues of our infrastructure and our applications. It gives us the capability to prevent incidents such as data breaches. A risk management process is a critical item for a telco such as Telecom Italia: a taskforce works on it daily to optimise methodologies and tools.

You presented at RSA Conference Europe in October about the challenge telcos are facing around encrypting sensitive data. How does Telecom Italia meet this challenge?
After the publication of the 2009 Data Retention (EC Directive) Regulations and the Italian Data Privacy Law 196/2003, we were charged with finding a solution to apply the laws to our system.

Telecom Italia is a large company with its HQ in Italy and branches in South America and Northern Europe, with more than 60 million customers (mobile, fixed line and broadband).

For the business processes involved, there are 150 apps with sensitive data, distributed in several datacentres. Those applications generate more than a million traffic tickets daily, just for the prepaid mobile billing process.

Usually the approach to encryption is based on point solutions such as the Oracle TDE or on a developer group's know-how. An encryption library is used to encrypt and decrypt data, with an HSM or a NetHSM to store the keys. It takes a lot of effort to design a complex NetHSM architecture and HSM management process.

In a large enterprise such as Telecom Italia, the capability of sharing encryption keys is mandatory.

The right encryption solution for us needs to provide standardised developer tools, overcome HSM infrastructure limits and enable key sharing among many applications.

This solution had to be able to work on different platforms and had to simplify the key management process, offering, at the same time, interoperability among different platforms and applications. A main focus is high availability – because business processes, such as billing, can never be halted.

We had to design a solution that satisfied our protection needs. We follow a detailed set of guidelines to carry out such projects successfully. First, we identify the real encryption needs and verify if the Key Manager schema can be applied. Next, we verify client and connector compatibility. We consider high availability to ensure business continuity and define a strong process for HSM management. Finally, we activate support for the project teams.