Ericsson’s Security Reliability Model
For many years, Ericsson has systematically developed a state-of-the-art model to incorporate security and privacy considerations into all phases of product development. The result of this effort is a well-established internal governance framework for security and privacy by design, the Security Reliability Model (SRM).
SRM is the framework that Ericsson uses to deliver on security and privacy ambitions across the product portfolio. Its key characteristics are that it:
- Defines the product security and privacy ambition level
- Ensures the implementation of appropriate security and privacy features and functions
- Follows up and measures actual product security and privacy status
- Enables Product Near Security Services
Ericsson's internal directive defines how responsibilities and authorities are distributed between different roles and functions to ensure, manage and control product security and privacy across the Ericsson product portfolio.
The Security Reliability Model (SRM) defines a set of security and privacy baseline requirements for Ericsson products. Those requirements are derived from decades of experience and additionally from sources in the telecom and IT industry, including standards, customer policies and regulation.
The product organization responsible for each Ericsson product will analyze, decide and document the applicability of, and compliance with, the given security and privacy requirements, using a risk-based approach. Risk Assessment and Privacy Impact Assessment processes are used to identify and prioritize a list of security and privacy functions which are required to mitigate known risks to an acceptable level.
Assurance activities are divided into three levels: basic, advanced and tailored. All basic level assurance activities relevant to the product shall be performed by product development. Advanced level activities can be performed for parts of products that need high security and privacy assurance. Tailored level activities are used for products, or parts thereof, where product-specific assurance requirements exist.
The most prominent assurance activities leveraged by Ericsson are Risk Assessments, Privacy Impact Assessments, Secure Coding practices, Vulnerability Analysis and Hardening. These are defined as follows:
- A Risk Assessment and Privacy Impact Assessment will identify risks related to the product when used in the customer's network. The assessment will also identify the privacy risks related to the individuals (e.g. subscribers) when their personal data is processed in the product. As a result, mitigating security and privacy mechanisms to protect the identified data will be applied according to the Ericsson privacy and security design rules.
- By following secure coding practices, Ericsson reduces the possibility of design flaws and implementation bugs during software development. Secure coding activities aim to reduce flaws and weaknesses in the software code through code reviews and selected static and dynamic scanners and tools.
- The Ericsson way of performing Vulnerability Analysis (often referred to as Vulnerability Assessment within the industry) comprises the testing and verification (including penetration testing) activities which are designed to identify weaknesses and vulnerabilities present in the product or solution. The vulnerability analysis verifies security characteristics and security configuration of the product/solution and identifies new vulnerabilities through both black box and white box testing. Remaining vulnerabilities shall be documented with mitigation proposals. A Vulnerability Analysis shows that risks discovered in the Risk Assessment activity are sufficiently controlled (or mitigations documented) in the final product.
- Hardening means increasing product security by reducing its attack surface. Hardening is relevant both for design and configuration and for deployment. Hardening ensures that the product is configured in a manner that minimizes the risk of unauthorized access, including system compromise. Hardening includes, for example, removal of unnecessary software, installation of the latest patches, disablement of insecure services and replacement of default passwords.
The documentation aspect of SRM defines security- and privacy-specific customer documents. The documents defined in SRM are the Hardening Guidelines, Security and Privacy User Guide, and the Security Test Results report.
SRM documentation has multiple purposes. It lets customers know what security functions are available on the product and how to configure them to achieve and maintain security and privacy compliance. The documentation also describes which assurance activities were performed on the product and communicates other sensitive aspects related to operating the product, like the impact on privacy and the processed personal data.
Product Near Security Services
Ericsson's product-near security services are currently handled separately by the service organizations and are independently defined by the products.
Typical deliverables are security and privacy training recommendations, solution level integration guidance, international data flow handling and potential deployment-time hardening activities that need to be included in customer delivery projects.