Operating a telecommunications network is more than just connecting phone calls, or helping people share funny videos online. Telecom networks are critical components of our society’s infrastructure. Telecom operators face a wide array of risks to the critical communication services they provide and the sensitive data they protect, from network outages, to criminally-motivated ransomware attacks, to sophisticated nation-state intrusions.
In order to address and manage these risks, operators are subject to a complex and evolving set of security and privacy regulations. Telecom operators may see these regulations as a potential barrier to cloud migration. However, Google Cloud supports customer compliance in several ways, making this process easier than you might expect (and more straightforward than in many legacy environments):
- Google Cloud provides a consistent and unified technology platform, with common security controls and platform-wide, policy-based security automation.
- Google Cloud adopts a Secure By Design and Secure By Default approach which supports customers in meeting many security requirements “out-of-the-box.” Examples include default encryption, Zero Trust infrastructure, data center physical security, and organization policies.
- Most regulations can be mapped to a common baseline. Google Cloud has an extensive compliance framework and experience in guiding customers as they adapt to new standards.
Google Cloud is working with partners including Nokia to enable telecom-related workloads in the public cloud. Our webinar on Demystifying Telecoms SaaS Security highlights how we are collaborating to solve security and compliance challenges for communication service providers.
“Google has invested an extraordinary amount in security technologies that allow us to use things like encryption, anonymization, tokenization, and other means for keeping sensitive information inside the privacy domain. Maintaining regulatory compliance and privacy inside the cloud becomes inherently possible for customers thanks to the technologies that Google has made available,” said Phillip Blanchar, senior director of SaaS delivery and operations, Nokia.
Here’s how Google Cloud is helping telecom operators around the world to maintain compliance with applicable regulations.
Regional regulatory guidance
Google Cloud has published a series of whitepapers detailing the telecoms regulations that are applicable in the United States, Europe, Middle East, India, and Latin America, and the measures supported by Google Cloud to help telecom customers comply with these regulations. The guidance in these papers covers an array of regulations and standards, including:
- Consumer data privacy measures
- Communications confidentiality regulations
- Telecom-specific security regulations and guidelines
- Critical infrastructure regulations
- National regulations relating to cloud security
In addition, these papers cover global standards such as ISO 27001 and industry-specific security guidance such as the GSMA Baseline Security Controls.
Keeping guidance current
Regulations continue to evolve and we have recently updated these whitepapers to include some important changes. These include a national security memo from the U.S., the EU NIS2 directive, the EU-U.S. Data Privacy Framework, and the Telecommunications Act of India.
Even with the changes, the controls are still applicable. These laws mandate best practices for data residency, data privacy, confidential communications, operational resilience, and cybersecurity. Fortunately, most regulatory requirements can be mapped against a harmonized baseline (such as the Cloud Security Alliance’s Cloud Controls Matrix).
Google Cloud offers a strong set of security controls that can assist customers in meeting these common requirements, covering domains such as Infrastructure Security, Network Security, Application Security, Secure Software Supply Chain, Data Security, Identity and Access Management, Endpoint Security and Security Monitoring and Operations, as well as Governance, Risk and Compliance.
"In a SaaS environment, the operating model itself becomes a critical factor in security. It's not just the product, but the constant patching, monitoring, and threat management that helps to elevate the security posture beyond what's typically achievable on-premise," said Blanchar.
Google Cloud has also been audited by trusted third parties against many global and regional standards, providing evidence of both our customer-facing security controls and capabilities and our internal security controls (such as personnel security, change management, incident management, and vulnerability management).
How shared fate can help telecoms
In Google Cloud’s Office of the CISO, we work directly with our customers (and, where appropriate, with regulators) to evaluate and support compliance efforts. This direct engagement with telecommunications providers and industry leaders is part of our shared fate vision: A model for how cloud providers can work alongside their customers and play a significantly more active role in achieving their desired security posture. From leading transformation workshops and connecting your team to the necessary training resources, to building secure landing zones and providing posture and risk assessments, the Office of the CISO is here to help the telecommunications industry.
We’re invested in helping telcos navigate their complex regulatory environment, and improving the cyberdefense capabilities of the entire telecommunications network. Because a well-protected telecom network means we can continue sharing cat pictures and dog videos, as well as making phone calls — all while knowing our data is protected.
To learn more about Google Cloud support for telecoms, you can check out guidance at our CISO Insights and Board of Directors Insights hubs.