From AAA to Assurance: How the UK Telecoms Security Act Is Shaping Identity-Based Network Control

Introduction

As CISOs, we often face regulations that seem far removed from the practical realities of running identity and access infrastructure.
The UK’s Telecommunications Security Act (TSA) and its accompanying Code of Practice mark a significant shift in that dynamic.

Identity and privileged access management are no longer back-office hygiene tasks; they are front-line compliance controls.

By pushing identity enforcement closer to the network, the TSA challenges long-standing assumptions. Shared credentials, flat administrative domains, and implicit trust models are no longer acceptable.

If your organization already operates robust AAA (Authentication, Authorization, and Accounting) systems (tracking who logs in, what they do, and when), you’re not starting from zero.

The TSA simply raises expectations: identity must travel with privilege, be auditable, and be controlled at the network edge.

1. What the TSA Actually Requires

Legal Context

Under the Communications Act 2003, as amended by the TSA, telecom providers must adopt “such measures as are appropriate and proportionate” to identify risks, mitigate them, and prepare for incidents (Section 105A).

Providers must also notify OFCOM “as soon as reasonably practicable” after a significant security compromise.
While the Act defines what must be done, the Telecommunications Security Code of Practice (Dec 2022) defines how to demonstrate alignment.
Deviations are allowed but must be justified.

Key Identity and Privilege Requirements

Section 7 – Prevention of Unauthorized Access or Interference
“Privileged access is only granted to individuals whose identity has been verified, and the principle of least privilege must be enforced.”
Why it matters: This shifts compliance from authentication to continuous oversight of privilege.

Section 9 – Governance
“Oversight and accountability must flow from senior leadership with defined roles and review cadence.”

Section 10 – Reviews and Assurance
“Providers should continuously review controls, conduct audits, and test configurations to ensure resilience.”

Section 13 – Testing
“Scenario-based exercises and red-teaming should validate the strength of identity and access controls under stress.”

Together, these sections establish an assumed-compromise mindset: identity must be verified, privilege must be justified, and every action must be traceable.

2. The AAA Foundation and Its Limits

Most telecom operators already rely on AAA systems that provide:

• A central identity source for users and roles
• Authorization policies tied to those roles
• Accounting and audit logs for who accessed what and when

AAA is the foundation but not the finish line.
It authenticates users and records actions but often lacks real-time privilege enforcement and contextual awareness.

3. Evolving Toward Network PAM

The next phase of maturity extends identity into the infrastructure itself.
This is often referred to as Network PAM (Privileged Access Management) or more broadly, identity-based network control.

What It Enables

• Enforcement of least privilege at the command layer
• Full traceability of administrative activity
• Conditional or just-in-time privilege elevation
• Session audit and recording for compliance review
• Adaptive access based on real-time risk signals

These capabilities strengthen TSA Sections 7, 9, and 10, creating a living system of control and assurance.

Maturity Path

Crawl

• Inventory privileged accounts and map to verified identities
• Segregate roles by domain (network, infrastructure, cloud)
• Require MFA or step-up authentication for admin sessions

Walk

• Introduce just-in-time elevation and time-bound access
• Capture and log session activity
• Automate credential rotation or short-lived tokens

Run

• Apply real-time analytics and anomaly detection
• Use contextual risk (device, time, location) for adaptive access
• Prevent lateral movement across infrastructure

4. Common Gaps and Lessons Learned

• Operations vs. Compliance:
  Network teams prioritize uptime while compliance teams prioritize control. Success requires shared ownership.
• Legacy Infrastructure:
  Older devices may lack direct identity integration. Use control gateways or jump servers to retrofit enforcement.
• Third-Party Access:
  Vendors remain a high-risk blind spot. Tie all sessions to verified identities and record every action.
• Visibility and Auditability:
  Granular logging is often missing. Centralize session records and schedule periodic reviews.
• Credential Hygiene:
  Automate credential rotation and prefer ephemeral access.
• Cultural Shift:
  Identity governance isn’t just a security function; it’s an organizational discipline supported by leadership.

5. Self-Assessment: Are You TSA-Ready?

Key Takeaway

The Telecommunications Security Act embeds identity into operational assurance.
The expectation is not simply secure access but traceable, enforceable, and accountable privilege at every layer of the network.

If your organization already operates AAA controls, you have a head start.
The next step is to extend that foundation into Network PAM, where identity follows privilege and compliance evolves into assurance.

Closing Thoughts

TSA alignment is not a one-time project; it’s a maturity journey.

Each incremental improvement strengthens accountability, reduces risk, and reinforces resilience.

Use the checklist to start the conversation across your teams: security, network, compliance, and leadership alike.

Where does compliance break without identity-based control? Watch this discussion on how to bring identity to the network layer.

Webinar: Zero Trust Falls Short Without Network Identity: Lessons from Salt Typhoon

Watch On-Demand Now