Critical Security Considerations When Deploying Software-Defined, Open 5G Solutions
In this article
The future of software-defined mobile networks will rely heavily on open, decentralized and virtualized solutions that will unlock the promise of 5G — increased bandwidth and low latency to support a new wave of world-changing applications and services.
But the broad scope and reach of 5G comes with increased exposure to a wider spectrum of security threats as the number of access masts and end-points susceptible to attack will grow exponentially.
Think of it like a house. Your existing 4G home has the typical entryways: a front door, back door and side door. In upgrading to a 5G model, construction crews have built a delightful new interior but have also added six new exterior doors to improve access and flow.
Is the existing security program you had in place for your 4G home an adequate solution to secure your new 5G model equipped with three times as many doors? The answer is no, of course not.
Prior generations of network connectivity required operators to protect the data center and put a nice perimeter around it. With 5G, the perimeter has disappeared, and potential threats have access to more entry points than ever.
Security is no doubt a concern and should be baked into an operator's 5G strategy from the get go. Simultaneously, telcos are moving away from a threat-based approach to security and toward a risk-based strategy as it relates to 5G — reducing exposure to enhance 5G security as opposed to simply reacting to threats.
Recently, industry stalwarts have butted heads over the security of software-defined, open network architectures, such as Open RAN. One side argues open networks, which will utilize more vendors within its ecosystem, broaden the attack surface. The other side reasons open architectures will provide greater visibility and enhance security positions.
The answer is not so cut and dry. The use of disaggregated, multi-vendor solutions is gaining momentum regardless if they are running on top of proprietary or open hardware. Yes, this will increase threat vectors. The question becomes: Do open architectures increase exposure?
As Rakuten Mobile CTO Tareq Amin recently said, "if vendor A provides you with equipment and it is locked and proprietary, the way you trust the security [of that equipment] is that the vendor told you it is secure. Well, that's one approach… the other is that, as an operator, you should have 100 percent visibility – you should know, end to end, what is happening in the network. Securing the perimeter and getting visibility [into the whole network] is 80 percent of the headache – getting into the details of how you continue to harden and secure [the network], that's an evolutionary process."
Put more bluntly by Dish Network's Stephen Bye in defense of open solutions, "it's easier to find the cockroaches when the lights are on instead of when they are off."
Still, there are several key security considerations to think about when deploying open solutions that will compose the 5G networks of the future.
Security always starts with visibility. Think about it — you can't protect what you can't see or don't know is yours.
Global service providers should begin any security conversation with three basic questions:
- What is on my network?
- What is each and every application or device doing?
- Is that application or device doing what it should be doing?
Surprisingly, answers to these three questions aren't always top of mind or easy to understand, given the sheer size & complexity of service provider networks. And that's a problem, especially for service providers. Consider this: One large service provider WWT has worked with in the past discovered nearly 4 million IP addresses under its thumb it previously didn't know existed — roughly 7 percent of its network.
Further, across the business, the answers to security questions can vary.
When the focus of board-level discussions turns to cybersecurity, it takes on a new meaning and the responses to those threats change dramatically. Instead of just looking at tools, controls, users and data, we now focus more on things like risk management, revenue enablement and shareholder value. The struggle then becomes how to align those IT technical controls with board-level concerns.
CISOs need to be talking with mobility teams to ensure they aren't making the same mistakes as in the past — buying a variety of best-of-breed security solutions that create a disparate, unintegrated approach that is unable to effectively detect and respond to threats.
The good thing about open architectures is it applies to almost everything in the 5G network — from core to edge — meaning there's genuine opportunity to have a unified security system that incorporates telco IT/OT and everything else into one umbrella.
This requires not just a technical change of mindset, but a cultural one, too.
Given this dichotomy, organizational and executive alignment are paramount.
Cloud-native technologies, such as containers, have become a critical component of service providers' ability to build and scale a 5G network, but vulnerabilities exist and measures need to be put in place to secure those containers in production as well as across the application development cycle.
But cloud-native applications — containerized or not — still need to be secured.
Software updates to virtual machines, according to a recent white paper from Palo Alto Networks, typically require upgrading the whole machine with a new software release, which adds risk due to software complexity and interdependencies. Containerization breaks code into smaller portions with each having defined infrastructures and allowing for dynamic, continuous, less-risky change.
The report continues: Containerization can "automatically check code as it is being written, scan it while it is being deployed into the infrastructure, and ensure the code can talk only to relevant parts of the infrastructure. As container adoption rises, so should the adoption of best practices for container security to protect running containers in production as well as secure containers across the full application lifecycle. This should be complemented by secure agile software release practices based on continuous integration and continuous delivery/deployment (the CI/CD pipeline). The CI/CD pipelines that scan for host and application vulnerabilities provide a head start on securing the container compute infrastructure."
Zero Trust is a security framework that implements the principal of "least privilege" by dynamically verifying identity and assessing the risk of each transaction. With its mission to "never trust, always verify," Zero Trust improves an operator's capability to protect against today's sophisticated attacks — both outside and inside the network.
Zero Trust provides three critical benefits compared to legacy security architecture:
- Reduced attack surface: Zero Trust focuses more on defining micro-perimeters closer to the data through the act of micro-segmentation.
- Continuous risk assessment: Zero Trust continuously assesses the risk level of the user, device or service requesting access. This concept provides a more effective way to mitigate changes that may occur post-authentication.
- Least privileged access: Access must be restricted on a need-to-know basis, which eliminates the grave impact of breaches, because there is a much smaller blast radius in the instance of negative cybersecurity events.
Without automation and orchestration, security cannot scale. Network functions have become automated, and now security threats have become increasingly automated. If threat actors are using automation to scale their attacks then why wouldn't security detection and response functions be automated, too?
Organizations over time have invested in many best-of-breed security technologies that while having independent value, create silos of visibility and generate too many alerts to manage. These disjointed tools also create complexity and latency in the investigation and response process, making it difficult for analysts to quickly understand context, determine root cause and identify the criticality of an incident.
To combat these operational challenges, organizations are increasingly looking to leverage orchestration and automation to amplify existing investments, standardize processes, accelerate response and reduce risk.
- Security orchestration can be thought of as the "control plane" of event response that bridges both security and non-security products to map out tasks and responses through documented workflows.
- Security automation is the "data plane" of security response that executes those workflows based on triggers or predetermined KPIs.
By incorporating automation and orchestration into your security strategy, you can:
- Reduce complexity in your operational environment.
- Enhance consistency and transparency of documented processes.
- Optimize tool integration and utilization.
- Accelerate resolve time and improve investigation quality.
- Improve analyst productivity and enhanced collaboration.
The Shared Responsibility Model of security clearly outlines the respective responsibilities of service providers and their customers.
Providers of network services are responsible for protecting the infrastructure that runs all the services offered on the network. Meanwhile, customer's obligations in the Shared Responsibility Model include monitoring for risky configurations, protecting their sensitive data, anomalous user activities, suspicious network traffic and host vulnerabilities.
Organizations that simply rely on their service providers to supply security and protections across their cloud environments and applications are at risk of:
- Lack of visibility and control over users, data and assets.
- Breaches and malware.
- Intellectual data loss and customer privacy violations.
- Compliance violations.
Service providers need help accelerating digital transformation by more rapidly integrating and adopting innovative technology solutions that make up a software-defined mobile network to fully realize their benefits and maximize ROI.
Security transformation is no different. With a sea of never-ending threats, service providers need to take a different approach that instead manages risk based on business goals and objectives. Our holistic approach to security helps service providers connect business goals and objectives to technical solutions, thereby enabling more effective outcomes and alignment with broader enterprise architecture efforts.
WWT can help service providers more rapidly deploy software-defined, secure open network architectures within their network by providing fully integrated cloud-based, virtualized solution blueprints that operators can leverage to accelerate 4G and forge a clear path toward broader 5G adoption.
Our Next-Generation Factory Model allows operators to move from innovation to validation and deployment more rapidly than in the past. It accelerates time to revenue by validating complex, multi-vendor solutions with speed in our Advanced Technology Center (ATC) before integrating and deploying them at scale in one of our global integration facilities.
Given the sheer volume of new access points expected to be added in the coming years, there is no doubt 5G comes with increased security exposure. Software-defined, open 5G solutions are not only inherently secure, but they will be key in helping bolster security measures for service providers moving forward.
When service providers take a comprehensive approach to cybersecurity for open 5G solutions by managing new cyber risks with integrated state-of-the-art security solutions and capabilities, they are able to secure their networks and data regardless of the underlying technology or vendors.