By Chris Pearson – September 2022
Security is a mainstay foundation for the mobile communications industry. Yet, as our 5G communications world expands into new areas, we will need to continue our progress with our industry security standards and capabilities. It seems that every year there is troubling news about security breaches in every place you look. From state-sponsored activities against telecommunications providers to attacks against new emerging financial networks, no organization seems to have been spared. Even some of the largest companies in the world have experienced setbacks due to sophisticated attacks, so remaining vigilant is important whether you’re a small organization or a behemoth enterprise.
As the world becomes more interconnected and the size and speed of data flows increase, the challenge becomes greater, and the stakes get higher. In previous 5G Americas white papers, we’ve talked about how the surface area for threat vectors increases due to the growing complexity of modern networks as computing, networking, and storage become more decentralized. In particular, the emergence of cloud computing can present an expanded attack surface for both internal and external threats to 5G networks, requiring a “zero-trust” mindset to secure those networks.
In our latest white paper, “Evolving 5G Security for the Cloud,” 5G Americas takes a deeper look into how cloud security is a foundational pillar for the mobile communications industry, as it protects against increasing threats from nation-state and non-nation-state actors and enables new applications and use cases. We examine how 5G security continues to improve as security controls, tools, and standardization evolve, as the ecosystem extends to include virtualized and cloud-based Radio Access Network (RAN).
In the white paper, we argue that a stepwise approach is needed to achieve a Zero Trust Architecture for 5G deployments in the cloud so that network functions, interfaces, and data are protected from external and internal threats. Rome wasn’t built in a day – and neither is cloud security in 5G networks.
Despite the security challenges, cloud computing is a great opportunity for wireless cellular networks. The cloud holds great promise for new 5G use cases when software has security built in upfront and deployments are securely configured to establish a safe foundation. As wireless telcos evolve to become wireless “tech cos”, the mobile industry continues to collectively embrace advancements in cloud computing and virtualization to take advantage of its efficiency and deployment flexibility.
Our industry has done a lot of work to integrate cloud principles into wireless networks. 5G standards have been developed that enable separation of the core and edge compute network functions (NFs) from the hardware layer to enable virtualization of the NFs – and evolved containers for cloud-native network functions (CNFs) that work at scale. These types of advances create new opportunities for automation and improved user experience, but they also bring along with them new challenges, as virtualized network functions and containers themselves can present a potential new vector for security threats.
As we can see below, there are a variety of different types of risks that cloud computing may present in the context of a 5G network. Each of these potential avenues (and more) needs to be addressed by both the mobile network operator and the cloud computing provider. But how do they work together to ensure all the bases are covered and that the security response is not duplicated, confused, or undermined by security teams?
One major complication is that the architecture of cloud-based networks can itself present a challenge for 5G network operators to secure. For instance, private, public, and hybrid cloud deployment models are now available when designing and deploying 5G core networks, edge computing, network slicing, private networks and more. Each of these different types of architectures presents a different set of requirements for the cloud operator, as well as the mobile network operator. Who is responsible for security on-site? Which elements of the network need to be locked down in the data center?
Indeed, there are multiple flavors of hybrid cloud deployments that themselves present different security stances, depending on the hybrid cloud platform (HCP). Not all hybrid clouds are built the same and therefore provide unique security scenarios.
So do we share security responsibilities between the various entities? These must be mapped out ahead of time. In general, while the mobile network operator (MNO) is accountable for the security posture of the deployment, it must delegate responsibility for security controls to the cloud service provider. In the cloud shared responsibility model below, we see where responsibilities have often been shared between the consumer of cloud services and the provider – it’s different depending on the type of cloud service model that has been arranged. A similar type of shared responsibility model should be created between the MNO and the cloud service provider.
Another major issue for 5G networks involves the supply chain, which has also recently increased in importance, as national security concerns become intertwined with mobile networks. In the United States, progress is being made on a secure 5G supply chain, led by government agencies such as US NIST, US National Telecommunications and Information Administration (NTIA) and industry consortia such as ATIS (Alliance for Telecommunications Industry Solutions) and Telecommunications Industry Association (TIA) – but responsibility for safety must be shared across the entire ecosystem.
For network operators, a secure 5G cloud deployment must be built upon a secure 5G supply chain that includes software vendors and cloud service providers because cloud deployments may increase risk due to virtualization, increased use of open-source software, and a larger array of third-party vendors. Due to the continuous improvement nature of cloud computing, MNOs must also ensure 5G software vendors implement secure software assurance that integrates security into the software development process, continuous integration/continuous delivery, and DevSecOps early in the software development lifecycle. Ultimately, a Software Bill of Materials (SBOM) provides a comprehensive view of the third-party commercial and open-source components that are incorporated in a product, which can help to assess security in the supply chain.
But even as national security considerations are paramount, connectivity is critical for globally connected societies and essential to human and economic progress. Indeed, 5G Americas’ mission is to build a community in the Americas for the advancement of 5G and LTE technologies. We understand the need to address national security interests along with the need to balance international leadership and co-operation among allied nations.
Fortunately, advances in 5G security include a host of improvements that allow public land mobile networks (PLMN) to interconnect with each other across borders – more so than any previous generation of wireless cellular. These improvements are incredibly important to support roaming without revealing confidential information or facilitating fraud or abuse.
For instance, in 5G networks, both roaming hubs and internetwork packet exchange providers play a key role in the roaming ecosystem and operators expect to employ these intermediaries in 5G Standalone (SA). Additionally, 3GPP standards include the Security Edge Protection Proxy (SEPP) that provides a model for either direct Transport Layer Security (TLS) encryption for end-to-end communication or PRINS (Protocol for N32 Interconnect Security) to secure the roaming interconnection. In these instances, 5G inter-PLMN roaming security requires the use of cryptographic keys that will need to be exchanged between the different stakeholders involved in roaming. Much of this inter-PLMN standards work will be finalized in 2022, so there is still a lot of work to be done. But we will get there!
Sometimes it seems the world has become an increasingly dangerous place. You can’t turn on the television without a news report about the latest tragedies and the scariest security breaches. But if I know anything at all about this 5G and technology industry, there are a lot of dedicated security researchers and engineers who are working hard every day to continually progress security capabilities. Advancements are being made to lock down every conceivable point of attack on our increasingly complex networks. It’s a never-ending process that requires the entire ecosystem to remain ever vigilant.
Luckily, rest assured that we have some of the best people on the job securing our interconnected networks.