Evolving 5G Security for the Cloud

Security is an important topic for the mobile communications industry as 5G enables new applications and use cases. The mobile communications industry continues to consider security as a foundational pillar for each generation of our technology. It is essential to continue the progress in security innovations as there are increasing threats from nation-state and other sophisticated actors threaten critical infrastructure and present material risks to mobile network operators (MNO) and their suppliers.

5G security continues to improve as security controls, tools, and standardization evolve and the 5G ecosystem extends to include the virtualized and cloud-based Radio Access Network (RAN). 5G evolution to cloud hosting for Radio Access Network (RAN) and Core deployments brings both additional security benefits and security risks. Cloud deployments present an expanded attack surface with internal and external threats to 5G networks, requiring a zero trust mindset to secure those networks.

While the MNO can delegate responsibility for security controls to the cloud service provider (CSP), the MNO is accountable for the security posture of the deployment. Hybrid Cloud deployments, such as Multi-Access Edge Compute (MEC), pose additional security risk due to the responsibilities retained by the MNO in the Cloud Shared Responsibility Model. The MNO is always responsible for configuration of CSP provided security controls, including firewalls and access management, data protection from exposure and leakage, and scheduling and execution of software patches and upgrades. The MNO must validate configurations, use secure versions of APIs and protocols, and assign least privilege to access workloads and data.

A secure 5G cloud deployment must be built upon a secure 5G supply chain that includes software vendors and cloud service providers. The cloud can potentially introduce increased supply chain risk due to virtualization, increased use of open-source software, and a larger array of third-party vendors. MNOs must ensure 5G software vendors implement secure software assurance with a shift-left philosophy that integrates security into the software development process, continuous integration/continuous delivery, and DevSecOps early in the software development lifecycle.

The Software Bill of Materials (SBOM) provides a comprehensive view of the third-party commercial and open-source components which are incorporated in a product. The SBOM can be utilized to identify known critical vulnerabilities inherited from third parties and affected products when new vulnerabilities emerge. The GSMA association’s Network Equipment Security Assurance Scheme (NESAS) assessment is a valuable tool to ensure the 5G software vendor is following industry best security practices. Third-party applications in the O-RAN ecosystem, called rApps and xApps, could introduce additional risk to the supply chain. The Service Management and Orchestration (SMO) platform vendor and MNO must practice due diligence to ensure rApps and xApps are trusted, securely on-boarded, and designed with proper security controls for integration into the ecosystem.

The cloud has great promise for 5G use cases, which can be realized when the software products have security built in and deployments are securely configured to establish a foundation for secure 5G use cases. A step-wise approach should be taken to achieve a Zero Trust Architecture for 5G deployments in the cloud so that network functions, interfaces, and data are protected from external and internal threats.