The potential market for new 5G services is enormous and is estimated to exceed USD 400 Billion by 2027. Services like autonomous transportation, low-latency healthcare apps, and reliable communication for first responders turn 5G networks into national security and critical infrastructure that cannot be allowed to fail.
The challenge is that in a modern communication service provider (CSP) environment migrating to 5G, there is an increasing number of moving parts to protect, and that complicates five-nines (99.999%) availability requirements. There’s a way to stay ahead of the threat, however. If we’re going to get there as an industry, we need to start thinking very differently about network security. That starts with recognizing that we can’t just delegate it to the security team.
Security is now a team sport—and should be part of every decision that gets made about your 5G network.
New Innovations Bring New Challenges
A couple of decades ago, attackers may have been mostly lone operators seeking to cause mischief. Today, they’re highly organized, well-funded criminal operations, sometimes with state backing, with the time and resources to mount sophisticated long-term attacks. The new threats they’re developing are evolving more quickly than our strategies to combat them.
Major industry groups have, of course, made efforts to protect operator networks, but wireless security standards remain inconsistent and incomplete. For example, 3GPP continues to do important work securing the signaling plane between services and inter-function communication, but many of these measures are optional and implemented differently by different vendors. They also only address the areas where 3GPP traditionally operates—not the underlying cloud architectures that many CSPs are now adopting.
Today, as CSPs advance their 5G rollouts, these problems are growing more urgent.
As we build out next-generation networks, we inevitably create new potential inroads for new threats, both from outside and within the network. Externally, the sheer density of subscribers, devices, and applications is reaching a level unlike anything we’ve dealt with before. But it’s the potential internal vulnerabilities that can be even more pernicious and that don’t seem to be on people’s radars.
When your network gets heavily disaggregated, previously monolithic functions get broken up into many smaller pieces, in some cases from multiple vendors. You can’t protect all those pieces, and the interconnections between them, using legacy approaches. Building proper security into the architecture from the beginning is easier than trying to overlay it later, so savvy CSPs will consider it from the start.
Because these increasingly complex 5G networks are being considered to support aspects of national security and critical infrastructure, the government oversight that has already begun in the UK (and is sure to follow around the world) will soon regulate the security requirements for these networks. Exactly what the regulation will be in each country will vary, but looking at the UK should provide a pretty good level of guidance, because the UK’s telecom security requirements are ahead of the curve.
Take Concrete Steps to Protect Your Architecture
We absolutely can improve security for a 5G world, but that process starts with accepting reality: threats will continue growing more powerful, networks will continue getting more complex, and defenses will likely always be playing catchup. In this environment, you can’t rely only on fulfilling the requirements of regulations to protect you or your customers. Instead, we need to think differently—and more holistically—about how we’re designing and protecting our networks. That includes steps like:
- Thinking through security implications of cloud-native 5G infrastructure: As we develop and deploy containerized network functions (CNFs) for 5G, we need to be thinking about security across the container lifecycle in heterogeneous, often multi-cloud environments. That includes steps like securing CNFs through CI/CD pipelines, using trusted container image repositories with strict access control, and tightly controlling communication between CNFs and microservices.
- Reducing the blast radius: If you accept that breaches are going to happen, then the wise move is to design and deploy systems to minimize the damage when they do. For example, if you only use cryptographic authorization and encryption in the cloud, and attackers discover a vulnerability in those systems, you now have a huge potential attack vector. However, if you pair encryption with micro-segmentation—isolating every layer in the stack with virtual firewalling and strict network access policies—you greatly restrict what even a successful attack can do.
- Embracing openness: It can sound counterintuitive, but using open standards and open, virtualized systems across your environment allows for stronger security than closed, proprietary technologies. Using a vendor’s vertically integrated system can seem more secure, but the reality is, you’re now completely reliant on that vendor to protect you. Effectively, you’ve got a “black box” in your environment, with no way to know what’s happening inside. Alternatively, if you’re using open, virtualized systems, you can inspect every layer of the stack. You also now have the freedom to quickly remove and replace any component that’s found to be insecure—including switching to another vendor’s product.
- Protecting your orchestration tools, as well as the things they’re orchestrating: In a world where more parts of your operations are getting automated, it’s essential to identify security-critical systems within management, automation, and orchestration tools. More than ever, we need to lock down management and operational access to network components and meticulously track any changes made.
- Thinking through security at every level of the network: Even as networks have gotten more virtualized, we still tend to think about security in a hardware-centric, box-by-box way. But while disaggregation means there are more pieces to secure, it should now be simpler to secure them. If you’ve implemented your next-generation architecture properly, you should be able to use uniform policies for everything and manage and enforce them centrally.
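As an added illustration of two of the steps above, tightly controlling communication between CNFs (first item) and micro-segmenting with strict network access policies so that a compromised component cannot reach anything it was never meant to (second item), here is a constructed Kubernetes NetworkPolicy set. It is example configuration written for this page, not VMware’s code or anything from the post. The namespace `core-5g`, the `app.kubernetes.io/name` labels `amf` and `smf`, the port 8443 for the service-based interface, and the `k8s-app: kube-dns` label on the cluster DNS pods are all assumptions; substitute your own.

```yaml
# Constructed example: micro-segmentation for a namespace holding 5G core CNFs.
# All names, labels and ports below are illustrative placeholders.
---
# 1. Default-deny. Once this is applied, no pod in the namespace may send or
#    receive any traffic until a later policy explicitly allows it. This is the
#    "reduce the blast radius" baseline: a compromised pod starts with nothing.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: core-5g
spec:
  podSelector: {}          # empty selector selects every pod in the namespace
  policyTypes:
    - Ingress
    - Egress
---
# 2. Allow only AMF pods to reach the SMF, and only on its SBI port.
#    Any other pod (including another vendor's CNF in the same namespace)
#    stays blocked by the default-deny policy above.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-amf-to-smf-sbi
  namespace: core-5g
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: smf      # assumed label on SMF pods
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: amf   # assumed label on AMF pods
      ports:
        - protocol: TCP
          port: 8443                        # assumed SBI port
---
# 3. Egress is also denied by default, so the AMF needs a matching egress rule
#    toward the SMF, plus DNS to the cluster resolver. Nothing else is opened.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-amf-egress
  namespace: core-5g
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: amf
  policyTypes:
    - Egress
  egress:
    - to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: smf
      ports:
        - protocol: TCP
          port: 8443
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns               # assumed label on the DNS pods
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

Two practical notes. NetworkPolicy objects are only enforced if the cluster’s CNI plugin implements them; on a CNI that does not, the objects are accepted by the API server and silently do nothing, so verify enforcement (for example, apply the default-deny policy alone in a test namespace and confirm that an existing flow actually breaks) before relying on it. And because each allow rule names both a source and a destination, the same pattern extends naturally to the uniform, centrally managed policy the last list item describes: the policies live in version control with the CNF manifests, go through the same CI/CD pipeline, and every change to them is a tracked commit rather than an ad-hoc firewall edit.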
Stay Ahead of the Threat
For all the innovative things we can do with the next generation of service provider networks, 5G and beyond, it would be foolhardy to overlook the new security concerns that come with them. But while the threats are real, they don’t have to disrupt your customers (or even your weekend).
At VMware, we’ve long argued that security can’t be a bolt-on feature that gets added after the fact. Rather, sound security needs to be built into every aspect of how you design and operate your architecture. We’ve also long argued that virtualization makes this job easier—and it should be easier still with next-generation 5G networks. When you have a horizontal, end-to-end abstraction layer overlaying your infrastructure, it becomes much easier to both monitor your environment and to enforce policy in a uniform, holistic way. Data privacy, ingress-egress inspection, micro-segmentation—all these things are now just policies you define at the software layer. And they can now be applied in the same way, everywhere, across even the most complex heterogeneous multi-vendor architectures.
Want to learn more about the steps VMware is taking to secure operator environments for 5G and beyond? Download our Intrinsic Security for Telco Clouds overview. And, for an in-depth technical exploration of this topic, see the VMware white paper Intrinsic Security for Telco Clouds at the Dawn of 5G.