The only certainties about cybersecurity in the telecommunications industry are that new vulnerabilities will be discovered and that attacks targeting telco infrastructure will continue. The questions, however, are far reaching:
- How will communications service providers respond to these threats and attacks? How complex will their security solutions and operations be?
- And how agile will the security response within a communication services provider be?
The answers to these questions are likely to be determined, at least in part, by the architecture of each provider’s 5G stack. And there are really only two main choices for that architecture: either vertical or horizontal.
If you’re deploying a 5G architecture these days, those two choices play out like this:
- Either a combination of multiple vertical stacks from various vendors that are interconnected to build a 5G solution that’s, in effect, a vertical patchwork.
- Or a horizontal architecture on which applications from multiple vendors use a common platform.
Most providers want to use multiple vendors, which drives competition among vendors and reduces risk for CSPs.
Multiple Vendors Can Create Multiple Vertical Stacks
A multi-vendor strategy is, of course, a necessary course of action, but if your underlying architecture is a vertical stack, you eventually end up with at least two vertical stacks, one for each vendor. More likely, however, is that your CSP ends up with five or more separate, siloed stacks, and some of them may in fact be closed proprietary systems that give the CSP little to no visibility into the systems’ internal functioning.
All these vertical services are interconnected to provide a complete solution. But the CSP has little control over, and not much visibility into, the components of its vertical stacks — each will have a different internal architecture and set of components. Each vertical stack, for instance, might have a different virtual networking solution, which means micro-segmentation is implemented differently in each vertical stack.
Complexity Spirals Upward with Each Vertical Stack
For each vertical stack at a CSP, the number of technology choices made by the vendors balloons — the choice of VIM, the hypervisor’s configuration, the networking solution, the monitoring system, the orchestration and automation framework, and so on. For example, authentication for accessing each vertical stack might be different, creating a multitude of access solutions that will be difficult to maintain operationally in a predictable way. Thus, the technical complexity of the overall 5G solution can increase with the number of vertical stacks, especially when compared with a horizontal platform.
The radical increase in complexity that inherently accompanies a vertical architecture means that the complexity of the security solution also grows in the same fashion. And this complexity becomes difficult to manage. You will need multiple tools and multiple automation solutions. Each tool and solution will be unique to each stack, which in turn increases costs across the board and leads to skills issues across your organization’s teams.
How will you secure all these vertical stacks of solutions from different vendors? That’s nearly impossible to do, at least in a cost-effective, operationally viable way.
Overcoming Complexity by Going Horizontal
In contrast to a vertical architecture, a horizontal architecture shares a common platform using the same hypervisor and the same storage and networking solutions.
With this commonality, the same tools can be used for operational tasks like monitoring, alarm handling, fault handling, and troubleshooting. With a common platform and common operational tools, automation and orchestration also become easier.
And all this makes the whole stack substantially easier to secure. With a common platform that uses the same operational tools and the same automation tools, a common security solution and a holistic security posture become possible. The whole platform can then implement new security features through software at the same time. These new security features can be additions and improvements, such as requiring the use of a virtual trusted platform module (vTPM) across the entire platform.
When you have the commonality of a horizontal platform, it’s much easier to build a security solution around that architecture. Because the horizontal platform can already contain security measures that are built into the platform, it is far easier to secure.
Benefits of a Common Horizontal Platform
A common horizontal platform drives a number of benefits, beyond the fact that the architecture itself is simplified, less expensive, and easier to maintain. It simplifies operations and the operational work around the platform, improving both operational efficiency and security.
Without a common architecture, you might have to manage multiple solutions, which would heighten complexity. Here’s an example: If you had to administer at least one container networking interface (CNI) for each vertical stack, managing the different CNIs would spiral out of control. With a different CNI solution for each stack, the security products for the CNI and the patching work for them would multiply with each vertical stack, making the whole solution more expensive to buy, operate, and maintain.
In contrast, with a common horizontal platform, you can deploy everything using the same CNI solution. There’s only one stack to manage and only one solution for your CNI, which can be reused across the common architecture. And this same example generalizes to every security component, such as RBAC, data security at rest, data security in transit, API security, authentication and authorization, and so forth.
- Third-party security tools can usually work across the whole platform, such as a solution for multi-factor authentication or a certificate authority and its certificates. With a vertical solution, on the other hand, you don’t know at the outset whether a tool will work across all the vertical stacks.
- With a common platform, security operations become much simpler, and your security response is much faster and more agile. For instance, you can apply the same patch for a vulnerability to the whole platform, instead of having to patch the same vulnerability separately on each vertical stack with a different patch. In this way, commonality fosters DevSecOps.
Security and a Telco Reference Architecture
The VMware telco reference architecture is the most commonly deployed horizontal NFV solution in the telecom industry. The base components of the reference architecture are also deployed by financial institutions, governments, health care providers, and most of the Fortune 500 companies, all of which have security requirements just as high, and are just as security sensitive, as the telecom industry.
The large number of VMware customers has also created a third-party market for security products that can be used by CSPs within the telco reference architecture.
Telecom Security Shouldn’t Be an Afterthought
The security concerns of vertical solutions are almost never discussed by the vertical solution providers, so security might not factor into your discussions as much as it should, leaving it as an afterthought. But, in effect, security needs to be a primary consideration, a primary question to be asked early on in discussions with vendors and architects.
With the fantastic opportunity of 5G, there is a once-in-a-lifetime chance for CSPs to benefit from new use cases and drive new revenue. But, as they say, with great opportunity comes great responsibility — these new 5G use cases and services must be delivered in a secure way, for both the CSPs and their customers, from the beginning.
Previous Blog Posts and Papers on Telecom Security
This blog post is part of a continuing series of posts on security for telecom infrastructure and networks. Here’s a list of previous blog posts on security:
- Adapting to a Changing Landscape and Shifting Requirements with Built-in Security
- Evolution in Principle: Emerging Wireless Security Threats and the State of Cybersecurity
- To Take Full Advantage of 5G Investments, We Need to Think Differently about Network Security
- Stop, Think, then Do: Rethinking Security Architectures for 5G Networks
In addition, see our high-level solution overview titled Protect infrastructure with built-in measures and our technical white paper titled Intrinsic Security for Telco Clouds at the Dawn of 5G: An Integrated Approach to Helping CSPs Meet Emerging Security Standards.