Applying Zero Trust to 5G Changes Networking
The two burgeoning technologies may be made for each other.
The use of zero trust could prove to be a boon for 5G networks by providing vital security across networks made up of a variety of innovative devices and capabilities. Fully established zero trust could allow unprecedented network visibility and situational awareness while ensuring that potential attack points are closed to cyber marauders. Yet, implementing zero trust runs the risk of slowing down the network’s fast data flow if it is not applied properly.
With 5G, the number of devices connected will expand dramatically, but so will the attack surface. Many of the devices that will be attached to 5G networks will be nontraditional hardware, particularly those that are part of the Internet of Things (IoT). A security failure on one IoT device could threaten its entire network, so authentication mechanisms could become vital for 5G IoT devices.
“Given the number of devices, given the fact that we’re going to be so reliant on them for critical mission applications—not just voice and video—[zero trust is] really going to be critical,” declares Chris Christou, vice president and leader of 5G work at Booz Allen Hamilton.
“There are two ways of thinking about it,” Christou says. “The first one is, if I am building a 5G network … I should apply zero-trust principles in how I manage that infrastructure.” That would include the administrative functions involved, such as encrypting management and user data, as well as visibility and control automation and orchestration. “The second way is, if I am a user who might traverse 5G networks that I may or may not trust, how can I apply zero-trust principles over that with the right authentication mechanisms [and] the right data protection, since I am using infrastructure that is not trusted.”
Imran Umar, distinguished engineer and senior solutions architect with Booz Allen Hamilton, allows that the majority of the work his company has been seeing from its clients has been on traditional enterprise networks. These usually encompass legacy and new infrastructure, and owners must adopt and implement zero trust into this complex network. Even with this challenge, 5G is a game-changer, he states.
“It’s a new technology, and we have an opportunity to implement zero-trust principles such as conditional access, enterprise visibility, and automation and orchestration of the configuration of the administration network from the beginning—like a baked-in process,” he says.
“There are definitely complications for how you deploy zero trust on 5G networks,” Umar says. “You have to do it in a smart and effective way.
“Zero trust is a significant mindset change, where you’re making the assumption that the bad actor’s already in your network,” Umar states. “To overcome that, you start implementing things like conditional access, you’re doing proactive threat hunting, you’re continuously looking for the bad actor on your network.”
He adds that, just as cloud has become the new data center, 5G has the potential to become the new enterprise network. As that evolution happens, planners must develop a smart security strategy around it. 5G offers many options to customers, such as the ability to build their own core and private 5G network, so they must think through a zero-trust strategy in which they fully understand what is on their network. “They must make sure that each packet is inspected, make sure they have end-to-end encryption,” he says.
“This whole paradigm shift with 5G and zero trust kind of go hand in hand,” Umar states.
Christou offers that the biggest complication for implementing zero trust and 5G entails the new types of devices that will be connecting to the network. Another issue will be where data is hosted; currently, it can be in different locations closer to the edge. On a 5G network, it will need security along with access.
Umar notes that 5G will extend the network perimeter with data residing all the way down at the edge. And, 5G will enable a much greater amount of data. “Zero trust is all about enterprise visibility and control,” he explains. “As you get more data and devices adding on to your network, it becomes more complicated to monitor them.”
Device authentication to a wireless or cellular network differs from actual authentication to a primary network, Christou notes. Integrating other technologies into IoT devices also will be complicated, along with the visibility and analytics for them.
The 5G vendors must be certain they are implementing security features that define the standards. This applies to the encryption method being used for data in transit, how the system is authenticating and allowing privileged administration users to access the devices, Christou says. The security mechanisms must be implemented in the right way with support from the vendor community, he emphasizes.
Another challenge comes from whether 5G providers are implementing zero-trust measures in the right way. “It’s hard to certify whether they are implementing the right principles or not, but [they need to be] understanding whether they’ve applied those security standards to their network,” he says. “That’s why it’s so important to implement it as an overlay over those networks.”
This is especially important with the potential proliferation of private 5G networks, Umar adds. “To be able to apply those standards and security principles across the enterprise is going to be critical.”
He continues that the public ultimately may become a partner in zero-trust security by demanding it in 5G devices and systems. As 5G networks proliferate and new devices are introduced, the public will look more favorably at vendors adopting zero-trust capabilities. “As the public gets more and more familiar with the different types of security threats and starts using more 5G-enabled technology, organizations that implement a robust security architecture like zero trust are going to be looked at from a positive perspective,” Umar predicts.
To incorporate zero trust into 5G, one strategy is to make efficient use of data and analytics, Umar points out. This would involve intelligently applying a data strategy and an analytics strategy to provide the needed enterprise visibility across 5G. Achieving this could entail employing machine learning and artificial intelligence to correlate data across the network, he notes.
“There are definitely complications for how you deploy zero trust on 5G networks,” Umar says. “You have to do it in a smart and effective way.”
With 5G being a big enabler of IoT devices, new ones will emerge that will require zero trust. Planning for the appearance of these devices in terms of zero trust early on should be addressed, Umar continues. “Applying a data and analytics strategy on the edge will be key,” he offers. Traditionally, data would be collected into a central location for analysis and then “try to find a needle in a haystack,” but that model no longer works. “Given all the additional devices from IoT on your network, you need to be able to do analytics at the edge and to be able to provide real-time data for the analyst to make the necessary decisions as to whether an IoT device isn’t acting in a normal fashion.”
Network engineers could tailor their systems to take advantage of security. Capabilities such as network slicing, in which critical traffic would be routed through a network slice that has more security controls, might become part of general traffic, Umar says.
But with the advantages of zero trust comes one potentially large drawback. One of the big drivers of 5G is the speed of the network, and planners must be careful they do not sacrifice network performance by implementing all of the security measures required by zero trust, Umar points out. “You have to design your network in a smart way where you’re not compromising performance while still providing the necessary visibility.”
Currently, both the military and the commercial sector plan to exploit 5G capabilities as part of their future operations. Their needs are different, especially when it comes to security. Christou notes that the military is dictating 5G requirements and locating much of its networks on its own property, so its 5G is likely to be more secure and purpose-built for defense use cases. This applies both to performance and to hardening for security.
He mentions that discussions have taken place on the need for a 5G security architecture and requirements guide for Defense Department entities. This would help provide guidance for when these entities build their own private 5G networks.
On the commercial side, 5G will be aimed at the general public, so carriers will try to harden their infrastructure as well, he continues, although security best practices probably will not be as strict as in the military. Umar points out that use cases will be dramatically different, with commercial 5G networks having many more devices on the network with a greater amount of data and higher number of users in a more open architecture. On the other hand, the Defense Department will want a more secure network with full knowledge of which devices are connecting and whether they are patched and validated.
As 5G evolves, so will its security requirements. New types of devices will be part of 5G networks, and planners will need new ways of securing them. Both Umar and Christou agree that zero trust will grow with 5G as it advances. “The tools and techniques to implement zero-trust principles will continue to evolve over time,” Christou says. “5G could lead to new types of zero-trust technologies and products.”