The rise of 5G brings various security challenges to the network and the enterprise. Cloud technology was previously concentrated in large data centers. As we move toward the intelligent edge and 5G, that data center becomes distributed across tens of thousands of points around the country, essentially creating an attack vector. This brings security concerns for service providers operating such a network and, on the enterprise side, similar concerns for private 5G and for cases where 5G is used in a commercial enterprise.
Security at the Edge vs. Data Center Security
Data centers are hyper-secure environments because they are located in one building with rigorous security protocols, from security guards and building access to firewalls and secure interfaces. When data is moved to the edge, what was a single server is now spread across thousands of locations in small bunkers. For example, most people drive past telco bunkers that host telco infrastructure every day. Site security is much different because anyone could walk up to one of these small bunkers and break in. Thus, because of its highly distributed nature, security at the edge poses new challenges for cloud technology.
5G providers are responsible for securing the edge because the ability to attack the infrastructure also means that applications running on the edge of the network are vulnerable. The things that we’ve come to expect in our daily lives need to be driven by applications hosted at the edge. Therefore, they need to be secured.
Ensuring Security Conformance at the Edge
The 5G network comprises both fixed-hardware and software-defined vendors. The industry has taken a technology that used to be a bespoke metal appliance sold by a company like Ericsson or Nokia and disaggregated it into a virtualized stack: conventional off-the-shelf Intel servers run the virtualization infrastructure, and applications from the telco vendors provide the telecommunications functions. The result is an appliance disaggregated into layers of technology. This disaggregation, along with partnerships and standards for how security is established at integration points, helps to ensure security conformance.
O-RAN Brings New Security Specifications to the Industry
Because O-RAN breaks down software components and functional components into independent, smaller pieces with open interfaces between them, it’s easier to test and harden those individual components and then secure the interfaces between them. O-RAN therefore presents the opportunity for a higher-security solution. At the same time, disaggregation increases the RAN attack surface, as there are more opportunities for attack. The O-RAN Alliance Security Task Group (STG) works with O-RAN ALLIANCE Working Groups (WGs) to tackle security challenges on all O-RAN interfaces and components to ensure a secure solution.
Design Engineers Tackle Vulnerability Points
When design engineers build and deploy a highly disaggregated system, fully distributed across a wide geography, they must look at every layer of that solution and ensure it’s uniquely secure. They build from the lowest layers of the network solution up to the highest levels, so they must build the security layers in tandem.
For example, looking at the lower layers, you may have trusted platform modules and QuickAssist Technology on an Intel server for cryptographic key storage, and secure UEFI boot on servers. Next comes the virtualization layer, with Kubernetes and secure control plane connections with centralized infrastructure as code to prevent attacks at the edge. Finally, at the application layer, the design engineer needs to secure the application and the protocols it uses as it runs in that environment. So design engineers need to think about security as not a layered security problem and work every piece of that to closure, resulting in a complete secure solution without a weak link in the chain.
Trade-Offs in 5G Performance and Security
Typically, the more secure you make something, the less it performs. The key is to find the balance. We want to be pragmatic with security but also ensure that the solution protects against relevant attack vectors. For example, CVE compliance for a Linux operating system can flag certain attacks, some of which only come through a user interface, yet the system is deployed on private land. That’s not a relevant attack vector. So, companies need to be very aware of how their product will be used to make those appropriate trade-offs. Otherwise, you’ve taken an unnecessary performance penalty for implementing that security. Therefore, it is imperative to understand the scope of a security problem and design the solution appropriately to meet those requirements to ensure the best possible performance.
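The relevance decision described above can be made repeatable by comparing each finding's CVSS v3.x vector with a description of how the node is actually exposed. The following is an added example, not code from the original article: the AV and UI metrics are standard CVSS fields, while the Profile fields, function names, finding ids and the sample profile are assumptions constructed for illustration. Vectors that cannot be parsed are kept for manual review rather than dropped.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    """Assumed exposure of one edge node; field names are hypothetical."""
    network: bool       # reachable from outside networks
    adjacent: bool      # reachable from the same L2/radio segment
    local: bool         # untrusted parties can log in or run code locally
    physical: bool      # an attacker can physically reach the hardware
    interactive: bool   # a person operates a user interface on the node

def parse_vector(vector):
    """Parse a CVSS v3.x vector string into a {metric: value} dict."""
    head, *rest = vector.split("/")
    if not head.startswith("CVSS:3."):
        raise ValueError(f"not a CVSS v3.x vector: {vector!r}")
    metrics = dict(item.split(":", 1) for item in rest)
    if metrics.get("AV") not in {"N", "A", "L", "P"} or metrics.get("UI") not in {"N", "R"}:
        raise ValueError(f"missing or invalid AV/UI metric: {vector!r}")
    return metrics

def is_relevant(vector, profile):
    """Return (relevant, reason) for one finding on this deployment."""
    m = parse_vector(vector)
    exposed = {"N": profile.network, "A": profile.adjacent, "L": profile.local, "P": profile.physical}
    if not exposed[m["AV"]]:
        return False, f"attack vector AV:{m['AV']} is not exposed"
    if m["UI"] == "R" and not profile.interactive:
        return False, "needs user interaction, node has no interactive users"
    return True, "reachable on this deployment"

def triage(findings, profile):
    """Map finding id -> (relevant, reason); malformed vectors stay relevant."""
    result = {}
    for fid, vector in findings:
        try:
            result[fid] = is_relevant(vector, profile)
        except ValueError as exc:
            result[fid] = (True, f"needs manual review: {exc}")
    return result

# Constructed sample data: placeholder ids (not real CVEs) and an assumed
# profile for a headless node on private land that is reachable over the network.
FINDINGS = [
    ("CVE-PLACEHOLDER-1", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),
    ("CVE-PLACEHOLDER-2", "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"),
    ("CVE-PLACEHOLDER-3", "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),
    ("CVE-PLACEHOLDER-4", "AV:N/UI:N"),
]
HEADLESS_EDGE = Profile(network=True, adjacent=True, local=False, physical=False, interactive=False)
```

The outcome is only as accurate as the profile: setting physical=True for an unattended roadside site brings the AV:P finding back into scope.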
Conclusion: Looking to the Future
A single person can’t watch for all potential attacks, so automated software is needed. However, beyond automation, AI will become a necessary layer of security because of its learning capability to automatically recognize aberrant trends and events happening in places we may not have thought to look. Humans can’t effectively look at all of the data. Therefore, an AI system will be needed to watch over all of the KPIs for the running infrastructure and identify aberrant trends and their causal relationship to any other events that may be happening. Because of the massive scale, network components will be secured by artificial intelligence and machine learning as we go into the years ahead.