US federal agencies responsible for cybersecurity discuss the incidents in terms of “boom left” and “boom right”. “Boom” is the incident in the form of an attack or breach. The “boom” can vary greatly from known attacks to zero-day or new attacks. The “left of the arrow” is preparedness to defend against an incident and ensure processes are in place to respond and recover. This phase inherently focuses on known attacks and vulnerabilities. ‘Boom right’ is the response to the incident.

Solarwinds was a new attack discovered in December 2020 that combined multiple zero-day attacks allowing a malicious actor to exploit the software supply chain, gain access to resources, perform network reconnaissance and move laterally through the network to expand the reconnaissance mission. A significant output from Solarwinds was a comprehensive forensic press from U.S. federal agencies driven by the guidelines of Executive Order (EO) 14028, Improving the Nation’s Cybersecurity [1].

Solarwinds has focused on Zero Trust

Solarwinds has been an inflection point for cybersecurity, especially as services migrate to the cloud. Perimeter-based defenses add value to securing assets, but they are insufficient on their own. Security controls should be implemented assuming the adversary is already inside the network to detect and prevent lateral movement, reconnaissance, and data theft. This is important to consider for cloud-based 5G deployments, as 5G will be a general enterprise and societal digital platform that supports critical infrastructure, critical applications, public safety, smart manufacturing, the connected car, and other real-time, low-latency use cases. . 5G is the first cellular technology designed for the cloud where the expanded attack surface could create an opportunity for a cyberattack that has greater impact, while lowering risk tolerance.

The increased risk of cyberattacks has led to increased interest in Zero Trust Architecture (ZTA) for cloud-based 5G deployments. The principles of a Zero Trust Architecture (ZTA) for 5G cloud deployments are based on perimeterless security in which each asset implements security controls. In October 2021, the Cybersecurity and Infrastructure Security Agency (CISA) of the United States Department of Homeland Security (DHS) released its “Security Guide for 5G Cloud Infrastructures”. [2] based on the work of the Enduring Security Framework (ESF) 5G Cloud Task Force. This is the first publication from a government agency worldwide that provides guidance for a security posture that specifically connects 5G, Cloud and ZTA.

Elements of an ZTA for 5G Cloud Deployments

Secure 5G cloud deployments must implement the security features that are part of a zero-trust architecture, including:

• Continuous monitoring and logging
• Threat Detection and Response (TDR)
• Data encryption and integrity verification of data at rest, data in motion and data in use
• Micro-segmentation and isolation, including tenant isolation and container isolation
• Strong authentication using TLS 1.2 or 1.3 with PKI X.509 certificates on network interfaces and multi-factor authentication for users. [It is worth noting that CISA added single-factor password-based authentication to its List of Bad Practices in August 2021.]
• Supply chain security in which vendors and upstream vendors implement a secure software development lifecycle, DevSecOps, and continuous integration/continuous deployment (CI/CD)
• A chain of trust based on a hardware root of trust using HSM
• Additionally, perimeter security, which has successfully protected networks and should continue as a component of a ZTA

Figure 1. Security Features for a 5G Zero-Trust (ZTA) Cloud Architecture

CISA’s work is based on National Institute of Standards and Technology (NIST) Special Publication (SP) 800-207 Zero Trust Architecture [3], which defines a ZTA as having no implicit trust in an asset based on ownership, physical location, or network location. This is important for securing 5G, especially the Radio Access Network (RAN), where historically the thinking of mobile network operators has been, the RAN is mine, runs on my network, and resides on my property. As RAN functions virtualize and migrate to the cloud, such as Ericsson’s Cloud RAN [4] for example, each function must be an independently secured asset that does not rely on perimeter protection. 5G cloud deployments can reside in a third-party facility, such as with Multi-access Edge Compute (MEC), a 3^rd-the part can manage the infrastructure, and the software platform has components from other 3^rd-parts with potential vulnerabilities. This requires a zero-trust mindset for 5G cloud deployments. Fortunately, 3GPP has specified that 5G includes many security features that align with NIST’s 7 Principles for a ZTA.

New resource and recommendations from 5G Americas

5G Americas recently published its “Security for 5G” article. [5], providing recommendations for the security of 5G cloud deployments, including an analysis of the alignment of 3GPP security requirements with the NIST ZTA, which is summarized in the graphic below. Ericsson played a key role as co-lead author of the 5G Americas article, written in conjunction with 5G security experts representing other 5G Americas members, including US mobile network operators.

Figure 2. Alignment of 3GPP security features for 5G with the NIST 7 principles for a ZTA

The 5G Americas paper, the third in its series of security papers, makes the following four key recommendations for securing 5G networks:

• Build 5G networks with an ZTA complemented by perimeter security to provide protection against internal and external threats.
• Implement a 3GPP version 16 5G autonomous network to benefit from security enhancements that support a zero-trust architecture and follow CSRIC VII recommendations.
• Follow industry best practices for secure cloud deployments, including secure CNFs, orchestration, automation, APIs, and infrastructure. These best practices apply to private, public, and hybrid deployment models.
• Think of supply chain security as a component of 5G security. Use trusted vendors who follow industry best practices for secure development processes.

A 5G security posture must continually evolve to adapt to ever-changing threats and new security control tools and techniques. Security considerations must be taken into account when migrating from 5G to cloud-based deployments, due to the large attack surface of the cloud. 5G Americas provided key recommendations for secure 5G cloud deployments that align well with CISA’s guidance for 5G cloud deployments based on the principles of an ZTA. A secure 5G cloud deployment integrates ZTA with a secure supply chain, secure software development processes, strong authentication, strong data protection, continuous monitoring and logging, and industry best practices for cloud security . A strong ZTA-based security foundation will help ensure that 5G delivers on its promise to society.