By Randeep Raina, CTO, Nokia India
In today’s digital world, where the internet has become a part of life, growing digitalization and networking have also made incidents of cybercrime and data breaches more and more common. Cyber threats are constantly evolving, becoming more sophisticated and harder to detect.
India ranks among the most cyber-attacked countries in the world. According to the Ministry of Electronics and Information Technology, close to 7 lakh cyber-attacks were reported in the country in 2020 (till Aug).
Importance of digital trust and key attributes
CSPs are relying on 5G to generate new revenue streams by offering new and innovative services to end consumers, enterprises, and businesses. Their success depends partly on their ability to build ‘digital trust’ in the eyes of their customers by ensuring that their confidential enterprise or personal data is safe. Security needs will vary with the user and the type of service; for example, the security needs of a retailer will be different from those of an enterprise such as a financial organization. 5G will allow millions and millions of new IoT end points and devices to connect to the network. The lagging security protection of many IoT devices can offer opportunities for launching cyber-attacks through a much greater number of access points.
Adaptation, speed, integration and automation have emerged as the key attributes for 5G security. A flexible and adaptive 5G security solution will be needed to respond to sophisticated cyber-attacks. Integrated security solutions complemented by technologies like AI/ML, analytics and automation can quickly spot a threat and alert the security apparatus for swift and timely action.
Delivering end to end security
5G architecture is broadly made up of Distributed/Cloud RAN, Edge Core and Cloud Core. End-to-end security, from the mobile core to the edge of the network to end point devices, is vital to protect the network and associated services.
5G standards were developed on the principle of ‘Secure by Design’: more security features were included in the standards so as to offer an inherently higher level of protection at the network level to consumers and networks. 3GPP 5G standards can meet security needs to a great extent within the 5G network, but the situation can be different once the device or application connects to the internet.
Fig. 1: Each 5G network component has its own security requirement
5G relies on techniques such as mutual authentication, signed software delivery from a trusted source to ensure authenticity, certificates, keys and encryption to manage endpoint security.
Further, analysing traffic patterns to detect anomalies using artificial intelligence, firmware upgrades and traffic throttling also help to minimize the risks significantly.
Radio and transport security
A 5G base station can be securely bootstrapped by a CSP-run Public Key Infrastructure (PKI) for authentication, encryption and integrity, protecting traffic against manipulation and eavesdropping.
Internet Protocol Security (IPsec) is used to protect the communication between the RAN and core network.
Telco cloud security
Protecting and assuring the integrity of the virtualization layer and the overall cloud platform software requires robust, security-aware implementation of the VNFs, including physical separation where needed.
Further, virtual firewalls help to provide perimeter security and network internal traffic filtering, while security zones can be logically and/or physically separated. Selected traffic and stored data can also be protected by encryption.
5G core network security
Dividing the 5G Service Based Architecture (SBA) core into various network security zones enables traffic between zones to be controlled and monitored, and its data integrity to be enforced. The SBA of the 5G core includes mutual authentication between network functions using Transport Layer Security (TLS) with certificates.
Another key aspect is to provide security at the main entry and exit points, for example, N2 interfaces at AMF or N32 at SEPP.
Network slicing allows efficient provisioning of different levels of performance and security to users of different services/slices at scale. For example, an isolated network slice can be created to minimize the risk of confidential enterprise or personal data being leaked.
Each network slice spans the device, radio, access, transport and core, to the application servers in a data centre – security must be designed, provisioned, audited, managed and reported continuously end-to-end.
Security operations with SOAR and Nokia offering
Effective security operations are based on tools that meet the performance demands of virtual networks and support other requirements, such as elastic scaling. The key principles of Security Orchestration, Analytics and Response/Reporting (SOAR) include:
- Constantly measure security posture and risk levels
- Control and limit access to key operational systems and assets
- Detect threats earlier in the mitigation chain
- Respond rapidly to minimize the impact of cyber-attacks
Adaptive Security Operations from Nokia NetGuard is an enriched SOAR suite designed to help security operations teams to fully understand the business risks, improve their decision making and better control costs. Providing end-to-end security, the suite integrates audit compliance, privileged access, threat intelligence, network based malware detection, and certificate management.
Nokia’s integrated security offering covers the complete 5G solution, including radio, transport, core, telco cloud, IoT and devices, and network slicing. The entire cycle of security is covered – assessment, prevention, detection and response. Whether a CSP wants to keep security operations in-house or outsource that to a trusted partner, Nokia provides the services and solutions needed to build trust in the 5G era.
Nokia’s security offering is complemented by its unmatched track record in ethical behaviour: it was recognized as one of the World’s Most Ethical Companies in 2021, for the fourth consecutive year and the fifth time overall.