PRIVATE SECTOR PERSPECTIVE — Fifth-generation (5G) mobile technology will completely transform global telecommunications networks. Billions more devices, sensors, and systems will be connected worldwide. Downloads will be much faster, latency will be much lower, and the capacity to connect more devices to the network will skyrocket. For all its performance advantages, however, 5G will abruptly expand the nation’s cyber attack surface—a potential boon for U.S. adversaries. Recently published federal guidance could help cloud providers and mobile network operators manage emerging risks. The first step is embracing a leading cybersecurity mindset: It’s zero hour for zero trust.
Dr. Kristopher Hall is a Senior Lead Technologist at Booz Allen Hamilton where he leads 5G security efforts. He has more than 23 years of experience in software development, cyber security, and telecommunications with an emphasis in mobile networks.
Matthew Edwards is a Lead Technologist at Booz Allen Hamilton where he works on 5G security efforts as a vulnerability analyst, researching 5G protocols and security vulnerabilities. He has more than 11 years of experience in data analysis, scripting, cyber security, and telecommunications systems.
The zero trust model relentlessly questions the premise that users, devices, and network components deserve to be trusted just because they’re in the network. Zero trust has three core principles: assume a breach; never trust, always verify; and allow only least-privileged access based on contextual factors. This mindset is mandated for the federal government in Executive Order 14028. What’s more, it’s woven throughout the new 5G cloud cybersecurity guidance from the Cybersecurity and Infrastructure Security Agency and the National Security Agency.
The CISA/NSA guidance gives practical advice to service providers and system integrators that build and configure 5G cloud infrastructures. For instance, the four-part series covers preventing and detecting lateral movement—detecting threats in 5G clouds and preventing adversaries from using the compromise of one cloud resource to compromise an entire network. It also covers securely isolating network resources, including securing the container stack that supports the running of virtual network functions (VNFs).
Moreover, organizations looking to bring a zero trust mindset into 5G cloud endpoints and growing multi-cloud environments should leverage insights and existing tools. One example is a new report, published by our company, Booz Allen, Building Mission-Driven 5G Security with Zero Trust, which explains the pillars of zero trust—and how to use them, with governance, to understand the strengths and gaps in current capabilities, and to design actionable plans for improved security. Both the CISA/NSA guidance and the report are informed in part by the federal government’s published assessment of 5G threat vectors.
Embracing zero trust for 5G is a continuous process. Here are four complementary steps that organizations can employ on an ongoing basis to realize zero trust for 5G:
- Diagnose: It starts with taking stock of your current capabilities, evaluating their maturity and effectiveness relative to the threats you face, and identifying critical gaps.
- Design: Armed with a threat-centric understanding of where you are, set a target for where you need to be to reduce risk and use that target to align your zero trust strategy and roadmap.
- Develop: Support strategies with a zero trust architecture and technical designs and use vendor assessments to identify the right solutions for your needs.
- Deploy: Operationalize your design by configuring and integrating solutions that close critical gaps across the pillars of zero trust.
In addition, operators of 5G ecosystems need holistic security that includes zero trust architecture, 5G development, security and operations (DevSecOps), and a 5G workforce, as well as vulnerability research and embedded security.
To be sure, no single document provides a total solution for zero trust in 5G. Even the CISA/NSA guidance notes it does not provide a complete template—but it also stresses the best practices therein can enable significant progress.
With a zero trust mindset, the national security community—and the private sector—can protect highly connected devices and methods of network access. We can prepare today to secure emerging 5G-enabled capabilities. It’s time for organizations to take stock of their challenges and risks and set a path toward zero trust for 5G.
Join the new cyber ecosystem of experts across disciplines as we help bring a better understanding of cyber and technology to national security and business security. Subscribe to The Cyber Initiatives Group (CIG), today. Booz Allen is a Knowledge Partner and sponsor of the CIG.