Cellular, IoT and enterprise security converge on private 5G networks, where the stakes are higher and the threats are bigger
Frank Satterwhite, founder and principal of cybersecurity firm 1600 Cyber, sees private 5G as the convergence point for technologies that have evolved separately over time.
“Cell, IoT, and enterprise security were almost in entirely separate buckets,” he said. “Today there’s a convergence at 5G. This presents more problems – more attack surfaces,” he explained.
“5G is a critical component of this transformation,” he said. But the number of devices deployed daily keeps growing as billions worldwide come online, making the work of protecting enterprises from potential threats almost staggering in scope.
For Nancy Wang, general manager of data protection and governance for Amazon Web Services, it’s about having actionable security intelligence to understand how to respond when presented with attacks. Wang believes a foundational approach is essential for businesses to protect themselves as they deploy private 5G.
From the perspective of Dave Mor, CEO at private cellular security firm OneLayer, it’s more straightforward.
“Private 5G is just another enterprise network that you own,” he said. It comes with the same attendant benefits, challenges, and responsibilities as any other corporate network, and a few unique ones that demand mindfulness from his clients.
The three security experts recently traded observations and general recommendations for best practices during Arden Media’s Private Networks Global Forum.
A foundational approach
“When we think about securing customers’ data as they’re being processed or generated at the edge, we know IoT devices are subject to a lot of attacks. If we are serious about evangelizing 5G and fast connectivity and all the goodness that comes from being super-connected, we also need to think about our protection strategy about setting safety perimeters and guardrails of how data is processed, accessed, and secured at the edge,” said Wang.
As a public hyperscaler, Amazon Web Services’ clientele includes Fortune 500 companies and other businesses that operate in tightly regulated environments. So device and data security is more than a bolt-on, said Wang; it’s the start of the conversation. This starts with a foundational approach to network security using tools like SSL and basic encryption as building blocks.
“The first step to having a holistic security approach is around asset visibility,” said Wang. The problem with onboarding 5G at scale is the magnitude of those devices, she added.
“With this proliferation of many devices joining your network and using all these devices using different 5G bands, what used to work will no longer work. You need a more platform-aligned approach around device security for 5G.”
Wang said it’s important for organizations to implement a policy engine with the framework to understand what’s operating in the environment.
“What do you want to do with your data, and how do you want to secure it,” she asked. “Which actors can do what to what data, and what actions are you going to allow and deny?
“That becomes a foundation of your security playbook,” she said.
“Data is no longer traveling as far, it’s being processed at the edge,” said Satterwhite. This requires a more targeted and tactical approach to security to make sure data stays safe. Securing the perimeter and managing this data presents a new set of problems and opportunities, he added.
There are security threads to tie together when devices operate on both IT and cellular networks, said Mor.
“First, the architecture is different. The devices communicate with the cellular core in a much more centric approach. Secondly, the identifiers of the device are different,” he said.
An enterprise network will use Internet Protocol (IP) and Media Access Control (MAC) addresses to identify individual devices, while cellular networks rely on International Mobile Subscriber Identity (IMSI) identifiers, he noted. These differences need to be addressed for devices and data to stay visible and secure.
Mor notes that enterprise security deployment and needs may vary depending on the endpoint connection. Sophisticated devices, such as computers used by home workers connecting remotely to enterprise networks, are capable of more autonomy.
“But in most of the critical networks, the IoT devices are less sophisticated,” he explained. That drives a need for network-driven security that doesn’t depend on on-device functionality.
Wang and Mor both agree that at a basic level, enterprise security must provide effective device and service visibility, and context-based segmentation in order to offer protection.
“You need to identify the device, wherever it is connected. And once you have that, you can build all the security solutions on top of that,” said Mor.
Context is everything
Securing IoT data in a 5G pipeline requires a more holistic understanding than a simple gated approach to authentication, said Mor. Context-driven security using network automation tools like Zero Trust Network Access provides a solution.
“We are not protecting IoT devices with cellular protocols. We are protecting IoT devices with security tools. And that’s in my perspective the main gap that we are seeing in the private cellular domain,” said Mor.
“It’s harder to identify the devices with this shift in the architecture, and if you can’t identify the devices, that affects your ability to authenticate and then understand what context they need to connect,” agreed Satterwhite.
Zero Trust Networking requires more than simple authentication. The entire approach to security is predicated on a contextual understanding of how the device operates and what its user needs, exposing only that functionality for that instance. This helps to reduce potential threat surfaces.
“If you are talking about a zero trust approach, the authentication is only the first layer. Then you need to authorize, you need to understand the context of the device, its destination and behavior,” said Mor.
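The identifier gap and the layered zero-trust check described above can be sketched as follows. This is an added example, not code from the panelists or their companies; the inventory, the IP-to-IMSI session table, the roles, addresses and thresholds are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    imsi: str            # cellular identity, the key the core knows
    role: str            # business context, e.g. "plc" or "camera"
    authenticated: bool  # outcome of the network attach

# Constructed sample data (test PLMN 001/01): asset inventory keyed by IMSI.
INVENTORY = {
    "001010000000001": Device("001010000000001", "plc", True),
    "001010000000002": Device("001010000000002", "camera", True),
    "001010000000003": Device("001010000000003", "plc", False),
}
# Hypothetical export from the cellular core: which IMSI holds which IP now.
# This is what lets IP-based enterprise tooling see a cellular device.
SESSIONS = {
    "10.45.0.2": "001010000000001",
    "10.45.0.3": "001010000000002",
    "10.45.0.4": "001010000000003",
}
# Per-role context: permitted destinations and a simple behavior baseline.
POLICY = {
    "plc": {"allowed": {("10.10.1.5", 502)}, "max_flows_per_min": 60},
    "camera": {"allowed": {("10.10.2.9", 554)}, "max_flows_per_min": 10},
}

def decide(src_ip, dst_ip, dst_port, flows_last_min):
    """Return (decision, reason) for one flow; anything unmatched is denied."""
    imsi = SESSIONS.get(src_ip)
    if imsi is None:
        return ("deny", "no IMSI bound to source IP")
    device = INVENTORY.get(imsi)
    if device is None:
        return ("deny", "IMSI not in asset inventory")
    if not device.authenticated:          # layer 1: authentication
        return ("deny", "device not authenticated")
    rule = POLICY.get(device.role)        # layer 2: authorization by context
    if rule is None:
        return ("deny", "no policy for role")
    if (dst_ip, dst_port) not in rule["allowed"]:
        return ("deny", "destination not permitted for role")
    if flows_last_min > rule["max_flows_per_min"]:   # layer 3: behavior
        return ("deny", "behavior outside baseline")
    return ("allow", f"{device.role} {imsi}")

if __name__ == "__main__":
    print(decide("10.45.0.2", "10.10.1.5", 502, 5))   # PLC to its controller
    print(decide("10.45.0.3", "10.10.1.5", 502, 1))   # camera reaching a PLC port
```

Because the decision is made in the network from the IMSI binding, it does not depend on any agent running on the IoT device itself.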
Setting up a zero-trust perimeter around mission-critical workloads is important, Wang said, but so is understanding what is mission-critical and where it is. “Where are your dev secrets, and where are your crown jewels,” she asked.
That context changes between public and private networks, the experts agree. Regardless of the medium, device visibility and a contextual understanding are essential. Device visibility must remain consistent.
Public networks also affect threat exposure, Mor noted. It’s a lot of work to go after devices on public networks, usually with limited gain. The cost-value proposition for bad actors changes dramatically if they’re able to penetrate a private network – it can be the difference between a highly automated production line dependent on a 5G workflow either running at capacity, or not at all.
For Wang, it’s about a “defense in depth” approach: Adding multiple layers of security controls to create a more secure operating environment. Constant monitoring, zero trust perimeters – at the end of the day, it’s all about reducing potential threat exposure to the barest possible minimum while preserving the speed, latency, and reliability needed to work at the speed of enterprise.
Wang notes the increasing interplay between regulatory agencies and enterprises as an important consideration. As an example, she mentioned a client in Mexico who, due to local regulations, must duplicate any data maintained in a public cloud in a private cloud kept entirely offline.
“We’re seeing more of these business continuity controls that are coming out from regulatory bodies that are shaping how businesses see the security of their data,” she said.