We are pleased to welcome guest blogger Patrick Donegan, Principal Analyst with cyber security analyst firm, HardenStance.
Earlier this year, Palo Alto Networks commissioned HardenStance to undertake research into the market in vertical industry use cases of 5G, as well as supporting security requirements and emerging security business models.
A key take-away is the importance of network visibility across many agriculture, transport, automotive, energy, health and factory automation use cases, leveraging private 5G networks as well as telco-delivered 5G ‘slices.’
As the pioneer in application layer firewalling, providing network visibility has always been central to Palo Alto Networks’ core value proposition so naturally they were pleased with this high level finding. What was striking about the conclusions, though, is just how much further the definitions and requirements of network visibility will need to be extended to secure 5G deployments effectively.
As they invest in dedicated 5G use cases, organizations need as much visibility as possible into what is an increasingly complex environment. At the same time they also need to ensure that attackers have as little visibility as possible. It’s useful to frame these requirements as the ‘Four Ps’ of 5G network visibility – visibility into Packets, Permissions, Perimeters and Partners.
#1 ‘P’ for Packets
Visibility into packets is the most familiar. Telcos don’t need to inspect every single packet traversing their network at L4-L7. But the proliferation of connected devices in the 5G era, the growing volume and sophistication of cyber threats, and the increasingly open, dynamic and distributed nature of the 5G network, gives telcos new incentives to invest in application layer security with 5G.
Depending on the level of risk associated with the sector of industry, the specific use case, and the value of the data generated, many enterprises should also be motivated to invest in L4-L7 visibility themselves. They can deploy and manage that independently. Or they can buy it in as a premium service from a telco or other managed provider to protect against highly targeted, heavily obfuscated, application layer attacks including zero day attacks.
#2 ‘P’ for Permissions
Permissions are a critical new front in the battle to give cyber security practitioners more visibility. In the case of 5G network slices, simple authentication and authorization will be multi-layered and will vary by use case. Primary authentication will necessarily be done by the telco. An EAP TLS-based network-specific slice authentication will necessarily be done by the enterprise itself. An authentication or authorization onto an external data network could be done by either party.
As shown with the momentum behind applying Zero Trust principles in cyber security, best practice no longer allows individuals, devices or applications to have open, binary, permissions to access whole suites of corporate applications or data assets indefinitely. Rather, Zero Trust mandates that permission to access resources must be accorded on a far more granular basis and must be subject to continuous authentication and authorization. Critically, permissions must also adapt dynamically to changes in context because without context, visibility is obscured.
Zero Trust is certainly at a nascent stage in terms of real-world implementations. Most organizations have yet to apply first Zero Trust principles anywhere yet – and when they do it should typically be with specific projects rather than as any kind of organization-wide IT ‘master-plan.’
There’s no generally-applicable reason why an enterprise should wait to try out Zero Trust principles elsewhere in their organization before implementing them in a 5G deployment. By virtue of 5G use cases being greenfield deployments, there may even be advantages in doing so.
#3 ‘P’ for Perimeters
By now it’s a cliché that the traditional security perimeter is no longer effective. The new perimeter or the new far edge of the network can be an IoT ‘thing’ now because compromising it can serve as an initial point of entry for attackers into an organization’s network.
The Coronavirus pandemic has triggered a rapid shift to home working, creating tens of millions of other highly distributed edges, perimeters or “enterprise branch offices of one”. Distributed enterprise use cases of 5G that leverage Multi Access Edge Computing (MEC) are just one more component in the accelerating move of networking and security to the edge. This is widely referred to now as the Secure Access Services Edge (SASE) market space.
In the 5G context, it becomes increasingly important for telcos and enterprises to have visibility into these perimeters as the basis for immediate threat detection and mitigation. Depending on the exact mix of inbound and outbound traffic, this kind of context-aware security policy enforcement at the 5G edge can reduce the risk of allowing malicious traffic to traverse the network.
#4 ‘P’ for Partners
Supply chain vulnerabilities are top of mind at the start of 2021, following the Solar Winds hack at the end of last year. When it comes to visibility into the domains of supply chain partners, a careful balance has to be struck between plenty of visibility to harden one party’s security and too much visibility that poses a risk to an ecosystem partner. This applies in the relationships between multiple stakeholders in 5G deployments including telcos, enterprise customers, vendors and public cloud providers.
In the case of the relationship between a supplying telco and an enterprise customer using network slices, the default position of many enterprise CISOs will be to want as much visibility as possible into their network slice. They will want visibility into the telemetry and logs from their slice. Some would ideally like those telecom feeds normalized in some way so that they can be ingested and integrated into their enterprise SOC environment to give end to end visibility across on-premises, public cloud and 5G cloud domains.
Investing in a dedicated private telco slice will allow for greater visibility into a network slice than in a shared public slice use case where the slice is shared with other businesses. For example, it may be possible for an enterprise to negotiate deploying a sensor in their own private slice for visibility, whereas that’s very much less likely to be viable with a shared public slice.
If telcos want to aggressively grow the network slicing business, they are going to have to take customer requirements into account when defining the level of visibility into the network slice that they allow. Moreover, they’re going to need to do that systematically as part of a standard commercial offer – not just for their largest, most important, customers.
Clearly telcos have to ensure strong protection against giving customers visibility into things they have no need to see. But grey areas are going to emerge that will require deft commercial negotiations between telcos and enterprises. To give one example, allowing some form of snapshot-in-time view of events within the slice rather than real-time visibility could provide a basis for compromise for enterprise customer requirements such as for their supply chain auditing.