Security Challenges Facing the Shift to 5G

We are at the threshold of remarkable growth and opportunity in the mobile space. 5G is becoming commercially available, and due to pent-up demand there is strong momentum in the global 5G market. Given the promise of incredibly fast speeds, huge payloads, and highly reliable services supporting more devices than ever, it’s no surprise that service providers are investing heavily in 5G. And the growth of these interconnected devices is being accelerated with the advent of new services for enhanced mobile broadband, multiaccess edge computing, IoT, and smart solutions.

Indeed, the number of cellular IoT connections is expected to increase at an annual growth rate of 27 percent, reaching 4.1 billion in 2024. These cellular IoT connections and fixed wireless access (FWA) subscriptions support new use cases, meaning they will come on top of growing mobile subscriptions. New IoT services will also address diverse and evolving requirements across a wide range of use cases in different verticals, including utilities, smart cities, transportation, logistics, agriculture, manufacturing, and wearables.

To support this evolution, massive IoT cellular technologies such as NB-IoT (Narrowband IoT) and Cat-M1 (LPWAN (low-power wide area network) cellular technology built specifically for IoT) are taking off and driving growth in the number of cellular IoT connections worldwide. And as the IoT application market begins to widen, even more advanced use cases requiring enhanced network capabilities are beginning to emerge.

These new use cases—and the need to support a magnitude increase in bandwidth and ultralow latencies— are driving the evolution of traditional hierarchical service provider architectures to a flatter, cloud-based architecture where services can be offered from the edge of the mobile core network.

A shift in the core architecture

Traditionally, the core of the mobile network was run from a handful of datacenters. All mobile traffic was hauled into the core before providing access to service provider-delivered application services—such as end-user account applications and walled garden applications—or sent over the internet to third-party cloud networks or services. These networks were designed to handle hundreds of millions of connections and deliver megabit connection speeds.

However, in order to meet the challenges of billions of connected devices, gigabit connection speeds, and ultralow latencies—while delivering rich context around data transiting the mobile network—service providers must now rapidly increase network capacity and deployment agility. Adding to these challenges is the requirement for additional compute—all while avoiding raising costs and/or lowering the reliability and availability of the infrastructure and services.

Cloud service providers have already demonstrated that it is possible to quickly and reliably deliver services at massive scale and capacity to both enterprise customers and consumers. Mobile service providers are adopting a similar approach, but with a twist. They plan to deliver services from thousands of edge clouds rather than from a few mega-capacity central clouds. And to support agility in service delivery, there is also a heavy focus on the programmability of the network to make dynamic changes—add/delete/update—anytime and anywhere.

The adoption of virtual and cloud-native technologies to support these initiatives means opening the service provider stack to open-source technologies. At the same time, new service use cases require support for extensive web-based application delivery frameworks, with a heavy emphasis on APIs to connect different service layers together. These new architectural changes and open technologies open up a Pandora’s box of security issues that service providers have never had to consider or deal with before, at least not at the scale and complexity that this new transformation demands.

Key security use cases

A properly engineered service provider mobile core needs to consider the need for specific security controls early in its lifecycle. These early considerations are driven by security principles and policies established by the service providers, as well as by industry best practices, regulations and laws imposed by oversight and governing bodies. They are also the result of the need to tightly integrate security and systems together for issues like dynamic adaptability and scale, which are far more difficult to achieve when deploying security as an overlay later in the lifecycle. These drivers, together with the assessed risks to the business and its assets, give rise to security controls needed to identify and manage a wide range of risks and threats.

Today, with the movement to virtual infrastructures and cloud-based architectures that rely on open technologies, there is a significant need for security capabilities that go well beyond the traditional safeguards provided by stateful firewalls. The attack surface of this emerging infrastructure extends far beyond physical assets, backhaul and fronthaul, signaling, roaming, charging, and internet interfaces. Service providers also need to secure the virtual infrastructure and cloud platforms. And with new strategies such as network slicing, service providers have to be able to accommodate the complete end-to-end isolation of slices, in addition to the agile and dynamic allocation of end-to-end resources to multiple tenants running different services with varied requirements.

Another new concept arising from 5G transformation is edge clouds designed to deliver high bandwidth and low latency applications. These edge clouds will also need to support multiple tenants and specialized IoT applications that don’t run in the central cloud. However, from a security perspective, their policies and enforcement will need to be consistent with those in the core. This will require centralized orchestration combined with autonomous edge security to ensure both consistency and time to respond.

The most important consideration of the 5G threat landscape is that it includes far more than the volumetric DDoS attacks and signaling protocol-specific hacks of the past. It also includes advanced persistent threats, lateral propagation, web application layer vulnerabilities, API security, and more. As a result, service providers need to ensure that the diverse set of security requirements imposed by this new architecture—along with the related use cases and services supported by their core networks—can be adequately addressed by their security solutions. And they need to be part of a single security framework rather than a separate, isolated set of solutions that can cause additional overhead as well as issues related to configuration and orchestration. Ensuring that these solutions are fully integrated and automated ensures consistent and effective security to protect infrastructure assets and revenue generating services.

What’s Next?

5G presents service providers with tremendous opportunities for new business growth in the area enterprise services. However, these new services will require the adoption of virtual and cloud-based technologies that will open up an entirely new set of challenges and risks to the infrastructure and services.

To succeed in the highly competitive 5G market, Service Providers will have to adopt a rapid architectural shift to open, virtual, and cloud infrastructure. Securing such a hybrid ecosystem calls for broad, integrated, and automated capabilities only found in a security fabric approach.

Learn more about securing 4G, 5G and Beyond with Fortinet.