Shared responsibility model key to solving 5G security problem
By Alex Scroxton
Organisations are increasingly alert to the need to adjust their overall cyber security posture as 5G mobile networks move from the trial stage to an operational reality over the next 18 months or so, but communications service providers (CSPs) can do more from their perspective, and ultimately, the optimal route forward will likely be to adopt a model of shared responsibility for 5G security.
This is according to a report produced by AT&T Cybersecurity – previously known as Alienvault – which was conducted alongside analysts from 451 Research and studied attitudes to 5G security among more than 700 chief information security officers (CISOs) – all in organisations with more than 500 employees – in Australia, India, North America and the UK.
Although 5G boasts a number of features designed to improve overall cyber security – such as support for stronger over-the-air encryption, subscriber identity protection and reduced risk of eavesdropping, it also brings with it a multitude of new risks.
Respondents to the survey said their top concern related to the potential for larger attack surfaces due to the massive increase in connectivity that goes along with 5G – cited by 44%. Other key concerns were the potential for more devices to access the network (39%), the extension of security policy to the internet of things (IoT) (36%), and authentication of such devices (33%).
Other worries included that perimeter security defences might be insufficient, that 5G might introduce as-yet unknown vulnerabilities, that automated changes might be made to the network, that the more ephemeral nature of workloads in a 5G environment might introduce vulnerabilities, and that the physical location of these workloads might be uncertain.
Expanding on the report’s findings in a blog posting, AT&T Cybersecurity head of evangelism and communications, Theresa Lanowitz, said she believed 5G would ultimately encourage a shared responsibility security model akin to the public cloud.
“The beauty of this is it shifts some security functions to the 5G service provider, freeing up enterprises from some concerns. The anticipated shared security model of 5G does require security pros to think differently, which will take time. However, the shifting of some security functions to the 5G service provider may provide great benefits for enterprises,” said Lanowitz.
“With the large number of devices associated with 5G, authentication and identity need to be considered in the scope of security, similar to the public cloud. The 5G service provider can help confirm device identity as well, because the network will know a device’s physical location. In a way, the 5G service provider uses the network itself as a security tool,” she added.
Lanowitz said that while introducing 5G networking affected many different technical areas, it was also an ideal opportunity to enhance and modernise approaches to security. For example, software-defined networking (SDN) and network functions virtualisation (NFV) technology will help organisations prepare for the sheer scale of 5G, but in parallel, there is no reason why security cannot also be virtualised and automated to some degree.
“5G has the potential to bring significantly more devices onto the network, expanding the attack surfaces and increasing the possibility of new threats,” said Lanowitz.
“Security organisations relying on manual security approaches likely will have a hard time keeping up. Security that is dynamic and automated will be able to quickly and effectively address the new security threats of 5G networks, and virtualisation can help provide flexibility to respond to unknown future threats.”