Chris Christou is a leader in Booz Allen’s secure cloud and information technology (IT) infrastructure business. He applies expertise to lead Booz Allen’s service offerings related to cloud solutions and security, 5G cellular networks, and IT infrastructure. Chris has more than 20 years of experience designing, testing, and deploying cloud environments, networks, and IT systems for commercial, civilian, and defense clients. Since joining Booz Allen in 2002, he has led projects related to the deployment of secure cloud environments, the design of software-defined networks (SDN), and the integration of unified communications systems.
Joseph Bull is a leader in Booz Allen’s cyber security business. He applies expertise to lead Booz Allen’s service offerings related to cyber security and 5G mobile networks. Joe has 20 years of experience designing, testing, and securing networks and IT systems for commercial, civilian, and defense clients. Since joining Booz Allen as an intern in 2002, he has supported and led projects related to the deployment of SATCOM, software-defined networks (SDN), mobile network and handset security, and endpoint security.
5G Security: Seeing Through the Clouds
February 21, 2022 | Chris Christou and Joseph Bull
U.S. government organizations racing to adopt 5G mobile technology must overcome significant security blind spots. Although most government and enterprise organizations know security is critical when migrating workloads to the cloud, the intersection of cloud security and 5G security is still unfamiliar territory. Gaining greater perspective can help organizations apply leading practices to safeguard systems by design.
Recent research commissioned by Booz Allen sheds light on the learning curve that many organizations face. The survey encompassed 175 individuals involved in the development, analysis, and review of U.S. cybersecurity practices and policies. Respondents included mostly federal and military personnel, as well as stakeholders in think tanks, non-governmental organizations, lobbying roles, and the legislative branch.
While many respondents (82%) ranked cloud security among the most important aspects of cybersecurity, fewer (60%) said the same for 5G security. The White House has stressed the stakes for securing 5G networks “could not be higher.” The survey findings suggest that information technology specialists, program and project managers, administration and operations personnel, and others with cyber-related roles are still absorbing this message.
The irony is 5G networks are intended to be cloud native: Organizations need to apply cloud security leading practices to 5G infrastructure itself, in addition to securing the network and applications by design. What’s more, the cloudification of mobile networks is greatly expanding the attack surface to include data centers and open-source software. It’s getting easier for less sophisticated threat actors to target mobile networks. Threat vectors related to 5G cloud infrastructure include software/configuration, network security, network slicing, and software-defined networking.
Most survey respondents (62%) said they had limited knowledge of 5G security. And respondents were roughly split on whether they had limited or substantial knowledge of zero trust—a leading security mindset that is ideal for 5G. Embracing zero trust is about stepping up and owning the risk that threats can emerge inside, not just outside, traditional network boundaries—and it’s about proactively countering these risks. This shift in mindset is needed even as efforts to build, deploy, and use 5G technology are still taking shape.
The Department of Defense, for example, is working to deploy private 5G solutions for a wide range of use cases. And as one of DOD’s partners, Booz Allen is at the forefront working with DOD to build the 5G infrastructure and conducting the prototyping based on specific 5G-enabled use cases. But this large-scale push to build and manage such infrastructure and define use cases—almost like a mobile carrier would—is new territory for the department. And many organizations are still assessing how they will use 5G, let alone how they will secure it.
While there is no “easy button” for 5G cloud infrastructure security, organization leaders can look to guidance from the Cybersecurity and Infrastructure Security Agency and the National Security Agency. This guidance shows how to bring a zero trust mindset into 5G cloud endpoints and growing multi-cloud environments: It covers preventing and detecting lateral movement, securely isolating network resources, data protection, and ensuring the integrity of cloud infrastructure.
In addition, here are five steps to guide organizations interested in developing private 5G networks:
Build a secure foundation: Start protecting 5G infrastructure, software, and all network elements by developing a zero trust architecture that is fit for purpose—and by embracing key principles for software supply chain security (given 5G is software centric). In addition, agencies should invest in talent with the technical expertise needed to accomplish this work.
Issue further guidance as needed: Seek out governing documents (such as those listed above) for guidance on how to securely design a 5G cloud-based infrastructure. As 5G is deployed, seek out other emergent guidance/requirements. For example, a document like the Cloud Computing Security Requirements Guide, which has been used extensively over the last several years to drive DOD cloud impact level requirements, may need to be extended to account for edge cloud scenarios. Further, officials may need to release new security technical implementation guides specific to 5G cloud and infrastructure components.
Put cloud security into action: Ensure that standards and guidance are translated into more granular requirements and implemented in security controls. While organizations should ensure they implement required controls, they should also evaluate the applicability of controls listed as “optional” since these may be needed to better harden the infrastructure and mitigate vulnerabilities.
Invest in advanced cyber defenses: Implement continuous monitoring and sophisticated analytics to detect and counter advanced threats—including determined nation-state actors pursuing strategic objectives. Many monitoring solutions are geared more toward network performance and optimization, and fault isolation. Nevertheless, the monitoring solution must also provide the security analytics needed to stop and/or mitigate sophisticated attacks.
Stress test systems before adversaries do: Subject 5G systems to realistic penetration testing involving advanced adversary tradecraft. Stay ahead of threats by using red teams to proactively uncover previously unknown vulnerabilities.
The next few years will see more and more deployments of 5G-based cloud infrastructure and devices. As these projects progress, leaders should use these five steps, together with zero trust and security-by-design principles, to safeguard these leading-edge systems.