By Chris Christou and Joseph Bull, Booz Allen Hamilton
SPONSORED – U.S. government organizations racing to adopt 5G mobile technology must overcome significant security blind spots. Although most government and enterprise organizations know security is critical when migrating workloads to the cloud, the intersection of cloud security and 5G security is still unfamiliar territory. Gaining greater perspective can help organizations apply leading practices to safeguard systems by design.
Recent research commissioned by Booz Allen sheds light on the learning curve that many organizations face. The survey encompassed 175 individuals involved in the development, analysis, and review of U.S. cybersecurity practices and policies. Respondents included mostly federal and military personnel, as well as stakeholders in think tanks, non-governmental organizations, lobbying roles, and the legislative branch.
While many respondents (82%) ranked cloud security among the most important aspects of cybersecurity, fewer (60%) said the same for 5G security. The White House has stressed the stakes for securing 5G networks “could not be higher.” The survey findings suggest that information technology specialists, program and project managers, administration and operations personnel, and others with cyber-related roles are still absorbing this message.
The irony is 5G networks are intended to be cloud native: Organizations need to apply cloud security leading practices to 5G infrastructure itself, in addition to securing the network and applications by design. What’s more, the cloudification of mobile networks is greatly expanding the attack surface to include data centers and open-source software. It’s getting easier for less sophisticated threat actors to target mobile networks. Threat vectors related to 5G cloud infrastructure include software/configuration, network security, network slicing, and software-defined networking.
Most survey respondents (62%) said they had limited knowledge of 5G security. And respondents were roughly split on whether they had limited or substantial knowledge of zero trust—a leading security mindset that is ideal for 5G. Embracing zero trust is about stepping up and owning the risk that threats can emerge inside, not just outside, traditional network boundaries—and it’s about proactively countering these risks. This shift in mindset is needed even as efforts to build, deploy, and use 5G technology are still taking shape.
The Department of Defense, for example, is working to deploy private 5G solutions for a wide range of use cases. And as one of DOD’s partners, Booz Allen is at the forefront working with DOD to build the 5G infrastructure and conducting the prototyping based on specific 5G-enabled use cases. But this large-scale push to build and manage such infrastructure and define use cases—almost like a mobile carrier would—is new territory for the department. And many organizations are still assessing how they will use 5G, let alone how they will secure it.
While there is no “easy button” for 5G cloud infrastructure security, organization leaders can look to guidance from the Cybersecurity and Infrastructure Security Agency and the National Security Agency. This guidance shows how to bring a zero trust mindset into 5G cloud endpoints and growing multi-cloud environments: It covers preventing and detecting lateral movement, securely isolating network resources, data protection, and ensuring the integrity of cloud infrastructure.
In addition, here are five steps to guide organizations interested in developing private 5G networks:
Build a secure foundation: Start protecting 5G infrastructure, software, and all network elements by developing a zero trust architecture that is fit for purpose—and by embracing key principles for software supply chain security (given 5G is software centric). In addition, agencies should invest in talent with the technical expertise needed to accomplish this work.
Issue further guidance as needed: Seek out governing documents (such as those listed above) for guidance on how to securely design a 5G cloud-based infrastructure. As 5G is deployed, seek out other emergent guidance/requirements. For example, a document like the Cloud Computing Security Requirements Guide, which has been used extensively over the last several years to drive DOD cloud impact level requirements, may need to be extended to account for edge cloud scenarios. Further, officials may need to release new security technical implementation guides specific to 5G cloud and infrastructure components.
Put cloud security into action: Ensure that standards and guidance are translated into more granular requirements and implemented in security controls. While organizations should ensure they implement required controls, they should also evaluate the applicability of controls listed as “optional” since these may be needed to better harden the infrastructure and mitigate vulnerabilities.
Invest in advanced cyber defenses: Implement continuous monitoring and sophisticated analytics to detect and counter advanced threats—including determined nation-state actors pursuing strategic objectives. Many monitoring solutions are geared more toward network performance and optimization, and fault isolation. Nevertheless, the monitoring solution must also provide the security analytics needed to stop and/or mitigate sophisticated attacks.
Stress test systems before adversaries do: Subject 5G systems to realistic penetration testing involving advanced adversary tradecraft. Stay ahead of threats by using red teams to proactively uncover previously unknown vulnerabilities.
The next few years will see more and more deployments of 5G-based cloud infrastructure and devices. As these projects progress, leaders should use these five steps, together with zero trust and security-by-design principles, to safeguard these leading-edge systems.
This is paid, sponsored content.