By Sree Kortala and Liia Sarajakoski, Palo Alto Networks
Migration to the cloud and the arrival of 5G have digitally transformed both how we do business and how we live our lives, while Zero Trust has presented us with the opportunity to transform how we view cyber defense. Zero Trust for 5G is an opportunity to modernize and rebuild our technology platform and the ways in which we use it. This new method of defense does more than simply protect assets sustainably. It offers an opportunity to transform what we do and how we do it.
Organizations were just beginning to fully embrace digital transformation until they found that the old security models were holding them back. Consider the following facts:
Meanwhile, learned habits are not serving us well. Over the years, security has been trained to look for point solutions. Faced with a “threat du jour,” security has responded in kind with a corresponding “vendor du jour.” Resource constraints and cybersecurity failures, however, have spotlighted a need to look at cyber defense in a new way. Zero Trust’s emphasis on eliminating implicit trust and requiring validation of each access request offers us a way forward.
By definition, Zero Trust is a strategic approach to cybersecurity that secures an organization by eliminating implicit trust and continuously validating every stage of a digital interaction. Zero Trust for 5G removes implicit trust regardless of what the situation is, who the user is, where the user is or what application they are trying to access.
The impact of Zero Trust on network security specifically protects the security of sensitive data and critical applications by leveraging network segmentation, preventing lateral movement, providing Layer 7 threat prevention and simplifying granular user-access controls. Where traditional security models operate under the assumption that everything inside an organization’s perimeter can be trusted, the Zero Trust model recognizes that trust is a vulnerability.
In short, Zero Trust for 5G presents an opportunity for service providers, enterprises and organizations to re-think how users, applications and infrastructure are secured in a way that is scalable and sustainable for modern cloud, SDN-based environments and open-sourced 5G networks. Delivering the Zero Trust Enterprise means taking Zero Trust principles, making them actionable and effectively rebuilding security to keep pace with digital transformation. This is something that Palo Alto Networks is uniquely positioned to deliver with a broader, higher quality set of capabilities.
A security platform requires a great foundation. 5G network operators need a robust and comprehensive security strategy that encompasses all traffic across signaling, data and application layers.
While implementing 5G security and employing Zero Trust principles, service providers have a chance to improve security with multiple tactics:
Our approach to 5G security at Palo Alto Networks begins with complete visibility and security enforcement across the entire network. Intelligent security is driven by correlation between the signaling and data layers to identify users and devices. Machine-learning-based and cloud-based threat intelligence provides rapid response to threats. In addition, these security capabilities need to be embedded at every location of the distributed cloud — core data centers, network edge and multi-access/mobile edge clouds.
To secure cloud-native network functions (CNF) workloads in the cloud, we acquired cloud security companies Twistlock and Bridgecrew and integrated them into Prisma Cloud. This provides shift-left and runtime protection capabilities for hosts, containers and serverless. We have also integrated identity-based micro segmentation capabilities into Prisma Cloud. These capabilities can be applied to secure the compute infrastructure in a cloud-native 5G architecture, while the CN-series for 5G will secure the 5G service layer and the application layer.
As the industry’s first next-generation firewall (NGFW) built specifically for Kubernetes environments, CN-Series firewalls leverage deep container context and 5G context at scale to protect the 5G services layer. This ensures our customers have access to a complete security for a cloud-native 5G stack. The software 5G firewalls can be deployed on any cloud platform — private or public, at operator core network or at the mobile edge cloud — making it a versatile distributed 5G security framework.
By embedding Zero Trust security principles into every access request and transaction, we believe that users, applications and infrastructure are liberated to perform at peak ability, freeing 5G enterprises and 5G customers to realize the promise of digital transformation securely and with confidence.
After years of piling on one “best-in-class” security tool after another, Zero Trust provides a North Star for organizations to execute better strategy and procurement. Deploying a Zero Trust architecture (ZTA) supports a smoother, more efficient path to digital transformation. This enables organizations to protect assets more confidently:
Zero Trust makes the idea of context and constant verification paramount, which inherently provides security improvements:
Organizations can see other tangible benefits of Zero Trust in areas like IoT (Internet of Things). Since these devices are being deployed en masse and have very little built in security, they present a lot of risk. Unit 42 research reported 98% of all IoT traffic is unencrypted, exposing personal and confidential data on the network. Additionally, 57% of IoT devices are vulnerable to medium or high-severity attacks, making IoT the low-hanging fruit for attackers. 5G speeds will also be leveraged by adversaries.
Adopting a “least privilege, least access” approach reduces this risk by ensuring that each device only has access to what it needs for its singular job (i.e. security camera, MRI machine, etc.).
Enterprise networks can gain further precise control by positioning a next generation firewall (NGFW) inside the mobile network directly, providing the same level of management and control of a 5G segment as any other segment of the enterprise network. This extends enterprise security policies into the 5G network. NGFW provides full visibility and control on the 5G service layer, including user data traffic. Customers can activate threat prevention, wildfire, other subscriptions and create policies based on user/device requirements.
Zero Trust is a journey, like a security maturity model. We see it as our job to help customers define what the journey looks like and then help them put the pieces together to measure their progress.
We have engaged a wide range of customers worldwide across multiple verticals with our Zero Trust Professional Services. All of their needs vary.
Some customers had not embarked on this journey yet, so we put together full transformation plans for them that included a combination of our expertise, architecture planning and our market-leading security solutions. Others had started a Zero Trust project or pilot, so we were able to come in and work with them on their desired state. All of these customers included common goals around verifying all users, devices and applications, as well as implementing context-aware access control and continuously monitoring for threats.
Many organizations can find the Zero Trust transformation overwhelming (particularly in the midst of 5G implementation) and difficult to achieve. We have worked diligently at Palo Alto Networks to set up our design services and professional services to be vendor agnostic and ready to help customers based on where they are in their Zero Trust journey.
Learn more about 5G security for service providers, 5G security for enterprises, as well as our approach to Zero Trust.