
Securing 5G Networks

The 5G era is brimming with new opportunities, opened up by enabling high-throughput, ultra-low-latency and massive machine-type communication use cases. As networks transition from proprietary to software-centric designs based on open source and open architecture to meet these needs, new security risks are being introduced.

Almost ten years on from the launch of 4G, 5G will be the first cellular generation to launch in the era of global cybercrime. This cybercrime activity is heavily funded by organised crime and nation states. This is an era in which software, which has contributed so much to driving the digital economy over the last ten years, is also routinely being weaponised to steal, expose, compromise or block access to data, whether it is at rest or in motion.

So while telecom operators and enterprises certainly look to the 5G ecosystem of network equipment providers, cloud providers, vendors and systems integrators to help realise the opportunities of 5G, they also expect guidance from that same ecosystem around how to understand and mitigate any new risks that the 5G architecture may pose to their data security posture.

5 key components of a Trusted 5G Architecture

1. Core network: with the new Core Network, each network function no longer resides in its own isolated, secure hardware. Instead it now resides in software as a Virtual Network Function (VNF) or Cloud-native Network Function (CNF) running on shared virtualised infrastructure with other VNFs/CNFs and applications.

2. Multi-Access Edge Compute (MEC): brings application hosting from centralised data centres down to the network edge, to address low latency and bandwidth. These new services are expected to address a wide variety of verticals including healthcare, manufacturing, retail and media/entertainment.

3. Backhaul/fronthaul/mid-haul: the part of the network that links the RAN components, the core network and the small subnetworks at the edge of the network. These links now need to support high throughput and low-latency data transfer.

4. Subscriber Authentication and Privacy: with new capabilities such as network slicing, Mobile Network Operators need to provide high assurance subscriber authentication and 5G subscriber privacy (SUPI/SUCI) services.

5. Management layer (OSS/BSS): the Operations Support System (OSS) covers Order Management, Network Inventory Management and Network Operations, while the Business Support System (BSS) primarily consists of Order Capture, Customer Relationship Management and Billing. These systems, which manage sensitive data, are expected to evolve to support 5G networks.

Foundation of Digital Trust for 5G

When the 5 key components are left unprotected, the underlying infrastructure, sensitive operations and copious amounts of sensitive data processed are at risk. The Thales security portfolio can help address these risks.

  • Luna Hardware Security Modules (HSMs)
  • High Speed Encryptors (HSE)
  • CipherTrust Transparent Encryption
  • CipherTrust Manager

With 5G networks being built on software-based paradigms, the need for a Root of Trust (RoT) to ensure security from the infrastructure layer to the application layer is an important factor to consider. Additionally, utilising Luna HSMs for PKI-based infrastructure security can future-proof your deployments with post-quantum crypto-agility.

In parallel, the need for high assurance security for subscriber privacy and authentication is expected to grow along with the adoption of network slices for enterprises/industry verticals. Luna HSMs can be leveraged to ensure high-assurance security & audit compliance for:

  • 5G subscriber privacy mechanisms in the core
  • Subscriber authentication at the core
  • Centralised FIPS-certified RoT for virtualised infrastructure and sensitive processes in the core and edge: PKI CA, e.g. OpenStack CA, Istio service mesh, CNF package signing, firmware code signing, TLS/SSL interception, TLS/SSL offloading and secrets/cert management tools

Given the need for 5G networks to meet ultra-low latency and high throughput requirements from cell sites to the edge and core, securing data in motion can be quite a challenge. Thales HSE, with its flexible and easy-to-manage interface, can secure data in motion for the mobile backhaul with the following capabilities:

  • High throughput with low overhead at speeds up to 100G
  • Microsecond latency
  • Trusted end-to-end authenticated encryption in layers 2, 3 and 4
  • FIPS-certified solution with quantum resistant/ready cryptography

With 5G, different types of data will be processed at locations from edge to the network core. Ensuring sensitive data security while minimising impact on time to market is key. CipherTrust Transparent Encryption can help as it can ensure granular access control on sensitive data without the need to modify any applications. It can be leveraged to:

  • Secure sensitive data in MNO core with granular access control across multi-vendor VNFs/CNFs running in the virtualised infrastructure
  • Secure enterprise’s sensitive data processed in the edge cloud
  • Secure sensitive data in MNO OSS/BSS

While encryption ensures data security, crypto key management is an essential element of the overall solution. Leverage CipherTrust Manager for software-based centralised crypto key lifecycle management. MNOs could benefit from centralised key lifecycle management and visibility to meet internal/external compliance requirements while building out core or edge networks for the following integrations:

  • HCI-level encryption, e.g. Cloudian HyperStore, VMware vSAN/VMCrypt, Nutanix, Dell EMC ECS, NetApp Cloud ONTAP
  • Storage-level encryption, e.g. DellEMC Data Domain, DellEMC PowerEdge, NetApp FAS, HPE Proliant/StoreEasy (iLO)*, HPE 3PAR, HPE Primera, IBM DS8000 Series, Dell EMC PowerMax, Dell EMC PowerStore
  • Native database encryption (TDE), e.g. IBM DB2, MongoDB, Oracle MySQL
  • Linux key management (LUKS)
  • Thales data protection portfolio: Transparent Encryption to Application level encryption and tokenisation

Thales can help

Due to the way in which these modern networks are being built, protection needs to be baked into the network and made available to enterprises to give them the foundation of trust they need to unlock high levels of investment in new 5G use cases.

Thales Cloud Protection and Licensing is working with Telcos, Solution Integrators and Network Equipment Providers to help build trusted 5G networks. Contact us to discuss how Thales is working collaboratively with its partner ecosystem to enable the value of 5G in a trusted architecture.

Related Resources

A New Trust Model For The 5G Era - White Paper


5G promises to be rich in new business models for users and the ecosystem key players (telecom operators, network & cloud vendors, system integrators…). Some of the requirements that exciting new 5G use cases impose on the storage, compute and network domains introduce...

Build a strong foundation for data privacy and security with CipherTrust Data Discovery and Classification - Solution Brief


Today, the volume of enterprise data is exploding across industries. We talk about petabytes, and even exabytes, of data strewn across data centers, file shares, databases, cloud storage and backups. However, few organizations have the necessary visibility into their sensitive...

Thales Luna Network HSM - Product Brief


Secure your sensitive data and critical applications by storing, protecting and managing your cryptographic keys in Thales Luna Network Hardware Security Modules (HSMs) - high-assurance, tamper-resistant, network-attached appliances offering market-leading performance.

CipherTrust Manager - Product Brief


CipherTrust Manager enables organizations to centrally manage encryption keys for Thales CipherTrust Data Security Platform and third party products. It simplifies key lifecycle management tasks, including secure key generation, backup/restore, clustering, deactivation, and...

Securing Emerging Technologies with Thales Luna HSMs - Solution Brief


In today's digital world, enterprise and government are in a state of flux. Organizations are optimizing by taking workloads to the cloud, or forging ahead transforming, taking advantage of a wide variety of emerging technologies. They are revisiting their strategies due to...

Data in Motion Security Through a 5G Infrastructure - White Paper


Today’s networks are an interconnected menagerie of diverse mediums. Copper, Fibre, WiFi, Satellite and LTE are just a few examples of the diverse paths that data packets can travel through on the way to their final destination. Beyond these wired and wireless links, there are...

Data in Motion Security Through a 5G Infrastructure - Solution Brief


5G networks have unique requirements for both security and performance. From signaling and control plane data to the end-user experience, efficient use of bandwidth, low latency, and low jitter are non-negotiable mandates. 25-year-old security solutions, such as IPsec and VPN,...