The service-based architectures and cloud-based computing that come with 5G enable the use of zero-trust architectures and networking. In a zero-trust model, no trust is implicitly granted to system elements, resources, assets, network perimeters, or network connections. Before a session begins or a connection is established, authentication and authorization discretely govern access to networks and resources. The model deploys multiple layers of verification to prevent data breaches and to limit lateral movement within a system or network.
Adhering to zero-trust tenets
According to NIST SP 800-207, a zero-trust architecture adheres to seven technology-agnostic tenets:
All data sources and computing services are considered resources.
All communication is secured regardless of network location.
Access to a resource is granted on a per-session basis.
Access to resources is determined by a dynamic policy.
The integrity and security posture of all assets are monitored.
Dynamic authentication and authorization govern resource access.
The current state of assets, network infrastructure, and network traffic is tracked to improve security policies, context awareness, and enforcement.
For more information, see NIST SP 800-207.
By adopting a zero-trust model, Open RAN can protect interfaces and APIs, obtain telemetry across clouds, and impose context-specific security measures through network slicing.
Implementing a zero-trust architecture
The prerequisites to efficiently implement the far-reaching tenets of a zero-trust architecture are as follows:
A common horizontal multi-cloud platform
Security mechanisms and controls that are built into the RAN stack and its network
Automation to dynamically apply and adjust security measures
In Telco Cloud Platform RAN, management interfaces and APIs are secured by using the built-in security features of VMware vSphere, including authentication, access control, authorization, and certificates.
To support VNFs and CNFs, the zero-trust model can be implemented by using automation to create and manage Kubernetes clusters and to onboard, deploy, and update RAN network functions.