ABI Research: Privacy and Data Security in 5G Networks, 2023 white paper (English edition, 10 pages)
PRIVACY & DATA SECURITY IN 5G NETWORKS

Michela Menting, Research Director

CONTENTS
A Rocky Road Ahead for 5G Security
First Steps in Standards
Identifying Gaps, Risks, and Challenges
Security Approaches: Technologies and Vendors
Building Effective Data-Centric Trust Models

A Rocky Road Ahead for 5G Security

5G is opening up a whole new set of opportunities for connectivity. However, privacy and data security concerns are set to play a key role as new vendors and new technologies emerge to capitalize on 5G capabilities. This expansion, added to the significant architectural changes, will make for highly complex networks, exposing new vulnerabilities and greater risks.

Currently, about 15% of MNOs globally have rolled out 3GPP-compatible 5G networks in 30 different countries, with less than 5% having deployed 5G SA in public networks. ABI Research forecasts that, in 2027, average 5G adoption will reach 56%.

Security investment in 5G networks is still very much incipient. The brunt of security spending is primarily by MNOs, as they focus on securing the various aspects of the networks (e.g., edge, RAN, and core). In time, they will leverage those investments to create new security value propositions for enterprise clients, generating new revenue. They will be joined eventually by third-party providers, network security vendors, hyperscalers, and other vendors in offering security solutions to enterprise clients.

ABI Research forecasts total 5G network security revenue to practically double between 2023 and 2026, going from US$3.9 billion to US$9.2 billion in those 3 years (see Chart 1). This is in line with 5G adoption for half the world's operators by that time.

Chart 1: Total 5G Network Security Revenue by Region, World Markets: 2023 to 2026 (Source: ABI Research)
[Chart: revenue in US$ billions for 2023, 2024, 2025, and 2026, by region: Asia-Pacific; Europe, Middle East, and Africa; North America; Latin America.]

Integrating security functionalities is critical within 5G networks. At the standardization level, the 3rd Generation Partnership Project (3GPP) has worked to ensure that security forms a core part of the standards. However, that is only the first step. How that security will be delivered and implemented in practice will be a different matter altogether. There are likely to be significant challenges that stakeholders will need to overcome, from the Network Equipment Providers (NEPs) and Mobile Network Operators (MNOs) to the software developers and cybersecurity vendors that are engaged in building those networks.

NEPs and MNOs need to address issues related to user authentication, access controls, and data protection in order to protect privacy in 5G networks.

Much of the onus will be on NEPs and MNOs to address issues related to user authentication, access controls, and data protection; ultimately, all stakeholders will need to leverage security technologies in order to build a zero-trust network. Whether this is done by monitoring threats, managing security policies, or building in hardware roots of trust, the challenge will first be to identify where security is required before finding the most appropriate solution and deploying it successfully.

Network security hardware forms a large part of the initial revenue opportunity, as MNOs are not ready to go all-in on a service model from a security consumption perspective. But as 5G SA becomes more established, pay-as-you-go (Operational Expenditure (OPEX)) security models are set to grow in parallel. Operators will be keen to offer security hardware that is integrated with their 5G networks, enabling software and services that can be subscribed to at will by end users.

First Steps in Standards

The first port of call is, therefore, understanding what
the role of security is within the standardization effort and how that has progressed to date (see box 1 below). Past 3GPP releases have already covered some security aspects for Application Programming Interfaces (APIs), lawful interception, 5G systems, Proximity Services (ProSe), SeCurity Assurance Specifications (SCAS), authentication and key management, Vehicle-to-Everything (V2X), network automation, edge computing, network slicing, location services, Security Assurance Methodology (SECAM), subscriber privacy, Industrial and Cellular IoT (CIoT and IIoT), Service-Based Architecture (SBA), Universal Terrestrial Radio Access Network (UTRAN), Machine Type Communications (MTC), Ultra-Reliable Low Latency Communication (URLLC), and Wireless Local Area Network (WLAN), among others.

The development of 5G security standards is still very much a work in progress, with most of it still being worked on in Standard Development Organizations (SDOs). Spearheaded largely by 3GPP Technical Specification Group Service and System Aspects (TSG SA) within its dedicated workgroup (WG3) on security and privacy, SA3, the requirements and specifications are being delivered in phases throughout the various Releases 15 to 17. Security work is ongoing in Release 18 (see box 2 below).

3GPP approved the Release 18 (Rel-18) package in December 2021, marking the official start of 5G-Advanced with the planned freeze date of this new release being December 2023. Rel-18's commercial launch is estimated to be around 2024/2025. For this release, SA3 is tasked with working on:

- Privacy of identifiers over radio access
- SECAM and SCAS for 3GPP virtualized network products and Management Function (MnF)
- Mission-critical security enhancements Phase 3
- Security and privacy aspects of Radio Access Network (RAN) and SA features.

Broadly speaking, SA3 is currently tasked with completing the phased work already started in previous releases, as well as specifying security enhancements for the Internet of Things (IoT) and vertical industries, and testing security in the new 5G network functions.

The buck does not stop at 3GPP, however. Despite its key role, 3GPP is not the only SDO working on 5G security standards (see box 3 below). 3GPP is joined by the International Telecommunication Union Standardization Sector (ITU-T) SG17, European Telecommunications Standards Institute (ETSI) Industry Specification Group (ISG) Mobile-access Edge Computing (MEC), ISG Network Functions Virtualization (NFV), and ISG Zero touch network & Service Management (ZSM), Institute of Electrical and Electronics Engineers (IEEE), Next Generation for Mobile Network (NGMN) Alliance, GSM Association (GSMA), European Union Agency for Cybersecurity (ENISA), and National Institute of Standards and Technology (NIST). Table 1 splits out the security work being done by the relevant SDOs in the various 5G applications.

The breadth of topics addressed (Table 1) alone within the various SDOs' work groups is a testament to the complexity of 5G networks, which are a stark departure from previous cellular generations. Stakeholders must contend not only with risks and vulnerabilities inherent to 4G that are being migrated over during the transition through 5G Non-Standalone (NSA), but also with new unknowns that will emerge in 5G Standalone (SA).

Table 1: SDO Work on Security for 5G Applications (Source: ABI Research)

APPLICATION | SDO
General | 3GPP, ENISA, GSMA, ITU-T, NIST
5G core network | 3GPP, NGMN
RAN | 3GPP, NGMN
Radio access | 3GPP
Network infrastructure | 3GPP, ENISA, GSMA
Network slicing | 3GPP, ETSI, ITU-T, NGMN
Software-Defined Networking (SDN) | ENISA, IEEE, ITU-T
NFV | ETSI, IEEE, ITU-T
MEC | 3GPP, ITU-T, NGMN
Interoperability | 3GPP, GSMA
Roaming | 3GPP, ENISA, GSMA
User Equipment (UE) | IEEE
5G services | 3GPP, NGMN
Security control | ENISA, ETSI, ITU-T, NGMN
Fraud | GSMA, NGMN
Non-public network | 3GPP, ITU-T
Other | 3GPP, ENISA, GSMA, ITU-T

As a result, there will be instances where the security architectures or technologies proposed by SDOs may simply not work in practice. As the migration is only in its initial stages, and achieving 5G SA is still some years away, there will be many future events where the theory enshrined in recommendations cannot be realistically implemented.

Many security technologies developed for 3G/4G are not applicable anymore. New methods and different technologies need to be devised for data security in 5G.

Further, there is the issue of security technologies that were developed for 3G/4G being extended into 5G. Many were implemented to resolve issues specific to those anterior cellular generations, but are simply not applicable anymore in the new network architecture. New methods and different technologies need to be devised for data security in 5G.

The work being done in developing 5G security specifications and standards by the various SDOs is significant, but it is only a first step, and will not resolve all the challenges at implementation. Beyond that, it is also important to remember that they are voluntary, published as recommendations or best practices; they cannot know for certain what security challenges may arise in the future once rollout is underway. This means that stakeholders, whether these are operators, NEPs, third-party vendors, or customers, need to keep an open mind and be flexible about how they meet both standard requirements and their own requirements, without compromising performance, latency, or security.

Identifying Gaps, Risks, and Challenges

At present, many traditional cybersecurity solutions do not adapt to cellular core networks, let alone 5G. Network security vendors must ensure that their technologies can be implemented in carrier-grade networks that can meet all 5G requirements of high performance and low latency. Currently, numerous security challenges need to be
resolved first before such solutions can be folded into the networks. Some of the challenges will be ported over from 4G in the initial hybrid phases of 5G NSA, but new threats are constantly emerging that will need to be addressed as well (Table 2).

Table 2: Threats and Vulnerabilities in 5G Networks (Source: ABI Research)

CORE
- Signaling attack
- Hijacking
- Man-in-the-middle attack
- Configuration attack
- Saturation attack
- Penetration attack
- Denial of Service (DoS) & Distributed DoS (DDoS)
- Slice/resource theft

MEC
- Botnets
- API exposure
- Attacks against shared hardware resources
- Abusive container privilege escalation
- Attacks targeting poor isolation of Operating System (OS)/containers
- Tampering of software
- Unsecured internal interfaces
- Unsecured transport protocols

RAN
- Reset & Internet Protocol (IP) spoofing
- Scanning attack
- Semantic information attack signal jamming
- IMSI catching attack
- Illegal intercept
- Flash traffic
- Fake base station
- Replay attacks

UE
- User identity theft
- Security key theft
- Malware
- Firmware hacks
- Device tampering
- Spyware
- Ransomware
- Battery draining attacks
- Identification breach

Resolving these issues will take time, and they can be compounded by several challenges on the standardization front. A first issue revolves around the nature of the standards. Work done on technical specifications by SDOs like 3GPP is essentially voluntary. They are enshrined as standards through mass market adoption, thereby becoming de facto standards. But there is no regulatory requirement to implement the standards per se; stakeholders are free to do as they please. Nonetheless, de facto standards can become compulsory if written into law by national authorities (and so becoming de jure standards). It is also possible for national SDOs to decide to deviate from those de facto standards and develop their own standards. With either of these approaches, there is a potential for bifurcation in application. It is the mass market effect that places pressure on standard adoption; but countries with strong state control and large domestic markets can choose to go their own way.

Further, within the industry standards themselves, some of the security specifications are a requirement for certain stakeholders (e.g., NEPs), but not for others (e.g., operators). This means that there are different paces of adoption that ultimately depend on operator strategies and rollouts. Overall, the understanding of the specifications can vary depending on stakeholders, and this impacts how they choose to apply them. Operators and NEPs have a conservative view of standard implementation, stemming from their traditionalist view of the market; i.e., it is about direct implementation of the specs. They are often highly resistant to any deviation from 3GPP recommendations. As newer vendors and other third parties enter the cellular space with 5G rollouts, their perspectives are more open. They view 3GPP specs for what they are: recommendations. Their intent is to improve on those where possible with other technologies if they find them better adapted.

5G is a significant change to a more open, flexible, and programmable ecosystem, which is opening up the infrastructure to new stakeholders and new types of users. This means that there are a lot of unknowns on how the technology will eventually be used and, therefore, the risks that will emerge. It also means that new players will bring new ideas and innovations to the fore that may require a different approach to how security is defined in 3GPP standards.

Beyond that, there are other challenges that are broader in scope, stemming from socio-political issues that can, in turn, adversely impact standards development. In many industry-led SDOs, such as 3GPP, the effort is a multi-stakeholder-based process that requires long involvement, cooperation, and organization. External phenomena, such as trade embargoes and the pandemic, slowed progress significantly as work groups could not meet as freely or as frequently as before. As such, for 3GPP, some security work stalled. Much of what was incomplete at the freeze in Release 17 was closed and moved to Release 18. The normative work on security features in Release 18 is advancing as expected, but progress on other areas (such
as Security Identifiers (SIDs)) is slower. However, the transition back to in-person meetings should help speed up standardization work in general.

The world of standardization is not so clear-cut with regard to the application of standards. Numerous factors can impact alignment. SDOs themselves are very aware of the importance of gaining mass market appeal and, therefore, must navigate a fine line between recommendation and prescription. Ultimately, a security standard should be viewed as a start, a baseline; but it must not be an end-all, be-all to how security can be implemented. Where shortcomings or limitations are encountered, relying on a strict interpretation of the specification may not help. Stakeholders need to be open and flexible about how to mitigate risks and resolve issues.

There is a wealth of efficient and competent cybersecurity technologies that can be applied to 5G networks. To deprive the network of useful tools simply because they have not been explicitly laid out in the standard is counter-intuitive and will hurt the successful rollout of 5G networks in the long run. Stakeholders need to look at the essence of what the security specification aims to achieve; if there are alternative, more efficient, or cost-effective ways of achieving those, then they need to be considered as valid solutions if they can meet the other requirements of latency and performance that form the core improvements over past cellular generations.

Security Approaches: Technologies and Vendors

With 5G deployment still in its initial stages, and 5G SA ubiquity several years out, it is key now for stakeholders to really work on overcoming the challenges addressed in the previous section. Beyond a purely technical perspective, the key is to allow for more flexibility in order to create a truly holistic trust model that can span disaggregated telco workloads, including the hardware infrastructure, the virtualized functions, and the applications. Critical to that is accepting that various security configurations are possible in the different deployment models (public, private, and hybrid), from the UE, through MEC and RAN, and all the way to the core.

Security has many roles to play within 5G networks, and new ones will arise with new rollouts and technology maturity. From a privacy and data security perspective, a few key tenets can be highlighted here that are relevant today.

- User Authentication, Security, and Privacy: With an open and programmable infrastructure, the protection of user identity and user data becomes a very important capability, and forms a core requirement of 3GPP standards; mutual authentication between the networks and the devices, with networks outside of the operator domain, and internally as well. Subscriber privacy is guaranteed in 5G with the new Subscription Concealed Identifier (SUCI) function for Subscription Permanent Identifier (SUPI) that needs to be secured and used within secure Hardware Security Modules (HSMs), as are various 5G authentication mechanisms, such as MILENAGE and TUAK.

- Centralized Key and Data Access Policy Management: Keys will serve numerous purposes within 5G infrastructure, from encryption and code-signing to authentication and access control. Because of the large body of assets that will ultimately reside and transit through the network, a centralized orchestration platform will help to better manage those keys and associated policies.

- Encrypting Sensitive Data on Control, User, and Management Planes: Whether the data are at rest, in use, or in transit, their security is critical. Sensitive data must be protected at all times, whether that be signaling traffic, user data, or configuration and control commands for the RAN and core functions. Encryption becomes a vital protection mechanism that can provide not only confidentiality, but also integrity and replay protection between various interfaces and nodes.

- Privileged User Access Controls: The opening up of 5G networks means more parties engaged with and on the network. Access control becomes an important security mechanism to put in place in order to minimize unauthorized access, and effectively manage a secure interaction of the various 5G components and users.

- Comprehensive Logging and Data Access Auditing: From, logging and auditing will have to be enabled with 5G in order to satisfy requirements that may stem from a regulatory compliance and company policy perspective for both network operators and vendors, as well as from enterprise users.

- Security Automation: 5G promises to be the network to connect all things in all places all at once. The sheer number of assets and participants to manage from a security perspective will be overwhelming. Therefore, it is vital that security be automated as much as possible, as manual intervention and management will be impossible.

- Zero Trust: Implicit trust makes way for explicit trust, which leverages security controls, including mutual authentication, identity protection, access control, and data protection, for all assets. These form some of the core tenets of the security requirements for creating a truly trusted 5G ecosystem. It should be the favored approach for all stakeholders investing in 5G.

The specific technologies that can be leveraged to enable these concepts are varied in how they
can be deployed, such as via hardware, software, and services. Ultimately, they can be narrowed down according to the use of encryption solutions, to some extent, notably through the use of HSMs, encryption applications, and key management solutions. HSMs can provide a hardware root of trust for the most stringent compliance requirements. Dedicated software solutions can provide low-latency and minimal bandwidth impact for high-priority applications.

Deploying these solutions effectively means finding the right vendor with trusted technologies that are adapted to 5G. Within the encryption space, security leaders, such as Thales, offer a number of solutions that can meet the specific challenges in 5G privacy and data protection: Luna Network HSM, CipherTrust Transparent Encryption (CTE), and High Speed Encryption (HSE) (Figure 1).

Thales Luna HSM provides a tamper-proof hardware root of trust with which to issue, secure, and manage keys and secrets through robust access control mechanisms, enforced separation of duties, and security domains encryption mechanisms. Luna HSM integrates with virtual platforms, such as Docker container and VMware, among others, as well as with most other third-party authentication platforms.

Thales CipherTrust Transparent Encryption (CTE) can be leveraged to protect persistent data for container deployment (e.g., Kubernetes) and storage (through container storage interface-compatible solutions from Amazon Web Services (AWS) and Azure, among others). CTE-Container Storage Interface (CSI) offers centralized key management for multi-cloud deployments, privilege access controls, and encrypted backups, as well as comprehensive logging and Security Information and Event Management (SIEM) integration and analytics.

Thales High Speed Encryption (HSE) is suitable for physical and virtual infrastructures and endpoints, offering policy-based encryption for Layers 2, 3, and 4 simultaneously with a complete separation of security functions from the transport layer. With low overhead and without the need for tunnels, it does not require changes to Layers 3 to 4 protocols, nor does it impede proprietary Quality of Service (QoS), routing, Protocol Extension Protocol (PEP), or other tags. HSE outperforms IPSec/MACsec and supports a wide range of network use cases (including network slices).

All Thales solutions are post-quantum ready, supporting all NIST quantum algorithm finalists, and enabling Thales to include new quantum safe key agreement mechanisms in its product lines.

Figure 1: Thales Solution Mapping (Source: ABI Research)
[Figure labels, in the order extracted:
Luna Network HSM: Logging and Auditing; Hardware root of trust; User Authentication and Privacy; Public Key Infrastructure (PKI); Secure subscriber ID privacy; Authentication vector generation; Key Management; Securing Sensitive Data; Crypto API; Secure Signing.
CipherTrust Transparent Encryption with Centralized Key Management: Securing Unstructured Sensitive Data; In files/folder/volumes on servers; In persistent volumes in Kubernetes deployments; User Access Controls; Privileged, approved, and admin user control; Logging and Auditing; Data access audit logs; Key Management; Key lifecycle management.
High Speed Encryption: Securing Sensitive Data; Data in motion/transit for network infrastructure; Transport security in interconnects in 5G transport and vertically to edge cloud; Logging and Auditing; Auditable chain of custody for key material & root of trust.]

Building Effective Data-Centric Trust Models

Network security hardware forms a large part of the initial revenue opportunity, as MNOs are not ready to go all-in on a service model from a security consumption perspective. But as 5G SA becomes more established, pay-as-you-go (Operational Expenditure (OPEX)) security models are set to grow in parallel. Operators will be keen to offer security hardware that is integrated with their 5G networks, enabling software and services that can be subscribed to
at will by end users.

An important and mature market is springing up around building security tools that can accurately identify, respond to, and mitigate the emergent risks to 5G. This will continue to be an important and necessary part of cybersecurity as a discipline. But the costs of implementing these solutions can be offset significantly if security can be designed and embedded into technologies right from the start. 5G presents a unique opportunity, as a nascent technology, to strategize about security at the standardization and design phase, and to integrate new concepts into the architecture in order to build a truly robust trust model. SA deployments, in particular, are synonymous with new 5G Next Generation Core (NGC) deployments, which will likely introduce new security mechanisms and requirements, because SA will enable new types of services, including network slicing. These will require completely new security processes and will also enable Security-as-a-Service to enterprise clients.

Data-Centric 5G security solutions need to deliver end-to-end encryption and authentication to help organizations protect sensitive data from users and IoT, to radio access, to the edge, in the core network and data stores, including containers.

Consequently, the new 5G ecosystem will prove to be much more complex than previous generations: open, multi-vendor, disaggregated, and virtualized. These are all great for innovation and growth, but they also open up new threat vectors, expose new risks, and multiply vulnerabilities. Many will be unknowns, so it will be key for stakeholders to be both adaptable and open in how they embed and deploy security. Security strategies must not be rigid or uniquely check-box based; risk assessment must be continuous, and security deployment must be flexible. It will be costly and highly damaging to wait until risks emerge before addressing them. Data-centric 5G security solutions need to deliver end-to-end encryption and authentication to help protect data across fronthaul, midhaul, and backhaul operations as data moves from users and IoT devices, to radio access, to the edge (including multi-user edge computing), and, finally, into the core network and data stores, including containers.

Security should not be viewed simply from a risk minimization perspective. Security technologies can be great enablers for 5G networks for all stakeholders. Embedded security can allow the creation of new revenue streams as well; configuring and tailoring the various technologies to enterprise demands, use cases, and deployment models can provide a Return on Investment (ROI) for 5G operators, network providers, and vendors alike. Security should be viewed as an opportunity, not just to create trusted models, but to add value to 5G in a way that can match its promise of being faster and more performant than any other Internet service to date. The key to achieving this is to ensure that security is part and parcel of that vision, from design to deployment.

ABOUT ABI RESEARCH

ABI Research is a global technology intelligence firm delivering actionable research and strategic guidance to technology leaders, innovators, and decision makers around the world. Our research focuses on the transformative technologies that are dramatically reshaping industries, economies, and workforces today.

2023 ABI Research. Used by permission. ABI Research is an independent producer of market analysis and insight and this ABI Research product is the result of objective research by ABI Research staff at the time of data collection. The opinions of ABI Research or its analysts on any subject are continually revised based on the most current data available. The information contained herein has been obtained from sources believed to be reliable. ABI Research disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Published February 2023
ABI Research Inc.
157 Columbus Avenue
New York, NY 10023
Tel: +1 516-624-