Why Open RAN needs a zero-trust approach to cybersecurity - Embedded.com

The rise of network softwarization and cloud has encouraged a more diverse supply chain, and consequently the zero-trust approach is discussed as a possible way to address the cybersecurity risks that come with it.

Connectivity demands have accelerated the rollout of infrastructure and provided an opportunity for new players to contribute to the telecoms supply chain. The groundbreaking changes offered by 5G and network virtualization provide opportunities for new vendors to contribute to hardware or software products across the stack. 5G has enabled the disaggregation of network components, creating an opportunity for mix and match between different suppliers.

This requires tight levels of software integration, which is often done via open interfaces. However, these changes cause cybersecurity risk levels to increase across the ecosystem. A vulnerability in a third party’s product or system may create an entry point into the entire network. This means we can no longer trust that vendors are fully secure, and we need to verify it. But how? A new approach to cybersecurity is needed for networks and the solution is to become zero-trust.

What is zero-trust security?

In the 1960s, as computers began communicating over networks, function took precedence over security. This was understandable as few networks existed and those that were functional were also quite isolated. Fast forward a few decades, and LANs, WANs and WLANs are everywhere. Generally, these networks establish trust and security through the old-school perimeter model.

The perimeter model mantra is that if you are on the inside of a network, then it is inherently assumed that you belong and are to be trusted. Essentially, networks based on the perimeter security model aim to achieve security through the use of firewalls, VPNs and DMZs as anyone on the inside of a perimeter isn’t considered a threat. The arrival of the cloud is the point at which the traditional perimeter model began to fall apart. As employees went from being trusted users of networks to trusted remote users of networks, the perimeter went from looking like an attractive circle to an untraceable polygon.

The idea of zero-trust networks originated in the 1990s and began to garner widespread interest from large tech organizations in the 2000s. It was recommended by the UK National Cyber Security Centre from 2019 and by the US Cybersecurity and Infrastructure Security Agency in 2021. The latest guidance from both public organizations states that new networks should be deployed using the principles of zero-trust.

Unlike the perimeter security model, in a zero-trust network an individual inside a network is not assumed to be trusted and must continue to authenticate everywhere and for every request. Together, identification achieved through authentication and authorization based on access control can help an organization move towards the zero-trust model of security.
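The contrast described above, as an added illustration that is not part of the original article: a perimeter check that trusts any request from inside the network, next to a zero-trust check that authenticates and authorizes every request. Component names, keys, the subnet and resource paths are hypothetical, and an HMAC over the request stands in for whatever credential (mutual TLS, signed tokens) a real deployment would use.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample data: component names, keys, subnet and resources are hypothetical.
INTERNAL_NET = ipaddress.ip_network("10.20.0.0/16")
COMPONENT_KEYS = {"du-vendor-a": b"key-a-demo", "cu-vendor-b": b"key-b-demo"}
# Least-privilege policy: the only (identity, action, resource) triples permitted.
POLICY = {
    ("du-vendor-a", "POST", "/metrics"),
    ("cu-vendor-b", "GET", "/config"),
}

def sign(identity, action, resource, expires, key):
    """Credential bound to one identity, one request and an expiry time."""
    msg = f"{identity}|{action}|{resource}|{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def perimeter_allows(req):
    """Perimeter model: anything arriving from inside the network is trusted."""
    return ipaddress.ip_address(req["src_ip"]) in INTERNAL_NET

def zero_trust_allows(req, now):
    """Zero trust: authenticate and authorize every request, wherever it comes from."""
    key = COMPONENT_KEYS.get(req["identity"])
    if key is None or req["expires"] <= now:
        return False  # unknown component or stale credential
    expected = sign(req["identity"], req["action"], req["resource"], req["expires"], key)
    if not hmac.compare_digest(expected, req["sig"]):
        return False  # authentication failed
    # Authorization: identity alone is not enough, the specific action must be allowed.
    return (req["identity"], req["action"], req["resource"]) in POLICY

def make_request(identity, action, resource, src_ip, key, expires=2000):
    """Build a constructed sample request signed with the given key."""
    return {"identity": identity, "action": action, "resource": resource,
            "src_ip": src_ip, "expires": expires,
            "sig": sign(identity, action, resource, expires, key)}

if __name__ == "__main__":
    # A genuine internal component asking for something outside its policy.
    r = make_request("du-vendor-a", "GET", "/config", "10.20.1.5", b"key-a-demo")
    print("perimeter:", perimeter_allows(r), "zero trust:", zero_trust_allows(r, now=1000))
```

The request in the demo comes from a correctly authenticated component inside the network, so the perimeter model admits it, while the zero-trust check rejects it because that component is not authorized for that resource.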

ORAN is the key to zero trust

Mobile networks are the most commonly used and relied upon system. Therefore, as mobile networks move towards full virtualization and softwarization, they need to make the necessary changes to move away from the perimeter model.

As open interfaces become a reality in mobile networks, interoperability will become the new standard. The rise of network softwarization and cloud has encouraged a more diverse supply chain, and consequently the zero-trust approach is discussed as a possible way to address the cybersecurity risks that come with it. This is the case with Open RAN. Open RAN is an evolution of the next generation radio access network (RAN) architecture, first introduced by the GSMA’s 3GPP. It is a fully disaggregated approach to the components that make up the RAN, but built entirely on cloud native principles.

The principle of Open RAN itself is based on open-source, interoperable interfaces, also known as open APIs. In Open RAN the entire radio network does not depend on one single vendor, but rather on multiple components from different suppliers that can communicate with each other through the defined open APIs. This, coupled with the number of end-point APIs that are exposed to integrate the different components of Open RAN, means classic perimeter security models are not fit for purpose. The multi-supplier approach allows mobile network operators to reduce costs in deployments and mitigate the security risk of national dependency on a small number of suppliers, given it inherently allows many more suppliers to exist.

Cybersecurity risks in an open API ecosystem

The disaggregation of functions increases the threat surface in mobile networks. Publishing an open API theoretically means that any developer can access exposed backend systems, and it also risks bringing the exposure to the attention of hackers who might never have noticed a private API. Open APIs are also one of the ways in which our data is breached and shared with third parties. APIs are a prominent threat to the multi-supplier ecosystem that is O-RAN.

With the emergence of the internet of things, open interfaces and architectures, open APIs can be found in everything from mobile devices to smart TVs and gaming consoles. The security risks of open APIs are not limited to hackers and malware. Open data and code can lead to data sharing among applications. This is why APIs need to be cloudified through O-RAN processes in order to stimulate solution innovation for protection and future new business opportunities.

All in all, cybersecurity threats are at the forefront of social, political, and corporate discourse, and for good reason. Zero trust isn’t a silver bullet, but it’s a long overdue change in perspective. The biggest challenge moving forward isn’t necessarily the successful adoption of zero-trust design principles in new networks, but instead refactoring the old and monolithic networks in order to embrace the required changes.

Alexandros Roditis - Weaver Labs

Alexandros Roditis is a software developer and co-founder of Weaver Labs. Weaver Labs is a Web 3 startup which says it is democratizing access to telecoms infrastructure with 5G and blockchain. It is doing so by creating an open and shared marketplace of connectivity assets, using an innovative software layer that aggregates all the necessary components to build networks and access connectivity on-demand. Alexandros has a degree in computer software engineering from the University of Patras in Greece.

1 thought on “Why Open RAN needs a zero-trust approach to cybersecurity”

  1. This article brings up an interesting topic. However, it reads as though some important section, of unclear size, was omitted. You outline the existing situation (perimeter-based security doesn’t work when ubiquitous WAN accessibility means a network doesn’t really have one any more), a new and desirable change that makes the serious problem into a seriously obvious problem (open interfaces within the WAN connectivity architecture), and then…?

    If this had appeared in a printed magazine, I’d be trying to figure out whether a page had gotten stuck together somewhere in the middle. Your conclusion _appears_ to be, “We need to double down on creating new potential attack surfaces while observing loudly and pointedly that this needs to be more secure”. What is missing?
