Zero Trust Architecture enabled by 3GPP security
• At the current high threat level on mobile networks, Zero Trust Architecture is seen as an important tool for analysis and improvement of the networks' security posture.
• This blog post details how security standardization in 3GPP can enable a Zero Trust Architecture.

In many countries, mobile networks are now seen as an essential part of national infrastructure. Billions of users and subscribers rely on the availability and trustworthiness of mobile networks, which makes them an attractive target for attackers. The evolving threat landscape also requires constantly improving ways of analyzing and strengthening the security posture of networks.
Many of the underlying ideas and requirements of Zero Trust Architecture have already been introduced and specified by 3GPP during previous generations, and will continue to evolve going forward towards 6G.
What is Zero Trust and Zero Trust Architecture (ZTA)?
Zero Trust is a concept that can be paraphrased as "Never trust, always verify." A Zero Trust Architecture (ZTA), as described by the American National Institute of Standards and Technology (NIST), is "an enterprise cybersecurity architecture that is based on zero trust principles and designed to prevent data breaches and limit internal lateral movement."
Security standardization and ZTA are important tools in the current threat landscape
Standardization fora such as 3GPP are important for the standardization of security enablers but also serve as platforms for raising awareness and exchanging views among companies, and between companies and regulators. ZTA is important because it provides a structural framework for analyzing and improving the security posture of a network, particularly in mitigating the lateral movement of attackers.
ZTA aims for securing networks in operation
The primary target of an attacker on a mobile network is the network itself in operation. Therefore, the goal of ZTA is to enhance the security of deployed networks. Standardization alone will not provide a ZTA, but it is an important phase. It supports the other phases necessary for achieving holistic telecom security, namely implementation, deployment, and operations, by providing fundamental security requirements and enablers for interoperable implementations of security features.
There are several Standard Development Organizations (SDOs) that are relevant for mobile networks, with complementary scope. 3GPP focuses on interoperability specifications for fundamental features of mobile networks, such as the (secure) connection of user devices to the network, or the (security of) interfaces between network internal entities. The specifications of SDOs do not provide a cookbook with a complete description of (secure) mobile network deployments. There are many different settings for the deployment of mobile networks, and operators and vendors together find the solutions for addressing them. However, standardization offers important benefits, particularly transparency and interoperability; see the earlier post "Security standards and their role in 5G" on the Ericsson Blog.
ZTA as a framework for analyzing and enhancing 3GPP network security
ZTA provides a set of principles that are useful for protecting a network's resources. The principles are general and need to be mapped to the relevant scenario. Just as standardization is not a cookbook for (secure) mobile network deployments, ZTA is also not a cookbook for a complete security analysis and security solution for a mobile network deployment. However, ZTA is a very helpful tool.
The first step of every analysis is the choice of an architectural model for the mobile network under analysis. A network in operation is a complex system, so any kind of analysis needs to be performed on a simplified description, that is to say, a model of the network. Considering only the standardized aspects of a network leads to further simplification but also a generalization, that is, the analysis applies to all networks that implement the standard. The trend is that the models used in standardization become more detailed to cope with the emerging threat landscape.
The following four models are relevant in the discussion of ZTA for 3GPP networks. In the figures, the terms applicable to 5G networks are used as an example. The models, however, are applicable just as well for other generations of 3GPP networks.
Figure 1: User device centric architectural model
Figure 2: Network centric architectural model. UE = User Equipment, that is, user device. gNB = Next Generation Node B, that is, 5G radio base station. AMF, AUSF, UDM, SMF and UPF are examples of 5G architecture core network functions
Figure 3: Management plane centric architectural model
Figure 4: Cloud native deployment centric architectural model
The user device centric architectural model is the simplest and is used in the classical way of analyzing the security of mobile networks. The user device is considered untrusted; the network is considered trusted as soon as it has been authenticated by the user device. Many of the early and fundamental security mechanisms use this trust model, for example, user device authentication or radio interface security. Usually, the user device centric view does not involve a human user, just the device that the user operates.
The network-centric architectural model became more important from 3G. In the network-centric model, the network is not automatically considered trusted, and, therefore, security mechanisms for network internal security need to be specified, such as cryptographic protocols for protection of network internal interfaces. All entities in the network-centric model are machines, no human user is involved.
The management plane and cloud native architectural model are important when analyzing how specifications relate to deployment and operation. The management plane centric model includes the network management into analysis, and the human user that operates the management plane. In the cloud native deployment centric model, the network entities are not only seen as conceptual entities, but the whole deployment with its underlying layers is included in the view.
When ZTA for 3GPP networks is discussed, it is crucial to be clear about the model used for the analysis. As we will see, early 3GPP security specifications are applicable in the user device centric model, later security specifications apply to the network centric model, and the most recent trend is to apply the management centric model as well.
Enablers for Zero Trust Architecture in 3GPP security specifications
ZTA enablers were introduced to 3GPP security specifications in stages, following the different generations of 3GPP networks. Many of the enablers were specified before the term Zero Trust Architecture was coined.
Figure 5: Examples of enablers for Zero Trust Architecture in 3GPP's 5G security specifications
The air interface between the UE (user equipment, that is, the user device) and the network has been encrypted since 2G (GSM), although in 2G only the device was authenticated to the network and the network could choose not to enable encryption. Since 3G, UE-network communication is mutually authenticated and the control plane communication over the air interface is integrity protected. Key separation between security domains (such as radio, serving and home network) was introduced in 4G. In the 5G timeframe, integrity protection of the user plane communication over the air was introduced.
Protection of network internal interfaces using IPsec was first specified in 3G. With 5G, additional protection of the core network control plane (5G Service-Based Architecture, SBA) was introduced: TLS between network functions, and OAuth 2.0 access tokens, issued by the NRF (Network Repository Function) acting as authorization server, which a producer network function verifies before serving a consumer's request. Another improvement in 5G was the support of DTLS for the protection of control plane interfaces of the radio network.
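To make the SBA authorization enabler concrete, the following is an added example, not code from the blog post or from any 3GPP specification: one function plays the NRF and signs an access token, the other plays a producer network function that refuses to serve a request until the token's signature, expiry, audience and scope have all been checked. The claim names (iss, sub, aud, exp, scope) are the standard JWT claims that 5G SBA tokens reuse; the NF identifiers, key and timestamps are constructed sample data, and HMAC-SHA256 stands in for whatever JWS algorithm an operator actually deploys.

```python
"""Minimal 5G SBA access-token issue/verify round trip (added example, not 3GPP code).

Assumptions: JWT with HS256 signature; shared key between NRF and producer NF
(constructed); NF instance names, NF types and service names are sample data.
"""
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(nrf_key: bytes, consumer_id: str, producer_type: str,
                scope: str, lifetime: int, now: int) -> str:
    """NRF role (OAuth 2.0 authorization server): sign a short-lived access token.

    aud is the NF type the consumer may call, scope the service it may use.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": "nrf-1", "sub": consumer_id, "aud": producer_type,
               "scope": scope, "exp": now + lifetime}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(nrf_key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(nrf_key: bytes, token: str, my_nf_type: str,
                 required_scope: str, now: int) -> tuple:
    """Producer NF role: never trust the caller, always verify the token.

    Returns (True, consumer_id) on success, otherwise (False, reason).
    Every check runs before any service logic; the TLS connection alone does
    not tell the producer what the consumer is authorized to do.
    """
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        signature = _b64url_decode(s64)
    except ValueError:  # covers base64, JSON and unpacking errors
        return False, "malformed token"
    # Reject algorithm confusion (e.g. "none") before touching the signature.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(nrf_key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    # Only now are the claims trustworthy enough to parse and enforce.
    try:
        claims = json.loads(_b64url_decode(p64))
    except ValueError:
        return False, "malformed token"
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return False, "expired"
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if my_nf_type not in aud:
        return False, "wrong audience"
    if required_scope not in claims.get("scope", "").split():
        return False, "insufficient scope"
    return True, claims.get("sub", "")


if __name__ == "__main__":
    # Constructed sample: an SMF asks to use the AMF's Namf_Communication service.
    KEY, NOW = b"constructed-shared-nrf-key", 1_700_000_000
    tok = issue_token(KEY, "nf-smf-01", "AMF", "namf-comm", 600, NOW)
    print(verify_token(KEY, tok, "AMF", "namf-comm", NOW + 10))
    print(verify_token(KEY, tok, "UDM", "namf-comm", NOW + 10))
```

The order of the checks is the point: the signature is verified before any claim is acted on, the expiry bounds how long a stolen token is useful, and audience plus scope ensure a token minted for one producer and one service cannot be replayed against another, which is the "limit lateral movement" tenet applied to the core network.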
3GPP SA3 also conducted studies specifically on Zero Trust Architecture. The first study, captured in 3GPP TR 33.894, performed an evaluation of the current security mechanisms with respect to the seven tenets of the Zero Trust Architecture, based on a network centric model. The follow up study, captured in TR 33.794, focused on security monitoring and policy enforcement, using a management plane centric model. Both studies focused on the 5G SBA.
Security in general and Zero Trust Architecture specifically are a journey. The next step in 3GPP's ZTA journey is continued work on security monitoring, and of course ZTA for 6G.
More about 3GPP security and ZTA
3GPP SA3 is the security working group in 3GPP, responsible for security and privacy of 3GPP technology such as 5G, 4G and IMS. 3GPP SA3's specifications are the foundation for authentication and secure communication between user devices and mobile networks, subscriber identifier privacy, and secure communication internal to mobile networks.
ZTA is described by NIST in the document SP 800-207, which also introduced the seven tenets of ZTA, for example, "all communication is secured regardless of network location." Another important document provided by the American Cybersecurity and Infrastructure Security Agency (CISA) is the ZTA maturity model (ZTMM), with its ZTMM Pillars (Identity, Devices, Networks, Applications & Workloads, Data) and ZTMM Stages (Traditional, Initial, Advanced, Optimal).
Take-home message
ZTA enablers were introduced to 3GPP security specifications in stages, following the different generations of 3GPP networks. Many enablers were specified before the term Zero Trust Architecture was coined. The latest enhancements, including improved protection of network internal interfaces, were done in 5G. We expect further enhancements for 6G.
The threat landscape for mobile networks currently shows a very high level of risk. Standardization, in 3GPP and other SDOs, and ZTA are tools for improving mobile network security.
Standardization is an enabler of ZTA in deployment and operations, the other pillars needed to achieve network security. The benefits of standardized solutions are interoperability and transparency.
Choosing the right architectural model, for example user device, network, management plane, cloud native deployment centric, is crucial for analyzing the security posture of a mobile network architecture.
Read more:
Read more about Network security standards.
Read more about Zero-Trust for Telecom.