Zero Trust Architecture for advancing mobile network security operations

Perimeter security alone is no longer sufficient for securing critical infrastructure due to evolving threats, including advanced persistent threats (APTs) from sophisticated adversaries. Once inside the network, the adversary could exploit vulnerabilities to move laterally undetected and perform reconnaissance or disrupt the network, if a monitoring system were not in place. The best way to prepare for evolving threats is to have a system aligned with a zero trust architecture (ZTA) that secures micro-perimeters across the entire mobile network and provides the ability to identify, protect, detect, respond, and recover from evolving attacks. Industry standards define technical capabilities that support a ZTA, but these capabilities need to be complemented with automated security operations to continuously achieve the desired security posture. This whitepaper describes a security management function that automates and orchestrates network security operations to help mobile network operators (MNOs) achieve a ZTA aligned with the US National Institute of Standards and Technology (NIST) Zero Trust Architecture¹ and US Cybersecurity and Infrastructure Security Agency (CISA) Zero Trust Maturity Model (ZTMM). It also provides guidance for MNOs to implement the cross-cutting functions highlighted in the CISA ZTMM: visibility and analytics, automation and orchestration, and governance. The approach outlined is applicable to all MNOs that are integrating ZTA cyber hygiene capabilities and practices, particularly in the context of compliance with the NIS 2 directive in the European Union (EU), reference². We delineate the relevance of ZTA in the context of mobile networks; emphasize the criticality of 3GPP security functions, and highlight the necessity for a dedicated security management function in the implementation of ZTA within mobile networks. Lastly, the whitepaper also offers a comprehensive guidance, presenting a systematic approach that progresses from existing operational conditions to an ideal state that harnesses the power of AI for network-wide visibility and rapid response capabilities.

In recent years, a comprehensive transformation in computing infrastructure, threat landscape, and cybersecurity regulations have reshaped telecom networks. Regulators have heightened their focus on cybersecurity, particularly for critical infrastructure, where telecom networks play a vital role. To enhance cyber resiliency, regulatory bodies around the globe now advocate for ZTA to complement traditional perimeter-based defenses. ZTA was introduced and defined in the US NIST 800-207 Zero Trust Architecture¹ and its implementation is guided by CISA ZTMM³. ZTA operates on the principle of continuous verification and monitoring, assuming external and internal threats exist to the network. Its significance is further highlighted as it emerges in regulations, such as NIS2².

For the telecom industry, security has been a top priority in the development of 3rd Generation Partnership Project (3GPP) 5G specifications from the start. Recently, the need for ZTA in telecom networks has been recognized in the 3GPP examination of zero trust principles in mobile networks⁴, Alliance for Telecommunications Industry Solutions (ATIS) Enhanced Zero Trust and 5G paper⁵, and US DHS CISA, Security Guidance for 5G Cloud Infrastructures⁶.

Threats are constantly evolving and now leveraging artificial intelligence (AI) to conduct more sophisticated attacks. MNOs and governments are motivated to achieve a ZTA in critical infrastructure, including mobile networks. This, however, is not achieved through applying industry standards alone. While 3GPP standards provide foundational capabilities for zero trust in network functions (NFs) and interfaces, operational security is typically not in the scope of standardization. Correct implementation and configuration tailored to match each MNO’s network context, are crucial at network deployment and during network operations. Ericsson products provide necessary capabilities to deploy a ZTA and are on the ZTA journey along with MNOs and industry bodies, including O-RAN Alliance, 3GPP, and ATIS. Achieving a ZTA that complies with all the NIST seven tenets of zero trust and CISA ZTMM requires a high level of automation and visibility in mobile network security operations. Ericsson also provides a security management solution to help automate and orchestrate security operations toward achieving a ZTA that protects mobile networks from external and internal threats.

This whitepaper provides guidance for MNOs to implement key ZTA functions highlighted in the CISA ZTMM³: visibility and analytics, automation and orchestration, and governance - across the entire mobile network in operations. This whitepaper concludes that a tailored security operation and management approach designed for the telecom sector is required to address the complex nature of telco. Such a security management approach enforces continuous micro-perimeter protection of all network assets and diverse infrastructure, covering security posture management, threat detection, and anomaly detection with telco-specific threat intelligence, vulnerability management, and enhanced visibility through integration with the MNO’s existing security processes and systems such as SOAR and SIEM.

MNOs need to implement effective cybersecurity and resiliency practices for zero trust to be effective. When complemented with existing risk-based cybersecurity policies and guidance, ZTA can strengthen the mobile network’s security posture.

A good starting point for an MNO to implement ZTA is by referring to the seven tenets published by NIST and as shown in Figure 1.

Figure 1: NIST’s seven tenets of zero trust¹

NIST’s seven tenets of zero trust can be summarized for mobile networks with the following four principles of ZTA

• Network functions and architectural elements are resources secured as micro-perimeters.
• Trust is not assumed for any subject, whether human user or network asset, attempting to access a resource. Authentication and authorization are enforced on a per-session basis for external and internal subjects.
• Confidentiality and Integrity protection is provided for data in transit on external and internal interfaces, data at rest, and data in use.

• Continuous monitoring, logging, and alerting are implemented to detect security events and enforce dynamic security policies.

Achieving a ZTA is an incremental process and should be viewed as a journey implemented in stages. CISA ZTMM³ is published to complement ZTA by offering a roadmap for organizations to assess their current maturity level and provide guidance on steps to incrementally progress to higher maturity stages: Traditional, Initial, Advanced, and Optimal. These stages, as shown in Figure 2, are achieved for each of the five pillars – Identity, device, networks, applications and workloads, and data – and three cross-cutting functions – Visibility and analytics, automation and orchestration, and governance. These cross-cutting functions align with NIST tenets 4, 5, and 7 mentioned above.

In the landscape of mobile networks, ensuring a robust implementation of ZTA relies on effective security management to support secure deployment and operations. Building upon the challenges laid out in the previous chapter, this chapter illustrates the ideal controls required in a security management function. Furthermore, it provides insights into how an MNO can evaluate and enhance their current security management functions and governance to achieve ZTA maturity within their mobile network operation.

Security Controls for ZTA

Security management supports NIST’s Cybersecurity Framework (CSF) with the Govern, Identify, Protect, Detect, Respond, and Recover functions. These six functions can be achieved by adopting the 12 ZTA critical control groups identified by ATIS in⁵ and shown in Figure 5. These controls can be implemented through a combination of mobile industry standards and tailored operational security measures.

Figure 5: ZTA critical control groups⁵

The security management function enforces the security controls implemented across all mobile network domains (for example, RAN, Core, OSS, BSS, cloud infrastructure, and transport) to be in place and ties them into security operations workflows. The security management function also has its own security functions, such as posture management, continuous monitoring utilizing threat intelligence and AI/ML, and certificate automation and PKI.

Security management automates the process of onboarding network assets to the monitoring platform, orchestrates the protect and detect activities by including threat indicators based on multiple sources (for example, logs, cloud-native events, vulnerabilities, configuration status, and so on), and provides enriching context information to assist human and automated responses. MNOs can achieve round-the-clock visibility into the network security posture. This involves gathering and analyzing network-wide configuration status, logs, and events horizontally, while also comprehensively covering the entire MNO technology stack vertically. This approach supports the governance and monitoring objectives of ZTA.

Implementing ZTMM in mobile networks

The cross-cutting functions of the CISA Zero Trust Maturity Model (ZTMM) – Visibility and Analytics, Automation and Orchestration, and Governance – hold relevance for the telecommunications industry, especially concerning security management functions. The security management platform should meet the NIST tenets and CISA cross-cutting functions for the network to achieve a ZTA.

Implementing ZTA is a journey that runs through the stages of ‘Traditional,’ ‘Initial,’ ‘Advanced,’ and ‘Optimal’. It evolves from static policies and manual controls with limited visibility to dynamic policies with automated controls that leverage AI and continuous monitoring to gain network-wide visibility and faster response. Table 1 provides CISA ZTMM definitions for these three cross-cutting functions, with recommended tailoring for mobile networks.

Regular text = adopted from ZTMM

Bold text = addition of cross-cutting functions for mobile network context

Bold underlined = highlight of end-to-end security management and automation required in ZTMM

Table 1. Cross-cutting ZTA maturity for the mobile network (adapted from ZTMM³)

The Traditional stage is the perimeter-based security and the Initial stage is the first step on the ZTA journey. The following points provide recommendations to step through the stages of the ZTMM:

• To reach the Initial stage – Conduct a comprehensive risk assessment and define a targeted security posture accordingly. Implement continuous monitoring to compare the current security posture with the intended Emphasize the automation of log collection and analysis for NFs and the underlying cloud infrastructure.
• To reach the Advanced stage – Automate asset discovery for NFs, for example in the 5G Core and Radio Access Network (RAN). Enhance threat detection capabilities by deploying comprehensive methods, encompassing both agent-based and log-based detection, ensuring complete Implement mechanisms to identify rogue assets within the network that could potentially impact service availability. For effective network function identity management, establish a system that oversees the distribution, enrollment, and enforcement of public key infrastructure (PKI) certificates, while facilitating secure communication between NFs.

• To reach the Optimal stage – Establish comprehensive centralized security visibility and control across all telco nodes. Implement dynamic monitoring, enforcement, and policy updates with the help of AI/ML in response to threats or regulatory changes.

Security management should facilitate the MNO's progression through this maturity journey, adapting to evolving technology and shifts in the threat landscape. For instance, while a patch for a vulnerability might require time to be disseminated across all software, the security management tool can promptly adjust and enforce the acceptable baseline security configuration to mitigate the potential risk posed by the potentially unpatched vulnerability.

Regulators, MNOs, NF vendors, and industry standards bodies are pursuing a ZTA for mobile networks, which are considered critical infrastructure by many governments since they serve as the backbone of other digital services. NIST SP 800-207 and CISA ZTMM offer guidance that goes beyond the conventional focus on perimeter-based defense to achieve a ZTA with micro-perimeters that protect against emerging external and internal threats.

The CISA ZTMM cross-functional capabilities - visibility and analytics, automation and orchestration, and governance - are vital for achieving higher maturity in ZTA. These cross-functional capabilities and operational security are not covered in mobile industry standards but can be gained by deploying a dedicated security management tool or capability. This whitepaper provided guidance to implement security management to achieve a ZTA tailored to the unique context of mobile networks.

To successfully achieve ZTA in mobile networks, all industry stakeholders should collaborate on cybersecurity implementation, with consideration of network performance and availability. In North America, ATIS has embraced ZTA for mobile networks by consolidating 12 security controls and providing a set of recommendations for the industry to achieve a ZTA in 5G networks⁵.

Ericsson Security Manager is built as a security management function to meet this challenge, automating continuous enforcement of micro-perimeter protection from network deployment to operations and, thereby, facilitating the realization of a robust ZTA framework in mobile networks. Ericsson enables MNOs to achieve ZTA through three axes:

• securing products through the SRM,
• implementing security measures throughout delivery and deployment, and
• simplifying network security operations using the ESM, the single management point from which to implement, monitor, and report on ZTA across the end-to-end 5G

Implementing ZTA in mobile networks requires cybersecurity knowledge and deep domain expertise to meet regulatory guidance. With Ericsson’s robust product development and deployment practices, alongside utilizing tools like ESM as a telco zero trust keystone, MNOs can attain both cyber resilience and regulatory compliance within a ZTA.