Q&A: How to juggle the benefits and pitfalls of 5G security
We speak to Didier Wylomanski, Business Development Director for EMEA and 5G expert at Thales, about the opportunities and risks of 5G.
5G offers a whole host of opportunities but also poses a significant risk to security. Here’s how to stay safe. In this post we speak to Didier Wylomanski, Business Development Director for EMEA and 5G expert at Thales, about the opportunities and risks of 5G.
Q: What is the potential of 5G?
"Unlike 4G, which is largely a one-size-fits-all service, 5G will offer organisations unprecedented opportunity, flexibility, and choice. It will radically enhance the way enterprises use networking tools to capture and store data, but also increase the extent to which businesses can glean insights from data in order to drive their digital operations.
Importantly, 5G will enable IoT devices to generate and exchange a wide variety of both high and low value data at much greater scales and lower price points than 4G. The technology will also be able to drive ultra-low latency down to a few milliseconds and take advantage of edge computing to allow new use cases. Network slicing, not seen on such a scale before, will allow enterprises and service providers to operate off their own tailored 5G services, geared up to their specific requirements."
Q: So, what’s the risk?
"While the potential of 5G is significant, 5G also poses new risks to the security of enterprise data that organisations need to be prepared for. It is so important that we all think of breaches as a case of ‘when’ not ‘if’.
In terms of what this risk looks like, it is worth signposting that 5G is the first cellular generation to launch in the era of global cybercrime, which is often heavily funded by organised crime and nation states. The software and technology that has driven the digital economy over the last decade is the exact same tech that is being weaponised to steal, expose, compromise, or block access to data. If 5G is not built and used with robust protections in all use-cases, there is a risk that trust in the 5G ecosystem could be undermined. Businesses who want to benefit from the competitive advantage 5G promises, could find their data, operations, and reputation at risk.
SIGN UP FOR E-MAIL NEWSLETTERS
Get up to speed with 5G, and discover the latest deals, news, and insight!
Risks might come from many other angles, like from the criticality of data circulating in the mission-critical use cases that 5G will enable, the complexity of the 5G infrastructure – given that5G is the meeting point of the mobile communication technology evolution and the latest cloud-based virtualized IT technology evolution -, the spread-over architecture of data centres serving 5G use cases, from core to edge computing sites and up to the cloud, and finally the need for both connectivity providers and enterprises to comply with highly security demanding regulations and laws.
With 4G and other previous cellular generations, the most pressing risk to data, whether it be consumer or enterprise-owned, was that communications can be intercepted, and unauthorised actors can succeed in accessing network services. 5G has propelled the cellular industry forward on this front, ensuring end device authentication and encryption of sensitive subscriber permanent identification across the network are now staple parts of the approach to cellular security.
However, promises of 5G opportunity must be shared in tandem with guidance around the risks businesses may face when incorporating this technology into their operations. Companies will certainly look to the 5G ecosystem of providers to not only provide the connectivity, but also the associated security perspective. Nevertheless, ultimately, it’s their data and companies have to understand that this is their responsibility to protect it, just like companies have now understood the shared security responsibility model that applies to data in the cloud. Control and supervision of its security strategy applied to 5G is so a must for any company deploying 5G services."
Q: You mention that 5G has changed the game when it comes to how we should approach cyber-security. In what way?
"5G has forever changed how we think about cybersecurity but while the risks may be greater, there are still some important steps businesses should follow to ensure they have their best defence up against a potential cyberthreat.
Take the example of slicing services that Mobile Network Operators will be able to offer to their enterprise customers. There is no more possibility for Operators to commit on the physical isolation of each slice as with 5G, all core functions are now virtualized and based on so-called VNF (Virtualized Network Functions), deployed and instantiated as pure software running in Virtual Machines (VMs) or Containers. If such VNF’s and their associated data are left unprotected, this poses a risk of cross-contamination of malware and/or unauthorized access to data. For companies willing to benefit from what slicing offers, a true demonstration of the associated security and isolation of the tailored services, will be mandatory.
Similarly, for the 5G Multi-Access Edge Computing that will serve ultra-low latency use cases. The applications hosted at the edge of the network, deployed as small remote sites, will benefit from fewer physical protections than you would see in a centralised data centre. Companies will also face an increased attack surface. While MEC’s will help conserve costs and enhance performance, it is vital that any locally stored data is physically and logically securely stored, whilst being encrypted in such a way that can cope with the ultra-low latency requirements of the target use case.
Ultimately companies who wish to benefit from 5G service via the deployment of their own Private Mobile Network, which is a highly expected deployment model of 5G, will need to act as their own managed security services provider. This means they must deploy a security strategy which is under their full control just like they would have done for any their traditional IT systems. In practice, this includes ensuring the privacy of their communications, the internal access control to applications and data, and their protection of data at rest and in motion.
What are the key takeaways for businesses and IT professionals looking to start using 5G?
"5G will be secure –or will simply not be. Thus building a 5G world we can all trust is a must.
The most important thing for businesses and IT professionals to know is that parts of our current understanding of data security needs to adapt to meet the demands of 5G technology. 5G will expand the attack surface area, with data being located anywhere between a few metres from its origin, or miles away in the cloud.
Advanced security controls, such as encryption applied to data at rest or in transit, will also need to be applied to the 5G selected service deployment, everywhere through the network – from the radio access network to edge computing sites, to the core and up to the cloud.
Encrypting data is an important first step, but not the only one. It is the equivalent of locking the front door and putting the keys under the mat. Businesses must ensure they keep control and fully secure the entire life cycle of their encryption keys, establishing a truly mastered security strategy over their 5G services.
While such security strategy will be vital for the protection of the 5G service itself, companies must not forget to act on the protection at their application layer in the case of IoT services, implementing end-to-end protection from the device to the application thru mutual authentication and encryption of the exchange data."
Didier Wylomanski is Business Development Director for EMEA and 5G expert at Thales. With over 25 years’ experience at Thales and Gemalto, Wylomanski is a veteran of the security industry. He has held various management positions in the mobile communications, IoT and cybersecurity business. He holds an Engineering Degree from the Ecole Nationale Supérieure de Physique in Strasbourg, France, with a Master’s Degree in Advanced Automation.