As 2020 ramps down and the world looks forward to a return to normalcy in 2021, communications service providers (CSPs) will undoubtedly aggressively focus on deploying, scaling and securing their 5G core (5GC) standalone (SA) footprint.

In order to understand the extensive scope of the security impacts of the introduction of the 5GC SA, Heavy Reading launched the "5G Core Security Market Leadership Study" (MLS) in 3Q20. The survey-based study developed with sponsors A10 Networks, Ericsson, Hewlett Packard Enterprise (HPE) and NetNumber attracted 115 global survey respondents and addressed a broad range of security topics encompassing security investment priorities and threat mitigation strategies.

Multiple standards

As documented in the previous three blogs on standalone security, effective 5G security strategies will hinge on the ability to seamlessly run security capabilities anywhere in the cloud. Ensuring the interworking of open interfaces as well as open platforms will be critical. In response, standards bodies such as the Third Generation Partnership Project (3GPP) and GSM Association (GSMA) have been very active over the past five years in creating the numerous security-focused specifications necessary to provide the foundational base to support interworking.

In order to assess 5G standards readiness, the survey respondents were asked to provide input on the implementation status of the key security specifications listed in the figure below. The input provides several valuable insights.

The first is that only a small percentage (11% to 16%) of respondents are relying on vendor compliance to drive their 5G security implementation strategy. Heavy Reading considers this finding a positive trend since it confirms each CSP has their own distinct 5G security standards-based strategy.

Additionally, the two largest groups of data inputs confirm that CSPs are implementing most or all of the applicable specifications (21% to 38%) or some of the specifications (32% to 41%) before commercial launch. Realistically, these implementations will enable CSPs to secure all corners of the 5G cloud.

The third observation is that all the specifications listed are important. While 3GPP TS 33.511 had the greatest level of commitment to implementing before commercial launch (38% + 33%), the support for all nine specifications in the list is strong enough to confirm each one is relevant on some level for ensuring the security of 5G networks.

Overall, these data points validate that CSPs are committed to adopting a broad range of security specifications, which can only be interpreted as a positive turn in their push to deploy open and interoperable networks.

Implementing 5G security specifications

Figure 1: Question: When do you plan to implement the following 5G security specifications? (n=105-108)
(Source: Heavy Reading)

Single key management solution

Operating secure connections between the 5GC SA networks of collaborative CSPs requires authentication, integrity protection and encryption — and thus a trustable key management infrastructure. Sometimes this extra dimension is initially overlooked and must be implemented at the last minute with unforeseen costs. Deployment of a single key management solution for the inter-network services for 5G will simplify this extra dimension to limit complexity and recurring costs.

While a number of important standards will play a role in 5G security, CSPs will continue to harmonize certain security capabilities within these specifications to simplify overall security enforcement. One capability that meets this criterion is key management.

Key management is a fundamental consideration because it enables CSPs to exchange key material to validate users and secure services. The value of the ability to centralize and centrally control account, key and certificate management was reinforced several times in the survey, including in the question below.

This question was designed to assess the value of supporting a single key management solution for future security initiatives focused on the control plane (N32 operator-to-operator security) and user plane (N9 operator-to-operator security), inter-carrier fraud or even ID spoofing (STIR/SHAKEN). Based on the range of "yes – single key management is vital" responses (64-81%) shown in the figure below, there is little doubt that a single key approach is viewed as highly desirable in numerous scenarios. The greatest perceived value is for 4G and 5G inter-public land mobile network (PLMN) signaling security solutions (81%), which reinforces that 5G key management is not only 5G network-specific, but must also address interoperability with previous generation mobile networks.

Figure 2: Question: Should there be a single key management solution for all future initiatives that require service providers and carriers to exchange key material in the following scenarios? (n=104-109)
(Source: Heavy Reading)

Looking for additional information?

Plan to watch this archived version of a recent webinar where we presented more of the research data from this study. You can register here.

Download the accompanying white paper here.

— Jim Hodges, Chief Analyst, Cloud and Security, Heavy Reading

This blog is sponsored by NetNumber Inc.