Zero trust (ZT) is a concept that no digital system or human user, whether external or internal, can be trusted, regardless of ownership and location. ZT architecture (ZTA) is a plan to implement ZT in a digital system or network of digital systems. ZTA is based upon two core principles:
- No digital system can be implicitly trusted based upon its ownership or location.
- Perimeter security alone is insufficient.
Each digital system, as an asset, must be secured as a micro-perimeter.
U.S. NIST guidance for a ZTA is general to digital systems. The NSA Enduring Security Framework (ESF) and CISA “Security Guidance for 5G Cloud Infrastructures” offer best practices to “bring a Zero Trust mindset into 5G cloud endpoints and growing multi-cloud environments” [2]. Relevant industry bodies for 5G, specifically 3GPP and O-RAN Alliance, are in the process of forming requirements that align with a ZTA. ATIS convened a study group to assess zero trust for 5G with the goals to form relevant requirements, identify potential gaps, and recommend areas for standardization.
The ATIS 5GZT study was informed by the work at NIST, CISA, and 3GPP and subject matter experts on zero trust from organizations that are stakeholders in 5G network security. There are 10 key findings of the ATIS study:
- ZTA is a plan based upon the concept of zero trust. It is important that 5G Systems (5GS), as critical infrastructure, strive toward the goal of a ZTA.
- There are multiple use cases for zero trust in 5G as the standards continue to evolve.
- Multiple U.S. federal agencies are addressing zero trust. The relevant agencies for 5G zero trust are WH ONCD, DoC NIST, DHS CISA, and the NSA ESF.
- Enduring Security Framework’s “Security Guidelines for 5G Cloud Infrastructures” provides a playbook for adapting NIST ZTA to 5G. The guidance in this document should be considered by 5G standards bodies.
- Each of the NIST seven tenets for ZT can be applied to a 5G ZTA. Different industry bodies may have the scope for any of the tenets. The seven tenets are relevant for the end-to-end 5GS, including RAN and Core. 3GPP should expand its consideration of ZTA beyond the 5G Core (5GC) and also encompass the 5G RAN and potentially the UE, for which ZTA is applicable.
- NIST’s ZT logical components include a Policy Decision Point (PDP) and Policy Enforcement Point (PEP) that can be mapped into existing 5G network functions (NFs) and implemented as logical functions within a network function acting as a micro-perimeter.
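The PDP/PEP split inside a single NF, as an added illustration that is not code from the ATIS study or any 3GPP specification: the PEP sits in the NF's request path, the PDP evaluates every request on identity, token validity, scope and policy, and the caller's network location is recorded for monitoring but deliberately never used as a trust input. NF names, scopes and the policy table are constructed for this example.

```python
# Added illustration (not from the ATIS study or 3GPP): a PDP/PEP pair hosted
# inside a 5G network function that acts as its own micro-perimeter.
# NF names, scopes and the policy table below are constructed for this example.
from dataclasses import dataclass


@dataclass
class ServiceRequest:
    caller_nf: str        # requesting NF type, e.g. "AMF" (constructed)
    caller_location: str  # "core" or "edge"; logged but never a trust input
    scopes: frozenset     # scopes carried by the caller's access token
    token_expiry: float   # epoch seconds at which the token stops being valid
    mtls_verified: bool   # did transport-layer mutual authentication succeed?
    service: str          # producer service being invoked


class PolicyDecisionPoint:
    """Evaluates every request against policy; no implicit trust by location."""

    def __init__(self, policy):
        # policy: service name -> set of NF types permitted to call it
        self.policy = policy

    def decide(self, req, now):
        if not req.mtls_verified:
            return False, "caller identity not authenticated"
        if req.token_expiry <= now:
            return False, "access token expired"
        if req.service not in req.scopes:
            return False, "token scope does not cover service"
        if req.caller_nf not in self.policy.get(req.service, set()):
            return False, f"{req.caller_nf} not authorised for {req.service}"
        return True, "allow"


class PolicyEnforcementPoint:
    """In the NF's request path: nothing reaches the service without a PDP decision."""

    def __init__(self, pdp):
        self.pdp = pdp
        self.audit = []  # per-request record feeding continuous monitoring

    def handle(self, req, now):
        allowed, reason = self.pdp.decide(req, now)
        self.audit.append((req.caller_nf, req.caller_location, req.service, allowed, reason))
        return allowed, reason


# Constructed policy: only the AMF may invoke the SMF's PDU-session service.
PEP = PolicyEnforcementPoint(PolicyDecisionPoint({"nsmf-pdusession": {"AMF"}}))
```

Because the decision depends only on verified identity, token state and policy, an identical request from the "core" and from the "edge" receives the same answer, which is the point of treating each NF as its own perimeter.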
- 5G, as specified by 3GPP, is the most secure generation of mobile technology to date. Many security features of 5G align with a ZTA. Mobile technologies are expected to continue evolving toward a ZTA, beginning with 6G.
- 5G ZTA is characterized by 12 Security Control Groups. This is an opportunity for further standardization. Areas for further study are Continuous Monitoring, Anomalous Behavior Detection, Policy Management, TDR/EDR, and Threat Intelligence.
- Cloud security best practices are evolving to support the security needs of 5G and other critical infrastructure.
- Enhanced security capabilities are needed to support security operations in the ZTA environment.