The rise of diversified services, cloud architecture and massive Internet of Things
connections in 5G exposes new security concerns and challenges. This research
provides CSP product leaders with help to pick the right security strategy for their 5G
deployment and product design.
Overview
Key Findings
■ 5G infrastructure’s heterogeneity and complexity require security to be dealt with at multiple levels and
across domains in an integrated way, which today’s piecemeal approach is insufficient to support.
■ Introduction of real-time and ultrareliable low-latency communication (URLLC) vertical services, with
an elevated use of software-defined network (SDN)/network function virtualization (NFV)/cloud in 5G,
means a broader, more dynamic and multifaceted attack surface landscape.
■ The widespread need to access the network via smart devices, cloud services and edge computing
renders the perimeter security model insufficient.
Recommendations
For communications service providers (CSPs) building their 5G security strategy in the marketplace:
■ Shift the security mindset from “incident response” to “continuous response,” by implementing a
continuous adaptive security architecture.
■ Strengthen the 5G network security and identity and access management (IAM) by adopting a “zero
trust” concept. Additionally, budget and pilot microsegmentation and software-defined perimeter
projects.
Introduction
After years of anticipation, CSPs are now moving forward with 5G commercialization. As of mid-July
2019, there were 54 operators worldwide that had introduced 5G infrastructure into their networks
(source: Global mobile Suppliers Association [GSA]). In the meantime, expectations of 5G from various
industries are increasing, since 5G introduces enhanced bandwidth and ultrareliable low-latency
communication (URLLC), as well as supporting massive Internet of Things (IoT) connectivity.
Cellular-based technologies have always been standards based and treated as “secure by design.” From
a standards point of view, 5G provides enhanced security features compared to the previous generation
— like introducing unified authentication, a more flexible security policy for diverse use cases, secure
service-based architecture and slice isolation, for example.
However, the 5G system goes beyond networks. The challenging traits of 5G networks to support novel
and diverse business requirements for vertical sectors have rendered current network security
approaches and identity and access management (IAM) inadequate (see Figure 1).
With IoT and Industry 4.0, a plethora of new device types will connect and access the network, which
introduces new dimensions of attack vectors and vulnerabilities. In addition, 5G’s low latency and high
bandwidth capabilities could be used to increase the potential scale of the attack, such as distributed
denial of service (DDoS). Also, 5G leverages a set of new technologies including SDN/NFV/cloud and
multiaccess edge computing (MEC) to provide more abundant and flexible on-demand network services
through slice customization, in order to support diversified service requirements. These new technologies
and the multilayered architecture increase the attack surface and also challenge the traditional IAM system.
Addressing 5G security concerns will require a “defense-in-depth” proactive design, a new trust model
and also a continuous security approach. This research provides an overview of the key security
challenges in the 5G network from devices, services and a network architecture point of view. It also
presents solutions to these challenges and the future direction for security within the 5G environment.
Market Trend
As 5G moves from concept to reality, three key market forces have converged to drive the security
concern within the 5G era:
2. Diversified services
5G was designed to meet the unique requirements of the connected “everything,” which ranges from
wearables to smart cities. According to Gartner’s forecast, by 2023, the number of connected devices is
expected to reach 25 billion. This represents an enormous business opportunity for CSPs, and because
of 5G we can expect to see a much wider adoption of the IoT, but it also brings more
sophisticated security attacks.
The significant issue that 5G precipitates in massive IoT is the increased bandwidth (more poorly
designed devices on the network) and ultra-low latency (that can now communicate with each other). An
attack can simply spiral out of control. Massive IoT security can be divided into three main aspects in
5G, each with different implications for security:
1. Scale
2. Diversity
3. Criticality
With IoT and Industry 4.0 in mind, a plethora of new device types (see Figure 4) with less homogeneity
will be connected to the network together with a multitude of applications. Some devices are
resource-constrained and may not have been designed with effective security features. Some devices are
powerful and smart with the potential to be manipulated into triggering a more harmful attack. Existing
authentication mechanisms may be unsuitable, which is also due to heterogeneity among mobile
wireless devices and scalability issues. CSPs need to consider real-time device health attestation
combined with user authentication.
In addition, because devices, applications and architectures are developed and deployed by different
vendors, the absence of standards and a common architecture will increase security concerns. We can
envision an exponential increase of design flaws, from hardcoded credentials (where some devices have
a “master password” that anybody can exploit), to unpatched vulnerabilities (that allow skilled
attackers to control devices regardless of how they have been configured). Simply relying on a
variety of point solutions for security, each designed to solve a specific type of problem, proves
insufficient. A more holistic and integrated approach is necessary.
Furthermore, 5G enables more mission-critical use cases, such as connected cars, smart factories and
even healthcare devices/applications. The potential scale of impact for these new mission-critical
scenarios will be much greater, with the potential to offer much higher speeds and bandwidth, reduced
latency, increased connection density and greater accuracy in location sensing (see Table 1 and “Exploit
the Innovation Opportunities Enabled by Future 5G Wireless”).
Hence, various security elements are necessary for 5G massive IoT, especially when considering the
criticality and intricacies of specific business applications (for example, installing/upgrading network
devices, supervisory control and data acquisition [SCADA] systems, policies and so forth). A
classic DDoS attack example is illustrated in Figure 5.
SDN
“Softwarized” networks rely heavily on logically centralized control. This centralized control
architecture also introduces new vulnerabilities. For example, if malicious applications are granted
access from a compromised controller, havoc can spread across the network. In addition, the SDN controller
updates or modifies the flow rules in data forwarding elements. This control information can be easily
identified, making the controller a visible entity in the network and marking it as a favorite choice for DDoS attacks.
NFV
Operational interference and misuse of shared resources are considered as key infrastructure-level
threats. Due to the common accessibility of physical infrastructure resources, an attacker can interfere
with operations of the infrastructure by inserting malware or manipulating network traffic. In addition,
NFV itself is vulnerable to virtualization-related threats, such as side-channel attacks, flooding attacks,
hypervisor hijacking and malware injection.
On the side of MEC, the main security concerns are in the context of the cloud-enabled IoT environment,
as well as the open APIs. For example, if sensitive security assets are compromised at virtualized
functions on the edge, an attacker could maliciously reuse them to gain connectivity or carry out
spoofing, eavesdropping, or data manipulation attacks. These attack methods are not necessarily new.
However, since the MEC is still emerging, the potential and gravity of security issues are yet to be entirely
understood. Therefore, when selecting vendors and before rolling out commercial large-scale edge cloud
deployment, CSPs should ensure security solutions are flexible enough to meet a broad range of threat
vectors at the time of initial deployment.
Open Source
Increasing use of open-source software introduces a whole new set of security challenges. This is
especially true in terms of keeping a consistent and coherent approach to security-by-design, and the
prevention of deliberate security flaws.
Network Slice
A network slice is defined as an independent end-to-end logical network that runs on a shared physical
infrastructure, tailored to dedicated services based on their requirements. These logical network slices
allow CSPs to provide networks on an as-a-service basis to meet the wide range of 5G use cases.
Operationalizing network slicing itself will prove very complex due to the multidomain and multitenant
context. It will become more sophisticated by adding security requirements for each slice. In addition,
network slicing is still a new and emerging concept; it has not yet had wide commercial deployments,
which means there are a lot of potential security uncertainties in the future.
Several potential security implications related to network slicing are listed in the following sections.
Resources Sharing
Although a fundamental premise of network slicing is that the network is carved into discrete,
self-contained units, in many cases each slice must still leverage network-wide resources. When multiple
network slices are instantiated over a common hardware platform, slicing must isolate resources and
data on shared infrastructure. Isolation of slices from one another is an issue and the main security
concern involves bad actors gaining broader network access via a “lower” security slice.
Cross-Domain Security
The opportunity for a malicious attack to gain access to an array of other network resources through a
common entry point is limited in a traditional monolithic network architecture. However, network slicing
in 5G will be offered on an on-demand basis, which leverages SDN-based orchestration to set up, tear
down or alter slices. Therefore, a successful attack on a multidomain network orchestrator could provide an
entry point, which can lead to multiple network domains and/or slices.
■ A user's private information used in the network slice selection procedure may be intercepted or
eavesdropped.
■ Unauthorized users may connect as an insider to network slices they don’t have authorization for and
consume resources.
If there is no proper security mechanism for the authorization of network selection, this will expose the
network to different types of attacks (for example, impersonation and DDoS).
Technology Trends
5G security should go beyond network and standardization to consider its heterogeneity, diversity and
complexity as well. 5G security is a new and complex topic; it involves:
■ Standardization
■ End-to-end encryption
■ DDoS mitigation
■ Traffic segmentation
■ Endpoint protection
It is difficult to cover everything in one document. In this research, we will focus on the three pillars for an
effective 5G security strategy. (See Figure 6.)
CSPs today depend on several point solutions for security, with each designed to solve a specific
type of problem. In this piecemeal approach, multiple solutions are siloed and unintegrated, which
lengthens the time between attack detection and mitigation. In addition, the largely unintegrated layers of
protection prove difficult to manage.
5G’s multifaceted exploits mean managing 5G security is a balancing act between managing a wide
universe of devices and applications, requiring innovation and agility amid the ever-evolving landscape
of threats. Moreover, users’ security requirements can often change depending on the circumstances.
CSPs need a more comprehensive understanding of vulnerabilities and more wide-ranging protection
against a variety of threats.
Therefore, we recommend a defense-in-depth approach, which has the ability to connect all those
disparate silos and accelerate mitigation, built on analytics as the glue to integrate different
technologies, sharing the right intelligence with the right people at the right time. The end objective is a
security architecture that, with enhanced security orchestration, automates security, driven by
intelligence and analytics.
■ Monitoring the event from various security controls. Gain a holistic and centralized view of security
across the devices, IT, transport, radio and core network domain.
■ Orchestrating different security products to construct the context. Transforming previously siloed
information into a context-aware defense (including application awareness, identity awareness and
content awareness) with visibility and situational awareness. Reducing the time from detection to
protection.
■ Helping prioritize multiple concurrent items and incidents. Providing a consolidated and prioritized
view of overall threats, aiding security professionals in prioritizing risks and automating security
operations activities in the context of the attack surface and the business. Reducing labor and
mitigation costs, along with any confusion.
■ Increasing levels of security automation. The dynamicity in 5G networks (in terms of user mobility,
application use and data rate requirements, as well as variations in network conditions) requires
autonomous operations that improve performance of the 5G services provided to all users of 5G.
The complexity and scale of the 5G ecosystem, combined with a lack of skills and training in
software-centric security, make artificial intelligence (AI) a critical feature of 5G security. Machine learning (ML)
and AI enable CSP security teams to provide real-time response to threats across networks on a global
scale. For example, with the help of ML/AI, CSPs can identify unknown malware intruding into their networks
and analyze it based on hundreds of malicious behaviors to deliver automated protections.
Therefore, embedding AI into security operations is gaining momentum and CSPs must
invest in ML and AI capabilities for their 5G security. In the meantime, CSPs also need to be aware that
poorly defined AI systems and algorithms themselves could actually increase the potential attack
surface and expose further security vulnerabilities.
■ 5G business that creates an urgent need for speed and agility, including information security and risk
management.
■ The threat environment in 5G continues to adapt and evolve with new types of threats and attacks
against new kinds of IT and business architectures.
■ Relying only on prevent-and-detect perimeter defenses and rule-based security, such as antivirus and
firewalls. This becomes less effective as organizations increasingly use cloud-based systems and
open application programming interfaces (APIs) to create modern business ecosystems.
To securely enable 5G business, security and risk management leaders need to embrace a strategic
approach where security is adaptive, everywhere, constantly. The key capabilities for security and risk
management professionals over the next decade will be to continuously discover, assess and adapt to
continually changing risk and trust levels. We need security infrastructure and security decisions to
become persistent and adaptive — enabling real-time decisions that balance risk, trust and opportunity
at the speed of 5G business (refer to “Seven Imperatives to Adopt a CARTA Strategic Approach”).
Gartner calls this strategic approach “continuous adaptive risk and trust assessment” (CARTA); see
Figure 7 (also see “Use a CARTA Strategic Approach to Embrace Digital Business Opportunities in an Era
of Advanced Threats”).
In the context of 5G, adopting a CARTA-strategic approach means providing a foundation for security
and risk management leaders to:
■ Use more context, more visibility and more intelligence for continuous, adaptive risk-based decision
making, rather than the static, binary “allow or block” security decisions of the past.
■ Make continuous, adaptive and intelligent risk-optimized security control decisions for 5G services.
Proactively define acceptable levels of risk and trust when creating new business capabilities or
network slicing, and map this into adaptive security decisions when the business capability is made
operational.
■ Monitor in real time and continuously analyze endpoint behavior to identify bad actors’ access,
providing real-time threat indicators to potential insider threats.
■ Prioritize and filter — adaptive security allows IT teams to apply advanced analytics and machine
learning processes that can detect security breaches that would not be obvious by simply monitoring
■ Reduce the attack surface — adaptive security can shrink the size of the attack surface and limit the
amount of damage a threat can cause.
Build a New Trust Model and Identity Management Through Leveraging “Zero Trust” Approach
A conventional security model operates on the “castle-and-moat” concept, which means it is hard to
obtain access from outside the network but everything inside the network is trusted by default. The
challenge of this approach is in its design to protect the perimeter, since once an attacker gains access
to the network, they have free rein over everything.
In 5G, the widespread need to access the network via smart devices, cloud services and edge computing
renders the perimeter security model insufficient. Key challenges include:
■ Internal users will consume more applications and SaaS services delivered from outside.
■ Trying to restrict access to applications and services for mobile users based on Internet Protocol (IP)
addresses is futile.
■ With cloud-native architectures using virtual machines (VMs), containers and serverless functions (see
“Security Considerations and Best Practices for Securing Serverless PaaS”), IP addresses are
transient, often with address translation used. (Typically, this is often the case in modern hybrid data
centers and public cloud infrastructure as a service [IaaS].)
Given the increased attack sophistication and insider threats of 5G, a new trust model approach is
required. An effective measure will be the use of “Zero Trust” networks, which work on the principle of
“never trust, always verify and enforce least privilege.” [1]
Under the zero-trust concept, trust should be established through a contextual assessment of the user
and device, along with an assessment of the risk of the data, application or transaction being accessed.
For workloads and applications, trust should be based on a contextual assessment of the workload,
including the identity, the application/service running, the data being handled and any associated
tags/labels. These shifts and the need to reduce risk by reducing the surface area for attack have driven
the significant interest in two zero trust networking projects (refer to “Zero Trust Is an Initial Step on the
Roadmap to CARTA”).
Microsegmentation
Microsegmentation is the practice of dividing security perimeters into small zones to maintain separate
access for separate parts of the network. For example, a network with multiple slices living in a single
data center that utilizes microsegmentation may contain dozens of separate, secure zones. A person or
program with access to one of those zones will not be able to access any of the other zones without
separate authorization.
Advanced network microsegmentation solutions include dynamic segmentation and intelligent, intent-
based segmentation.
1. The first can dynamically and intelligently segment the network based on a variety of policies.
Segments can be zoned based on a physical location (such as a building or floor) or on dynamically
shifting applications or workflows, or they can even be restricted to a single device.
2. The second is able to understand business intent and then dynamically apply security protocols
(including segmentation and inspection) at machine speeds. It also allows the detection of and
response to threats occurring anywhere across the distributed environment, dynamically adapting the
policies governing a network segment.
In Gartner’s adaptive attack protection architecture used in CARTA research (see Figure 8), the red box in
the upper right corner indicates zero-trust networking in the form of microsegmentation projects.
In a world where anywhere, anytime access to applications and services from any device exists, CSPs
need to reconsider access strategy. The vision of software-defined perimeter is to design a network
where there is no “inside” or “outside” from the user’s perspective. In this model, the user doesn’t have to
work out the method of access based on the context of where they are, what time of day it is or what
type of device they are using. The network determines this for them.
In Gartner’s adaptive access protection architecture used in CARTA research (see Figure 9), the red box in
the upper right corner indicates the initial security posture of default deny. Users have no implicit access
until an assessment of the user’s credentials, device and context is completed.
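The default-deny posture, per-zone authorization and contextual trust assessment described in the zero-trust, microsegmentation and software-defined perimeter passages above, expressed as a policy decision function. This is an added example, not part of the original research; the signal names, weights, thresholds and zone names are assumptions made for illustration.

```python
from dataclasses import dataclass, replace

# Constructed policy: signal weights, thresholds and zone names are
# illustrative assumptions, not values from the research.
TRUST_WEIGHTS = {"mfa_passed": 40, "device_attested": 40, "known_location": 20}
REQUIRED_TRUST = {1: 40, 2: 60, 3: 100}   # resource risk level -> minimum trust


@dataclass(frozen=True)
class Subject:
    user: str
    mfa_passed: bool          # user authentication
    device_attested: bool     # device health attestation
    known_location: bool      # context of the request
    grants: frozenset = frozenset()   # zones explicitly authorized, one by one


@dataclass(frozen=True)
class Resource:
    name: str
    zone: str                 # microsegment, here one zone per network slice
    risk: int                 # 1 = low, 3 = high


def trust_score(subject: Subject) -> int:
    """Contextual trust of user and device on a 0..100 scale."""
    return sum(w for signal, w in TRUST_WEIGHTS.items() if getattr(subject, signal))


def decide(subject: Subject, resource: Resource) -> str:
    """Return 'allow', 'step_up' or 'deny' for one access request."""
    # Default deny: access to one zone implies nothing about any other zone.
    if resource.zone not in subject.grants:
        return "deny"
    required = REQUIRED_TRUST[resource.risk]
    score = trust_score(subject)
    if score >= required:
        return "allow"
    # Adaptive rather than binary: if completing MFA would close the gap,
    # ask for it instead of blocking outright.
    if not subject.mfa_passed and score + TRUST_WEIGHTS["mfa_passed"] >= required:
        return "step_up"
    return "deny"


def reassess(subject: Subject, resource: Resource, **changed_signals) -> str:
    """Re-run the decision mid-session after context signals change."""
    return decide(replace(subject, **changed_signals), resource)


if __name__ == "__main__":
    operator = Subject("operator", True, True, True, frozenset({"slice-iot"}))
    meters = Resource("meter-telemetry", "slice-iot", risk=3)
    robots = Resource("robot-control", "slice-urllc", risk=1)
    print(decide(operator, meters))                           # granted zone
    print(decide(operator, robots))                           # zone never granted
    print(reassess(operator, meters, device_attested=False))  # posture change
```

Calling `reassess` on every change of device posture or location is what turns the one-time admission check into the continuous assessment the CARTA passages describe.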
Vendors to Watch
As the 5G security market is emerging, it crosses hitherto separate markets and involves the
transformation of how capabilities are delivered, so it is not possible to compile a comprehensive list.
We recommend that attention be paid to these vendors in particular, due to their current involvement in
the CSP 4G and 5G domains — Allot, Cisco, Ericsson, F5 Networks, Fortinet, Huawei, Intel, Juniper
Networks, Nokia, Palo Alto Networks, VIAVI Solutions, Verizon (acquired PrecisionAccess from Vidder),
among others.
For vendors in security orchestration, automation and response solutions, please refer to “Market Guide
for Security Orchestration, Automation and Response Solutions.”
For vendors in zero-trust networks, please refer to “Market Guide for Zero Trust Network Access.”
4G fourth generation
5G fifth generation
AI artificial intelligence
CCTV closed-circuit TV
CP control plane
IP Internet Protocol
km² squared kilometers
MITM man-in-the-middle
ML machine learning
ms milliseconds
UE user endpoint
UP user plane
VM virtual machine
Evidence
[1] J. Kindervag, “A Wake-Up Call for Zero Trust: Interview With Tony Scott, Former Federal CIO,”
SecurityRoundtable.org, 11 April 2019.
© 2021 Gartner, Inc. and/or its affiliates. All rights reserved.