The 5G era will usher in a transformed network with a new set of security and privacy requirements. We discuss this evolving threat landscape with 5G MENA speaker, Sayed Wajahat Ali, who outlines the implications of this shift, the importance of a coordinated approach across the ecosystem, and the role of the consumer in driving forward change.
Sayed Wajahat Ali is head of telecoms and IT audit at du, where he is responsible for providing technical assurance across the entire IT Applications and Infrastructure, Network Infrastructure and Platforms, and Information Security across all infrastructure. His team focus on providing senior management assurance over the technical and process controls built across applications and infrastructure, and ensure the principles of confidentiality, availability, and integrity of information.
Re-engineering the concept of network security
With the advent of 5G and the idea of convergence, Sayed suggests that the concept of security will have to be re-engineered. Unlike the previous telecom technologies, 5G will have a vast array of applications connected to the network through the Internet of Things (IoT) and associated industries, which will result in a new threat environment. The security requirements for each of these services could vary greatly. Sayed argues, therefore, that "the concepts and controls that are associated with securing such a converged network will evolve".
This is compared to the black box security model currently deployed across various components within the network. “Traditional thinking when it comes to security has always been a dedicated network which has enough firewalls and filters at the end points to protect it from intrusion, and typical access based controls at an application layer. Most of the current security tools and mindset operate with this approach”, says Sayed.
With IoT the ecosystem is turned upside down
“With IoT the picture changes”, says Sayed. “By concept, you have multiple networks, varying vendors, across heterogeneous industries using various levels of hardware and software infrastructure with different security maturity levels connecting across a unified network. You no longer have an isolated banking infrastructure, separate online payment system and Telecoms Infrastructure, or separate electronic utility system. In fact, what you will have is all of these things connected together over one network, creating an end-to-end ecosystem”, say Sayed.
Across the IoT environment systems by design operate with the concept of sharing data, and so Sayed argues that attention will have to be paid to the principle of data security. With the idea of data monetisation more and more players will actively be involved in trying to access this data to profile customers and provide more business intelligence about the individual.
“The very idea of IoT is that data has to be shared, it has to flow; people have to be able to translate, convert and enhance that data for further use whether for operational connectivity or - by default - to use for further data monetising. So our entire security thinking has to change. We have to make people realise that traditional security practices are not going to work, and you have to start fundamentally by altering our framework and approach in an interconnected world”, argues Sayed.
Who or what will drive renewed thinking on security and privacy?
Regulatory and standards bodies certainly have an important role to play, argues Sayed. “I think bodies should play a significant role. The key momentum isn’t there yet, but it will come. We see regulators and standards bodies like NIST and eTOM making steady gains on this which will continue to be an enabler for the industry. At the moment security is conducted in a box within your company. It’s protected. It’s me protecting my interests in my domain. It’s vertical security and not threat modeling across the network which is the need for the hour. With IoT, unless you have a coordinated integration for upstream and downstream systems, the model does not work. Network operators will need to get out of this methodology of vertical security fixes”, says Sayed.
But Sayed also argues that a more intelligent consumer, whose eyes have been opened by recent privacy scandals including Edward Snowden and WikiLeaks, means we are in a different era. “Consumers are more demanding than ever. They want data protection, security, and privacy to be built into their consumer rights” argues Sayed.
According to Sayed, customers will “vote with their feet” by leaving services should they feel their rights are not being protected adequately. Therefore, built-in security measures and more coordinated security will need to be integrated into 5G technologies in order to drive consumer confidence. “Traditionally we have seen traction when the customer wants and understands what it is that they want”, says Sayed.
Securing a virtualised network
5G will also usher in a move from hardware to software combinations including SDN and NFV, and this virtualised network will create a whole host of new security challenges.
“Previously you could have a big firewall around your hardware. You could have application security controls that would limit your interactions with other systems. But now software will define the behavior of the network. 5G is an enabler of this concept. You have a very clear interconnected environment, which changes and alters as per demand – demand which will be automatically managed in the 5G world. We have to ensure that whilst this new era brings in a fresh approach to handling customer demands, the vulnerabilities this will bring need to be identified and mitigated on a real-time basis. We have to move away from what I like to call the slow and steady “Patching Approach” to newer alternatives”, says Sayed.
The fundamental importance of security and privacy thinking within 5G & IoT is something that Sayed wants to stress at 5G MENA, where he will be speaking further on the topic of security in the 5G era.
“We are all talking about this brave new world, with new ideas, concepts, and convergence. What I’m interested in is the practical implications, the methodologies, and the tools that vendors are bringing to the table that are realistic and will work. My interest is to see what is happening on the ground, not just in theory. I’m interested in seeing what’s happening outside my company – so in the vendor space how are they evolving and how are they coming together to manage this perfect storm of the future”, says Sayed.
Hear more from Sayed at 5G MENA, 30 April - 2 May in Dubai.