Transcript: The security challenges of cloud-native 5G


This automatically-generated transcript is taken from the ITPro Podcast episode 'The security challenges of cloud-native 5G'. We apologise for any errors.

Rory Bathgate

Hi, I'm Rory Bathgate.

Jane McCallion

And I'm Jane McCallion.

Rory

And you're listening to the IT Pro Podcast, where today we're discussing the challenges the telco industry faces through cloud adoption.

Jane

Communications service providers can harness a range of benefits by building out 5G networks using cloud-native elements such as microservices and containers. These include reducing capital expenditure, making networks more scalable and flexible, and improving network stability.

Rory

Moving mobile network services to the cloud, however, is not without its complications. Those with large legacy security plans, or with complex network layouts, could face the prospect of being exposed to vulnerabilities as part of their cloud migration.

Jane

Today, we're speaking to Bart Salaets, EMEA Field CTO at app and multi-cloud security company F5, to find out what firms can do to address these concerns. Bart, welcome to the show.

Bart Salaets

Thank you, lovely to be here.

Jane

So could I start off by asking what is cloud native 5G? What are we actually talking about here?

Bart

So what we're talking about when people talk about cloud-native, it's all about starting to adopt cloud-native technologies, which in most cases means we're gonna move to container technologies. If you look at the history the telco industry went through, most or all service providers built their core networks using dedicated appliances from let's say, the typical vendors in this industry. And every appliance was fine-tuned to the capabilities it needs to do, it was dedicated hardware, and there was no interchangeability between the different network functions. Then we had the wave of what is called NFV, network function virtualization, which was kind of the first step to start trying to standardize on common off-the-shelf hardware. Then using virtualized network functions, right? So you have off-the-shelf servers from companies like HPE, Dell, IBM, whatever. And then you start on top of a hypervisor, you start deploying virtual network functions to deliver, let's say, a completely virtual experience. The next step now is to move away from let's say, these virtual network functions, which were called VNFs when abbreviated, to CNF which is cloud-native network functions, which is now based on container technologies, in the hopes to make things even more efficient, because NFV hasn't been as successful as everybody wanted it to be. So the 5G architecture is really defined to be cloud-native, making use of microservices, making use of container technologies, and Kubernetes environments, similar to what the IT industry has adopted. So we go from physical to virtual, and now to containers, which is cloud-native. And 5G is really the driving force behind that evolution.

Rory

So what are some of the biggest concerns for a telco which is moving to a cloud-native model?

Bart

I think there's a lot of concerns. And they're not only just technical, they're also, let's say, organizational because if you look at the ultimate goal, what service providers want to achieve is they want to be able to run their network just like a cloud provider runs a cloud infrastructure. So being very agile, having everything on the same cloud platform, having all these tools to easily install new network functions where you need them when you need them. But if you really want to build such an infrastructure, you need to also completely rethink how you're organized. Because today, all these functions are delivered as vertical stacks, right? You have a vendor that provides an appliance with a function on top of it. And the people that are running these functions are responsible for the full stack from the power to the racking and stacking to the configuration through the operations, etc. If you move to this cloud-native model, you essentially need to have a platform team that runs an entire telco cloud platform, and then you have the functions making use of that platform. So organizationally, it's a big step. Second, skill-wise, it is a big step because this requires a completely new set of skills that telcos have to invest in because these are skills that they typically didn’t have. Running a cloud network is very different from running a traditional network. And then thirdly, to your point, is anything related to security, right? This type of cloud-based architecture, which is quite open, introduces a whole new set of security challenges that they haven't experienced before. So it's a very complex undertaking from many different angles.

Jane

So there's a lot of, I guess, downsides is one way of putting it, there are a lot of challenges to think about, as you've just outlined. What are some of the benefits in that case? Why would a telco wish to switch to cloud-native in the face of those challenges?

Bart

I think it's all about agility, right? I think telco networks have been fairly, I would say, static environments, with a lot of silos between, let's say, access, aggregation and transport and coordinate working. And it was very time-consuming to build new services for customers. I think when you look at the IT world, where they came from with, let's say, traditional apps, it took weeks or months to introduce new applications to the world. Now with cloud-native technologies, they brought that down to hours, and even minutes in some cases, bringing new applications and I think the telco industry wants to go the same way, they want to be much faster, bringing new digital services to customers. And for some of these new digital services, you also need to have a much more agile network to be able to cope with that. 5G provides things like network slicing, it provides a whole new suite of new use cases everybody talks about, self-driving cars and things like that which are popular topics. But even if you look at private 5G, there are a lot of new enterprise use cases that can be tapped into by telcos and they will need to be very agile to take on that market. So it's all about agility, and to a certain extent, also efficiency, right? Because if you can build your whole network on a limited number of hardware devices, that makes things way more efficient and cost-optimized as well. So those are the two things, in my opinion: it's the agility to bring new services to market, and second it's to bring more efficiencies into the operations.

Rory

I'm wondering how much of these benefits business customers of telcos will see. Will there be a change in capabilities or operations on a business level?

Bart

Yes, and that's another element that 5G actually introduces. I think in the past telcos built networks, and then enterprises were making requests for certain services and then the telco would build it for them. With 5G, you also have open APIs that allow business partners to interact directly with the network and the previous example of 5G network slicing is actually a good example of that. So the network becomes way more agile, and with these APIs you will have business partners that won't be able to configure certain elements of a network configuration. So that gives the business partners a more agile operational model. And it will give them also the capability to directly interact with the network and get the functionalities from the network that they actually want. So that is definitely something that is going to be something the industry has never done before. And I’m really looking forward to seeing how that further develops.

Jane

Is that something we're going to see soon or is this a bit the way that 5G itself and IoT were, say, five to seven years ago? Yeah, when they were the emerging technology that everybody wanted to talk about, but we couldn't find any real use cases yet because the standard didn't exist.

Bart

Yeah, I mean, the reason it all takes time is obviously first service providers are still building out their 5G networks, right? And there are different steps to take to get to a full-blown what is called the ‘5G standalone network’. And most service providers are still on that journey getting there. You really need to have that full-blown end-to-end 5G standalone network to start benefiting from these really advanced capabilities with the open APIs, etc. So that's the reason why it's taking a bit of time. We will probably see the first commercial use cases… Yeah, I can't really put a date on it because there are so many factors driving deployments, not least licensing spectrum, etc. But we're hoping to see some of those, at least from a trial perspective, during this next year.

Rory

I'm curious. Earlier, you mentioned there are some specific security concerns. To our earlier point, I was wondering if you could specify some of those and go into a bit more detail about why those arise as a result of this migration.

Bart

Yes, so security concerns, as I said, if you built a cloud platform and on top of this cloud platform, you're gonna deploy CNF, cloud-native network functions from different vendors, then obviously that cloud platform introduces a new set of security challenges that telcos were not exposed to before. Because in the past they were all closed systems from the different vendors, each providing their capabilities. And I mean, at F5 we obviously have our toes in both areas, we have a very big business in the IT world where we are protecting applications, IT workloads. Now we see the same types of technologies being adopted in the telco space. And here, it's about protecting CNFs or networking workloads, if you want to call them that way. So we kind of see a lot of similarities between them. Because at the end of the day, protecting workloads on top of a cloud platform, whether it's an IT application, or whether it's a cloud-native network function, intrinsically they bring the same types of security challenges. So one of these challenges is first in the area of protecting the infrastructure itself. So if you're running a cloud network, let's say in 5G, it's going to be a Kubernetes environment where you run containers and Kubernetes is your container orchestration platform. That by itself brings vulnerabilities because it's connected to the IP network, it's accessible to certain people, and you can have people coming into your Kubernetes environments, doing things they shouldn't be doing and therefore compromising these very critical networking functions that are living in that environment.
So in the IT industry, we have things like cloud workload protection platforms, which are really about monitoring that infrastructure, seeing that nothing is happening and obviously, there's a lot of telemetries and AI and machine learning to try to figure out is the behavior we see in this environment is that normal behavior or is there something going on that requires attention and so on. So, these types of technologies we see will become adopted in the telco world as well because they will need to protect these types of things. And these are things that at F5 we are looking at to see what is it that we have in the IoT space and what is it that we may have to adjust a little bit that may be specific for telco. Similarly, within these environments, you now have all these CNF functions communicating with each other. So, you need to provide, and they might not sit at the same location, right, you have CNFs in different locations that need to communicate with each other, so now, you need to securely interconnect these CNFs across this IP backbone. And if you look at the technologies in the IT world, you have things like, without wanting to go into too much detail here, you have things like Kubernetes ingress functions, you have things like service meshes in Kubernetes. Most of these functions are very much developed with an IT mindset. In this environment you have IT applications which are speaking HTTP as a protocol. Now, in 5G, with service-based architectures, they also defined most of the communication to be HTTP based, which is good because that means that we can leverage a lot of the things we have from the IT world into the telco world.
However, there are still some specific telco protocols that are there like SCTP as an example, and then at the higher level, you have Diameter, GTP. Some of these protocols will still be needed in this environment and the IT security functions, and the IT traffic management functions are not supporting some of these things. So what we at F5 did is we looked at “Okay, what is it that we need to augment in our IoT-based solutions to make them suitable for the telco solutions?” So, therefore, we see that for the Kubernetes ingress function, you need some telco-grade capabilities like supporting these protocols, providing some security functions for these protocols to get traffic into the cluster, and then for the CNF to CNF communication and secure communication, unique network visibility, etc, we have augmented the service mesh capabilities to make those telco-grade as well. So what we see is that we can leverage a lot of traffic management and security capabilities from the IT world in this new telco 5G service-based architecture. But there are some tweaks that have to be done to make it fully capable to deal with all the protocols and functions that you need in those environments.

Jane

It strikes me that there's an element of sort of one technology being imposed on another here, you're almost doing a square peg into a round hole type thing fitting together, what telcos are, what they need, and the cloud. I can see why that would present problems. Whenever you come across this there are always some kind of difficulties, vulnerabilities, whatever. Are we likely to see in the future, and it might be a bit early for this question, but some kind of a bit more of a converged evolution going on, where we get something that works together a bit more smoothly than what you're describing right now?

Bart

I think most service providers, including ourselves, are on this journey, right? There's a lot of learning to be done while going through that. And even if we look at what some of our customers are doing, not everybody is following the same approach. What I described is like the ultimate model where you build a telco cloud, and on top of this telco cloud you host all the CNFs from the typical industry vendors in this space, and they are all nicely cooperating with each other. It's a complex thing to do. Some service providers are taking a slightly different route, and that is often due to the fact that it's complex, they may not have all the skills in-house yet to run such a cloud platform. So we see this motion that they sometimes look at, “I'm not going to build this cloud platform independent from my vendors yet, but I'm going to purchase the whole stack from the vendor”. Like if I have a certain 5G function, I'm not going to decouple the hardware and let's say the container infrastructure from the function, I'm going to buy the entire stack from the vendor. So that is obviously a less risky approach, because now you can still just like buying an appliance, you put all the responsibility for the full stack to that single vendor that provides that. So it gets you the 5G functions, they are cloud-native because they run on Kubernetes. But they run on that vendor’s stack. And it will interconnect with stacks from other vendors, so it's less risky, you're a bit less exposed to some of these things. But on the downside of it, it doesn't really give you that full cloud behavior, right, you don't have that ability to start running this whole system as a cloud. But for many service providers, this is kind of a first step for getting into it. And while they do that, they need to build up the skills and ultimately get to the model.
I don't think anybody doubts that the ideal model is to run it as a full cloud, but it's all dependent on if you have the skills in-house. In some cases, there are country regulations also which prevent you from putting different CNFs from different vendors on the same platform due to local regulations. So there's a lot of moving parts. And it's a very valid question. So it's going to take a couple of years, definitely, before we get to the ultimate model, and the pace of getting there will be different for different service providers.

Jane

And thinking again about security I was just wondering, when it comes to the type of attack, I guess, the type of malicious actor that might be faced? Are we talking about the classic ‘man-in-the-middle data theft’ type thing? Or sort of trying to cause disruption? Or is there still a question mark over this? Or do we not want to give anybody any ideas?

Bart

So if you look at the security attacks that can happen to, let's say, telco networks in general, of course you have the attacks that telcos experience today. I mean, with 5G, and with cloud-native architecture, those don't change. I mean, you have attacks coming from the internet, but now it's with more and more people connecting IoT devices, cameras, and with IoT use cases that are introduced by the service providers themselves. They also are vulnerable to attacks coming from the inside of their networks with compromised IoT devices as an example. So they need to protect themselves now not only from the internet side but also from the user side because they do not control what users are connecting to the network. So that is the same, obviously with cloud-native. Yeah, as I said, you introduce new vulnerabilities by the openness of the architecture, by the fact that you would be running a cloud platform that can be compromised. And from that perspective, it's a bit similar to the evolution that we see in the IT world. In IT, we come from this perimeter-based security control, the approach to the zero trust model, right? It's not because you're in the network that you can be fully trusted. And I think telcos are going to adopt a similar type of approach, it is not because somebody is inside the network that they can be trusted to access just any function in that network. So that's why you need these security layers at the Kubernetes level to make sure that even employees cannot have access to things they shouldn't have access to, that they're not running things in these environments that shouldn't be running there. So that zero trust approach is going to be very important in telco networks as well, once you move to such an open architecture as the 5G network. What exactly those potential attacks could be? Yeah, I wish we could predict them all because then it would be easier to protect ourselves against.
But yeah, some of the things that we see in the enterprise world can probably be seen in telco worlds as well, because of the IT nature of this new way of building networks.

Jane

And I suppose, you know, it's very easy to fall into the trap of thinking of security as just being about malicious actors. But, you know, kind of doing something unintentionally, is equally possible and probably more likely.

Bart

Absolutely, I think a lot of research has evidence that misconfigurations can lead to lots of problems. Even in enterprise, you see that many attacks originated from people inside the organization. So you know, if you build a network with standalone discrete devices, where every device does a specific function and is managed by a particular team, in some ways it's easier to protect than if you built a much more open cloud infrastructure where many people are coming together, putting their stuff on it. So that presents a new set of challenges that will have to be taken into account. And 3GPP by itself defines a lot of security for the network functions themselves. And it's great, there's a lot of security baked into that. But it doesn't really define the infrastructure on top of which you're running your things. It doesn't really define how you should manage your Kubernetes security, etc. So there we can learn a lot from the IT world and bring those elements as I said earlier, things like cloud workload protection, that's not something that is defined by 3GPP. But there are things that we learned from the IT world that we can bring into the telco space, as well.

Jane

So you mentioned earlier that AI and automation are being used by telcos for security purposes. Can you go into some more detail about how telcos are deploying these across their networks for both security purposes and anything else they're up to as well?

Bart

I think there are different ways of using AI and ML in telco networks. One element is, let's say, vendors like F5 have sophisticated security solutions. Like the one I mentioned earlier, cloud workload protection is really monitoring activity at the Kubernetes layer, finding out what is happening, collecting a lot of telemetry, and then using machine learning AI techniques to identify malicious behavior and then taking action on it. So those are solutions provided by vendors such as F5 and other vendors, where the AI ML is not within the domain of the telco itself. It's in our domain. It's our way of enriching our security capabilities and making sure we are on top of let's say the increasing sophistication of the attacks. Cloud workload protection is one example of that, but also anything related to bot mitigation. Anti-fraud, which is a serious concern in telcos as well. That's where you use these techniques. Then there are of course, a lot of telcos that have their own AI and machine learning initiatives where they collect telemetry and data from the network from customer behavior to the extent of what they're capable of doing and capable of capturing because, with SSL encryption, there is obviously a lot of things that they cannot see anymore. And they obviously tried to also monetize all the knowledge that they have from the network, how it works to optimize the network, from customer behavior, because that may be interesting data that they could leverage to introduce new services. And they use AI and ML for those purposes. That is outside of our domain, that is within their own domain, but obviously, telcos have massive amounts of data around customer behavior, etc. That is interesting to market, right? I've seen examples where telcos are also offering APIs to business partners, where with these APIs they can get information, not about individual customers because obviously, GDPR laws would not allow them to do that.
But they can give aggregated data that gives businesses insights into some use cases, right? I've seen examples where telcos are, let's say, they know where people are based on their cell phones and they know more or less the types of profiles. So they know where, for instance, business people aggregate. That could be interesting data for anyone that wants to create a new coffee shop that is, let's say, catering to business people as an example. Right? So those are types of things that they can start leveraging. So AI and ML will obviously give a lot more new insights to them.

Jane

There's that fairly standard kind of behavioral monitoring, though, from both sides of that, whether that's from checking that, you know, I don't suddenly go from being in the home counties in England to suddenly making a purchase in Thailand. That kind of level of security but also, you know, “oh, did you know that every Wednesday she buys a sandwich from Co-op? Maybe we could deliver her a nice deal”. It's still that kind of fairly familiar standard-type stuff going on?

Bart

Yeah, exactly.

Jane

Well, unfortunately, that's all we have time for this week. But thank you once again to Bart Salaets from F5 for joining us.

Rory

As always, you can find links to all of the topics we've spoken about today in the show notes, and even more on our website at itpro.com.

Jane

You can also follow us on social media, as well as subscribe to our daily newsletter. Don't forget to subscribe to the ITPro Podcast wherever you find podcasts. And if you're enjoying the show, why not tell a friend or colleague about us? 

Jane

We'll be back next week with more from the world of IT, but until then, goodbye.

Rory

Goodbye.
