Securing the RAN is paramount to protecting customer information and upholding national critical communication infrastructure availability.
In an Open RAN network, vulnerabilities and the exploits that follow from them can arise from many sources: weak authentication and authorization mechanisms that let an attacker gain access to the network infrastructure and compromise O-RAN components; insecure APIs that expose services to external clients; an insufficiently hardened cloud platform; insecure container images; sensitive data that is not stored securely; too little segmentation in the network; and insufficient runtime security measures to detect and mitigate live attacks on the network.
Security principles as the foundation for Open RAN security
The impact of threats can be minimized when a network is built based on well-established security principles. We define a consolidated set of security principles that form the basis for the Rakuten Symphony secure Open RAN architecture. These include:
- Trust no one – Implement the “Trust no one, always verify” paradigm: always authenticate an entity before establishing trust.
- Assign the least privilege possible – Follow the Principle of Least Privilege (PoLP) to ensure that the user or service has the least privilege required to perform their assigned operation.
- Separate responsibilities – Implement domain separation or security zones to group systems and resources with similar needs for information protection, access controls, and other security requirements.
- Protect against lateral movement in cloud infrastructures – Use security controls to detect and prevent lateral movement when attackers have successfully exploited a vulnerability to gain initial access into a container.
- Always secure critical data – Ensure protection of data-at-rest, data-in-transit, and data-in-use according to industry best practices.
- Secure by default cloud infrastructure and container workloads – The O-RAN system should be bootstrapped to be secure by default; any weakening of that posture should be an explicit action by the user, and only where the user is allowed to take it.
- Keep an eye on open-source software – Apply industry best security practices, such as maintaining a software bill of materials (SBOM), when using open-source components to minimize risk.
Six pillars that build security into Open RAN networks
When building a mobile network according to 3GPP and O-RAN Alliance specifications alone, some security-relevant areas remain unspecified. Mobile network vendors and operators therefore need to apply additional security controls to reach an appropriate level of resilience against attack.
Rakuten Symphony proposes a multi-pronged approach that defines a baseline set of security controls for securing an Open RAN network. These include:
- Zero-trust-based network access: Provide non-VPN based access to authenticate and authorize all access to the network. The access request may be for an application, a network device, or any underlying infrastructure, including cloud-native platforms. In addition, policy-based authorization is used to assign roles and relevant permissions to every user.
- Micro-segmentation: Implement security zones or trust zones to segment the network and isolate services of different security thresholds. For example, a service that has an interface to the public internet poses a different security challenge when compared to a service that is fully internal to the cluster. These services are therefore put in two different network segments with access control between them.
- Manage configuration drifts using automated techniques: Misconfiguration, caused intentionally or by accident, forms the root cause for most data breaches and security issues in today’s cloud computing environment. Security controls and mechanisms are therefore needed to automatically detect and remediate configuration drifts in a cloud-native environment.
- Protecting sensitive data: Put measures in place to protect sensitive data both in transit and at rest.
- Runtime observability for faster detection and incident response: Put appropriate runtime security controls in place to detect and respond to runtime security events and incidents, such as denial-of-service (DoS) attacks.
- Continuous vulnerability management: Use automated tools to detect vulnerabilities in deployed software assets, and implement robust patch management processes to fix the issues they find.
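The configuration-drift pillar above calls for automatically detecting and remediating deviations from an approved configuration, and the least-privilege and micro-segmentation items describe the kind of settings such a check should cover (privileged containers, added capabilities, which security zones may reach a workload). The Python below is an added example, not Rakuten Symphony's code: it compares each deployed workload's security settings against a signed-off baseline, ranks each deviation, and turns the findings into a remediation plan. The workload names (du-worker, o1-gateway, debug-shell), the settings, the zone names and the severity ranking are all constructed for illustration; in a real cluster the OBSERVED view would be read from the platform API rather than hard-coded.

```python
"""Configuration drift detection for a cloud-native RAN cluster.

Added example, not Rakuten Symphony's code. Workload names, settings and
security zones are constructed for illustration; in a real deployment the
OBSERVED view would be read from the platform API instead of being hard-coded.
"""
from dataclasses import dataclass
from typing import Any

# Approved security baseline per workload (constructed sample).
BASELINE = {
    "du-worker": {
        "privileged": False,
        "hostNetwork": False,
        "runAsNonRoot": True,
        "capabilities_add": [],
        "image_digest_pinned": True,
        "ingress_from_zones": ["ran-internal"],
    },
    "o1-gateway": {
        "privileged": False,
        "hostNetwork": False,
        "runAsNonRoot": True,
        "capabilities_add": ["NET_BIND_SERVICE"],
        "image_digest_pinned": True,
        "ingress_from_zones": ["ran-internal", "smo"],
    },
}

# What the cluster currently reports (constructed sample containing drift).
OBSERVED = {
    "du-worker": {
        "privileged": True,                                # escalated
        "hostNetwork": False,
        "runAsNonRoot": True,
        "capabilities_add": ["NET_ADMIN"],                 # extra capability
        "image_digest_pinned": True,
        "ingress_from_zones": ["ran-internal", "public"],  # zone widened
    },
    "o1-gateway": dict(BASELINE["o1-gateway"]),            # unchanged
    "debug-shell": {                                       # not in baseline
        "privileged": True,
        "hostNetwork": True,
        "runAsNonRoot": False,
        "capabilities_add": ["SYS_ADMIN"],
        "image_digest_pinned": False,
        "ingress_from_zones": ["public"],
    },
}

# How serious a deviation in each setting is (constructed ranking).
SEVERITY = {
    "privileged": "critical",
    "hostNetwork": "high",
    "runAsNonRoot": "high",
    "capabilities_add": "high",
    "image_digest_pinned": "medium",
    "ingress_from_zones": "high",
    "<workload>": "high",
}


@dataclass(frozen=True)
class Drift:
    workload: str
    setting: str
    expected: Any
    actual: Any
    severity: str


def detect_drift(baseline: dict, observed: dict) -> list[Drift]:
    """Compare observed workload settings against the baseline.

    List-valued settings (capabilities, zones) are compared as sets, so
    reordering is not drift but any added or removed entry is. Workloads
    missing from, or added beyond, the baseline are reported as drift too.
    """
    findings: list[Drift] = []
    for name, expected_cfg in baseline.items():
        actual_cfg = observed.get(name)
        if actual_cfg is None:
            findings.append(Drift(name, "<workload>", "present", "missing", SEVERITY["<workload>"]))
            continue
        for key, expected in expected_cfg.items():
            actual = actual_cfg.get(key)
            if isinstance(expected, list):
                if set(actual or []) != set(expected):
                    findings.append(Drift(name, key, sorted(expected), sorted(actual or []), SEVERITY[key]))
            elif actual != expected:
                findings.append(Drift(name, key, expected, actual, SEVERITY[key]))
    for name in observed:
        if name not in baseline:
            findings.append(Drift(name, "<workload>", "absent", "present", SEVERITY["<workload>"]))
    return findings


def remediation_plan(findings: list[Drift]) -> list[str]:
    """Turn findings into concrete actions that restore the baseline."""
    actions = []
    for f in findings:
        if f.setting == "<workload>":
            verb = "redeploy" if f.actual == "missing" else "remove unapproved"
            actions.append(f"[{f.severity}] {verb} workload {f.workload}")
        else:
            actions.append(f"[{f.severity}] set {f.workload}.{f.setting} = {f.expected!r} (was {f.actual!r})")
    return actions


if __name__ == "__main__":
    for action in remediation_plan(detect_drift(BASELINE, OBSERVED)):
        print(action)
```

Run as a script, it prints four actions: three for the du-worker settings that moved away from the baseline (one of them critical, since the container became privileged) and one for the unapproved debug-shell workload. Comparing list-valued settings as sets is a deliberate choice: a reordered capability list is not drift, but a widened ingress zone list is, and that is exactly the micro-segmentation violation the check is meant to catch.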
As we lead up to MWC23, we will continue to share our insights and best practice in the Covered Newsletter to keep Open RAN secure. In addition, you can visit us at the Rakuten Symphony Experience Zones at MWC23, and I look forward to chatting with you in detail.