Cloud-based Open RAN network function deployments are becoming increasingly prevalent due to the flexibility these deployments offer in scaling and the advantages of porting traditional telecom applications to a cloud-based microservices model.
With this shift, the network's security is paramount, and zero-trust network access (ZTNA) must be used to implement security controls for user and API-based access to network functions.
Traditional VPN technology allows authenticated access to Open RAN infrastructure and applications, but it is challenging to implement "Least Privilege Access" that authorizes user access to required resources only. Once the VPN user is authenticated, the user has network-level access to all the resources in the Open RAN network. This is a cause for concern as a malicious, but authenticated, VPN user can now move laterally within the network to gain intelligence on the topology of services running on the network and cause insider attacks.
An alternative to VPN is ZTNA, which grants authenticated users access to each individual system according to dynamically evaluated policies, applied in the same manner to internal and external users.
The policies act as authorization rules for applications, devices, and servers and work as access control rules with a default deny policy. This is in contrast with VPN, where rules are defined at the network (IP) layer, and the user is authorized to access any application/device/machine of the network once the user is authenticated.
There will likely be a transition from traditional VPN-based access protected by one monolithic perimeter to ZTNA-based access with a micro-perimeter protecting each target resource. During the transition period, there will also be hybrid deployments in which perimeter firewalls, a DMZ and VPN remain in place and are used alongside ZTNA or as a backup for it.
Another exciting trend under the ZTNA umbrella is the use of PAM (Privileged Access Management) solutions. A PAM solution provides credential-less access to Open RAN network elements by acting as a proxy between external users and target devices. Credentials are therefore never handed to external users, which avoids the credential leaks that are common today in a PAM-less environment.
Another advantage of PAM is the session recording capability that can be turned on for authenticated/authorized privileged users for audit and digital forensics. This allows the monitoring of privileged users as needed.
APIs (application programming interfaces) are an essential entry point to Open RAN services and applications. Therefore, securing the API endpoints and granting access only to authenticated and authorized consumers is required to achieve zero-trust access.
API security is achieved by using a secure transport and implementing OIDC/OAuth-based API access. Authenticated users and services obtain an access token and present it to a resource server that verifies the token; for APIs, that resource server is typically an API gateway.
The API gateway performs the authorization check based on the presented access token's contents and allows/denies access to the API endpoint. Thus, the API gateway can implement gating conditions for several API endpoints across different Open RAN microservices/applications for incoming API requests, provide a security mechanism for single sign-on, and prevent unauthorized access and DoS attacks.
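The following Python sketch is an added example, not code from the original article: it shows the gateway-side decision described above, namely a default-deny route-to-scope policy consulted only after the presented token's signature, algorithm, issuer, audience and expiry have been validated. The secret, issuer URL, audience value and routes are constructed placeholders, and `mint_token` stands in for the identity provider.

```python
import base64, hashlib, hmac, json
from typing import Optional

# Constructed demo values: a real gateway would validate against the IdP's
# published signing keys (JWKS) rather than a shared HMAC secret.
SECRET = b"constructed-demo-secret"
ISSUER = "https://idp.example.internal"   # assumed issuer URL
AUDIENCE = "oran-api-gateway"             # assumed audience claim
# Default-deny policy: (method, path) -> scope required. Unlisted routes are denied.
POLICY = {
    ("GET", "/o-ru/status"): "oru:read",
    ("POST", "/o-ru/config"): "oru:write",
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict) -> str:
    """Stand-in for the identity provider: issue an HS256-signed JWT."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, now: int) -> Optional[dict]:
    """Return the claims only if signature, alg, issuer, audience and expiry all pass."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # refuse any algorithm other than the one we expect
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None  # signature does not match: forged or tampered token
        claims = json.loads(_b64url_decode(payload))
        if claims["iss"] != ISSUER or claims["aud"] != AUDIENCE or claims["exp"] <= now:
            return None  # wrong issuer/audience or already expired
        return claims
    except (ValueError, TypeError, KeyError, AttributeError):
        return None  # malformed token or missing claims

def authorize(method: str, path: str, token: str, now: int) -> bool:
    """Gateway decision: allow only a known route whose required scope the token carries."""
    required = POLICY.get((method, path))
    if required is None:
        return False  # default deny for anything not explicitly in the policy
    claims = verify_token(token, now)
    return claims is not None and required in str(claims.get("scope", "")).split()
```

Note that the signature is recomputed and compared before any claim is trusted, so a token whose header advertises a different algorithm, or whose payload was edited after signing, is rejected before the scope check ever runs.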
The zero-trust access solutions described above enable dynamic policy updates for remote application/device access and API access. Moreover, the default-deny policy reduces the attack surface, and lateral movement from a breached device to other network elements is prevented. Adopting this approach therefore brings a wide range of benefits.
Because ZTNA provides granular access management and logs and records every activity an end user performs, suspicious behavior can be detected in real time.