Why we believe you must adopt Zero Trust Network Access

By
Nagendra Bykampadi
Head of Security Architecture and Standards
Rakuten Symphony
February 23, 2023
4 minute read

Cloud-based Open RAN network function deployments are becoming increasingly prevalent due to the flexibility these deployments offer in scaling and the advantages of porting traditional telecom applications to a cloud-based microservices model. 

With this shift, the network's security is paramount, and zero-trust network access (ZTNA) must be used to implement security controls for user and API-based access to network functions. 

Traditional VPN technology allows authenticated access to Open RAN infrastructure and applications, but it is challenging to implement "Least Privilege Access" that authorizes user access only to the resources the user requires. Once a VPN user is authenticated, that user has network-level access to all the resources in the Open RAN network. This is a cause for concern, as a malicious but authenticated VPN user can move laterally within the network, gather intelligence on the topology of the services running on it, and mount insider attacks.

Zero Trust Network Access (ZTNA)

An alternative to VPN is ZTNA, which grants authenticated users access to each system individually, with access to every system controlled dynamically by policies that are applied to internal and external users in the same manner. 

The policies act as authorization rules for applications, devices, and servers and work as access control rules with a default deny policy. This is in contrast with VPN, where rules are defined at the network (IP) layer and the user is authorized to access any application/device/machine on the network once authenticated.
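The contrast between the two models can be made concrete with a small policy evaluator. The following is an added example, not code from the article or from Rakuten Symphony: it models a ZTNA-style decision point that denies every request unless a policy explicitly allows it for that specific resource, and evaluates internal and external requests identically. The user names, groups, device-posture flag and resource names are constructed for illustration; the `vpn_model_allows` function stands in for the network-level VPN behaviour described above.

```python
# Added example (not from the article): a minimal ZTNA-style policy evaluator.
# Every request is denied unless a policy explicitly allows it (default deny), and
# each decision is taken per target resource rather than for the whole network.
# All identities, groups, device states and resource names below are constructed.
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: FrozenSet[str]     # groups asserted by the identity provider (constructed)
    device_managed: bool       # device posture as reported by an endpoint agent (constructed)
    internal_network: bool     # True when the request originates inside the corporate network
    resource: str              # target application/device, e.g. a DU's management interface
    action: str                # e.g. "ssh", "https", "admin"


@dataclass(frozen=True)
class Policy:
    name: str
    resource: str
    actions: FrozenSet[str]
    allowed_groups: FrozenSet[str]
    require_managed_device: bool = True

    def matches(self, req: AccessRequest) -> bool:
        # A policy only ever grants access to ONE resource for listed actions;
        # there is no notion of "access to the network".
        return (
            req.resource == self.resource
            and req.action in self.actions
            and bool(req.groups & self.allowed_groups)
            and (req.device_managed or not self.require_managed_device)
        )


# Constructed policy set: three micro-perimeters, each guarding one resource.
POLICIES: List[Policy] = [
    Policy("ran-ops-ssh-du", "du-01", frozenset({"ssh"}), frozenset({"ran-operators"})),
    Policy("ran-ops-https-oam", "oam-portal", frozenset({"https"}),
           frozenset({"ran-operators", "noc"})),
    Policy("core-admin-cu", "cu-01", frozenset({"ssh", "admin"}), frozenset({"core-admins"})),
]


def make_request(user: str, groups: Iterable[str], resource: str, action: str,
                 device_managed: bool = True, internal_network: bool = False) -> AccessRequest:
    return AccessRequest(user, frozenset(groups), device_managed, internal_network,
                         resource, action)


def ztna_evaluate(req: AccessRequest, policies: List[Policy] = POLICIES) -> Tuple[bool, str]:
    """ZTNA decision: (allowed, reason). Network location is deliberately ignored, so
    internal and external users are judged by exactly the same policies."""
    for policy in policies:
        if policy.matches(req):
            return True, "allow: policy '%s'" % policy.name
    return False, "deny: no matching policy (default deny)"


def vpn_model_allows(req: AccessRequest, authenticated: bool = True) -> bool:
    """Stand-in for the VPN model described in the article: once authenticated, the
    user is authorized for every resource, regardless of policy or device posture."""
    return authenticated


if __name__ == "__main__":
    alice_du = make_request("alice", ["ran-operators"], "du-01", "ssh")
    alice_cu = make_request("alice", ["ran-operators"], "cu-01", "ssh")
    for req in (alice_du, alice_cu):
        print(req.resource, "| VPN:", vpn_model_allows(req), "| ZTNA:", ztna_evaluate(req))
```

Running the block shows the difference the article points at: the VPN model returns True for both requests, while ZTNA allows alice onto `du-01` and denies the lateral hop to `cu-01` because no policy names her group for that resource. The same evaluator also denies a request from an unmanaged device, and gives identical answers whether `internal_network` is True or False.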

There will likely be a transition from traditional VPN-based access supported by one monolith perimeter security to ZTNA-based access with a micro-perimeter protecting each target resource. Additionally, during the transition period to ZTNA, there will be deployments with a hybrid approach where perimeter firewalls, DMZ and VPN will be present and can be used as a hybrid/backup solution with/for ZTNA.

Privileged Access Management (PAM)

Another exciting trend under the ZTNA umbrella is the use of PAM (Privileged Access Management) solutions. A PAM solution provides credential-less access to Open RAN network elements by acting as a proxy between external users and target devices. This implies that credentials are never handed to external users, thus avoiding the credential leaks common today in a PAM-less environment.

Another advantage of PAM is the session recording capability that can be turned on for authenticated/authorized privileged users for audit and digital forensics. This allows the monitoring of privileged users as needed.

Zero trust API access

APIs (Application Programming Interfaces) are an essential entry point to Open RAN services and applications. Therefore, securing the API endpoints and restricting access to authenticated and authorized consumers are required to achieve zero trust access.

API security is achieved by using a secure transport and implementing OIDC/OAuth-based API access. This enables authenticated users/services to obtain an access token and present it to a resource server that verifies the token; in the case of APIs, that resource server could be an API gateway.

The API gateway performs the authorization check based on the contents of the presented access token and allows or denies access to the API endpoint. Thus, the API gateway can implement gating conditions for several API endpoints across different Open RAN microservices/applications for incoming API requests, provide a security mechanism for single sign-on, and prevent unauthorized access and DoS attacks.
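The gateway-side check described above, as an added example that is not part of the article and not Rakuten Symphony's code: a small decision function that verifies an OAuth access token carried as a JWT, then authorizes the request against a per-endpoint scope table with default deny. To keep it runnable offline, the token is signed with a constructed HS256 shared secret and the `mint_token` helper stands in for the authorization server; a production gateway would verify the issuer's asymmetric signature (for example against its published JWKS) instead. The audience value, endpoint paths and scope names are assumptions made for the example.

```python
# Added example (not from the article): an API-gateway token check with default deny.
# HS256 with a constructed shared secret is used only so the example runs offline;
# real gateways verify the identity provider's asymmetric signature.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

SHARED_SECRET = b"constructed-demo-secret-not-for-production"   # constructed
GATEWAY_AUDIENCE = "oran-api-gateway"                           # assumed 'aud' value

# Endpoint -> scope required. Anything not in this table is refused (default deny).
ENDPOINT_SCOPES = {
    ("GET", "/o1/alarms"): "alarms:read",
    ("POST", "/o1/config"): "config:write",
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Constructed stand-in for the authorization server: issues an HS256 JWT."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, ("%s.%s" % (header, payload)).encode(), hashlib.sha256).digest()
    return "%s.%s.%s" % (header, payload, _b64url_encode(sig))


def verify_token(token: str, now: Optional[float] = None,
                 secret: bytes = SHARED_SECRET) -> Optional[dict]:
    """Return the claims if the token is acceptable to this gateway, else None."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: never trust 'alg' from the token to pick the check.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, ("%s.%s" % (header_b64, payload_b64)).encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None                      # signature mismatch: tampered or foreign token
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:                       # malformed base64/JSON or wrong segment count
        return None
    if claims.get("aud") != GATEWAY_AUDIENCE:
        return None                          # token was issued for a different resource server
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return None                          # missing or past expiry
    return claims


def authorize(method: str, path: str, token: str,
              now: Optional[float] = None) -> Tuple[int, str]:
    """Gateway decision: 401 if the token is not acceptable, 403 if the endpoint is not
    exposed or the token lacks its scope, 200 if the request may be forwarded."""
    claims = verify_token(token, now)
    if claims is None:
        return 401, "invalid or expired token"
    required = ENDPOINT_SCOPES.get((method, path))
    if required is None:
        return 403, "endpoint not exposed by gateway (default deny)"
    granted = set(claims.get("scope", "").split())
    if required not in granted:
        return 403, "missing scope %s" % required
    return 200, "forwarded for %s" % claims.get("sub")


if __name__ == "__main__":
    now = int(time.time())
    tok = mint_token({"sub": "oam-client", "aud": GATEWAY_AUDIENCE,
                      "exp": now + 300, "scope": "alarms:read"})
    print(authorize("GET", "/o1/alarms", tok, now))    # 200
    print(authorize("POST", "/o1/config", tok, now))   # 403, scope not granted
```

Two details matter here beyond the happy path: the signature is compared with `hmac.compare_digest` rather than `==`, and the algorithm is pinned by the gateway rather than read from the token, so a forged header cannot downgrade the check. Expiry and audience are enforced before any scope is consulted, which is what keeps a token minted for another resource server from being replayed against this gateway.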

Conclusion

The Zero Trust access solutions described above provide a way to update policies dynamically for remote applications/devices and API access. Moreover, the attack surface is reduced by the default deny policy, and lateral movement from a breached device to other network elements is prevented. A whole raft of benefits can be obtained by adopting this approach.

Because ZTNA provides granular access management and logs and records all the activities an end-user performs, any suspicious behavior can be detected in real time.
