Enabling the fabric of trust for network slicing

ETSI Security Week 2018 – Anne-Marie Praden, Gemalto, 13/06/2018


Page 2

1 Flexibility
2 Optimization
3 Scalability
4 Automation
5 Customization
6 Performances

MEC, NFV, Slicing, ML/AI, Zero Touch

Page 3: Slicing

The network slicing capabilities of 5G will enable enterprises to have their own autonomous 5G networks, each one customized to the enterprise’s unique requirements and backed up by a Service-Level Agreement.

A Network Slice Instance (NSI) includes all functionalities and resources necessary to support a certain set of communication services, thus serving a certain business purpose. It may be composed of Network Slice Subnet Instance(s) (NSSI), which are formed of a set of Network Functions that can be either Virtual Network Functions (VNFs) or Physical Network Functions (PNFs).

Page 4: Challenges for the telecom operator’s 5G network

Diagram: central cloud – fixed or mobile backhaul / wide area network – metro edges – local edges – local access network – UE.

Resource sharing between the telecom operator and the enterprise
Zero-touch automation
Softwarization of the network
Integration of existing and new local access networks
Moving the intelligence towards the edge

Page 5: 5 principles for creating a fabric of trust in network slicing

1 Full autonomy of any given slice
2 Ability for enterprises to require authentication on each network slice
3 Guarantee of isolation of each slice (up to the end device), and of each VNF within each slice
4 Guarantee of isolation of the VNFs within a commissioned slice from the enterprise’s data and applications
5 Guarantee of protection of storage for stateless VNFs

Page 6: Key capabilities to create trustworthy 5G virtualized networks

Diagram: the same network layout as page 4 (central cloud, fixed or mobile backhaul / wide area network, metro edges, local edges, local access network, UE), annotated with the challenges softwarization of the network, integration of existing and new local access networks, and moving the intelligence towards the edge.

Customer controlled encryption of the VMs or containers running in the network
Centralized lifecycle management of encryption keys leveraging the most reliable root of trust
Stored database encryption
Secure enclaves at the core and edge
Ultra-low latency encryption of ‘anyhaul’ transport
Authentication and security in 5G device

Page 7: Customer controlled encryption of the VMs/containers running in the network

One of the key components of a trusted 5G architecture is the integrity of the virtualized infrastructure and the confidentiality of the data flowing inside it.

The best guarantor of confidentiality and integrity in virtualized infrastructure is customer-controlled encryption of the VMs or containers running in the network, by means of encryption of individual VM or container instances.

Page 8: Protection of 5G Applications & Virtual Network Functions

Diagram: 5G / NFV infrastructure – Multi Access Edge – hypervisor – hardware resources (CPU, storage, network).

A hypervisor provides a first level of isolation between co-located functions, based on logical separation secured by firewalls.

Page 9: Protection of 5G Applications & Virtual Network Functions

Diagram: the same 5G / NFV infrastructure stack as page 8 (Multi Access Edge, hypervisor, hardware resources).

Malicious code could leak data through the walls as functions are co-located on the same machine. Data-centric protection is required.
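The "encryption of individual VM or container instances" of page 7 and the "data-centric protection" of page 9 amount to envelope encryption keyed by the customer rather than by the host. The following is an added example, not Gemalto's product code: each instance gets its own data-encryption key (DEK), the DEK is wrapped under a key-encryption key (KEK) that only the customer holds, and both the wrapped DEK and the encrypted image are bound to the instance id. The host therefore stores only ciphertext and wrapped keys, so a co-located function that reads across the wall recovers nothing usable. It assumes an HMAC-SHA256 keystream plus HMAC tag as a standard-library stand-in for AES-GCM (a deployment would use AES-GCM through an HSM or KMS); the tenant keys and image bytes are constructed.

```python
"""Per-instance envelope encryption under a customer-held KEK (added illustration).

Standard library only: an HMAC-SHA256 counter-mode keystream plus an HMAC tag
stands in for AES-GCM, which a real deployment would use via an HSM or KMS.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream derived with HMAC; stand-in for AES-CTR.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    # Independent encryption and MAC keys derived from one secret.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag; aad is bound into the tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag in constant time, then decrypt.

    Raises ValueError on a wrong key, wrong aad or any modification of the blob.
    """
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


@dataclass(frozen=True)
class SealedInstance:
    instance_id: str     # VNF/container instance name, used as associated data
    wrapped_dek: bytes   # DEK encrypted under the customer's KEK
    image: bytes         # VM/container data encrypted under the DEK


def seal_instance(customer_kek: bytes, instance_id: str, image: bytes) -> SealedInstance:
    """Customer side: a fresh DEK per instance, wrapped and bound to the instance id."""
    dek = secrets.token_bytes(32)   # never shared between instances
    aad = instance_id.encode()
    return SealedInstance(instance_id, seal(customer_kek, dek, aad), seal(dek, image, aad))


def unseal_instance(customer_kek: bytes, inst: SealedInstance) -> bytes:
    """Only a holder of the KEK (the customer, or an agent it provisioned) recovers the image."""
    aad = inst.instance_id.encode()
    dek = unseal(customer_kek, inst.wrapped_dek, aad)
    return unseal(dek, inst.image, aad)


if __name__ == "__main__":
    kek_a, kek_b = secrets.token_bytes(32), secrets.token_bytes(32)   # constructed tenant KEKs
    inst = seal_instance(kek_a, "upf-slice-enterprise-1", b"constructed VM image bytes")
    print(unseal_instance(kek_a, inst))
    try:
        unseal_instance(kek_b, inst)   # another tenant's KEK: rejected before any plaintext appears
    except ValueError as exc:
        print("tenant B:", exc)
```

The binding of the wrapped DEK to the instance id is what keeps a key wrapped for one slice's VNF from being re-attached to another instance; the check on the tag before any decryption is what turns a leaked or modified image into a detected failure rather than leaked plaintext.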

Page 10: Protection of 5G Applications & Virtual Network Functions

Diagram: 5G core / edge compute infrastructure with the 5G Network Manager & Orchestrator (MANO), an attestation server, Intel® Software Guard Extensions (Intel® SGX) and the Gemalto Protection Agent.

The VNF and enterprise app security is provided by a Gemalto Protection Agent on each machine, propagated into the Intel® SGX secure enclave and certified by an attestation server.
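The sentence above compresses a protocol: the agent runs in an enclave, the platform produces a measured quote over the agent, and the attestation server certifies it before the agent is trusted with anything. The following added example models that gate and is neither the Gemalto agent nor Intel's attestation service. It assumes a quote containing (measurement, server nonce, report_data) signed by a platform key that only the platform and the attestation server hold (HMAC-SHA256 stands in for the hardware quoting key; real SGX uses EPID/ECDSA quotes verified against Intel-rooted certificates), an allow-list of agent builds, and VNF keys released only on success. The agent code, platform key, VNF ids and keys are constructed. The server rejects replayed nonces, stale quotes, bad signatures, unknown measurements, and quotes that do not name the VNF whose key is requested.

```python
"""Attestation-gated secret release for a protection agent in an enclave (added illustration).

Standard library only. HMAC under a platform key shared with the attestation
server stands in for the hardware quoting key of a real SGX platform.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional


def measure(enclave_code: bytes) -> bytes:
    """MRENCLAVE-like identity: a hash of the code loaded into the enclave."""
    return hashlib.sha256(enclave_code).digest()


def make_quote(platform_key: bytes, enclave_code: bytes, nonce: bytes, report_data: bytes) -> dict:
    """Produced by the platform (hardware/firmware), not by the enclave itself."""
    mr = measure(enclave_code)
    sig = hmac.new(platform_key, mr + nonce + report_data, hashlib.sha256).digest()
    return {"mrenclave": mr, "nonce": nonce, "report_data": report_data, "sig": sig}


def bind_vnf(vnf_id: str) -> bytes:
    """report_data the agent places in its quote to name the VNF it protects."""
    return hashlib.sha256(b"vnf:" + vnf_id.encode()).digest()


class AttestationServer:
    def __init__(self, platform_key: bytes, allowed_code: list[bytes], vnf_keys: dict[str, bytes]):
        self.platform_key = platform_key
        self.allowed = {measure(c) for c in allowed_code}   # allow-list of agent builds
        self.vnf_keys = vnf_keys                             # secrets released on success
        self.pending: dict[bytes, float] = {}                # nonce -> time issued

    def challenge(self) -> bytes:
        """Fresh nonce per attestation; the quote must echo it."""
        nonce = secrets.token_bytes(16)
        self.pending[nonce] = time.monotonic()
        return nonce

    def verify(self, quote: dict, max_age_s: float = 30.0) -> tuple[bool, str]:
        issued = self.pending.pop(quote["nonce"], None)   # single use: a replayed quote fails here
        if issued is None:
            return False, "unknown or reused nonce"
        if time.monotonic() - issued > max_age_s:
            return False, "stale quote"
        body = quote["mrenclave"] + quote["nonce"] + quote["report_data"]
        expected = hmac.new(self.platform_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(quote["sig"], expected):
            return False, "bad signature"
        if quote["mrenclave"] not in self.allowed:
            return False, "unknown measurement"
        return True, "ok"

    def release(self, quote: dict, vnf_id: str) -> tuple[Optional[bytes], str]:
        """Release a VNF key only to a verified enclave whose quote names that VNF."""
        ok, reason = self.verify(quote)
        if not ok:
            return None, reason
        if not hmac.compare_digest(quote["report_data"], bind_vnf(vnf_id)):
            return None, "quote not bound to requested VNF"
        return self.vnf_keys.get(vnf_id), "ok"


if __name__ == "__main__":
    platform_key = secrets.token_bytes(32)               # constructed; held by platform and server
    agent_build = b"constructed protection agent build v1"
    server = AttestationServer(platform_key, [agent_build], {"upf-1": b"constructed upf-1 key"})
    nonce = server.challenge()
    quote = make_quote(platform_key, agent_build, nonce, bind_vnf("upf-1"))
    print(server.release(quote, "upf-1"))                # key released
    print(server.release(quote, "upf-1"))                # replay rejected
```

The order of checks matters for the log a defender reads: nonce first (so replays are counted as replays, not as signature failures), signature second, and only then the measurement and the VNF binding, so that an unknown build is reported as such rather than as a key-lookup miss.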

Page 11: 6 benefits of the 5G cloud security agent in SGX

1 High performance, secure credential storage and key management assured by a Hardware Root of Trust
2 Confidentiality and integrity protection of VNFs and apps is assured at runtime
3 Agnostic VM- or container-level protection for VNFs and enterprise apps
4 Dynamic, seamless and secure migration of VNFs/apps from one machine to another
5 Simple provisioning eases OEM integration and logistics
6 Protects VNFs and apps at the core and at the edge of the network

Page 12: 6 reasons why a Hardware Security Module (HSM) provides a superior root of trust

1 It is tamper-resistant. If it is tampered with, the device will shut itself down, rendering the keys inaccessible.
2 It has its own security – intrusion detection and firewall – baked into the design.
3 It allows management of a large number of keys, an essential feature for a scalable system such as Network Virtualization.
4 It stores the keys in securely partitioned domains, allowing centralized use across multiple domains (e.g. slicing).
5 Since the hardware is optimized for cryptographic processing, it won’t jeopardize 5G’s ultra-low latency targets.
6 It is already security-certified out of the box.

Page 13: eSIM in 5G devices: enabling the fabric of trust for network slicing

Network slicing authentication and security

To allow enterprises to leverage their credentials to pre-select network slices
To enforce device-level isolation, preventing malware from spreading from one slice to another
To support devices with access to multiple network slices through multiple sets of authentication & authorization credentials

Page 14

Download our whitepaper on 5G Network Security at gemalto.com/5g

Page 15

Thank you

You can find me on