TRANSCRIPT
ETSI Security Week 2018 – Anne-Marie Praden, Gemalto
13/06/2018
Enabling the fabric of trust for network slicing
(Slide diagram: six drivers, 1 Flexibility, 2 Optimization, 3 Scalability, 4 Automation, 5 Customization, 6 Performances, built on MEC, NFV, Slicing, ML/AI and Zero Touch.)
Slicing
The network slicing capabilities of 5G will enable enterprises to have their own autonomous 5G networks, each one customized to the enterprise’s unique requirements and backed by a Service-Level Agreement.
A Network Slice Instance (NSI) includes all the functionalities and resources necessary to support a certain set of communication services, thus serving a certain business purpose. It may be composed of Network Slice Subnet Instance(s) (NSSI), which are formed of a set of Network Functions that can be either Virtual Network Functions (VNFs) or Physical Network Functions (PNFs).
(Slide diagram: central cloud, fixed or mobile backhaul / wide area network, metro edges, local edges and the UE on the local access network.)
Challenges for the telecom operator’s 5G network
Resource sharing between the telecom operator and the enterprise
Zero-touch automation
Softwarization of the network
Integration of existing and new local access networks
Moving the intelligence towards the edge
5 principles for creating a fabric of trust in network slicing
1 Full autonomy of any given slice
2 Ability for enterprises to require authentication on each network slice
3 Guarantee of isolation of each slice (up to the end device), and of each VNF within each slice
4 Guarantee of isolation of the VNFs within a commissioned slice from the enterprise’s data and applications
5 Guarantee of protection of storage for stateless VNFs
Key capabilities to create trustworthy 5G virtualized networks
Customer-controlled encryption of the VMs or containers running in the network
Centralized lifecycle management of encryption keys leveraging the most reliable root of trust
Stored database encryption
Secure enclaves at the core and edge
Ultra-low latency encryption of ‘anyhaul’ transport
Authentication and security in the 5G device
Customer controlled encryption of the VMs/containers running in the network
One of the key components of a trusted 5G architecture is the integrity of the virtualized infrastructure and the confidentiality of the data flowing inside it.
The best guarantor of confidentiality and integrity in virtualized infrastructure is customer-controlled encryption of the VMs or containers running in the network, by means of encryption of individual VM or container instances.
Protection of 5G Applications & Virtual Network Functions
(Slide diagram: 5G / NFV infrastructure with a hypervisor running on the hardware resources (CPU, storage, network), extending to the multi-access edge.)
A hypervisor provides a first level of isolation between co-located functions, based on logical separation secured by firewalls.
Malicious code could leak data through the walls as functions are co-located on the same machine. Data-centric protection is required.
(Slide diagram: 5G core / edge compute infrastructure with the 5G Network Manager & Orchestrator (MANO), an attestation server, Intel® Software Guard Extensions (Intel® SGX) and the Gemalto Protection Agent.)
The VNF and enterprise app security is provided by a Gemalto Protection Agent on each machine, propagated into the Intel® SGX secure enclave and certified by an attestation server.
6 benefits of the 5G cloud security agent in SGX
1 High performance, secure credential storage and key management assured by a Hardware Root of Trust
2 Confidentiality and integrity protection of VNFs and apps is assured at runtime
3 Agnostic VM- or container-level protection for VNFs and enterprise apps
4 Dynamic, seamless and secure migration of VNFs/apps from one machine to another
5 Simple provisioning eases OEM integration and logistics
6 Protects VNFs and apps at the core and at the edge of the network
6 reasons why a Hardware Security Module (HSM) provides a superior root of trust
1 It is tamper-resistant. If it is tampered with, the device will shut itself down, rendering the keys inaccessible.
2 It has its own security, intrusion detection and firewall, baked into the design.
3 It allows management of a large number of keys, an essential feature for a scalable system such as Network Virtualization.
4 It stores the keys in securely partitioned domains, allowing centralized use for multi-domain deployments (e.g. slicing).
5 Since the hardware is optimized for cryptographic processing, it won’t jeopardize 5G’s ultra-low latency targets.
6 It is already security-certified out of the box.
eSIM in 5G devices: enabling the fabric of trust for network slicing
Network slicing authentication and security
To allow enterprises to leverage their credentials to pre-select network slices
To enforce device-level isolation for preventing malware spread from a slice to another
To support devices with access to multiple network slices by support of multiple sets of authentication & authorization credentials
Download our whitepaper on 5G Network Security at gemalto.com/5g
Thank you
You can find me on