Palo Alto Networks’ Scott Stevens on how to stay secure in a 5G environment

American cybersecurity major Palo Alto Networks recently turned its sights on securing 5G networks and IoT devices, two areas that are touted to be the forerunners of the Industry 4.0 revolution.  

Several players in India’s telecom sector are already preparing to be a step ahead of the competition. For example, Bharti Airtel and Huawei are already deploying 5G microwave networking technology in India. Vodafone Idea, Bharti Airtel and Reliance Jio are slated to showcase specific use cases for 5G technology at the Mobile World Congress currently in progress at New Delhi.

With the 5G wave expected to hit international markets soon, Scott Stevens, senior vice president, global systems engineering at Palo Alto Networks, spoke to TechCircle on what enterprises need to do now in terms of security for a secure and smooth transition to 5G. 

Edited excerpts:

Where is India in terms of 5G technology currently? 

It is definitely early days and the Indian advancement is pretty consistent with the global scenario. 5G is just beginning. We will see the networks evolve in probably a few years until we can see a full 5G rollout in the entire country.  Most countries are maybe only six months apart in terms of the level of 5G achieved. Some of the American and European carriers are running faster in 5G, but it is just getting started now. My ‘phone in the US pretends it is on 5G but it doesn’t really exist yet!

Since it is early stages for 5G security, does it need attention right now?

 I think it does (need attention) and there are a couple of reasons. When the 4G networks were designed we were still using flip phones and mobile devices were not that powerful. We didn’t have as much compute power in the network. Most of the infrastructure that built 4G were proprietary operating systems and big sheet metal products that were very unique to what they did. There could be different cyber-attacks on them but they were difficult.

When we look at 5G, both the aspects have changed. We now have devices that are more powerful and are hence more prone to malware attacks. With IoT we will have many devices to deal with.

 But the interesting evolution with 5G is that a lot of the control infrastructure that makes 5G work is now being virtualized and hosted on Linux platforms. This is really good in terms of scalability and driving down the costs of 5G but it creates new risks in terms of vulnerability at the operating system level and the software level that run these 5G networks. 

There are many new entities that will crop up with the advent of 5G and we need to start thinking about those aspects right now.

How does the security aspect change when the end user is also involved in the circle and how will the IoT boom impact it?

In 5G and existing 4G networks, computers are attached to the network. Today, mobile phones and tablets are powerful and are capable of being hacked or attacked directly.  

So if my phone has malware on it, I need to figure out how to deal with that. Is it my problem or is my 5G operator going to make me understand that I have been infected? Can they can offer me solutions to secure my device?

Similar concerns happen in IoT. They are not powerful computers but are simple devices that are prone to attacks. There are instances where IoT devices were infected and used to launch attacks. To attack other services and devices. We need to think about protecting the devices.

What is the newer approach that needs to be taken towards 5G security?

If I were to decompose 5G, there are two sets of concerns that we need to have here. One side we need to think of 5G from the telecom cloud perspective. Where are they hosting these applications that drive value and where are they putting in the new distributed 5G compute. The focus for 5G is the same focus on data center security or cloud computing security. How we secure all of the applications on the infrastructure.

The other side of 5G is realizing how we can secure the infrastructure itself, not just the compute portion of it but the flow of the calls and the data going through it. There are more standard conversations that we have there if we are familiar with the whole 5G infrastructure. How do we secure the connections from one mobile operator to another and the connections between all the mobile devices, IoT devices back to the core of the 5G operator? 

Hence a basic breakdown is how we protect the infrastructure and all of the compute that goes within the infrastructure.

 Can you brief us about the zero-trust model and its challenges in adoption?

Zero trust is an amazing architecture to design the security around. It’s taken a while for the thought process to be adopted in the industry but every security vendor now is talking about zero trust.

We tend to think of security as how to build a perimeter between the network and everything outside of the network. The philosophy of zero trust is different. What zero trust advocates is start where the data resides and start with securing the most important data first instead of starting at the centre.

For example, security for the patient records for a hospital or the IP and R&D research work of a technology company needs to be designed first. Figure out how to segment the most critical data away from everything else within the network and then control access to that. Start at the center and move out like an onion, until you reach the perimeter. In the end, zero trust is a pretty effective framework.