How can mobile network operators innovate enterprise secure connectivity by applying the 5G technologies?

The 5G technologies accelerate enterprises’ transition towards mobility-supported connectivity solutions and provide opportunities for mobile network operators (MNO) to deliver value-added security services to enterprises.

Technical Product Manager

Senior Expert, Security architecture

5G opens new opportunities for enterprises as it offers unparalleled speed, low latency, high capacity, and ultra-reliable networks. These characteristics have led to the development of a range of enterprise use cases such as smart factories and real-time remote diagnostics. At the same time, a growing number of enterprises and industries are moving toward a mobile-first strategy to enable seamless connections for employees and enterprise devices. Simultaneously, there is a rise in the use of private cellular networks (PCN) enabled with 5G to support enterprise and industrial use cases. These trends open opportunities for MNOs to offer value-added security services together with connectivity to enterprises and help them reduce the pain of managing the over-the-top (OTT) and point security solutions they use to protect enterprise devices and networks.

Enterprise challenges with security

In recent years, there has been an increasing number of cyber-attacks targeting enterprise networks and their devices. At the same time, national regulators are promoting and enforcing strict security practices such as Zero Trust Architecture (ZTA) for enterprises to limit these attacks. These drivers, together with the enterprise's move towards a mobility-first strategy, demand security solutions that can fulfill the regulators' requirements and protect enterprises from cyber-attacks with ease. Unfortunately, many of today's enterprise connectivity and security solutions are disjointed, sourced from multiple channels, and integrated by separate teams. This results in increased deployment and operational complexity, poor usability, and excessive costs. The Information Technology (IT) industry is trying to address these challenges by adopting the Secure Access Service Edge (SASE) approach.

What is Secure Access Service Edge?

With an increasing adoption of cloud, mobile workforce, and edge computing many enterprises are moving towards using integrated security and networking solutions defined by the industry as Secure Access Service Edge (SASE). SASE combines networking and security functions so that users, devices, and applications can securely connect to remote services relying on the integrated security functions.

The integration of security functions with connectivity offers consistent and comprehensive security compared to any point security solutions. SASE embeds security functions such as firewall, web filter, intrusion detection system, and secure web gateway. Delivering these embedded security functions as a service relieves enterprises from the pain of managing complex point security solutions. SASE offerings are usually deployed in a cloud to protect employees’ devices and enterprise assets from threats arriving from the Internet or intranet. Thanks to these benefits, many enterprises have already moved or are planning to use SASE-based solutions. 

Why do over-the-top SASE solutions not fit well in many use-cases?

Traditional SASE offerings are over-the-top and, in many cases, require that the devices have agents installed to route the enterprise traffic. The security functions included in SASE use the identity of the agent to make access decisions on the enterprise traffic. Unfortunately, deploying the agent is complex and tedious in many instances. From multiple earlier experiences, we know that many Internet of Things (IoT) devices do not support the installation of an agent at all. Moreover, this agent typically forwards all traffic to a SASE Point of Presence (PoP) node, which makes the access decisions for the enterprise traffic. Depending on the SASE and cloud providers, the PoP may be located far away from the device or the enterprise premises, and the location of the PoP affects the Quality of Service (QoS) of the enterprise connectivity.

How can mobile network operators help?

Instead of relying on traditional SASE from an external cloud, the MNOs can host SASE by deploying it in or close to the packet core network. By doing this, MNOs can offer enterprise-grade connectivity with security offerings from a managed SASE stack. Enterprises can then buy this service from the MNOs as a one-stop shop. Let us look at a few concrete benefits of using a SASE offering provided by an MNO.

Most of today's SASE offerings rely on over-the-top identities or agent identities to make access decisions. When SASE is deployed together with the MNO's connectivity solution, one can instead use the telco identities, e.g., IMSI and MSISDN, which are protected by hardware (the SIM card). These identities are therefore less prone to compromise than, for example, a username/password pair. Access decisions for individual employees and devices can then be made based on SIM identities, and there is no need for an extra identity solution.

One of the main functions of the agent in an over-the-top SASE solution is to pass the enterprise traffic to a nearby SASE PoP, which makes the access decisions for that traffic. Instead, the MNO's network can use its existing functionality to steer the enterprise traffic to specific data networks, some of which can be dedicated to each enterprise. For example, APNs (4G) and DNNs (5G) can be assigned specifically to enterprises so that the MNO steers the traffic to different data networks without relying on an agent on the device. The data networks can then pass the traffic to an MNO edge SASE PoP. By placing the SASE PoP near the MNO edge, MNOs can provide guaranteed end-to-end QoS for the enterprise traffic.

In 5G SA, the MNO-managed SASE offering can be further combined with network slicing, which provides extra isolation and a QoS guarantee throughout the slice. This is an attractive option for security-conscious enterprises that are looking for network traffic isolation along with the SASE security functions.

“Ericsson’s strategy is to empower MNOs to offer differentiated connectivity to the enterprise customer segments. Network slicing is the key technology offered by 5G to enable the differentiated connectivity. Enhancing the connectivity with security SLAs is one of the demands by the enterprises, and Ericsson is committed to enabling the desired solutions to meet the customer demands.”
Monica Ponticiello, Strategic Product Manager, Ericsson Dynamic Network Slicing solution.

An example 5G-assisted SASE solution

We at Ericsson developed a Proof-of-Concept (PoC) for a 5G-assisted SASE to realize the above-mentioned benefits. This PoC utilizes the MNO's capabilities such as network slicing, 5G core control plane information, and existing 5G management tools to enhance the SASE offering delivered by MNOs.

The core functionalities of the PoC are divided into three parts: 

  • Orchestration and security management
  • 5G core control plane integration
  • 5G user plane integration

Orchestration and security management: In the PoC, we use orchestration and security management tools that already exist in many MNO networks. We utilize the Ericsson Business Support System (BSS) for managing enterprise relations and as a front-end for fulfilling service requests from enterprise customers and MNOs. Next, we use the Ericsson Service Orchestrator and Assurance (ESOA) to manage life cycle operations such as instantiating a SASE function and performing day-0 to day-N configuration of the security functions included within the SASE offering. The benefit of combining BSS and ESOA is that it offers a single pane of glass, which simplifies the MNO's operational processes for provisioning the SASE functionalities for the enterprise and activating the enterprise devices to use them.

In the PoC, Ericsson Security Manager (ESM) takes the role of security management. It configures and manages the enterprise-specific security policies for the SASE security functions. ESM continuously monitors the applied security policies and reports deviations when it detects any unwanted modifications. ESM also monitors enterprise traffic for abnormalities, including potential threats to the enterprise, and correlates these with threats reported by other nodes within the MNO network.

“Ericsson Security Manager is the 5G cybersecurity platform that addresses the needs of next-generation security operations by making security visible and automating security processes. The benefits provided by ESM can be expanded to address enterprise use cases and 5G-assisted SASE is one such concrete use case.”
Kari-Pekka Perttula, Strategic Product Manager, Ericsson Security Solutions.

Together, this setup simplifies and automates: 

  • Onboarding of the SASE functions and life-cycle-related operations
  • Provisioning of enterprise and their devices to the SASE functions
  • Managing enterprise-specific security policies within the SASE functions 

5G core control plane integration: The control plane contains information about the devices, subscriptions, and sessions. We integrate the 5G core control plane with the SASE security functions and deliver the enterprise-related control plane information, e.g., UE (User Equipment) IP address, DNN info, and subscriber identity to an enterprise-specific SASE security function. In this process, we ensure that the control plane information is only available to a dedicated enterprise-specific security function to limit the exposure of sensitive information.

The enterprise-specific SASE security function utilizes the received control plane information to make access decisions for the enterprise traffic. Specifically, this enables Zero Trust (ZT) access decisions on the enterprise traffic, and it can be performed without installing an agent in the device or an extra identity solution.

5G user plane integration: We integrate traffic passed from the 5G user plane to the SASE security functions at the N6 interface (i.e., at the traffic breakout point of the 5G UPF). In this process, we isolate, or slice, each enterprise's traffic at the N6 interface with an enterprise-specific DNN and forward the traffic arriving at that DNN to the dedicated SASE security function allocated to the enterprise. This ensures that traffic from one enterprise is isolated from the others both in transit and during processing at the SASE security functions. Combined with network slicing, this design choice offers end-to-end enterprise traffic isolation.
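As an added illustration (not code from the Ericsson PoC), the following Python model shows how an enterprise-specific SASE function, as described in the control plane and user plane integration sections above, could bind the received session data (UE IP, DNN, subscriber identity) to access decisions on N6 traffic; all identities, IP addresses, DNN names and destinations are constructed.

```python
from dataclasses import dataclass, field

# Constructed session record modelled on the control-plane data the post
# lists (UE IP address, DNN, subscriber identity); values are made up.
@dataclass(frozen=True)
class PduSession:
    supi: str   # SIM-backed subscriber identity (IMSI form)
    ue_ip: str  # UE IP address assigned for the session
    dnn: str    # enterprise-specific data network name

@dataclass
class EnterpriseSaseFunction:
    dnn: str
    policy: dict                                  # supi -> allowed destinations
    sessions: dict = field(default_factory=dict)  # ue_ip -> PduSession

    def ingest_session(self, s: PduSession) -> bool:
        # Control-plane integration: accept only sessions on this function's
        # DNN so other enterprises' subscriber data is never exposed here.
        if s.dnn != self.dnn:
            return False
        self.sessions[s.ue_ip] = s
        return True

    def release_session(self, ue_ip: str) -> None:
        # Session torn down: the IP-to-identity binding must not outlive it.
        self.sessions.pop(ue_ip, None)

    def decide(self, src_ip: str, dst: str) -> tuple:
        # N6 user-plane decision: identity comes from the control-plane
        # binding of src_ip, not from anything the device itself claims.
        s = self.sessions.get(src_ip)
        if s is None:
            return ("deny", "no active session for source IP")
        if dst in self.policy.get(s.supi, set()):
            return ("allow", s.supi)
        return ("deny", f"{s.supi} not permitted to reach {dst}")

def demo() -> dict:
    fn = EnterpriseSaseFunction(dnn="acme.corp",
                                policy={"imsi-001010000000001": {"erp.acme.internal"}})
    own = PduSession("imsi-001010000000001", "10.10.0.5", "acme.corp")
    foreign = PduSession("imsi-001010000000099", "10.20.0.7", "other.corp")
    r = {"delivered": [fn.ingest_session(own), fn.ingest_session(foreign)]}
    r["allowed"] = fn.decide("10.10.0.5", "erp.acme.internal")
    r["wrong_dst"] = fn.decide("10.10.0.5", "git.acme.internal")
    r["foreign"] = fn.decide("10.20.0.7", "erp.acme.internal")
    fn.release_session("10.10.0.5")
    r["stale"] = fn.decide("10.10.0.5", "erp.acme.internal")
    return r
```

The `stale` case shows why the function must track session release events as well as session creation: once the PDU session is gone, packets from the reused IP carry no identity and are denied.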

Summary

SASE addresses some of the major difficulties in enterprise connectivity, such as the complexity of disjointed networking and security solutions. We believe MNOs can enhance a SASE offering by utilizing their unique assets. Our demonstration shows that MNOs can add value such as strong security based on SIM identity and better QoS compared to existing over-the-top SASE offerings. A 5G-enhanced SASE offering can thereby simplify and accelerate the enterprise's journey towards the adoption of SASE.

Learn more:

Learn more about staying ahead in this evolving landscape in our 5G security blog series.
