Are mobile network operators concerned about security in their NFV deployments?
According to a recent Heavy Reading survey, 62 percent of service providers are very concerned about security for their network function virtualization deployments, out-ranking other well-documented NFV flashpoints such as OSS integration and orchestration. This strong response also reflects the broad industry realization that NFV fundamentally challenges the assumptions of traditional security architecture and requires new approaches to stay ahead of the evolving threat landscape. In short, new functionality is required to strengthen protection levels, increase agility and visibility, and to automate detection, analysis and response to increased threats today and the network evolves for NFV, 5G and IoT.
We call that capability “automated visibility”, and it is the subject of a recent white paper by Heavy Reading.
The paper, “The Evolution of Security: Harnessing the Power of Automated Visibility,” encompasses four key concepts:
- Real-time visibility across all network peering points and interfaces.
- Automation of threat detection and analysis, with updates of signatures propagated in minutes.
- Automation of threat intelligence collection, through the cloud, from a large base of enterprises, service providers and other threat feeds.
- Automation of dissemination of security policy and signatures to a vastly distributed network.
With automated visibility, service providers can jump ahead of cybercriminal capability, gain operational efficiency and provide deeper protection to their networks and subscribers.
Other industry organizations have also addressed challenges in security into evolving networks. The Cloud Security Alliance’s recent “Security Position Paper – Network Function Virtualization” stated “… traditional security models are static and unable to evolve as network topology changes in response to demand. Inserting security services into NFV often involves relying on an overlay model that does not easily coexist across vendor boundaries.”
The perimeter-based security approach in traditional mobile network relies on standards-defined, compartmentalized network elements and interfaces. In contrast, a virtualized network is borderless and based on software. Once malware intrudes into a virtualized network, it can potentially move across VMs and attack other critical functions.
The shift to NFV and 5G, the growth of IoT, as well as the dynamic threat landscape has many implications for service providers in defining their security posture:
Over-provisioning of capacity is no longer effective against DDoS. Botnets can be recruited from multiple service provider networks and millions of lightly protected devices, and attacks drawn from such a large base can quickly exceed provisioned capacity. Software-based functions are even more susceptible to volume overloads. Over-provisioning increases costs.
Scheduled updates of security signatures is not sufficient: Cybercriminals can quickly change malware and weaponized media news in minutes, leveraging the latest automation tools, off-the-shelf malware and public cloud capacity. Manual response processes of any kind are too slow. Threats need to be immediately identified and then responses uniformly propagated throughout the network. Manual processes will also diminish the operational efficiency desired from NFV investment.
Service providers can no longer focus on just threats from the “outside”, (i.e, the internet), as threats can come from inside the subscriber base as well: Attacks can be generated from subscriber devices authenticated within the network, through roaming partners or Wi-Fi. Now all peering points, network interfaces and insertion points are vulnerable. In virtualized, distributed networks, there are many, many more VMs, each representing a pinhole for possible infection.
Automated visibility, with other next-generation security capabilities, is required to address these new challenges, establish an effective security posture and maintain it as the network is virtualized and evolves to support 5G.
 Heavy Reading Annual Security and MSSP Market Perception Study