Building a chain of trust from the device to the cloud Christian Kuhn, Senior Director, Business Development DNAC - 16 November 2017

Size: px

Start display at page:

Download "Building a chain of trust from the device to the cloud Christian Kuhn, Senior Director, Business Development DNAC - 16 November 2017"

Georgiana Gallagher
6 years ago
Views:

1 Building a chain of trust from the device to the cloud Christian Kuhn, Senior Director, Business Development DNAC - 16 November 2017

2 Trust is vital and it s what we provide enabling our clients to deliver a vast range of trusted digital services for billions of individuals and things. 2

3 5G comes with new security challenges BUILD FROM SECURITY SOLUTIONS FROM 3G/4G NEW SEGMENT-SPECIFIC SECURITY NEEDS NETWORK OPERATIONS CRITICAL COMMUNICATIONS AND V2X Begin with principles of authentication, integrity, confidentiality and privacy from 3G/4G Adapt for NFV and Multi-Access Edge Computing Security Architecture should be adapted to the needs of each slice IoT ENHANCED MOBILE BROADBAND MASSIVE IoT 3

4 Gemalto s role in Network Security & Software Licensing OUR SOLUTIONS User authentication and trusted identities Data encryption and key management Cloud and virtualization security Gemalto secures the device and enhances security of the virtualized network whilst guaranteeing licensing management Software Monetization 4

5 Network Security Should Rely on Certified Elements such as Hardware Security Modules SERIALIZED TAMPER EVIDENT STICKERS CERTIFICATIONS TAMPER RESISTANT SCREWS INTRUSION DETECTION SWITCHES ON LID INTERNAL BAFFLES TO PREVENT PROBING TAMPER RESISTANT I/O MOUNTS DYNAMIC CRYPTO RESOURCE CRYPTO HYPERVISOR TAMPER RESISTANT FAN MOUNTS HARDWARE SECURITY MODULE 5

6 Key Issues in 5G Virtualization Security OSS / BSS 1 Network slice isolation SERVICE, VNF & INFRASTRUCTURE DESCRIPTION ORCHESTRATOR Virtualization security VNF integrity verification during on boarding of VNF VNF EMS 1 EMS 2 EMS 3 VNF 1 VNF 2 VNF VNF MANAGERS Low Latency Interconnect with Multi-Access Edge Secured/measured boot & security enclaves for sensitive VNFs 5 NFV1 VIRTUALISATION LAYER VIRTUAL COMPUTE HARDWARE RESOURCES COMPUTING HARDWARE VIRTUAL STORAGE STORAGE HARDWARE 1 VIRTUAL NETWORK NETWORK HARDWARE 9 4 VIRTUALISED INFRASTRUCTURE MANAGER NFV M&O Physical and logical protection of Security Assets on motherboard Discovery mechanism of Security Hardware & characteristics (Openstack EPA) Run-time VNF Integrity verification Migration of VNF using security features 6

Mobile security chain: key architectural elements 1 Network slice isolation SERVICE PROVIDER MOBILE EDGE SERVICE PROVIDER SERVICE PROVIDER MOBILE CORE l VNF1, VNF2 5G MOBILE EDGE MOBILE EDGE VNFa,

7 Mobile security chain: key architectural elements 1 Network slice isolation SERVICE PROVIDER MOBILE EDGE SERVICE PROVIDER SERVICE PROVIDER MOBILE CORE l VNF1, VNF2 5G MOBILE EDGE MOBILE EDGE VNFa, VNFb Slice 1 Slice 2 Network providing seamless IP connectivity suited to my reliability, availability, mobility and security needs Conforms to SLA Applications are running and data analysis take place at core and the edge 7

Strong Trust Establishment between Virtual Functions 2 3 Virtualization security, VNF integrity verification during on boarding of VNF MULTI-ACCESS EDGES NFV MANAGEMENT & ORCHESTRATOR (MANO) CORE

8 Strong Trust Establishment between Virtual Functions 2 3 Virtualization security, VNF integrity verification during on boarding of VNF MULTI-ACCESS EDGES NFV MANAGEMENT & ORCHESTRATOR (MANO) CORE HARDWARE SECURITY MODULE HARDWARE SECURITY MODULE Trigger Mutual Authentication between the MANO and resources Trigger Mutual Authentication between all virtualised elements on the same slice which interact Verify integrity of each function vs what was installed by the MANO vs image stored in VNF Manager 8

9 Strong Trust Establishment between Virtual Functions 2 3 Virtualization security, VNF integrity verification during on boarding of VNF MULTI-ACCESS EDGES NFV MANAGEMENT & ORCHESTRATOR (MANO) CORE HARDWARE SECURITY MODULE HARDWARE SECURITY MODULE 4 Implement integrity and confidentiality protection so that instructions and data cannot be compromised/modified 9

10 Is the connection from the Core to the Multi-Access Edge Secure? 4 Low Latency Interconnect with Multi-Access Edge 10

11 With 5G slicing isolate the communications between functions 4 Low Latency Interconnect with Multi-Access Edge MOBILE EDGES CORE Provide confidentiality and integrity protection for all data and virtual functions HSE HIGH SPEED ENCRYPTION HSE Provide confidentiality and integrity protection for all data and virtual functions 11

12 Protection of Applications & VNFs 5 Secured/measured boot & security enclaves for sensitive VNFs HYPERVISOR HARDWARE RESOURCES (CPU, STORAGE, NETWORK) NFV INFRASTRUCTURE A Hypervisor provides some basic level of isolation 12

13 Protection of Applications & VNFs 5 Secured/measured boot & security enclaves for sensitive VNFs HYPERVISOR HARDWARE RESOURCES (CPU, STORAGE, NETWORK) NFV INFRASTRUCTURE Malicious A code Hypervisor could be provides implemented some level to hack of isolation through the walls 13

14 Protection of Applications & VNFs 5 Secured/measured boot & security enclaves for sensitive VNFs HYPERVISOR HARDWARE RESOURCES (CPU, STORAGE, NETWORK) NFV INFRASTRUCTURE Secure Malicious enclaves A code Hypervisor ( Hardware could be provides Mediated implemented some Execution level to hack of Environment ) isolation through the walls in the CPU increase isolation between the VNFs but are limited in capacity 14

15 Protection of Applications & VNFs 5 Secured/measured boot & security enclaves for sensitive VNFs HYPERVISOR HARDWARE RESOURCES (CPU, STORAGE, NETWORK) Cloud HSM(s) NFV INFRASTRUCTURE 15 A Secure local or Malicious enclaves cloud-based A code ( HMEE ) Hypervisor HSM could tethered in be provides the implemented CPU to some the increase Enclave level to hack isolation of could isolation through increase between the walls the security VNFs level of the system for operations such as Key Generation or Mutual Auth. between functions

16 Protection of Applications & VNFs 5 Secured/measured boot & security enclaves for sensitive VNFs HYPERVISOR VNF Protect Agent HARDWARE RESOURCES (CPU, STORAGE, NETWORK) Cloud HSM HSM(s) NFV INFRASTRUCTURE 16 A Secure A HSM VNF Malicious tethered enclaves Protection A to code ( HMEE ) Hypervisor the Agent, could Enclave hosted in be provides the could implemented itself CPU increase some the level to Hardware the hack isolation of security isolation through Mediated between level the of walls Execution the system VNFs Environment for operations can be such tethered as Key to real Generation HSMs based or Mutual in the Auth. cloud between allowing functions for elasticity and scalability

17 Advantages of VNF Protect Agent 5 Secured/measured boot & security enclaves for sensitive VNFs Container based protection, seamless interworking for VNFs or apps being deployed in various clouds Cloud based key management system means it s scales easily VNFs can be transferred from machine A to B seamlessly without deletion, recreation Flexible control mechanism, no single ownership structure => Centralised management (vs isolated, distributed hardware mechanisms) 17

Network Function scalable licensing CLOUD

18 Software Licensing Management How to forge sustainable business relationships between multiple stakeholders in a complex 5G environment APPLICATION PROVIDERS On-premise and cloud B2B applications NETWORK VENDORS Virtual Network Function scalable licensing CLOUD PROVIDERS Cloud services and applications The importance of security, protection, licensing, usage and entitlement management solutions is critical in helping the industry monetize their software and driving disruptive business models 18

19 Usage Based Pricing COMPANY PROFILE Name: Industry: Country: Revenues: Ericsson Telecom Supplier Sweden $US 9.8 BN REQUIREMENTS 1. Pay- per- use pricing models. 2. Mass usage data collec>on. 3. Telco- grade high availability and ultra- high performance. 4. En>rely hosted and operated by Ericsson. SENTINEL DELIVERABLES THE GEMALTO SOLUTION 1. Sen>nel Cloud 2. Consul>ng services 3. Integra>on Support 4. Customiza>ons 5. In- house opera>on of Sen>nel Cloud Back- Office EMS Define En>tle Ac>vate Report Sen$nel SCC License Usage Aggregate Sen$nel Client SCS API RunFme Device App License

20 Device Security per 5G Segment FOR THE MAIN 5G SUB-SEGMENTS, WE NEED TO ANALYSE: Device Capabilities (consumption/processing/memory...) Connectivity Cost (device) Connectivity Cost (recurring subscription) Type of service provider data in transit FOR THE ABOVE, WE NEED TO DETERMINE THE FOLLOWING REQUIREMENTS: Data Protection / Confidentiality Privacy / Anonymity Denial of Service Protection Anti-Clone mechanism WE THEN APPLY SECURITY SOLUTIONS (END-TO-END) 20

21 Segmenting Security Needs of Major 5G Use-Cases Security Needs (MNO/SP) Sub. Authentication Anti-DoS Confidentiality Sub. Authentication Anti-DoS Authenticity ID/Privacy Sub. Authentication Confidentiality+ ID/Privacy+ Integrity+ Anti-DoS Authenticity Sub. Authentication Confidentiality++ ID/Privacy++ Integrity++ Device FW Integrity Anti-DoS Authenticity Sub. Authentication Confidentiality+++ ID/Privacy+++ Integrity+++ Device FW Integrity Anti-DoS Authenticity Credentials Protection Complimentary Core Security to reinforce SOFTWARE IN TRUSTED ENCLAVE / SECURE ELEMENT WALLED GARDEN / OUT-OF-BAND MGMT / TOKENISATION / A.R.M. / S.F.U Basic Sensors Broadband Modem Set-Top Box Auto Info-tainment Industrial Basic Smart Wearable Retail (PoS) Laptop Smartphone/tablet Auto Telematics Home Automation Industrial Critical Medical Wearable Metering/Critical Sensors Public Safety/1st Resp. Military Remote Surgery V2X S.F.U.: Security Firmware Upgrade A.R.M.: Active Risk Management 21

22 It s important to find the right balance PROTECT IDs device Secure Element Software in Trusted Enclave Active Risk Management Out of Band Tokenisation Security Firmware Upgrade MANAGE IDs AND GRANT ACCESS core END-TO-END MOBILE NETWORK + SERVICE PROVIDER SECURITY FRAMEWORK RISK 22

23 Weaker Security at Device: Reinforce Core If a device does not support a Secure Element (cost, data worthless ) PROTECT IDs device Software in Trusted Enclave Active Risk Management Tokenisation Security Firmware Upgrade MANAGE IDs AND GRANT ACCESS core END-TO-END MOBILE NETWORK + SERVICE PROVIDER SECURITY FRAMEWORK RISK 23

24 Stronger Device Security: Core adapted accordingly If the SP data in transit requires normal to best-in-class security PROTECT IDs device Secure Element Security Firmware Upgrade MANAGE IDs AND GRANT ACCESS core END-TO-END MOBILE NETWORK + SERVICE PROVIDER SECURITY FRAMEWORK RISK 24

To conclude Virtualization brings new challenges in securing your core and edge clouds. Adapt appropriate security per network slice blueprint.

Choose your end-to-end security architecture wisely based upon the value of the data being transmitted and don t only consider the device bill of materials.

25 To conclude Virtualization brings new challenges in securing your core and edge clouds. Adapt appropriate security per network slice blueprint. Establish trust between functions, encrypt all data at rest or in transit. Choose your end-to-end security architecture wisely based upon the value of the data being transmitted and don t only consider the device bill of materials. Gemalto is focused on security at the device, multiaccess edge and the core with an appropriate footprint per 5G segment meeting both MNO and Service Provider requirements. We re working with the entire industry to continue to secure next generation mobile communications. 25

26 Thank you Paul Bradley, Head of 5G Gemalto Mobile Services & IoT Christian Kuhn, Senior Director, Business Gemalto Enterprise & Cybersecurity 26

ARM processors driving automotive innovation

ARM processors driving automotive innovation Chris Turner Director of advanced technology marketing, CPU group ARM tech forums, Seoul and Taipei June/July 2016 The ultimate intelligent connected device