Zero-trust architecture is rapidly becoming the go-to approach for security and information technology leaders seeking to secure networks and applications. Its principles focus on protecting critical assets while removing implicit trust. Traditional security models assume trust, which creates loopholes. A zero-trust approach draws on the capabilities and functions of products and solutions already in the network, as well as some not yet deployed.
According to a report by Cybersecurity Insiders and Fortra, some of the biggest drivers toward zero-trust are connected to protecting sensitive enterprise data from possible breaches, leaks and theft. As organizations aim to bolster security measures with a model like zero-trust, it is important to understand how their existing systems will complement and merge with a zero-trust model, specifically with voice networks and 5G core.
A zero-trust architecture uses zero-trust principles to plan industrial and enterprise infrastructure and workflows. It operates based on the “never trust, always verify” approach, in that there is no implicit trust granted to assets or user accounts based solely on their physical or network location or based on asset ownership.
Regulatory bodies such as the Cybersecurity and Infrastructure Security Agency (CISA) have worked to provide guardrails and clarity on zero-trust models so that organizations take the best approach. As defined by CISA, the five pillars of a zero-trust architecture are identity, network, application workload, data and device. These five pillars rest on a foundation of visibility and analytics.
Information technology (IT) governance should also be considered in the context of achieving a zero-trust architecture. With that context, the IT organization can recognize the value of ongoing employee training to ensure a zero-trust mindset is maintained in the development of applications, the consumption of data, and the systems used to enforce these policies.
Voice Networks
Applying zero-trust architecture as a concept in voice networks can be particularly challenging due to the unique requirements posed by voice-as-a-service, especially in the context of telephony. When seeking out voice services and solutions, consider utilizing solutions designed with zero-trust in mind, with multivendor compatibility, regardless of whether that ecosystem is on-premises or cloud-based. Authentication and authorization are necessary capabilities for both users and their devices to ensure that all voice traffic is encrypted throughout its life cycle.
The biggest hurdle when applying zero-trust principles to voice services is that calls traverse voice network services outside the organization, and those external components cannot be controlled directly. The strength of a zero-trust mindset, however, is the assumption that any user, device or network may be untrustworthy, and applying that assumption is paramount to securing the organization’s voice services.
One of the best approaches to this lack of end-to-end control is to focus on the voice calls themselves. Analytics solutions can help by dynamically learning user and device characteristics from the behavior exhibited in voice calls, so that a call which departs from a user's established pattern stands out even when the far end of the call is outside the organization's control.
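The following is an added example, not code from the article or from any vendor's analytics product, showing the kind of behavioral baseline the paragraph describes: it learns, per user, the calling hours, destination countries, devices and call durations seen in past call records, then scores new calls by how many learned characteristics they violate. All records, user names, device names, the 25-points-per-violation scoring and the 3-sigma duration rule are constructed for the example.

```python
"""Added example (not from the article): per-user behavioural baseline for voice calls."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed call records: (user, device, hour_of_day, destination_country, duration_seconds)
HISTORY = [
    ("alice", "desk-phone-01", 9, "US", 310),
    ("alice", "desk-phone-01", 10, "US", 420),
    ("alice", "desk-phone-01", 14, "US", 180),
    ("alice", "desk-phone-01", 15, "CA", 600),
    ("alice", "desk-phone-01", 11, "US", 240),
    ("alice", "desk-phone-01", 16, "US", 360),
    ("bob", "softphone-07", 8, "GB", 120),
    ("bob", "softphone-07", 13, "GB", 90),
    ("bob", "softphone-07", 17, "DE", 150),
    ("bob", "softphone-07", 9, "GB", 110),
]


class CallBaseline:
    """Profile of normal calling behaviour per user, learned from past calls."""

    def __init__(self):
        self.hours = defaultdict(Counter)      # user -> hour of day -> call count
        self.countries = defaultdict(Counter)  # user -> destination country -> call count
        self.devices = defaultdict(set)        # user -> devices the user has called from
        self.durations = defaultdict(list)     # user -> durations of past calls

    def learn(self, records):
        for user, device, hour, country, duration in records:
            self.hours[user][hour] += 1
            self.countries[user][country] += 1
            self.devices[user].add(device)
            self.durations[user].append(duration)

    def score(self, user, device, hour, country, duration):
        """Return (score 0-100, reasons). Each violated characteristic adds 25 points."""
        if user not in self.durations:
            return 100, ["no baseline for user"]
        reasons = []
        if device not in self.devices[user]:
            reasons.append("device never used by this user")
        if self.hours[user][hour] == 0:
            reasons.append("hour outside the user's calling pattern")
        if self.countries[user][country] == 0:
            reasons.append("destination country never called before")
        hist = self.durations[user]
        mu, sigma = mean(hist), pstdev(hist) or 1.0  # guard against zero spread
        if abs(duration - mu) > 3 * sigma:
            reasons.append("duration more than 3 sigma from the user's mean")
        return min(100, 25 * len(reasons)), reasons


def build_baseline(records=HISTORY):
    """Train a baseline on the given records (the constructed history by default)."""
    baseline = CallBaseline()
    baseline.learn(records)
    return baseline


def flag_calls(baseline, calls, threshold=50):
    """Return (call, score, reasons) for every call whose anomaly score reaches the threshold."""
    flagged = []
    for call in calls:
        score, reasons = baseline.score(*call)
        if score >= threshold:
            flagged.append((call, score, reasons))
    return flagged


if __name__ == "__main__":
    bl = build_baseline()
    new_calls = [
        ("alice", "desk-phone-01", 10, "US", 300),  # ordinary call for alice
        ("alice", "mobile-99", 3, "XX", 3600),      # constructed outlier on every axis
    ]
    for call, score, reasons in flag_calls(bl, new_calls):
        print(score, call, reasons)
```

The baseline deliberately stores only what the organization observes on its own side of the call (who called, from which device, when, where to, for how long), which is exactly the information that remains available when the remote voice service cannot be instrumented. A production system would add decay so that old behavior ages out and would treat a single violation as a signal to raise verification, not as a verdict.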
5G Core
In the context of managing 5G core networks, there are two main areas to consider for zero-trust principles: operator interactions with network functions (NFs) and interactions between NFs. In both cases, authentication, authorization and accounting capabilities should be enriched with contextual data to determine whether a given configuration change or communication should be taking place. Operators and NF instances should have unique identities that are verified for each interaction, both should have least-privilege access according to their roles, and all data storage and transfer should be encrypted.
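As an added example, not code from the article, from any 5G core vendor or from a 3GPP specification, the following toy policy decision point applies the paragraph's rules to both kinds of interaction. Each request names an identity, presents a credential, asks for a service or action and carries context; the decision verifies the identity, applies a least-privilege allow-list, checks the context, and records the outcome for accounting. AMF, SMF and UDM are real 5G core function types and the service names are modelled on 5G service-based-interface naming, but every instance id, certificate byte string, fingerprint, policy entry, operator and context value is constructed for the example.

```python
"""Added example (not from the article): zero-trust policy decisions for NF-to-NF and operator-to-NF requests."""
import hashlib
import hmac
from dataclasses import dataclass


def fingerprint(cert_pem: bytes) -> str:
    """SHA-256 of the presented client certificate, standing in for the mTLS identity binding."""
    return hashlib.sha256(cert_pem).hexdigest()


# Constructed certificate material and NF inventory: instance id -> type, expected fingerprint, home PLMN.
AMF_CERT = b"-----BEGIN CONSTRUCTED CERT amf-01-----"
SMF_CERT = b"-----BEGIN CONSTRUCTED CERT smf-03-----"
NF_INVENTORY = {
    "amf-01": {"type": "AMF", "fp": fingerprint(AMF_CERT), "plmn": "001-01"},
    "smf-03": {"type": "SMF", "fp": fingerprint(SMF_CERT), "plmn": "001-01"},
}

# Least privilege between NFs: which consumer NF types may invoke which producer services (constructed policy).
SERVICE_POLICY = {
    "nudm-sdm": {"AMF", "SMF"},
    "nudm-uecm": {"AMF"},
    "nsmf-pdusession": {"AMF"},
}

# Least privilege for operators: role -> permitted actions on NF configuration (constructed).
OPERATOR_ROLES = {"noc-viewer": {"read"}, "core-admin": {"read", "write"}}
OPERATORS = {"jdoe": "noc-viewer", "mlee": "core-admin"}

AUDIT_LOG = []  # accounting: every decision, allowed or denied, is recorded here


@dataclass
class Decision:
    allowed: bool
    reason: str


def _record(subject, target, decision):
    AUDIT_LOG.append((subject, target, decision.allowed, decision.reason))
    return decision


def authorize_nf_request(instance_id, presented_cert, service, ctx):
    """NF-to-NF: verify identity, then role least privilege, then context, then transport encryption."""
    nf = NF_INVENTORY.get(instance_id)
    if nf is None:
        return _record(instance_id, service, Decision(False, "unknown NF instance"))
    if not hmac.compare_digest(nf["fp"], fingerprint(presented_cert)):
        return _record(instance_id, service, Decision(False, "credential does not match registered identity"))
    if nf["type"] not in SERVICE_POLICY.get(service, set()):
        return _record(instance_id, service, Decision(False, f"{nf['type']} is not permitted to call {service}"))
    if ctx.get("plmn") != nf["plmn"]:
        return _record(instance_id, service, Decision(False, "request context does not match registered PLMN"))
    if not ctx.get("tls", False):
        return _record(instance_id, service, Decision(False, "transport is not encrypted"))
    return _record(instance_id, service, Decision(True, "allowed"))


def authorize_operator_action(user, action, ctx):
    """Operator-to-NF: known identity verified with MFA, role least privilege, change-window context."""
    role = OPERATORS.get(user)
    if role is None:
        return _record(user, action, Decision(False, "unknown operator"))
    if not ctx.get("mfa_verified", False):
        return _record(user, action, Decision(False, "identity not verified with MFA"))
    if action not in OPERATOR_ROLES[role]:
        return _record(user, action, Decision(False, f"role {role} may not {action}"))
    if action == "write" and not ctx.get("change_window_open", False):
        return _record(user, action, Decision(False, "configuration change outside approved window"))
    return _record(user, action, Decision(True, "allowed"))


if __name__ == "__main__":
    print(authorize_nf_request("amf-01", AMF_CERT, "nudm-uecm", {"plmn": "001-01", "tls": True}))
    print(authorize_nf_request("smf-03", SMF_CERT, "nudm-uecm", {"plmn": "001-01", "tls": True}))
    print(authorize_operator_action("jdoe", "write", {"mfa_verified": True, "change_window_open": True}))
    for entry in AUDIT_LOG:
        print(entry)
```

The order of the checks matters: identity is verified before any policy is consulted, so an unknown or mis-credentialed instance never learns which services it would otherwise be allowed to call, and every outcome is written to the audit log so that the accounting side of AAA is satisfied even for denials.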
As companies move to a zero-trust architecture in their networks, they will approach implementation through three phases: traditional, advanced and optimal. Each phase represents another level of maturity. In the traditional phase, configurations and policies are managed manually, and automation is incorporated gradually as companies continue their implementation. This phased approach allows a company to implement basic principles while planning and working toward a more secure implementation as it continues forward.
As companies advance through the maturity model, they will look to vendors to help them understand how to use the features and capabilities of their existing products and systems to move toward zero-trust. However, companies must keep in mind that zero-trust requires a true mindset shift within the organization. Zero-trust is not a product or a solution, and it cannot be bought. Zero-trust is also about the people: making sure all personnel understand its concept and the downfalls of implicit trust.