
Network Services at the edge can be protected by zero trust framework - Vinay Sharma, Regional Director, India and SAARC, NETSCOUT


Over time, organizations have faced a significant surge in cyber threats and incidents of data breaches. The conventional security framework, primarily focused on fortifying the organizational perimeter against external threats, is proving inadequate. Today's work environment, marked by the prevalence of mobile devices, cloud technologies, and remote work arrangements, has made traditional perimeter defenses ineffective. Thus, there's a pressing need for a fresh security approach, exemplified by the Zero Trust Security Model. This architecture represents a series of security principles meticulously crafted to safeguard digital assets, services, and communications within an evolving landscape where the concept of perimeter has largely dissolved.

What is Zero Trust Network Access?

Zero Trust Network Access is the key technology associated with Zero Trust Architecture.  In this era of 5G networks, the wireless industry is hedging the edge by implementing new zero trust network access (ZTNA) security standards to help protect their networks and services. ZTNA is one component of the secure access service edge (SASE—pronounced “sassy”) security architecture designed to provide safe remote access for applications, data, and services based on well-defined access control policies.

Components of SASE deployments

  • Next-generation firewall as a service (NGFWaaS): Cloud-hosted firewalls running as virtual network functions (VNFs) and offered as a service.
  • Secure web gateway (SWG): Network security technology that, whether deployed on-premises or in the cloud, serves as a vital intermediary between subscribers and the internet. Its primary role is to enforce enterprise usage policies and safeguard corporate web assets.
  • Cloud access security broker (CASB): Provides a comprehensive security suite that covers everything from cloud-based infrastructure to access control management, safeguarding data and preventing threats across connections to the internet, software as a service, and internal applications.
  • Zero trust network access (ZTNA): Imposes strict limitations on remote access to an organization's applications, data, and services, using criteria such as user identity, usage context, device identification, and behavior. It extends across cloud environments through meticulously outlined access control policies that follow a zero-trust methodology.

Why is the zero-trust approach apt?

In the SASE framework, operators are increasingly adopting a zero-trust approach, primarily by embedding security policies into devices through an application programming interface (API). This integration restricts and authenticates access for any subscriber's location. The zero-trust security architecture safeguards the cloud edge by scrutinizing all devices and software before permitting connection to network resources, thereby reducing risks across the 5G network. ZTNA lets operators hedge the edge with robust policies, safeguard the network and subscribers, and ensure end-to-end security. Adhering to these standards will enable organizations to promote reliable security practices and cultivate a resilient and secure 5G network ecosystem.

End-Through-End Mobile Network Security, beyond Zero Trust

In the domain of 5G and the next-generation wireless networks, the scope of threat detection, mitigation, and tracing expands beyond the confines of zero-trust edge authorization. Mobile networks have emerged as the primary gateway to the internet, driven by their enhanced speeds, efficiency, convenience, and dependability. Regrettably, the surge in mobile traffic and the proliferation of connected devices have led to a rise in threat incidents for mobile operators, blurring the lines between mobile and wireline networks. Yet, effectively monitoring this mobile traffic encounters several challenges, including:

  • Tunneling: The utilization of the GPRS Tunneling Protocol (GTP) to facilitate traffic passage through radio and core networks presents challenges in real-time and scalable monitoring of user-plane traffic and threat detection.
  • Correlation and attribution: To effectively attribute, mitigate, and trace threats, there's a need for real-time and scalable correlation between user-plane traffic and associated users and devices.

Suitable solution to address the 4G/5G Security Challenge

Global wireline internet service providers (ISPs) require a robust solution incorporating traffic monitoring, reporting, threat detection, traceback, and mitigation capabilities. Dynamic mapping of mobile IP addresses to identities in the user plane is imperative for extracting real-time actionable insights regarding traffic patterns and potential threats. The solution should provide equipment visibility across 4G and 5G non-standalone and standalone networks, independent of vendors. Furthermore, scalability is crucial to safeguarding the performance and availability of mobile data services.
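The tunneling and correlation challenges described above come down to reading past the GTP-U header to the subscriber's own packet and tying the tunnel endpoint identifier (TEID) back to an identity. The Python sketch below is an added example, not code from the article or from any NETSCOUT product; it assumes GTPv1-U with an inner IPv4 packet, and the names `parse_gtpu`, `attribute` and `SESSIONS`, the sample packets and the subscriber identifiers are all constructed for illustration.

```python
import ipaddress
import struct

def parse_gtpu(payload: bytes):
    """Return (teid, inner_packet) for a GTPv1-U G-PDU, or None."""
    if len(payload) < 8:
        return None
    flags, msg_type, length, teid = struct.unpack("!BBHI", payload[:8])
    # Version must be 1, protocol type GTP (not GTP'), message type G-PDU (0xFF).
    if flags >> 5 != 1 or not flags & 0x10 or msg_type != 0xFF:
        return None
    end = 8 + length                      # length counts bytes after the 8-byte header
    if len(payload) < end:
        return None                       # truncated capture
    offset = 8
    if flags & 0x07:                      # E, S or PN set: 4 optional bytes follow
        if length < 4:
            return None
        next_ext, offset = payload[11], 12
        while flags & 0x04 and next_ext:  # walk extension headers (e.g. 5G PDU session container)
            if offset >= end:
                return None
            ext_len = payload[offset] * 4 # extension length is in 4-byte units
            if ext_len == 0 or offset + ext_len > end:
                return None
            next_ext = payload[offset + ext_len - 1]
            offset += ext_len
    return teid, payload[offset:end]

def attribute(payload: bytes, sessions: dict):
    """Map one tunnelled packet to a subscriber via its TEID (inner IPv4 only)."""
    parsed = parse_gtpu(payload)
    if parsed is None or len(parsed[1]) < 20 or parsed[1][0] >> 4 != 4:
        return None
    teid, inner = parsed
    return {"teid": teid, "subscriber": sessions.get(teid, "unknown"),
            "src": str(ipaddress.IPv4Address(inner[12:16])),
            "dst": str(ipaddress.IPv4Address(inner[16:20]))}

# Constructed sample data: an inner IPv4/UDP header and two GTP-U encapsulations of it.
INNER = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                    bytes([10, 45, 0, 7]), bytes([198, 51, 100, 9]))
PKT_4G = struct.pack("!BBHI", 0x30, 0xFF, 20, 0x1001) + INNER
PKT_5G = (struct.pack("!BBHI", 0x34, 0xFF, 28, 0x2002)
          + bytes([0, 0, 0, 0x85, 1, 0, 9, 0]) + INNER)
# Hypothetical TEID-to-subscriber table; a real one is learned from control-plane signalling.
SESSIONS = {0x1001: "imsi-001010000000001", 0x2002: "imsi-001010000000002"}
```

Calling `attribute(PKT_5G, SESSIONS)` returns the same inner addresses as the 4G packet even though the 5G encapsulation carries an extension header; a monitor that assumes a fixed 8-byte header would misread that packet.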