Security Considerations for Private Mobile Networks

Enterprises need control over their data traffic on mobile devices, or else they risk compromising data security. Private mobile networks present a particular risk where they rely on unsecured and unmonitored connections, leaving corporate data vulnerable. A trusted network that guarantees protection alongside high performance is therefore required to fully ensure data security.

According to CCS Insight’s Service Provider 5G Strategies survey, published in December 2021, a major driver for adoption of private mobile networks is keeping data safe. For more information about this survey, please get in touch.

Enterprises using private mobile networks can implement authentication to protect their data assets; they can also set up internal security policies rather than relying on those of an outside provider. In addition, private mobile networks have the advantage of network isolation — enterprises can ensure sensitive data is stored on-premises. However, keeping data exclusively on-site would require infrastructure for data processing alongside the private network.

Alternatively, an enterprise could send some of its private mobile network data to the public cloud for processing, using encryption for additional security. Just because the enterprise has its own network doesn’t mean that data never leaves it — in other words, although private networks might be safer than public ones, it shouldn’t be assumed that there are no risks involved. Enterprises take different approaches to data processing, each with different security and privacy implications. Although a private network has obvious advantages over a public one, how secure it is depends mostly on where the data ends up.

One notable feature of 5G is its increased security compared with previous network generations, but despite that, private 5G networks still have vulnerabilities and back doors that can be exploited. Security credentials haven’t been a prominent part of the 5G narrative so far. This isn’t to say that existing private mobile network solutions aren’t secure; rather, the security requirements of private networks and the features that address them need to be better highlighted.

ZTE is one company emphasizing the security story. Its 5G private network solution, a multifaceted approach that it claims strengthens the security capabilities of 5G private networks, is intended to address a diversity of requirements in several industry sectors. Among the security functions the embedded 5G features can enhance are:

  • Access authentication using a unified authentication framework
  • Primary authentication through the latest relevant protocols, such as 5G-AKA and EAP-AKA
  • User plane security with flexible policies on session granularity and encryption
  • Mobility key management, whereby radio keys can remain inside 4G radio nodes to reduce data interruption and latency when handing over to 5G

It’s also important for any solution to understand and mitigate threats to different 5G services. Standalone 5G services covered through a private mobile network include enhanced mobile broadband, massive machine-type communication and ultrareliable low-latency communication. Each of these has its own performance requirements, all coming with individual security challenges. ZTE addresses these in the following ways:

  • Enhanced mobile broadband. A user experience rate of 1 Gbps and a user peak rate of multiple Gbps are maintained through better security processing, with more efficient encryption, decryption and integrity protection.
  • Massive machine-type communication. A connection density of 1 million end points per square kilometre needs ultralow power consumption; performance enhancements include lightweight security when the computing capability of low-power devices is minimal.
  • Ultrareliable low-latency communication. End-to-end delay must stay at the millisecond level with reliability of about 100%; this is achieved through high-bit encryption, but because repeated encryption adds latency, a low-latency security algorithm is necessary. Edge computing security architecture is also used.

Alongside more targeted performance and security solutions, there are multiple strategies and services offering broader protection for private mobile networks. Again, using ZTE as an example, these include:

  • Network segmentation: Often referred to as network isolation, this is the concept of creating virtual local area networks that separate assets and feature different security levels. ZTE enables network isolation inside private mobile networks, orchestrating resources on demand to achieve differentiated 5G network slices. Proper segmentation allows an enterprise to implement controls against lateral movement, restricting cyberattacks or malware to an isolated area of the network.
  • Multilayer subscriber binding: One of the strengths of private mobile networks is their stronger user and device affinity compared with Wi-Fi. But there are still problems surrounding device management — for example, the management of SIM provisioning. ZTE combines address, service and slice binding to enhance user identification, essentially tying an IP address to an individual device. This allows for specific security policies to be associated with that device.
  • Abnormal behaviour detection: ZTE’s platform supports the monitoring of device assets, as well as correlation analysis of security events, to identify atypical behaviour by devices on the network and create tailored security alerts.
  • Resiliency: Private mobile networks can be realized in many ways and include a variety of resiliency mechanisms. The common point is the highly secure separation and isolation of resources, ranging from a slice that features multiple redundant paths to a full campus solution where, in the event of an outage, access to a private slice hosted by a public network is supported.
  • Data security: This requires numerous considerations, such as who can access specific data, what they do with it, where it can be sent and how it’s stored. ZTE’s platform offers multiple services taking these factors into account; protections include security zone division and isolation, fine-grained access control, encrypted data storage and session-based encryption mechanisms.
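As an added illustration of how the address, service and slice binding described above can be enforced and then correlated into behaviour-based alerts (this is example code written for this page, not ZTE’s implementation; the subscriber identities, addresses, slice names and services are constructed sample values):

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:                 # one subscriber's binding, fixed at session setup
    supi: str                  # subscriber identity (constructed sample value)
    ip: str                    # IP address assigned to the device
    slice_id: str              # network slice the device is permitted to use
    services: frozenset        # destination services the device may reach

@dataclass(frozen=True)
class Flow:                    # one observed user-plane flow (constructed)
    src_ip: str
    slice_id: str
    service: str

# Constructed binding table: a PLC gateway and a CCTV camera, each tied to an address, a slice and its services.
BINDINGS = [
    Binding("imsi-001010000000001", "10.10.1.11", "slice-plc", frozenset({"scada-hist", "ntp"})),
    Binding("imsi-001010000000002", "10.10.2.22", "slice-video", frozenset({"cctv-vms"})),
]
TABLE = {b.ip: b for b in BINDINGS}   # lookup by source address

def check_flow(table, flow):
    """Return violation codes for one flow; an empty list means it conforms."""
    binding = table.get(flow.src_ip)
    if binding is None:
        return ["UNBOUND_ADDRESS"]  # address never assigned to any subscriber
    violations = []
    if flow.slice_id != binding.slice_id:
        violations.append("SLICE_MISMATCH")
    if flow.service not in binding.services:
        violations.append("SERVICE_NOT_PERMITTED")
    return violations

def detect_abnormal(table, flows, threshold=2):
    """Correlate violations per source address; report those at or above threshold."""
    counts = {}
    for flow in flows:
        hits = check_flow(table, flow)
        if hits:
            counts[flow.src_ip] = counts.get(flow.src_ip, 0) + len(hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed traffic: one flow puts the camera's address on the PLC slice, one comes from an unbound address.
SAMPLE_FLOWS = [
    Flow("10.10.1.11", "slice-plc", "scada-hist"),
    Flow("10.10.2.22", "slice-video", "cctv-vms"),
    Flow("10.10.2.22", "slice-plc", "scada-hist"),
    Flow("10.10.9.99", "slice-plc", "ntp"),
]
```

Running `detect_abnormal(TABLE, SAMPLE_FLOWS)` flags only the camera's address, which accumulates two violations in a single flow, while the lone unbound-address flow stays below the alert threshold but remains visible through `check_flow`.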

Enterprise security requires a holistic approach, covering network security, device security and data security, alongside using a range of solutions and controls. Additionally, it should be dynamic, adapting to ever-evolving security threats.

When adopting a private 5G network these requirements remain paramount, even though the “private” nature of a private network has inherent security advantages. ZTE’s approach, which includes some granular functionality that offers fine-tuned control, appears to be a decent start; CCS Insight looks forward to what other companies may offer to remain competitive in this field.

We expect security to be a crucial element of private mobile networks, especially in enterprises with sensitive data applications. It’s vital that operators and solutions providers alike have clearly demonstrable security capabilities when promoting their private mobile networks.