With growing network performance requirements as 5G unfolds, how rigorous are your ground-up security processes?
With unmatched reliability, capacity and low latency, the new generation of 5G cellular networks now being rolled out in lead countries like the US bring the promise of connecting everything from sensors and systems to robots and platforms, in order to form an automated ‘whole’ that operates in mission-critical environments.
They also bring new and sizable security risks relative to what we have known just in recent times.
For years, telecommunication networks were essentially isolated networks built on proprietary telecom protocols. Now, they are migrating to Internet-facing, all-IP networks with standardized protocols. Fed by automation and virtualization, this major technology shift unfolding has both significantly shortened development and deployment cycles and given bad actors a much broader canvas – more opportunities in a network – on which to seize vulnerabilities.
Thus, this technology shift challenges everyone, from industry to regulators to consumers, to evolve the way we approach security and mitigate risks.
With a long track record of producing secure products for mission-critical networks, the Nokia brand, as one rooted in our Finnish history, has long been a byword for trust with our customers.
Even so, the learning, and the doing, never stop, given the challenges of implementing strong product security in today’s fast-evolving technology landscape. This has meant learning that it is not enough to just have process controls and deliverables, nor enough just to have mandatory technical requirements and expecting things to be implemented.
While having a security development process and a set of technical security requirements is a good start, none of these matter if you do not follow up, measure and observe the level of implementation – and have everyone, up and down an organization, committed to maintaining rigorous security practices and policies.
Our lessons learned are continuously built into what we call Design for security (DFSEC) – Nokia’s way of creating products from the ground up; from the initial development stage that address the security challenges of today and those we believe we will see tomorrow.
Nokia’s Design For Security (DFSEC)
As a proactive approach by design, DFSEC standards, tools and processes ensure that security and privacy are implemented before a product is ever built in any of our business groups.
We have built over time a catalogue of security requirements, grouped per priority and severity, that are mandatory in every product. This forms the proactive core of our DFSEC process, which is also informed by our external engagement in industry forums like 3GPP and with customers and regulatory bodies. Taken together, all the various inputs are incorporated into Nokia’s mandatory security requirements.
Our products are then assessed to establish a security baseline and to define roadmaps on security, privacy and interoperability; and later subjected to rigorous testing using both internal and commercially available tools. Wherever feasible, we utilize both static and dynamic code analysis as well as strong cryptography to ensure the integrity of our products throughout the development cycle.
Now, we understand that even the best software, rigorously tweaked and tested over and over again, could end up being shown later to have an exploitable flaw, and Nokia continuously monitors public and private sources for indications that our own software or 3rd party software embedded in our products could have a security vulnerability. Vulnerabilities are graded on a scale in the context of each product, and our R&D teams take a variety of actions to troubleshoot these. This applies across all our R&D teams, who in turn are accountable for adhering to the DFSEC principles while we monitor the compliance centrally.
Automation is also essential for the development process and security enforcement. We aim to provide developers with automated feedback about potential security problems in their code at the earliest possible stage of development; and seek to automate network vulnerability scans and various application security tests to ensure they are regularly and consistently executed. As we do that, early stage indicators and more comprehensive product tests are tracked by our R&D and security management teams to enable rapid intervention where it is needed. In cases of non-compliance, Nokia’s security department can issue a veto on a product – and, we have no qualms about doing that; the cost of poor quality is simply too high for our customers.
There will always be work ahead for us and for all relevant stakeholders on the security front, as bad actors look for the next new vulnerability to exploit. Still, as we move forward in the 5G era, the systems we have in place through DFSEC give us a very solid center of gravity for effectively optimizing our security checks and delivering the type of reliable and secure products our customers have long come to expect from Nokia.
Share your thoughts on this topic by joining the Twitter discussion with @nokia and @nokianetworks using #security #5G #cybersecurity