adopted. Networks take care of network access, and service providers deal with service access.

Diversified Identity Management

• Legacy cellular networks rely on (U)SIM cards to manage user identities and keys. In 5G, devices such as sensors, wearables, and smart home appliances may be too small or too cheap to accommodate a (U)SIM. A new way of managing device identities is therefore needed, covering how device identities are produced, assigned, and managed over their lifecycle.

• Combination of device identity and service identity
In the new identity management framework, an identity consists of a device identity and a service identity. Each device identity (also called a physical identity) is globally unique and may be assigned to a device at the manufacturing stage. Service identities are assigned by service providers or by networks. A physical identity may correspond to one or more service identities.

• From device-based management to user-based management
It is left to users to decide which of their devices are allowed to access the network and which services each device is allowed to use. For example, devices belonging to the same user may share bandwidth quotas with each other, either online or offline.

Service-oriented Security

• Build E2E Security
Differentiated security for different services
5G systems are going to be service-oriented. This implies a special emphasis on security requirements that stem from the services themselves. For instance, remote health care requires resilient security, while IoT requires lightweight security. It is therefore reasonable to offer differentiated security to different services.

Flexible security architecture to support security attributes for different network slices
If differentiated security is offered, a flexible security architecture is needed to support E2E protection for different services on top of the network slicing architecture. The network manages different E2E security capabilities, including the strength of the security algorithms, the way secret keys are derived and negotiated, and the mechanisms used to protect confidentiality and integrity. Within a virtual network slice, security capabilities could be distributed further.

A uniform security management framework for multi-vendor environments
In a cloud environment, the software and equipment of the network infrastructure come from more than one vendor, which complicates security management. For services and users, building an E2E data security chain could reduce the reliance on the security of each individual link and simplify security management.

Open Up Security Capabilities, and Provide Security as a Service

Security management, for instance managing identities, performing authentication, defending against denial of service (DoS) attacks, and protecting the confidentiality and integrity of service traffic, is a general requirement of vertical industries. However, not all industry players have the capability to build security management on their own, whether because of economic burdens or technical challenges. Using a security service could be a good choice for these players.

On the other hand, telecom networks have relatively mature security capabilities (i.e. authentication, identity and key management) and are trusted by users after years of service. This is a good opportunity for networks to provide their security capabilities as a service to vertical industries. For instance, a network could authenticate service access and return the authentication result to the vertical industry.

It is the network's choice either to deploy the security service on a cloud platform or to build it into the virtual network slice of the vertical industry that has bought the security service from the network. Security capabilities can then be built seamlessly into the business flows of vertical industries.

• Isolate Virtual Network Slices
Virtual network slices, each of which handles a different type of application service to facilitate flexible resource orchestration and scheduling, need to be isolated from each other so that their resources cannot be accessed by network nodes in other slices. For instance, patients in a health care slice want only doctors to access their health data, and they are reluctant to see their data accessed by someone in another slice.

The isolation requirement also applies to virtual network slices of the same type of application service. For instance, enterprise A may want to block other enterprises from using its resources, even though those enterprises are served by the same type of virtual network slice.

The isolation of services and data in virtual network slices could approach the user experience in
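The following is an added example, not part of the whitepaper, that makes concrete two points made above: the "flexible security architecture" paragraph (a network managing per-slice security attributes such as algorithm strength, key derivation, and integrity protection) and the "Isolate Virtual Network Slices" section (a resource owned by one slice must not be reachable from another slice, even one of the same type serving a different tenant). Everything in it is hypothetical: the two security profiles, the slice root secrets, the tenants, and the HKDF-over-HMAC key derivation (RFC 5869) used to bind E2E keys to a slice. Confidentiality protection (an AEAD cipher) is not shown; the example uses only the Python standard library.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityProfile:
    """Security attributes the network assigns to one slice type (hypothetical values)."""
    name: str
    hash_name: str  # algorithm strength: the hash behind HKDF and the integrity MAC
    key_len: int    # derived E2E key length in bytes
    tag_len: int    # integrity tag length; truncated for lightweight IoT traffic


# Hypothetical profiles: resilient security for health care, lightweight security for IoT.
PROFILES = {
    "health": SecurityProfile("resilient", "sha512", 32, 32),
    "iot": SecurityProfile("lightweight", "sha256", 16, 8),
}


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int, hash_name: str) -> bytes:
    """HKDF extract-then-expand (RFC 5869) built on HMAC with the profile's hash."""
    digestmod = getattr(hashlib, hash_name)
    prk = hmac.new(salt, ikm, digestmod).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), digestmod).digest()
        okm += block
        counter += 1
    return okm[:length]


@dataclass(frozen=True)
class SliceId:
    """One slice: an application-service type instantiated for one tenant."""
    slice_type: str
    tenant: str

    def label(self) -> bytes:
        return f"{self.slice_type}/{self.tenant}".encode()


@dataclass(frozen=True)
class Node:
    """A node admitted to one slice: it holds that slice's root secret and acts in one role."""
    slice_id: SliceId
    role: str
    slice_root: bytes


def integrity_key(node: Node) -> bytes:
    """E2E integrity key bound to the slice label; a node holding another slice's root derives a different key."""
    profile = PROFILES[node.slice_id.slice_type]
    return hkdf(node.slice_root, node.slice_id.label(), b"e2e-integrity", profile.key_len, profile.hash_name)


def protect(node: Node, data: bytes) -> bytes:
    """Integrity tag over data under the slice key, truncated to the profile's tag length."""
    profile = PROFILES[node.slice_id.slice_type]
    return hmac.new(integrity_key(node), data, profile.hash_name).digest()[: profile.tag_len]


def verify(node: Node, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(protect(node, data), tag)


class SliceNetwork:
    """Every stored resource carries its owning slice, the role allowed to read it, and an integrity tag."""

    def __init__(self) -> None:
        self.resources: dict[str, tuple[SliceId, str, bytes, bytes]] = {}

    def store(self, name: str, owner: Node, allowed_role: str, data: bytes) -> None:
        self.resources[name] = (owner.slice_id, allowed_role, data, protect(owner, data))

    def access(self, requester: Node, name: str) -> tuple[bool, str]:
        """Isolation check: slice type, then tenant, then role, then the tag under the requester's own slice key."""
        owner_slice, allowed_role, data, tag = self.resources[name]
        if requester.slice_id.slice_type != owner_slice.slice_type:
            return False, "denied: different slice type"
        if requester.slice_id.tenant != owner_slice.tenant:
            return False, "denied: same slice type, different tenant"
        if requester.role != allowed_role:
            return False, f"denied: role {requester.role} not allowed"
        if not verify(requester, data, tag):
            return False, "denied: integrity tag does not verify under this slice's key"
        return True, "granted"


def run_demo() -> dict:
    """Constructed scenario: two health care tenants and one IoT tenant on the same network."""
    hospital_a, hospital_b = SliceId("health", "hospital-a"), SliceId("health", "hospital-b")
    factory_c = SliceId("iot", "factory-c")
    root_a, root_b, root_c = b"A" * 32, b"B" * 32, b"C" * 32  # constructed per-slice secrets
    doctor_a, nurse_a = Node(hospital_a, "doctor", root_a), Node(hospital_a, "nurse", root_a)
    doctor_b, gateway_c = Node(hospital_b, "doctor", root_b), Node(factory_c, "gateway", root_c)
    net = SliceNetwork()
    record = b"patient-42: blood pressure 128/82"  # constructed sample data
    net.store("patient-42", doctor_a, "doctor", record)
    tag_a = protect(doctor_a, record)
    return {
        "doctor_a": net.access(doctor_a, "patient-42"),
        "nurse_a": net.access(nurse_a, "patient-42"),
        "doctor_b": net.access(doctor_b, "patient-42"),
        "gateway_c": net.access(gateway_c, "patient-42"),
        # same "health" profile, different tenant root: hospital-a's tag does not verify in hospital-b
        "cross_tenant_tag_verifies": verify(doctor_b, record, tag_a),
        "key_lengths": (len(integrity_key(doctor_a)), len(integrity_key(gateway_c))),
        "tag_lengths": (len(tag_a), len(protect(gateway_c, record))),
    }
```

Two layers of isolation are shown on purpose. The policy check in `access` denies a node from another slice type, a node of another tenant on the same slice type, and a node of the right slice but the wrong role. Independently of that, the integrity key is derived from a per-slice root with the slice label as HKDF salt, so even if a policy check were bypassed, hospital-b cannot produce or verify tags for hospital-a's data. The profile table is where the "differentiated security" attributes live: the IoT slice gets a shorter key and an 8-byte tag, the health care slice a 32-byte key and a full tag.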
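The next example is also added here and is not the whitepaper's own design. It models the "Diversified Identity Management" section (a globally unique device identity provisioned at manufacture, one or more service identities assigned by service providers, and user-based management with a quota shared across a user's devices) together with the "security as a service" flow in which the network authenticates service access and returns the result to the vertical industry. All names, keys, policies and message formats are hypothetical: a per-device secret registered by the manufacturer stands in for (U)SIM credentials, proof of possession is an HMAC-SHA256 challenge/response, and the authentication result is an HMAC-signed record checked by the vertical with a key it shares with the network. A real deployment would use asymmetric device keys and a standard assertion format.

```python
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass


def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass
class UserPolicy:
    """User-based management: which devices may attach and which service identities each may use."""
    allowed_devices: dict[str, set[str]]  # physical identity -> allowed service identities
    quota_bytes: int                      # one quota shared by all of the user's devices
    used_bytes: int = 0


class NetworkIdentityService:
    """Network side: device credentials, user policies, and one shared key per vertical (all hypothetical)."""

    def __init__(self) -> None:
        self.device_keys: dict[str, bytes] = {}    # physical identity -> manufacturing secret
        self.device_owner: dict[str, str] = {}     # physical identity -> user it was assigned to
        self.users: dict[str, UserPolicy] = {}
        self.vertical_keys: dict[str, bytes] = {}  # service identity -> key shared with that vertical

    def register_device(self, device_id: str, device_key: bytes) -> None:  # manufacturing phase
        self.device_keys[device_id] = device_key

    def assign_to_user(self, device_id: str, user: str) -> None:            # lifecycle: assignment
        self.device_owner[device_id] = user

    def authenticate(self, device_id: str, service_id: str, nonce: bytes,
                     response: bytes, bytes_requested: int) -> dict:
        """Check proof of possession, then the user's policy and shared quota; sign the result for the vertical."""
        key, user = self.device_keys.get(device_id), self.device_owner.get(device_id)
        ok = key is not None and user is not None and hmac.compare_digest(
            _mac(key, b"auth|" + device_id.encode() + b"|" + service_id.encode() + b"|" + nonce), response)
        reason = "ok" if ok else "bad-credential"
        if ok:
            policy = self.users[user]
            if service_id not in policy.allowed_devices.get(device_id, set()):
                ok, reason = False, "service-not-allowed-for-device"
            elif policy.used_bytes + bytes_requested > policy.quota_bytes:
                ok, reason = False, "shared-quota-exhausted"
            else:
                policy.used_bytes += bytes_requested
        result = {"device": device_id, "service": service_id, "user": user if ok else None,
                  "authenticated": ok, "reason": reason, "nonce": nonce.hex(),
                  "issued_at": int(time.time())}
        payload = json.dumps(result, sort_keys=True).encode()
        return {"result": result, "sig": _mac(self.vertical_keys[service_id], payload).hex()}


class Device:
    """A (U)SIM-less device holding the secret provisioned at manufacture."""

    def __init__(self, device_id: str, device_key: bytes) -> None:
        self.device_id, self.device_key = device_id, device_key

    def respond(self, service_id: str, nonce: bytes) -> bytes:
        return _mac(self.device_key, b"auth|" + self.device_id.encode() + b"|" + service_id.encode() + b"|" + nonce)


class VerticalService:
    """The vertical industry's service: relies on the network's signed result instead of authenticating itself."""

    def __init__(self, service_id: str, shared_key: bytes) -> None:
        self.service_id, self.shared_key = service_id, shared_key

    def accept(self, assertion: dict, nonce: bytes) -> bool:
        payload = json.dumps(assertion["result"], sort_keys=True).encode()
        if not hmac.compare_digest(_mac(self.shared_key, payload), bytes.fromhex(assertion["sig"])):
            return False  # tampered or not issued by the network
        r = assertion["result"]
        return r["authenticated"] and r["service"] == self.service_id and r["nonce"] == nonce.hex()


def run_demo() -> list[tuple[str, str, bool, str]]:
    """Constructed scenario: one user, two devices, two verticals; returns (device, service, accepted, reason)."""
    net = NetworkIdentityService()
    health = VerticalService("health.example", secrets.token_bytes(32))
    home = VerticalService("smart-home.example", secrets.token_bytes(32))
    net.vertical_keys = {health.service_id: health.shared_key, home.service_id: home.shared_key}
    watch, sensor = Device("WATCH-0001", secrets.token_bytes(32)), Device("SENS-0042", secrets.token_bytes(32))
    for d in (watch, sensor):
        net.register_device(d.device_id, d.device_key)
        net.assign_to_user(d.device_id, "alice")
    rogue = Device("SENS-0042", secrets.token_bytes(32))  # claims the sensor's identity with the wrong key
    # user-based management: alice decides which device may use which service; one quota for both devices
    net.users["alice"] = UserPolicy({"WATCH-0001": {"health.example"}, "SENS-0042": {"smart-home.example"}}, 1000)
    rows = []
    for dev, svc, nbytes in [(watch, health, 600), (sensor, home, 300), (sensor, health, 10),
                             (rogue, home, 10), (watch, health, 200)]:
        nonce = secrets.token_bytes(16)  # issued by the vertical so the result cannot be replayed
        assertion = net.authenticate(dev.device_id, svc.service_id, nonce, dev.respond(svc.service_id, nonce), nbytes)
        rows.append((dev.device_id, svc.service_id, svc.accept(assertion, nonce), assertion["result"]["reason"]))
    return rows
```

The scenario exercises the framework's main rules: the physical identity `SENS-0042` maps to a service identity the user allowed (`smart-home.example`) and is refused for one she did not (`health.example`); a device presenting the right identifier but the wrong manufacturing secret fails proof of possession; and the last request from the watch fails because the sensor's earlier traffic already consumed most of the quota the two devices share. The vertical checks the nonce it issued against the signed result so that a result obtained for one request cannot be replayed for another.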