In ISACA’s 5G Privacy: Addressing Risks and Threats white paper, the authors summarize the evolution and architecture of 5G networks and offer several best practices to mitigate security and privacy threats, like privacy exposure, unauthorized access, crossborder and data flows.
For instance, user identity exposure is a unique threat that can discover the identity and location of people via unique identifiers. Threats like these introduce new privacy concerns that might contravene many regulations, like the US State of California Consumer Privacy Act (CCPA), the EU General Data Protection Regulation (GDPR) and the US Health Insurance Portability and Accountability Act (HIPAA).
5G’s open and adaptable architecture and enabling technologies, like software-defined networking (SDN), network functionality virtualization (NFV) and network slicing, will create apprehensiveness within the security community and influence research and developments toward suitable security controls. Today, most privacy concerns result from the enormous volume of devices and consumer identifiers traveling across the 5G network. Moreover, SDN, the Internet of Things (IoT), cloud, containerization, and microservices are components supported by 5G networks. The mass adoption of these technologies and the lack of skilled professionals may unintentionally create numerous privacy threats for consumers and businesses.
When evaluating 5G’s impact on privacy, the authors stated that it is best to separate privacy into three classes: data privacy, location privacy and identity privacy. Data privacy concerns are relatively straightforward. Privacy concerns focus on the confidentiality, integrity and privacy of massive amounts of sensitive data traversing the 5G network, like personally identifiable information (PII) or financial information. Location privacy deals with tracking users’ locations, habits and routines to improve a company’s services or advertisements. Unfortunately, this potential threat vector could enable cyber threat actors to track users via their devices and habits. Lastly, identity privacy involves using devices, systems, or user attributes to gain access to 5G networks and digital services. Many online services require extraneous information about the user’s identity, which presents yet another possible threat to privacy.
5G introduces unique ways to materialize modern threat vectors, like man-in-the-middle attacks and supply chain risks. This paper also discusses how a user’s personal information traverses several providers before it reaches its destination, increasing the probability of data incidents or breaches of PII. A lack of visibility into the security posture of each provider creates uncertainty for GRC, IT audit and cybersecurity professionals. Subsequently, this scenario is further complicated when data resides in shared environments (physical and virtual), utilizes the same network infrastructure and leverages numerous integrations, application programming interfaces (APIs), and proprietary digital platform connectors found in modern communication platforms like Microsoft Teams and Slack.
From a nation-state security perspective, 5G network’s open and adaptable infrastructure could introduce concerns about sufficient cryptographic protections and strong authentication. Unfortunately, necessary security protections can impact the performance of data transmissions and services. In response, many providers prioritizing availability may neglect fundamental security protections. To make matters even more complicated, third-party service providers are now intertwining their services with 5G architecture. Due to the lack of visibility that the industry currently has in third-party services, 5G might further obfuscate the security posture and introduce challenging technical considerations for assessors who don’t have expertise in this domain yet.
ISACA’s 5G and privacy white paper provides a few mitigations for unauthorized data access threats and data breaches. For instance, to support privacy regulations, the paper suggests “establishing advanced dynamic and continuous consent processes and notifications that guard users’ rights to rectification, erasure, and notification.” Even though 5G utilizes 256-bit encryption, the authors recommend continuously pushing toward advanced levels of encryption when possible. This also applies to data in transit; implementors and assessors should confirm the latest versions of transport layer security (TLS) are in place to protect sensitive data.
To summarize, resilient 5G network security requires a change in mindset and culture. In other words, enterprises must consider the risk of adoption on the front end and avoid the “implement first, think later” philosophy that has likely existed in their organization for many years.