“There’s really no runway to consider security as an afterthought after the product rollout any more.”
So Sunil Ravi, Chief Security Architect for Versa Networks, observed in a recent conversation with 6GWorld.
“As you roll out a product or service you have to make sure it’s secure because the window of opportunity needed to exploit a vulnerability is very, very short. It’s been reducing over time. And the amount of damage that can be inflicted is very serious – it’s way too high, simply not affordable in this day and age.”
This is the challenge facing Ravi. He is fortunate to be with Secure Access Service Edge (SASE) and SD-WAN provider Versa, where he has been involved from the outset in designing security architecture for their enterprise clients’ services. Working from home has changed the nature of enterprise networking considerably, according to Ravi.
“All these people were sat at one location and work-from-home used to be the exception rather than the norm. The pandemic has replaced that with being the norm rather than the exception. That presents a unique problem in itself, that we have to focus more on the edge rather than on the access and securing one location.”
This had a dramatic impact on Versa Networks’ own position, making them build out a fresh service in a matter of weeks.
“We had to have a distributed infrastructure, but not many enterprises can afford to have a global distributed infrastructure as part of their global IT implementation. That’s not their primary purpose. That’s where we step in – we drive economies of scale by providing that infrastructure as a service. That’s something we were able to quickly adapt to the demands of the enterprises during the pandemic.”
Distributed computing is nothing new; cloud adoption has driven it for years. The pandemic, however, raised new issues for enterprises that relied on distributed computing models to run their businesses during lockdown.
“Consider enterprises trying to wrap their heads around the problem of security when their platforms and applications reside on infrastructure that they don’t have any control over, and then the devices being used are coming from many different locations and those devices are no longer in their control. How do you get this whole situation fully secured, how do you understand whether everything is alright, how do you estimate the risk and so on? It’s compounded the security problem exponentially.”
5G’s software-based flexibility has been a blessing for the establishment of distributed private networks. This does, however, have ramifications for security as the complexity of the environment grows and enterprise networks interact with the broader telecoms environment.
“The primary problem area that we have seen partners or customers asking us to address is to be able to create a segmentation or micro-segmentation between all these different networks. Because as network adoption in 5G, and in future 6G, takes place networks are becoming more dense and more high-speed. The cross-connects are growing exponentially, so the primary requirement we are targeting at the moment is to be able to segment the networks, prevent lateral movement and be able to automatically identify vulnerabilities and mitigate them,” Ravi noted.
The approach, as a result, is complex.
“We apply artificial intelligence to do behavioural analysis on all these different slices to be sure that we have established a baseline behaviour and we can identify anomalous behaviour and enforce prompt remediations. Then we also need to have secure pipes – cryptography is also a very important part of this equation. Because of the distributed nature of the problem we need to build an entire end-to-end secure pathway between the compute nodes,” Ravi explained.
“That’s where SD-WAN comes into play to dynamically enable the secure bandwidth between these nodes. On top of that we specifically enforce that segmentation and provide the granular access control that’s needed, as well as threat mitigation. These are all the specific areas where we’re working.”
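The two controls Ravi describes for multi-slice networks, a segmentation policy that blocks lateral movement and a per-host behavioural baseline that flags anomalies, can be sketched in a few dozen lines. The following is an added illustration written for this article, not Versa's code; the slice names, the flow records and the allowed-pair policy are all constructed, and the "AI" is reduced to a simple z-score against a learned baseline so the logic stays visible.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data (not from any real network).
# Each flow is (src_host, src_slice, dst_slice, bytes_out).
BASELINE_FLOWS = [
    ("cam-01", "iot", "video-backend", 1200),
    ("cam-01", "iot", "video-backend", 1400),
    ("cam-01", "iot", "video-backend", 1300),
    ("laptop-07", "office", "saas-gw", 8000),
    ("laptop-07", "office", "saas-gw", 9000),
    ("laptop-07", "office", "saas-gw", 7000),
]

NEW_FLOWS = [
    ("cam-01", "iot", "video-backend", 1350),        # normal
    ("cam-01", "iot", "office", 600),                # slice policy forbids iot -> office
    ("laptop-07", "office", "saas-gw", 250000),      # far above this host's usual volume
    ("laptop-07", "office", "video-backend", 500),   # permitted, but never seen from this host
]

# Micro-segmentation policy: which (src_slice, dst_slice) pairs may talk. Hypothetical.
ALLOWED = {
    ("iot", "video-backend"),
    ("office", "saas-gw"),
    ("office", "video-backend"),
}


def build_baseline(flows):
    """Learn, per host, the destination slices it normally reaches and its typical flow size."""
    per_host = defaultdict(list)
    for host, _src, dst, nbytes in flows:
        per_host[host].append((dst, nbytes))
    baseline = {}
    for host, entries in per_host.items():
        sizes = [b for _, b in entries]
        baseline[host] = {
            "dst_slices": {d for d, _ in entries},
            "mean": mean(sizes),
            "stdev": pstdev(sizes),
        }
    return baseline


def evaluate(flows, baseline, allowed, z_threshold=3.0):
    """Return (host, alert_type, detail) tuples for policy violations and behavioural anomalies."""
    alerts = []
    for host, src, dst, nbytes in flows:
        # Segmentation is enforced first: a forbidden cross-slice flow is blocked
        # regardless of how "normal" it looks, which is what stops lateral movement.
        if (src, dst) not in allowed:
            alerts.append((host, "policy_violation", f"{src}->{dst}"))
            continue
        prof = baseline.get(host)
        if prof is None:
            alerts.append((host, "unknown_host", f"{src}->{dst}"))
            continue
        # Behavioural checks against the learned baseline.
        if dst not in prof["dst_slices"]:
            alerts.append((host, "new_destination", dst))
        spread = prof["stdev"] or 1.0  # a host with constant sizes gets a minimal spread
        if (nbytes - prof["mean"]) / spread > z_threshold:
            alerts.append((host, "volume_anomaly", nbytes))
    return alerts


def run_demo():
    """Evaluate the constructed flows and return the resulting alerts."""
    return evaluate(NEW_FLOWS, build_baseline(BASELINE_FLOWS), ALLOWED)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Run as a script it prints three alerts: a policy violation for the camera reaching into the office slice, a volume anomaly for the laptop, and a new-destination notice for the laptop's first contact with the video backend. In a real deployment the baseline would be rebuilt on a rolling window and the policy would come from the SD-WAN controller rather than a literal set, but the ordering matters in any implementation: enforce segmentation before consulting the baseline, so an attacker cannot "train" the model into accepting a cross-slice path.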
Combining Networking and Security
5G services were promoted for not just high speeds but low latency, while demands on future networks will include moving away from best-effort IP networking. At the same time, security functions are only gaining in significance and in the variety of techniques. How can services be inspected and secured while at the same time meeting increasingly stringent demands for low latency?
“There are definitely a lot of mission-critical applications that are sensitive to network anomalies like jitter, packet loss or latency which kill the user experience. The way that these applications are designed – whether they’re digital twins or connected cars and all these applications – they tend to reuse multiple protocols that are purpose-built for different parts of the application,” Ravi observed. “Each of these protocols that they use would have specific security requirements, and the more security processing is involved, the greater the impact on performance.”
What is the solution, therefore?
“We tend to address the security at the control layer, not the session – the area where the real-time processing happens. That way we ensure that there is adequate security provided within that model and application, and at the same time since we blend in the network elements if we identify any SLA violations we can automatically fail over or take additional SD-WAN actions that mitigate that and make it more fault tolerant, and provide the user experience as it needs to be.”
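The SLA-driven failover Ravi mentions is a control-plane decision: the controller watches per-path measurements of the metrics named above (latency, jitter, packet loss) and moves a traffic class to another path when its SLA is violated, without touching the session data. The following added example is not Versa's or any SD-WAN vendor's code; the SLA thresholds, path names and measurements are constructed to show the decision logic, including the degraded case where no path meets the SLA and the controller has to pick the least-bad option.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Sla:
    """Per-application-class thresholds. Values here are constructed, not a standard."""
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float


@dataclass(frozen=True)
class PathStats:
    """Latest measurements for one WAN path, as a controller would collect them."""
    name: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float


def violations(sla, stats):
    """Names of the SLA metrics this path currently breaches (empty list = compliant)."""
    bad = []
    if stats.latency_ms > sla.max_latency_ms:
        bad.append("latency")
    if stats.jitter_ms > sla.max_jitter_ms:
        bad.append("jitter")
    if stats.loss_pct > sla.max_loss_pct:
        bad.append("loss")
    return bad


def select_path(sla, paths, current):
    """Return (chosen_path, violations_on_current).

    Keep the current path while it meets the SLA (avoids needless flapping);
    otherwise fail over to the best compliant path; if none complies, take the
    path with the fewest violations and lowest latency so traffic still flows.
    """
    by_name = {p.name: p for p in paths}
    cur_bad = violations(sla, by_name[current])
    if not cur_bad:
        return current, []
    compliant = [p for p in paths if not violations(sla, p)]
    if compliant:
        best = min(compliant, key=lambda p: (p.loss_pct, p.latency_ms, p.jitter_ms))
        return best.name, cur_bad
    least_bad = min(paths, key=lambda p: (len(violations(sla, p)), p.latency_ms))
    return least_bad.name, cur_bad


# Constructed scenario: a voice-class SLA and three hypothetical WAN paths.
VOICE_SLA = Sla(max_latency_ms=150, max_jitter_ms=30, max_loss_pct=1.0)

HEALTHY_PATHS = [
    PathStats("mpls", latency_ms=40, jitter_ms=5, loss_pct=0.1),
    PathStats("broadband", latency_ms=60, jitter_ms=35, loss_pct=0.2),
    PathStats("lte", latency_ms=90, jitter_ms=20, loss_pct=0.5),
]

# Same paths a moment later: the MPLS circuit starts dropping packets.
DEGRADED_PATHS = [
    PathStats("mpls", latency_ms=40, jitter_ms=5, loss_pct=3.0),
    PathStats("broadband", latency_ms=60, jitter_ms=35, loss_pct=0.2),
    PathStats("lte", latency_ms=90, jitter_ms=20, loss_pct=0.5),
]

# Worst case: every path breaches something; the controller must still choose.
ALL_BAD_PATHS = [
    PathStats("mpls", latency_ms=40, jitter_ms=5, loss_pct=3.0),
    PathStats("broadband", latency_ms=200, jitter_ms=35, loss_pct=2.0),
    PathStats("lte", latency_ms=90, jitter_ms=40, loss_pct=0.5),
]


def run_demo():
    """Evaluate the three constructed snapshots for voice traffic currently on MPLS."""
    return {
        "healthy": select_path(VOICE_SLA, HEALTHY_PATHS, "mpls"),
        "degraded": select_path(VOICE_SLA, DEGRADED_PATHS, "mpls"),
        "all_bad": select_path(VOICE_SLA, ALL_BAD_PATHS, "mpls"),
    }


if __name__ == "__main__":
    for label, (path, why) in run_demo().items():
        print(f"{label:9s} -> {path} (current violated: {why or 'none'})")
```

In the degraded snapshot the controller skips broadband even though its loss is low, because its jitter already breaches the voice SLA, and lands on LTE; in the all-bad snapshot every path has exactly one violation, so the tie is broken on latency and MPLS is kept despite its loss. Whatever the real scoring, the decision runs on measured path state, so the encrypted sessions themselves are never inspected or interrupted for the failover to happen.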
This combination of network and security co-management is clearly an opportunity for telecoms players to distinguish themselves strategically from other IT and cloud providers. There is a school of thought suggesting that 5G will act as the model for future telecoms networks, and that “telco” will end up as software applications running on a distributed network of compute and storage. If that is the case, does Versa offer a model for future telecoms providers?
“Some industry stalwarts say software is eating the world, and I would definitely agree with that at this point in time, but it’s always like a pendulum. We have to have the right mix of hardware and software. We tend to ignore one versus the other,” Ravi commented.
“There are some things software does that hardware cannot match, because we lose the agility; and there are some things that hardware can perform very well that software cannot match. We need to blend the right hardware and software capabilities, so when we design and build our software we build it with the right abstraction layer so that if the hardware does provide those capabilities we offload those functions to the hardware.”
Overall, though, Ravi sees the transition towards software as a positive for the telecoms sector.
“The majority of telco infrastructure is hardware-based, or at least it used to be hardware based, and now a shift is going towards software-based to make telco more agile and able to blend with the edge compute space. If you take any cues from how hyperscalers and the cloud evolved, they have infrastructure-as-a-service, platform-as-a-service and software-as-a-service. I would see something along similar lines happening in telco.”
In this case, Ravi notes, there could be good opportunities for collaboration at the infrastructure layer to deliver coverage and capacity, but then innovation and competition at the platform layer. Application platforms, databases and more could be tailor made for specific domains such as digital twins, autonomous vehicles, drone flights and more.
“For each of these applications to be realised they need specific platforms on which these applications can be built, and that’s where there could be lots of innovation”, he enthused.
Security, as a question of perimeters and prevention of harm, is a well-established field. However, we are starting to see more emphasis on the concept of resilience, exploring how to minimise harm and restore capabilities if any problems do occur. While the two seem complementary, there is a philosophical distinction between them – building resilience, after all, could be seen as admitting defeat. 6GWorld couldn’t help but ask Ravi about his views.
“Resilience is definitely a very loaded term. You can’t really take a holistic approach to that space, you have to slice-and-dice. We have resilience at the network layer, where SD-WAN comes and accommodates a lot of performance; if some network element was unreachable or a lot of impairments happen along certain paths you can react to that. Actually, you can use the data along these different paths and then build some AI into that, to not only react to impairments but actually predict or even realise certain remediation measures before a problem has happened; so it’s an interesting space and definitely it needs to be thought through in more detail.
“There’s a delicate balance between the two, and as we go along the path of blending network and security together, layering in new technologies and techniques – the faster networks, the AI/ML – we can build in ways that are more reactive or more predictive, and then some intent-based networking and self-healing. There are a lot of things that can come into play as we go on.”
Alex Lawrence is Managing Editor at 6GWorld. His mission is to bring together stakeholders from across industries, countries and disciplines to make sure that, as technology evolves in the coming decade, it’s meeting the changing demands of society, government and business.
He has been involved as a professional nosy person in the telecoms sphere since 2004, with short detours through industrial O&M and marketing.
If you’d like to talk to Alex about your ideas or projects he’d love to hear from you. @animalawrence or firstname.lastname@example.org.