
Friday, 18 October 2024

Cybersecurity Regulation: A Global Overview of Standards and Regional Approaches Influenced by Legal Systems

Antonio Ieranò

Security, Data Protection, Privacy. Comments are on my own unique responsibility 🙂

October 10, 2024

NOTE: this is the second part of the short analysis I was asked to write. Enjoy :-)
https://www.linkedin.com/embeds/publishingEmbed.html?articleId=9050930498525188000&li_theme=light

Introduction

In today’s increasingly interconnected world, where digital infrastructures underpin critical sectors like healthcare, finance, and energy, robust cybersecurity regulation has become paramount. Cyberattacks are growing in both frequency and sophistication, making it crucial for countries and regions to implement strong cybersecurity frameworks. These frameworks are shaped not only by the evolving nature of cyber threats but also by the underlying legal systems that influence how laws are drafted, interpreted, and enforced.

Legal systems—whether civil (Roman law), common law, or socialist law—play a significant role in shaping regulatory approaches. For instance, the European Union’s civil law tradition results in highly codified and comprehensive cybersecurity regulations, while the United States, operating under common law, tends to develop more flexible, sector-specific laws. China’s socialist legal system, with its focus on state control and data sovereignty, enforces stringent cybersecurity standards.

This article explores widely accepted international cybersecurity standards and region-specific regulations, with a focus on the EU’s evolving cybersecurity landscape, including the NIS2 Directive, DORA, and other key regulations. It also examines how different legal systems impact the implementation of cybersecurity frameworks, particularly in critical sectors like healthcare and finance.


Widely Accepted Cybersecurity Standards

International cybersecurity standards serve as the foundation for many national regulations, providing a common language for addressing cybersecurity risks. Several globally accepted frameworks are referenced across industries, helping organisations manage and mitigate cyber threats.

ISO/IEC 27001 – Information Security Management Systems (ISMS)

ISO/IEC 27001 is a widely recognised standard for information security management, offering a systematic approach to protecting sensitive data, managing risks, and ensuring cybersecurity resilience. This standard is particularly relevant for critical sectors such as healthcare and finance, where data protection is paramount.

NIST Cybersecurity Framework (CSF)

The NIST Cybersecurity Framework (CSF), developed by the U.S. National Institute of Standards and Technology (NIST), provides a flexible, risk-based approach to managing cybersecurity risks. It is composed of five core functions: Identify, Protect, Detect, Respond, and Recover. While originally designed for critical infrastructure sectors in the U.S., it has been widely adopted internationally due to its comprehensive approach.

CIS Controls

The Center for Internet Security (CIS) Controls offer practical, action-oriented guidelines for mitigating cyber threats. These controls are used by organisations around the world to align their cybersecurity practices with industry best practices, particularly in sectors that handle sensitive data.

ISO/IEC 27701 – Privacy Information Management

Building on ISO/IEC 27001, ISO/IEC 27701 addresses privacy information management. It helps organisations that must comply with data protection regulations like the General Data Protection Regulation (GDPR) integrate privacy controls into their broader cybersecurity strategies.


Cybersecurity Regulations in the European Union (EU)

The European Union has developed one of the most comprehensive and prescriptive cybersecurity frameworks in the world, heavily influenced by its Roman law tradition. The EU’s approach to cybersecurity is codified in several key regulations and directives aimed at harmonising standards across its member states. These regulations are essential for securing critical sectors such as healthcare, finance, energy, and transportation.

NIS2 Directive (2022)

The NIS2 Directive, which updates and replaces the original Network and Information Systems (NIS) Directive of 2016, significantly strengthens cybersecurity requirements across the EU. NIS2 expands the scope of the original directive, covering more sectors and requiring operators of essential services (OES) and digital service providers (DSPs) to implement stronger cybersecurity measures.

Key aspects of the NIS2 Directive include:

  • Expanded scope: NIS2 applies to additional sectors beyond the original NIS Directive, including healthcare, energy, transport, banking, and digital infrastructure.
  • Stricter incident reporting: Organisations must report significant cybersecurity incidents within 24 hours of detection.
  • Enhanced cooperation: The directive encourages greater cooperation between member states, including information sharing and coordination during cyber crises.
  • Cybersecurity risk management: NIS2 mandates that organisations adopt advanced cybersecurity measures, conduct regular risk assessments, and ensure that cybersecurity is integrated into their broader business operations.

The European Union Agency for Cybersecurity (ENISA) plays a key role in supporting the implementation of NIS2 by providing guidance, coordinating responses to cross-border incidents, and facilitating cooperation between member states.

General Data Protection Regulation (GDPR)

While the General Data Protection Regulation (GDPR) is primarily focused on data protection, it has significant implications for cybersecurity. GDPR sets out strict requirements for the processing, storing, and securing of personal data, particularly in critical sectors like healthcare and finance. Organisations must implement appropriate technical and organisational measures, such as encryption and pseudonymisation, to safeguard personal data.

A key challenge in applying GDPR within the EU’s civil law system is the regulation’s common law origins. The flexibility inherent in GDPR’s language has led to differing interpretations across member states, requiring ongoing clarification from the European Data Protection Board (EDPB) and national data protection authorities (DPAs). This has created a need for continuous guidance and harmonisation efforts across the EU.

Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (DORA) is a groundbreaking regulation aimed at enhancing the cybersecurity resilience of the financial services sector across the EU. DORA focuses on ensuring that financial institutions are equipped to withstand, respond to, and recover from cyberattacks and other operational disruptions.

Key aspects of DORA include:

  • Cybersecurity resilience testing: Financial institutions are required to conduct regular cybersecurity resilience tests, including penetration testing and vulnerability assessments.
  • Third-party risk management: DORA mandates stringent oversight of third-party service providers, particularly those that supply critical ICT services to financial institutions.
  • Incident reporting: Financial institutions must report significant cybersecurity incidents to their national authorities within a strict timeframe.

Cybersecurity Act (2019)

The Cybersecurity Act, enacted in 2019, establishes a European cybersecurity certification framework for ICT products, services, and processes. The goal of the act is to enhance trust and security in digital products and services across the EU. ENISA is responsible for managing the certification process and ensuring that products and services comply with EU cybersecurity standards.

The Cybersecurity Act also enhances ENISA’s role as the EU’s central cybersecurity agency, giving it a stronger mandate to support member states, coordinate responses to large-scale cyber incidents, and provide guidance on implementing cybersecurity regulations.

Payment Services Directive 2 (PSD2)

The Payment Services Directive 2 (PSD2) introduces stringent cybersecurity requirements for the financial sector, particularly regarding online transactions and digital payments. PSD2 mandates strong customer authentication (SCA) for electronic payments and sets cybersecurity standards for third-party payment service providers (TPPs). Financial institutions must ensure that all customer data is protected in compliance with GDPR and other cybersecurity regulations.


The Role of Legal Systems in Shaping Cybersecurity Regulation

Different legal systems—whether Roman law (civil law), common law, or socialist law—greatly influence how cybersecurity regulations are structured, interpreted, and enforced. These legal traditions shape the regulatory approaches of regions like the European Union, the United States, and China.

Civil Law Systems (Roman Law)

In civil law systems, such as those in the EU, regulations are codified and prescriptive, with detailed rules that apply uniformly across all jurisdictions. The EU’s legal system, based on Roman law, has led to the development of comprehensive cybersecurity frameworks such as NIS2, DORA, and GDPR. However, the application of GDPR—a regulation rooted in common law principles—has led to challenges in interpretation, as civil law systems typically prefer strict codification over flexibility. This has required ongoing clarifications from EU regulatory bodies like the EDPB and national DPAs.

Common Law Systems

In contrast, common law systems, such as those in the United States, are more flexible and rely on precedent and judicial interpretation. The U.S. cybersecurity landscape is characterised by a patchwork of sector-specific regulations, such as HIPAA for healthcare and GLBA for finance, as well as voluntary frameworks like the NIST Cybersecurity Framework. This flexibility allows for quicker adaptation to emerging cybersecurity threats but can lead to inconsistencies across sectors.

Socialist Legal Systems

China’s socialist legal system prioritises state control and national security. The country’s Cybersecurity Law and Data Security Law impose stringent requirements on data localisation and cybersecurity, particularly for operators of critical infrastructure. The government’s focus on controlling data flows and protecting sensitive information is a central feature of China’s regulatory approach.


Cybersecurity Regulation for Critical Sectors

Healthcare Sector

The healthcare sector is highly regulated due to the sensitivity of personal health information (PHI) and the potential life-threatening consequences of cyberattacks on healthcare systems.

  • HIPAA (U.S.): The Health Insurance Portability and Accountability Act (HIPAA) requires U.S. healthcare providers and their associates to implement administrative, physical, and technical safeguards to protect electronic personal health information (ePHI).
  • GDPR (EU): In the EU, healthcare providers must comply with GDPR when processing health data. GDPR mandates strict security measures, such as encryption and access controls, to ensure that patient data is protected.
  • NIS2 Directive (EU): Healthcare providers in the EU are also subject to the NIS2 Directive, which strengthens cybersecurity requirements for operators of essential services (OES), including healthcare organisations. NIS2 mandates incident reporting, regular risk assessments, and the implementation of advanced cybersecurity measures.

Financial Sector

The financial sector is a frequent target for cyberattacks due to the volume of sensitive financial data it handles. Financial institutions are subject to strict cybersecurity regulations aimed at protecting consumer information and ensuring the resilience of financial systems.

  • GLBA (U.S.): The Gramm-Leach-Bliley Act (GLBA) requires U.S. financial institutions to implement cybersecurity safeguards to protect consumer financial data.
  • PSD2 (EU): The EU’s Payment Services Directive 2 (PSD2) mandates strong customer authentication (SCA) for electronic payments and requires financial institutions to implement robust cybersecurity measures.
  • DORA (EU): The Digital Operational Resilience Act (DORA) focuses on ensuring the cybersecurity resilience of the financial sector. Financial institutions are required to conduct regular cybersecurity testing, monitor third-party risks, and report incidents.

Conclusion

As cyber threats continue to grow in complexity and scale, cybersecurity regulation must evolve to protect critical infrastructure and sensitive data. Global standards like ISO/IEC 27001 and the NIST Cybersecurity Framework provide essential guidelines, while region-specific regulations—such as the EU’s NIS2 Directive, DORA, and GDPR, the U.S. HIPAA and GLBA, and China’s Cybersecurity Law—address the unique risks faced by critical sectors like healthcare and finance.

In the European Union, the challenges of applying common law-inspired regulations like GDPR in a civil law environment have underscored the importance of regulatory bodies like ENISA and the EDPB in providing continuous guidance and harmonising interpretation across member states. As organisations worldwide strive to build cybersecurity resilience, cross-border cooperation, and alignment with both global standards and local regulations will remain key to addressing the evolving cyber threat landscape.

Appendix: principal regulations per geographic area

Here’s a breakdown of specific regulations covered in the article, focusing on cybersecurity and critical services across different regions:

1. European Union (EU)

  • General Data Protection Regulation (GDPR): Aimed at protecting personal data and ensuring data security, GDPR sets strict guidelines for data processing, including requirements for encryption, breach reporting, and user consent. It applies across sectors but has specific importance in healthcare and finance, given the sensitivity of personal data.
  • NIS2 Directive: Expands the original NIS Directive, increasing the scope to cover more critical sectors such as healthcare, energy, and digital infrastructure. It introduces stricter requirements for incident reporting, cybersecurity risk management, and harmonises cybersecurity standards across member states.
  • Digital Operational Resilience Act (DORA): Focused on the financial sector, DORA ensures that financial institutions are equipped to handle cyberattacks and operational disruptions. It mandates continuous testing of cybersecurity resilience, incident reporting, and third-party risk management for critical financial services.
  • Cybersecurity Act (2019): Establishes a European cybersecurity certification framework for ICT products, services, and processes, enhancing trust and security in digital products across the EU. ENISA’s role is also expanded under this act to facilitate cross-border cooperation and incident response.

2. United States

  • NIST Cybersecurity Framework: A voluntary but widely adopted framework designed to manage and reduce cybersecurity risks. It consists of five core functions (Identify, Protect, Detect, Respond, and Recover) and is frequently referenced by federal agencies and critical infrastructure operators.
  • HIPAA (Health Insurance Portability and Accountability Act): Mandates strict protection of personal health information (PHI) in the healthcare sector. It requires healthcare organisations to implement safeguards, encryption, access controls, and regular security assessments.
  • GLBA (Gramm-Leach-Bliley Act): Focused on financial institutions, GLBA requires measures to protect consumers’ financial information. It mandates encryption, multi-factor authentication, and data privacy policies for financial institutions.
  • FISMA (Federal Information Security Management Act): Governs federal agency information security, requiring agencies to develop, document, and implement information security programs. It is sector-specific but critical for managing the cybersecurity risks of federal agencies.

3. China

  • Cybersecurity Law: Imposes strict data localisation and cybersecurity requirements on all sectors, with particular emphasis on critical infrastructure. Companies are required to store data locally, undergo cybersecurity assessments, and ensure government oversight on cross-border data transfers.
  • Data Security Law: Regulates the collection, storage, and transfer of data, especially focusing on protecting state interests and critical information infrastructure (CII). Like the Cybersecurity Law, it requires data localisation and security assessments.

4. United Kingdom

  • NIS Regulations: Following Brexit, the UK implemented its own version of the NIS Directive, which focuses on the protection of critical infrastructure, including healthcare and financial services. The regulations include incident reporting and cybersecurity risk management.
  • UK GDPR: Mirroring the EU GDPR, the UK GDPR ensures data protection standards remain high post-Brexit, focusing on protecting sensitive personal data across sectors, including healthcare and finance.
  • FCA Guidelines (Financial Conduct Authority): Financial institutions in the UK are required to follow FCA cybersecurity guidelines, ensuring resilience against cyber threats through continuous monitoring, incident reporting, and strict cybersecurity controls.

5. Singapore

  • Cybersecurity Act: Requires operators of critical information infrastructure (CII) to comply with stringent cybersecurity measures. These include incident reporting and regular risk assessments to prevent and mitigate cyber threats.
  • MAS TRM Guidelines (Monetary Authority of Singapore): Focused on the financial sector, these guidelines require financial institutions to implement robust cybersecurity measures, including vulnerability assessments, penetration testing, and encryption of sensitive data.

6. Japan

  • Cybersecurity Basic Act: Establishes guidelines for securing critical infrastructure and promoting collaboration between the public and private sectors. It mandates that companies in critical sectors adopt cybersecurity measures and report cyber incidents.
  • FSA (Financial Services Agency) Regulations: Focuses on cybersecurity in the financial services sector, requiring firms to implement robust risk management practices, encrypt financial data, and perform continuous cybersecurity resilience testing.

#CybersecurityRegulation #NIS2Directive #DORARegulation #ISO27001 #GDPRCompliance #CyberResilience #HealthcareCybersecurity #FinancialCybersecurity #ENISA #DataProtection #NISTFramework #CybersecurityStandards

Wednesday, 29 July 2020

Schrems II, data transfer, and the USA: the wheels are rolling.

Probably everyone by now has at least heard about the ECJ ruling known as Schrems II, which basically rules out the possibility of using the infamous Privacy Shield agreement to allow data transfer between the EU and the USA, on the grounds that the USA does not provide enough guarantees that EU data will be protected.

If you don’t know (but you should), here is my previous article:

https://thepuchiherald.com/2020/07/17/ops-privacy-shield-bye-bye/

After the ruling, one of the questions was: what now?

Will a grace period be offered to survive this? (Lots of companies were transferring data to the USA using Privacy Shield.)

And most of all, will SCCs be enough?

The answer my friend, is blowing in the wind...

Er, no. Actually there have been some FAQs from the EDPB that should call the local authorities to action.

According to the new FAQs of the European Data Protection Board on the #SchremsII decision, if you want to transfer personal data to the US under the SCCs or other means, you will have to notify the data protection supervisory authority. This approach will oblige companies to perform a massive amount of work, since the notification will definitely have to be accompanied by an assessment of the adequacy of the data transfer mechanism. Are companies and SAs ready to handle this large amount of work?

https://edpb.europa.eu/news/news/2020/european-data-protection-board-publishes-faq-document-cjeu-judgment-c-31118-schrems_en

While some authorities have not yet reacted (and this is not a surprise for Italians, I am afraid), some others (wonder who) have made a statement that clarifies the doubts that may eventually arise and are not solved by the EDPB’s FAQ.

The Conference of German Supervisory Authorities (DSK) issued its statement yesterday about the consequences of the #SchremsII judgment which, as we can imagine, is completely aligned with the EDPB position. There are some points that are critical on the matter:

Data transfers based on the Privacy Shield are no longer allowed and all companies must immediately suspend them

This is a critical point, since I am quite sure there are companies that do not even know their data were delivered to the USA under Privacy Shield. I would like to remind you that if an audit from the authority knocks at your door, something like “I don’t know” or “I don’t remember” will not save you. GDPR requires that you, the company, prove you have done your duty in a concrete, effective way, so no paper compliance is allowed here. Just to make life easier, I would also love to remind you that this is not just the German way, and sooner or later the other authorities will align with such requirements.

Transfers based on the SCCs require an assessment of the adequacy of the context and the supplier

And here we have the headache, since the assessment is not “optional”: it is mandatory. This comes as an obvious consequence of the fact that the EDPB FAQ says that, to be allowed, SCC transfers should be communicated to the authority. Now, for some of you so naive as to think “I can send a mail to the authority telling them: hey chap, I use SCCs, do not worry”, it does not work like this. For some reason they want you to prove you did your duty.

The use of SCCs for the transfer of data to the United States, in the absence of additional guarantee measures, is not sufficient to legitimise the activity

And of course, if you send your data to a country that does not guarantee the privacy of EU citizens and residents, well, your duty is kind of complex. And let’s be clear and brutally honest (while usually I am obscure but kind, rotfl): this will require the active cooperation of the vendors that offer you services, because you need solid proofs and not just paper BS.

There is no “grace period”

And this means you need to do this right fucking now.

And just for the sake of my Italian fellow countrymen: this means that even if our authority is under a sleeping spell and has not reacted yet, you have to act nevertheless, because again an audit will knock and you will have to show you’ve done the right thing. “But the Garante did not tell us anything” will not be an excuse for non-compliance (with the relative consequences).

Time for DPOs to start working and earn their money 😂🤣 (It’s a joke, I know many DPOs already do something.)

Tuesday, 12 November 2019

The IoT Files: the call for 5G

I have recently been interviewed on 5G issues, and this made me realise how confused the knowledge and understanding of 5G is.

Most of the time, when I hear mainstream media comment on 5G, I find on one side apologetic wonders about how this or that vendor with 5G can solve all human problems, and on the other side fears related strictly to the fact that 5G today means Chinese or European vendors: for the first time in years the USA is not leading technologically in a strategic sector.

Even less do I hear about the link between 5G and IoT and what this means.

Generally speaking, most of the discussions on IoT are focused on devices and not on the system, and in most cases I seldom find considerations related to 5G implementation and security. This is quite annoying from my point of view, since security in IoT (I wrote about that in The IoT Files) is more than single-device security, and 5G security issues are not about Huawei spying on us.

And to tell the truth, from my point of view (Italian and European) it would not make much difference if the spy comes from China, Russia, the USA, or the UK.

The first problem is to understand whether there is a relationship between IoT and 5G. Well, the relationship is kind of simple: with the current technologies, IoT is hard limited by connectivity/IP and bandwidth issues. The aim of 5G is to overcome those limitations, offering broadband connectivity that can support IoT needs. This will require investment, a change of business models and… wait, to read about this go to my previous IoT articles; I called them The IoT Files because there is so much to say that a single article cannot cover everything.

Turning back to the point, then: 5G is the technology that can glue IoT together in terms of connectivity, but what does it mean? Well, when we listen to 5G talk we hear how we can create smart cities, how we can connect cars together so they drive better and safer with autonomous driving, and so on.

5G is exactly about this: allowing all this to happen.

All typos are because I never read slides back, lol forgive me

Almost everything you hear about IoT requires 5G to become reality, because current mobile broadband would not be suited to cover those needs; we are not talking about a test with a few cars that can communicate over 4G, but billions of devices somehow interconnected, with different priority needs, bandwidth needs, security and privacy needs.

Basically anything that is recently referred to as “smart something” and IoT will be bound to a technology that allows fast, secure and reliable data connections.

As of now, 5G is the answer, but there is a problem: the champions of 5G technology aren’t from the USA, and the biggest player is Chinese (Huawei holds the highest number of patents on 5G technology).


This thing, which could be irrelevant, is actually the big issue at the moment, so big that all serious consideration of 5G is relegated to an afterthought, a second-level line of consideration.

Geopolitical, technological and economic issues are at the moment the rising stars, making enough noise to cloud judgment and to move attention away from the serious issues.

I am not saying that those are not problems, and I agree nations should try to defend themselves, but targeting the wrong point on 5G will not help to address correctly “ab initio” the complex problem that 5G will bring home. And the main reason behind this is that if you ask what 5G is, the answer is… just a faster mobile network.

If speed were the only reason behind 5G, I would kindly agree that geopolitical issues are the obstacles; but 5G is not just “speed”, it is way more, and the 5G security issue goes beyond the specifics of the connectivity offered at broadband level, into the core of what 5G has been designed for: services.


We used to think that mobile broadband development was only about more speed, but actually speed has never been the only target; speed and services have always developed hand in hand.

From a mobile perspective, 1G offered 2.4 kbps and was designed to allow mobile phones; it was no less, no more than an extension of your home wired phone. Basic voice services and an analog protocol: low bandwidth was all we needed. The issues were more at the infrastructure level, so there was no time to bother with things that were not even in customers’ imagination at that time.

The real revolution arrives with 2G: it’s broadband, it’s digital (GSM, CDMA), it can carry data, it’s more stable… a revolution. We were able to send text and see the caller’s number; who was not enjoying it? And some mobile phones even started to offer a graphic screen and games (like “Snake”). Who really cared about speed, which actually moved from 2.4 kbps to an astonishing 64 kbps?

The nice thing about 2G is the introduction of the idea that mobile phones can be so much more than a simple device to phone with, and text messaging was there to prove it.

You see, when the consumer space sees the opportunity for cool stuff that can make the market big, the vendors will follow. With the pressure of the internet and the new services, a new need for data rose up, and here you have 3G.

3G was not only tremendously faster than its predecessor but was designed around the need to transfer data: no more simple text messages, you can have the internet on your phone now.

Again, the real difference with 2G was not “speed” but the kind of services you were bringing on board. So, as a natural evolution from the old internet, we moved to the new one with video, streaming, chatting and so on. A new class of services required something more, something new: 4G.

And as a matter of fact, besides the speed, the real need for 4G (or the not so cool, but hey, better than nothing, 4.5G) was video capability.

The services drive the speed, so the speed is just a consequence of the needs the technology has to address.

But if we limit ourselves to considering just the usual way we use the internet (Facebook, YouTube, YouPorn, LinkedIn, WeChat/Weixin, WhatsApp, Instagram, TikTok and so on), we could just add some megabytes more to our 4G (which is what 4.5G does, by the way), but here comes IoT.

IoT brings way more devices onto the internet, with their needs in terms of bandwidth, connectivity and quality of service. All of this requires new technology and, being ambitious, why not think of making this technology able to address even the LAN/WAN realm?

This is not so stupid: the telcos have always tried to gain space in the LAN/WAN market, and money can be a huge driver. The telcos’ activities with the enterprise were related to offering internet connectivity and voice services. The revenues for analog voice services were high, but VoIP lowered the income dramatically since it was cheaper, putting telcos in a difficult position. While internet broadband services for home users have been a good business, they require substantial infrastructure investments that are not always covered by the revenues, hence the digital divide.

But 5G can turn all this upside down, justifying the investment that was not so cool, because 5G means everything in the telcos’ hands!


If 5G is the backbone of IoT and Smart X, this means an incredibly big market for telcos, since telcos will provide 5G connectivity. This is why telco vendors are so interested in 5G; alas, this is also a world where security has always been a secondary issue, if not a neglected one, so we cannot expect that security will be addressed correctly if other players do not put their nose in.

From this point of view, governments and regulators could play a key role in leveraging security and privacy by design and by default in the 5G world design; alas, at the moment everything seems to be more focused on boring geopolitical issues than on the real stuff.


Among the 5G challenges, a few are easy to spot once we understand that 5G is the IoT backbone. Without the arrogance of pretending to be exhaustive, here are some that should, at least, be taken into serious consideration:

1) fast connectivity between devices, according to the device\service need. Not all IoT devices are born equal in terms of bandwidth, data processing, quality and sensitivity of data and so on, being able

2) segregation of traffic, meaning that every group of devices under a specific service instance should have its traffic isolated and protected from the others. I would not enjoy my personal photos being shared everywhere just because the IoT device is the home HDD storage where I keep them. Segregation of traffic is the minimum level of security we have to think of when we plan a broadband multiservice environment.

3) Quality of service is a key factor here: even if the bandwidth is incredibly huge, this does not mean there will be no latency or bandwidth bottlenecks, and some services have to be guaranteed no matter what. Telemedicine and telesurgery, just to name a couple, should be prioritized over watching YouTube.

4) authentication and authorization are no less important. In a heterogeneous environment we need to be able to authenticate and authorize, with the correct level of permission, every single device on every single service it needs to access, together with its user ownership. Failing this point means access for anyone…

5) multivendor environment: this can seem a minor issue, but in an ever-growing environment of connected devices, users and services, being able to guarantee that everything will work seamlessly is not so easy. Maybe someone remembers the issues with a famous leading network gear vendor and NIC speed/duplex auto-negotiation? "Standard" does not always mean standard, and this can open a serious breach in operations and security if not addressed correctly.

6) not everything will be 5G at the beginning, and probably by the time the legacy world ends we will be on 6G (which may get rid of part of the infrastructure by leveraging peer-to-peer connections directly at the device level) or 7G, with 5G as the old stuff. So 5G will have to deal with Ethernet as well as 4G as well as whatever comes in the future. A gateway between the different technologies is not so simple, since service definitions can differ.

7) in particular, the existing mobile environment and the LAN/WAN battlefield should be carefully considered: on one side we still have 3G, on the other side LAN\WAN vendors will fight back to keep their domains intact. So it will be an interesting battle where, again, standards and regulators could provide a little light at the end of the tunnel (hoping it is not the train).

More could be mentioned, but if I want to go on it is better to stop with this list.

If you are still reading, it means you are interested in the subject: I am impressed and thankful 🙂

So the backbone for IoT will be, at least at the beginning, the 5G network which, just to be clear, is still being implemented. If we look at the IoT definition:

The Internet of Things (IoT) refers to the ever-growing network of physical objects that feature an IP address for internet connectivity, and the communication that occurs between these objects and other Internet-enabled devices and systems.

we can then assume that internet connectivity will be more and more 5G,


which should now clarify why speed is just one of the many issues of 5G, and why 5G is not just bare connectivity but something that should manage services. So now we should understand what the word “service” means here.

Basically a service is a mix of devices, connectivity, data, processes and users that can be grouped somehow. There can be thousands, millions, billions of services under this simple definition (I know it is my own, but it is good enough for everyone to understand the point).

The main point is that services are not all the same: HTTP browsing can be a service under 5G, and so can video broadcasting, but the two are different in nature and in terms of requirements.


Different services have different needs, and for once speed can be a good example to understand the point: what is speed?

The very concept of speed can vary from service to service, so consider the automotive and smart road ideas. In this scenario we will have small pieces of critical data exchanged from one car to another and/or with the infrastructure, which have to be processed and transmitted as fast as possible. It seems easy, but we should consider that the cars are moving and the traffic can be largely unpredictable (I don’t know when someone will decide to get into the car and go somewhere, and I cannot predict whether external events will change road conditions: pedestrians crossing outside the dedicated areas, problems with the state of the road, potholes, weather, floods, earthquakes, Superman vs Batman and so on).

So here speed means, at least, very low latency, quick authentication and authorization, fast address resolution and reliability. Probably I should add geolocation and other critical points I am missing, but I think we get the idea.

On the other hand, if I have to move a big chunk of data, speed mainly means bandwidth, QoS and conflict resolution when several agents/objects/users are trying to move the same or nearby data. So if you are trying to align your data center with your new cloud one and want to move a huge pile of bytes, and your neighbor wants to do the same, we have to manage the bandwidth somehow…

Of course, if the need is just to browse and watch movies, your needs are focused (remember we are on 5G) on DNS response time and audio-video sync.

But since among a billion IoT devices there can be billions of services that do not exist yet, we need to create an environment able to define the needs in advance (or wait for 6G to implement the new services).

So, broadening the argument, 5G for IoT should, at least:

1) Segregate different services

Different classes of services should be independent of one another

Services should be arbitrary, and the required service set should be one of the parameters of a service definition

2) Allow QoS for the critical ones

Not all services are the same: internet browsing is not a truck running on a highway, and a surgical operation is not like watching porn on your phone

3) Provide strong security and management features for each service

Services should be identified

Authentication and authorization of services and users should be available and effective

4) Take into account security and privacy by design and by default

and so on

Different 5G scenarios require different analyses. Take as an example three easy ones to spot: your home environment, the smart road, and LAN\WAN substitution.

I love the home example because it is something even a non-IT-freak can understand. The photo depicts the world before and after 5G.

If you have internet at home you are probably in this scenario:

•We have one router to connect to the internet

•All devices internally connect via Wi-Fi/LAN

•When devices need to talk to each other they use their internal IP network on a private subnet

•When devices need to talk to the internet they call the router

•The internet router interfaces through the ISP to the internet, offering some security services and NAT

•Smart devices like smartphones use a double connection: Wi-Fi internally, SIM externally

•…

We know that if we want to see what we have on our local storage we move data internally (at least we hope so); our gateway to the internet is our router, which (should) provide some basic security stuff like firewalling and at least a minimum of authentication for internal Wi-Fi connectivity. We live in a private network where connectivity is basically Ethernet and Wi-Fi, and we go to the internet with a NATted address shared by all devices. Probably we have some devices that have no real internet exposure, others that go out just to look for updates, some that connect to a web service to let you check and configure things, and finally some that go to the internet by themselves for unknown reasons (Alexa-like, ROTFL). Ah, do not forget your smartphone, which has both Wi-Fi and your 4G\4.5G connection, with apps to manage both your internal LAN and the web interfaces of your LAN devices.

What will 5G change here? Of course everything, absolutely everything.

•Everything is directly on the internet

•All devices are able to connect directly to the 5G network and have public addresses

•Providers of 5G connectivity can be different and bound to users and/or devices

•Devices need to know their «internal» realm in order to understand which devices can be trusted or not for internal communication

•Different 5G providers have to guarantee device interoperability, segregation and security as if the devices were in a segregated LAN

•Internet communication should be controlled and monitored as if it were a single one
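The shift in the list above, from a LAN where the router's NAT border implicitly tells you who is «internal» to a 5G world where every device has a public address and must prove which realm it belongs to, as an added example that is not part of the original post. The home subnet, realm name, device names and payloads are made up; the membership proof is a per-device HMAC key provisioned by the owner, standing in for whatever a real deployment would use (certificates, SIM-backed credentials), since the shape of the check is the same.

```python
"""Added example (not from the original post): what the home router's NAT
border gives you for free today, and what has to replace it when every device
sits on 5G with its own public address. Subnet, realm, device names and
payloads are constructed for the example."""
import hashlib
import hmac
import ipaddress
import os

# Pre-5G home: the router is the border, so "is the peer on my private subnet"
# silently doubles as authentication for internal traffic (e.g. reading the NAS).
HOME_SUBNET = ipaddress.ip_network("192.168.1.0/24")  # constructed


def trusted_by_address(peer_ip: str) -> bool:
    """Old heuristic: whatever has an RFC 1918 address behind my NAT is 'mine'."""
    return ipaddress.ip_address(peer_ip) in HOME_SUBNET


# 5G home: the address carries no trust any more, so the owner enrols devices
# into a realm and gives each one its own key; a device proves membership by
# tagging every message with that key (HMAC here; certificates or SIM-backed
# credentials would do the same job in a real deployment).
def _to_sign(realm: str, device: str, nonce: bytes, payload: bytes) -> bytes:
    # Length-prefix every field so "a|bc" and "ab|c" cannot be confused.
    out = b""
    for part in (realm.encode(), device.encode(), nonce, payload):
        out += len(part).to_bytes(4, "big") + part
    return out


def sign_message(realm: str, device: str, key: bytes, payload: bytes) -> dict:
    """Sender side: realm, device id, fresh nonce, payload and HMAC-SHA256 tag."""
    nonce = os.urandom(16)
    tag = hmac.new(key, _to_sign(realm, device, nonce, payload), hashlib.sha256).digest()
    return {"realm": realm, "device": device, "nonce": nonce,
            "payload": payload, "tag": tag}


class Realm:
    """The owner's trust anchor: which devices belong and which key each one holds."""

    def __init__(self, name: str):
        self.name = name
        self.keys = {}            # device id -> per-device secret
        self.seen_nonces = set()  # replay protection (bounded/expiring in real life)

    def enroll(self, device: str) -> bytes:
        key = os.urandom(32)
        self.keys[device] = key
        return key

    def verify(self, msg: dict) -> bool:
        """Receiver side: accept only fresh messages tagged by an enrolled device."""
        if msg["realm"] != self.name or msg["device"] not in self.keys:
            return False                       # unknown realm or device
        if msg["nonce"] in self.seen_nonces:
            return False                       # replayed message
        expected = hmac.new(self.keys[msg["device"]],
                            _to_sign(msg["realm"], msg["device"], msg["nonce"], msg["payload"]),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return False                       # forged or tampered
        self.seen_nonces.add(msg["nonce"])
        return True


if __name__ == "__main__":
    # Pre-5G: the NAS is at 192.168.1.20, an outsider at 203.0.113.9.
    print(trusted_by_address("192.168.1.20"), trusted_by_address("203.0.113.9"))  # True False
    # 5G: the same NAS now answers from a public address, so the heuristic fails...
    print(trusted_by_address("198.51.100.20"))  # False
    # ...and realm membership takes over.
    home = Realm("home")
    nas_key = home.enroll("nas")
    good = sign_message("home", "nas", nas_key, b"list /photos")
    print(home.verify(good))  # True
    print(home.verify(good))  # False: replay of the same nonce
    forged = sign_message("home", "nas", os.urandom(32), b"list /photos")
    print(home.verify(forged))  # False: not the NAS's key
```

The replay and forgery cases are the point: once the address carries no trust, everything the router used to do implicitly (only my subnet can reach the NAS) has to be done explicitly at each device, for every internal message: identity, integrity and freshness. A single shared realm key would be simpler but would let any enrolled device impersonate any other, which is why each device gets its own.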

Autonomous driving and smart roads are actually as much fun as home networks, but for the opposite reason: here we are talking about something that does not exist yet, and the few tests and implementations are by no means a serious example of what the interaction of IoT vehicles means.

The reality at the moment is simple:

•Cars do not talk to each other

•Cars do not talk to the road infrastructure

•Roads use sensors for limited purposes (traffic lights, street lights)

•Limited information is provided over broadband connectivity (such as radio traffic information, where available)

•Internet connectivity is provided by the car SIM or the smartphone

•Some apps connect to the internet and provide directions, as navigators do

•Some apps can provide autonomous analysis of traffic

•…

While in a 5G world:

•All vehicles are 5G connected

•Different car services interact with the road infrastructure

•Cars and car devices are equipped with 5G capabilities from different 5G providers

•They need to be bound to the owner\owners

•They need to recognize trustworthy data sources

•They need to interoperate independently of the 5G provider

•They need to keep the services working even when crossing country borders

•…

With 5G the need for fast, reliable, ubiquitous and vendor\provider-independent connectivity is clear.

Maybe we should expect virtual SIMs configured to match the driver's needs, but what if two or more people share the same car? And what kind of interaction will there be with your smartphone and other smart devices?

Let's explore some considerations on the most slippery one, the third example: trying to move from LAN\WAN to 5G (the telcos’ dream).

What we have today (more or less):

•There is an internal (LAN) and an outside

•Internal services are protected by firewalls and other security technologies

•Connectivity is provided through a NIC or Wi-Fi using TCP/IP, usually leveraging private addressing and NAT to reach outside resources

•Internal resources are accessible directly internally, or through a web service\web interface externally

•Resources external to the LAN are accessible through the router/firewall after NAT and authentication/authorization

•Users external to the LAN connect to the internet through mobile broadband or through Wi-Fi

•To reach internal resources, users are identified and connected to the LAN through a VPN or other secure means

•…

Do I really need to describe the current situation? lol 🙂

What would change with 5G?

•Almost all devices are 5G connected

•Connectivity is provided by different 5G providers and can be public (using public infrastructure) or private (the 5G infrastructure is local)

•Interoperability has to be guaranteed regardless of 5G provider or device manufacturer

•Interoperability has to be guaranteed with the previous LAN/Ethernet environment

•Segregation of the internal devices has to be guaranteed as in a LAN

•Security devices should be able to work seamlessly regardless of the hybrid LAN/5G environment

•Mobile users should be able to be part of the internal network for the services in use, even if they are using their own device

•…

This scenario requires careful understanding, since we have all the security problems of a normal network implementation plus the fact that all devices can reach the internet directly and are directly exposed because of their addressing. Segmentation requires multiple levels, since some segments can be nested inside others (something like what we do today with VLANs), and all of this should communicate with the legacy world, since an immediate takeover of LAN\WAN by 5G is not credible. Moreover, the whole legacy security world should be able to interoperate with the new one.

This kind of scenario is compatible with full cloud adoption, and less agile with hybrid or fully local implementations.

Here security and privacy issues rise to the next level, since the disintegration of the concept of LAN, which started with the introduction of mobile users and BYOD, extends to almost every node, but with less clear control of what is going on.

5G security, if we understand some of the implications I mentioned before, embraces a much larger concept than people generally think. Here we are not just thinking about how to secure an encrypted communication channel, which is, by the way, a clear basic requirement, but about how to broker, manage and control the services that run on 5G.

I do not have an easy answer to this. I have seen different proposals to address such problems, for example a central security service broker that takes in all the requests and, according to rules, AI, magic and tricks, solves everything.

Of course, this service broker, hypervisor or whatever you want to call it should be able to communicate with external entities, delegate part of its configuration to third parties and so on. We are entering the realm of NFV security (if of any interest you can read my post on “NFV network function virtualization security considerations“) with a few more issues, and the attack surface is way wider than a simple: I cannot trust Chinese equipment.
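A toy version of the service broker just mentioned, added here as an example and not taken from the original post or from any real product. It implements the four requirements listed earlier in the post (segregate services, QoS for the critical ones, identify services, authenticate and authorize devices and users) as an explicit policy check followed by a priority allocator. Services, devices, owners, providers and rates are constructed for the example; the provider field is recorded but never consulted by the policy, because interoperating regardless of the 5G provider is itself one of the requirements.

```python
"""Added example (not from the original post): a toy central security service
broker that applies the four requirements (segregation, QoS, service identity,
device/user authorization) before a single byte moves. Everything below
(services, devices, owners, providers, rates) is constructed for the example."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Service:
    name: str
    priority: int         # 0 = most critical (telesurgery); higher = best effort
    min_rate_mbps: int    # floor granted before lower priorities get anything extra
    shared: bool = False  # True: devices of different owners may talk (smart road)


@dataclass
class Device:
    dev_id: str
    owner: str
    provider: str         # recorded only; policy never looks at it (provider-independent)
    services: set = field(default_factory=set)  # services the device is enrolled in


class Broker:
    def __init__(self):
        self.services = {}
        self.devices = {}

    def register_service(self, svc: Service):
        self.services[svc.name] = svc

    def register_device(self, dev: Device):
        self.devices[dev.dev_id] = dev

    def authorize(self, src_id: str, dst_id: str, service: str):
        """May src talk to dst under this service? Returns (ok, reason).
        Anything the broker cannot identify is denied rather than guessed."""
        svc = self.services.get(service)
        if svc is None:
            return False, "unidentified service"
        src, dst = self.devices.get(src_id), self.devices.get(dst_id)
        if src is None or dst is None:
            return False, "unregistered device"
        if service not in src.services or service not in dst.services:
            return False, "not enrolled in service"      # per-service segregation
        if not svc.shared and src.owner != dst.owner:
            return False, "owner binding mismatch"        # my NAS is not my neighbour's
        return True, "ok"

    def allocate(self, requests, capacity_mbps: int):
        """QoS over authorized flows only. requests: (src, dst, service, demand_mbps).
        Pass 1 hands out each service's floor, most critical first; pass 2 hands
        out what is left, still by priority. Denied flows are reported with a reason."""
        granted, denied, demand = {}, {}, {}
        for src, dst, service, mbps in requests:
            ok, reason = self.authorize(src, dst, service)
            if ok:
                granted[(src, dst, service)] = 0
                demand[(src, dst, service)] = mbps
            else:
                denied[(src, dst, service)] = reason
        by_priority = sorted(granted, key=lambda f: self.services[f[2]].priority)
        remaining = capacity_mbps
        for flow in by_priority:                                  # pass 1: floors
            give = min(self.services[flow[2]].min_rate_mbps, demand[flow], remaining)
            granted[flow] += give
            remaining -= give
        for flow in by_priority:                                  # pass 2: leftovers
            give = min(demand[flow] - granted[flow], remaining)
            granted[flow] += give
            remaining -= give
        return granted, denied


def build_demo_broker() -> Broker:
    """Constructed scenario: a home, a hospital link and a shared smart-road service."""
    b = Broker()
    for svc in (Service("telesurgery", priority=0, min_rate_mbps=50),
                Service("road-v2x", priority=1, min_rate_mbps=1, shared=True),
                Service("video", priority=2, min_rate_mbps=5),
                Service("home-storage", priority=3, min_rate_mbps=5)):
        b.register_service(svc)
    for dev in (Device("nas", "alice", "telco-A", {"home-storage"}),
                Device("phone", "alice", "telco-B", {"home-storage", "video"}),
                Device("tv", "alice", "telco-A", {"video"}),
                Device("neighbour-laptop", "bob", "telco-A", {"home-storage"}),
                Device("surgeon-console", "hospital", "telco-A", {"telesurgery"}),
                Device("robot-arm", "hospital", "telco-B", {"telesurgery"}),
                Device("car-alice", "alice", "telco-A", {"road-v2x"}),
                Device("car-bob", "bob", "telco-B", {"road-v2x"})):
        b.register_device(dev)
    return b


DEMO_REQUESTS = [  # (src, dst, service, demand in Mbps); all constructed
    ("phone", "nas", "home-storage", 500),             # bulk photo sync, best effort
    ("surgeon-console", "robot-arm", "telesurgery", 50),
    ("phone", "tv", "video", 25),
    ("neighbour-laptop", "nas", "home-storage", 10),   # same service, wrong owner
    ("car-bob", "car-alice", "road-v2x", 1),           # different owners, shared service
    ("tv", "robot-arm", "telesurgery", 10),            # tv is not enrolled
]

if __name__ == "__main__":
    granted, denied = build_demo_broker().allocate(DEMO_REQUESTS, capacity_mbps=100)
    for flow, mbps in granted.items():
        print("GRANT", flow, f"{mbps} Mbps")
    for flow, reason in denied.items():
        print("DENY ", flow, reason)
```

Running it prints the granted rate per flow and the reason for each denial: the telesurgery flow gets its full 50 Mbps floor first even though the bulk photo sync asked first, the neighbour's laptop is refused on owner binding although it is enrolled in the same service class, and the two cars of different owners are allowed only because road-v2x is declared shared. The strict two-pass allocation can be swapped for any scheduler you like; the security-relevant part is that policy is evaluated, per service and per device, before any bandwidth is handed out.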

Time to go to sleep. If you have read all this up to here, thanks; comments are very welcome.

Antonio

On IoT I also wrote:

The IoT Files: Intro

The IoT Files: IoT and Security

The IoT Files – IoT and Privacy

The IoT Files – Infrastructure

The IoT Files – IoT Business Models

The IoT Files: Culture

The IoT Files: is a small OS good for security?

The IoT Files: The need for cryptography in IoT

The IoT Files: the call for 5G

I have recently been interviewed on 5G issues, and this made me realize how confused the knowledge and understanding about 5G is.

Most of the time, when I hear mainstream media comment about 5G, I find on one side apologetic wonder at how this or that vendor with 5G can solve all human problems, and on the other side fears related strictly to the fact that 5G today means Chinese or European vendors: for the first time in years the USA is not technologically leading a strategic sector.

Even less do I hear about the link between 5G and IoT and what this means.

Generally speaking, most discussions on IoT focus on the devices and not on IoT as a system, and in most cases I seldom find considerations related to 5G implementation and security. This is quite annoying from my point of view, since security in IoT (I wrote about that in The IoT Files) is more than single-device security, and 5G security issues are not about Huawei spying on us.

And to tell the truth, from my point of view (Italian and European) it would not make much difference whether the spy comes from China, Russia, the USA or the UK.

The first problem is to understand whether there is a relationship between IoT and 5G. Well, the relationship is kind of simple: with the current technologies, IoT is heavily limited by connectivity, IP addressing and bandwidth issues. The aim of 5G is to overcome those limitations by offering broadband connectivity that can support IoT needs. This will require investment, a change of business models and… wait, for this go and read my previous IoT articles; I called them The IoT Files because there is so much to say that one article cannot cover everything.

Turning back to the point: 5G is the technology that can glue IoT together in terms of connectivity, but what does that mean? Well, when we hear about 5G we hear about how we can create smart cities, how we can connect cars together so they drive better and more safely with autonomous driving, and so on.

5G is exactly about this: allowing all of this to happen.


Almost everything you have heard about IoT requires 5G to become reality, because current mobile broadband is not suited to cover those needs: we are not talking about a test with a few cars that can communicate over 4G, but about billions of devices somehow interconnected, with different priority, bandwidth, security and privacy needs.

Basically anything recently referred to as “SMART something” and IoT will be bound to a technology that allows fast, secure and reliable data connections.

As of now, 5G is the answer, but there is a problem: the champions of 5G technology aren’t from the USA, and the biggest player is Chinese (Huawei holds the highest number of patents on 5G technology).


This thing, which could be irrelevant, is actually the big issue at the moment, so big that all serious consideration of 5G is relegated to an afterthought, a second-level line of thought.

Geopolitical, technological and economic issues are at the moment the rising stars, and make enough noise to cloud judgment and to divert attention from the serious issues.

I am not saying those are not problems, and I agree nations should try to defend themselves, but targeting the wrong point on 5G will not help to address correctly, “ab initio”, the complex problems that 5G will bring home. And the main reason behind this is that if you ask what 5G is, the answer is… just a faster mobile network.

If speed were the only reason behind 5G, I would kindly agree that geopolitical issues are the obstacles, but 5G is not just “speed”, it is way more, and the 5G security issue goes beyond the specifics of the connectivity offered at broadband level into the core of what 5G has been designed for: services.


We tend to think that mobile broadband development was only about more speed, but actually speed has never been the only target: speed and services have always developed hand in hand.

From a mobile perspective, 1G offered about 2.4 kbps and was designed to allow mobile phones; it was no less and no more than an extension of your home wired phone. Basic voice services over an analog protocol: low bandwidth was all we needed. The issues were more at the infrastructure level, so there was no time to bother with things that were not even in the customers' imagination at that time.

The real revolution arrives with 2G: it’s digital (GSM, CDMA), it can carry data, it’s more stable… a revolution. We were able to send text messages and see the caller's number, and who was not enjoying it? Some mobile phones even started to offer a graphic screen and games (like “Snake”). Who really cared about speed, which actually moved from 2.4 kbps to a few tens of kbps?

The nice thing about 2G is the introduction of the idea that mobile phones can be so much more than a simple device to make calls, and text messaging was there to prove it.

You see, when the consumer space sees the opportunity for cool stuff that can make the market big, the vendors will follow. With the pressure of the internet and the new services, a new need for data rose up, and here you have 3G.

3G was not only tremendously faster than its predecessor but was designed around the need to transfer data: no more simple text messages, you can have the internet on your phone now.

Again, the real difference from 2G was not “speed” but the kind of services you were bringing on board. So, as a natural evolution from the old internet, we moved to the new one with video, streaming, chatting and so on. A new class of services required something more, something new: 4G.

And as a matter of fact, besides speed, the real need behind 4G (or the not-so-cool but, hey, better-than-nothing 4.5G) was video capability.

Services drive speed, so speed is just a consequence of the needs the technology has to address.

But if we limit ourselves to the usual way we use the internet (Facebook, YouTube, YouPorn, LinkedIn, WeChat/Weixin, WhatsApp, Instagram, TikTok and so on), we could just add a few more megabits to our 4G (which is what 4.5G does, by the way), but here comes IoT.

IoT brings way more devices onto the internet, with their needs in terms of bandwidth, connectivity and quality of service. All of this requires new technology, and, being ambitious, why not think of making this technology able to address even the LAN\WAN realm?

This is not so stupid, the telcos have always tried to gain space in the LAN\WAN market, money can be a huge driver, the telco activities with the enterprise was related to offering connectivity to internet and voice service. The revenues for analog voice services were hight but VoIP lower dramatically the incomes since it was cheaper putting Telcos in a difficult position. If internet broadband services for home users have been a good business it requires substantial infrastructure investments that are not always covered by the revenues, hence the digital divide.

But 5G can turn all this upside down, justifying the investment that was not so cool, because 5G means all in telcos hands!

All typos are because I never read slides back, lol forgive me

If 5G is the backbone of IoT and Smart X this means an incredibly big market for telcos, since telcos will provide 5G connectivity. this is why telco vendors are so interested in 5G, alas this is a world also where security has always been a secondary issue if not a neglected one, so we cannot expect that security will be addressed correctly if other players will not put their nose in.

From this point of view governments and regulators could play a key role in leveraging security and privacy by design and by default in the 5G world design, alas at the moment all seems to be more focused on boring geopolitical issues than the real stuff

All typos are because I never read slides back, lol forgive me

In the 5G challenges, there are a few that are easy to spot if we understood that 5G is the IoT backbone. Without the lousy arrogance to think to be exhaustive here some that should, at least, taken into serious consideration:

1) fast connectivity between devices, this accordingly to the device\service need. not all IoT devices are born equal in terms of bandwidth, data processing, quality and sensitivity of data an so on, being able

2) segregation of traffic, that means every group of device that are under a specific service instance should have its traffic isolated and protected from the other ones. I would not enjoy my personal photo shared everywhere if the IoT device is my home HDD storage where I put them. segregation of traffic is the minimum level of security we have to think of when we plan a broadband multiservice environment.

3) Quality of service is a key factor here, even if the bandwidth is incredibly hudge this does not mean that there will be no latency or bandwidth bottlenecks, and some services have to be granted no matter what, telemedicine, telesurgery just to name a couple should be prioritized upon watching youtube.

4) authentication and authorization are not less important, we need in a heterogeneous environment bein able to authenticateand authorize with the correct level of permission every single device on every single service it needs to access and with its user ownership. failing this point will means access to anyone…

5) multivendor environment, this can seem a minor issue but in an ever-growing connected devices-users-services environment being able to reassure all the stuff will work seamlessly is not so easy. maybe someone remembers issues with a famous leading network gear vendor and the nic auto speed detection protocol? standard not always mean standard, but this can open a serious breach to operativity and security if not addressed correctly.

6) not all will be 5G at the beginning, and probably when the legacy world will end we will be on 6G (which will rid of part of the infrastructure leveraging peer to peer connection directly at the device level), 7G with 5G as the old stuff. so 5G will have to deal with ethernet as well as 4G as well as what will come in the future. A gateway between the different technologies is not so simple since service definition can differ.

7) in particular, the existing mobile environment and LAN/WAN battlefield should be carefully considered, form one side we still have 3G, form the other side LAN\WAN vendor will fight back to keep their domains intact. so will be an interesting battle where again, standards and regulators could drive a little light at the end of the tunnel (hoping it is not the train)

and more could be mentioned but if I want to continue better to stop with this list.

if you are here to read means you are interested in the subject, I am impressed and thankful 🙂

So the backbone for IoT will be, at least at the beginning, 5G network wich, just to be clear, is still on implementation. If we think of what is IoT definition:

The Internet of Things (IoT) refers to the ever-growing network of physical objects that feature an IP address for internet connectivity, and the communication that occurs between these objects and other Internet-enabled devices and systems.

we can try to assume then that internet connectivity will be more and more 5G

All typos are because I never read slides back, lol forgive me

which should now clarify why speed is just one of the many issued of 5G and why 5G is not just bare connectivity but something should manage services. so now we should understand what this “service” word means here.

Basically a service is a mix of devices, connectivity, data, process and users that can be grouped somehow. There can be thousands, millions, billions of services under this simple definition (i know is mine but worth everyone to understand the point).

the main point is that services are not all the same: HTTP browsing can be a service under 5G and video broadcasting as well, the 2 are different in nature and in terms of requirements.

All typos are because I never read slides back, lol forgive me

different services require different needs and for once speed can be a good example to understand the point: what is speed?

the very concept of speed can vary from service to service, so consider the automotive and smart road ideas. In this scenario, we will have a small piece of critical data exchanged from one car to another and/or the infrastructure that has to be processed and transmitted as fast as possible. seems easy but we should consider that the cars are moving and the traffic can be largely unpredictable (I don’t know when someone will decide to get into the car to go somewhere, I can not predict if external issues will modify viability as crossing pedestrian, not in the dedicated areas, problems with the state of the road, holes, weather, flood, heartquake, superman vs batman and so on)

So here speed means very low latency, quick authentication and authorization, fast address resolution, and reliability at least. probably I should add geolocation and other critical missing point but I think we have an idea.

On the same hands if I have to move a big chunk of data, well speed means mainly bandwidth, QoS and conflict resolution if more agents/objects/users are trying to move the same os nearby data. so if you are trying to align your data center with your new cloud one and you want to move some Coperbyte of data and as well your neighborhood want to do this well we have to manage the bandwidth somehow…

Of course, if the need is just to browse and watch movies your needs are focused (remember we are in 5G) on DNS response and video-voice sync.

But since in a billion IoT devices there can be billions of services that at the moment do not exist, we need to create an environment able to define the need in advance (or wait for 6G for new services implementation).

so broadening the argument here 5G for IoT should, at least:

1)Segregate different services

A different class of services should be independent one to the other

Services should be arbitrary and the service set required should be one of the services definition parameters

2)Allow QoS for critical ones

Not all services are the same, internet browsing is not a running truck on a highway, a surgical operation is not like watching porn on your phone

3)Provide strong security and management featured for each service

Service should be identified

Authorization and authentication of service and users should be available and effective

4)Take into account security and privacy by design and default

and so on

Different scenarios on 5G require different analyses take as an example 3 easy to spot: your home environment, smart road, LAN\WAN substitution.

I love the home example because is something even not IT freak can understand. the photo depicts the world before and after 5G

if you have the internet at home you are probably in this scenario:

We have one router to connect to the internet

•All devices internally connect via wifi/LAN

•When devices need to talk one to the other they use their internal IP network on a private subnet

•When devices need to talk to the internet the call the router.

•Internet router interface through ISP to the internet offering some security services and NAT

•Smart devices like smartphones use a double connection wifi internal/sim external

•…

We know if we want to see what we have in our local storage we move data internally (At least we hope so) our gateway to the internet is our router which (should) provide some basic security stuff as firewalling and a minimum authentication at least for wifi internal connectivity. We live in a private network where connectivity is basically ethernet and wi-fi and we go on the internet with a natted address shared by all devices. Probably we have some devices that do not have a real internet exposition, other that goes just to search updates, some that connect to a web service to allow you to check and configure things and finally some that go to the internet by themselves for unknown reason (Alexa like, ROTFL). Ah, do not forget your smartphone that has both wi-fi and your 4G\4.5G connection with apps to manage both your internal LAN and the web interfaces of your LAN devices.

what 5G will change here? of course everything absolutely everything.

Everything is already on the internet

•All devices are able to connect directly to the 5G network and have public addresses

•Providers of 5G connectivity can be different and bound to users and/or device

•Devices need to know their «internal» realm in order to understand which device can be trusted or not for internal communication

•Different 5G providers have to guarantee device interoperability, segregation and security as devices were in a segregated LAN

•Internet communication should be controlled and monitored as it was a single one

Autonomous driving and smart roads are actually as fun as home networks but for the opposite reason, here we are talking about something does not exist yet, and the few test and implementation, by all means, are not a serious example of what means interaction of IoT vehicles.

the reality at the moment is simple:

•Cars do not talk to each other

•Cars do not talk to the road infrastructure

•Roads use sensors for limited scope (traffic light, street light)

•Limited information is provided by broadband connectivity (as Radio Traffic where available)

•Internet connectivity provided by car SIM or smartphone

•Some app can connect to the internet and provide indications as navigators do

•Some apps can provide autonomous analysis of traffic

•…

while in a 5G world:

•All vehicles are 5G connected

•Different car-service interact with road infrastructure

•Cars and car devices are equipped with 5G capabilities from different 5G providers

•They need to be bound with the owner\owners

•They need to recognize trustable information data source

•They need to interoperate independently from the 5G provider

•They need to cover the services even when crossing country borders

•…

With 5G, the need for fast, reliable, ubiquitous and vendor/provider-independent connectivity is clear.

Maybe we should expect virtual SIMs configured to fit the driver's needs, but what if two or more people share the same car? And what kind of interaction should there be with your smartphone and other smart devices?

Let's explore some considerations on the most slippery of the three, the third example: trying to move from LAN/WAN to 5G (the telcos’ dream).

What we have today (more or less):

•There is an inside (the LAN) and an outside

•Internal services are protected by firewalls and other security technologies

•Connectivity is provided through a NIC or Wi-Fi using the TCP/IP protocol, usually leveraging private addressing and NAT to reach outside resources

•Internal resources are accessible directly from inside, or through a web service/web interface from outside

•Resources external to the LAN are accessible through the router/firewall after NAT and authentication/authorization

•Users external to the LAN connect to the internet through mobile broadband or through Wi-Fi

•To reach internal resources, users are identified and connected to the LAN through a VPN or other secure means

•…

Do I really need to describe the current situation? lol 🙂

What would change with 5G?

•Almost all devices are 5G connected

•Connectivity is provided by different 5G providers and can be public (using public infrastructure) or private (the 5G infrastructure is local)

•Interoperability has to be guaranteed regardless of the 5G provider or device manufacturer

•Interoperability has to be guaranteed with the previous LAN/Ethernet environment

•Segregation of the internal devices has to be guaranteed as in a LAN

•Security devices should be able to work seamlessly regardless of the hybrid LAN/5G environment

•Mobile users should be able to be part of the internal network for the services they use, even on their own devices

•…

This scenario requires careful understanding, since we have all the security problems of a normal network implementation plus the fact that all devices can reach the internet directly and are directly exposed because of their addressing. Segmentation requires multiple levels, since some segments can be nested inside others (something like what we use VLANs for today), and all of this should communicate with the legacy world, since an immediate takeover of 5G over LAN/WAN is not credible. Moreover, the whole legacy security world should be able to interoperate with the new one.

This scenario is compatible with full cloud adoption, and less agile with hybrid or fully local implementations.

Here security and privacy issues rise to the next level, since the disintegration of the concept of LAN, which started with the introduction of mobile users and BYOD, extends to almost every node, but with less clear control of what is going on.

5G security, if we understand some of the implications I mentioned before, embraces a far larger concept than what people generally think. Here we are not just thinking about how to secure an encrypted communication channel, which is, by the way, a clear basic requirement, but extending to how to broker, manage and control the services that run on 5G.
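To make the segmentation point concrete (the «internal» realm a device must know, the nested segments that replace today's VLANs, and internet traffic controlled as if it were a single one), here is an added example that is not part of the original post: a small Python model of a realm policy in which trust decisions depend only on device identity and realm enrolment, never on the (public or private) address. Realm names, device names, the egress point name and every address are constructed sample values for the demo.

```python
"""Toy realm-based segmentation for a hybrid LAN/5G estate (added example, not
the post's own code). Devices are trusted by identity and realm enrolment, not by
address; realms nest like VLANs; every internet-bound flow is forced through one
egress point; inbound from the internet is denied unless a realm says otherwise.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

EXTERNAL = "internet"  # pseudo-realm for anything outside the estate (constructed)


@dataclass(frozen=True)
class Device:
    dev_id: str    # stable identity (e.g. cert subject), the basis for every decision
    owner: str     # who the device is bound to
    provider: str  # 5G provider, or "lan" for a legacy Ethernet node
    address: str   # constructed sample address; deliberately never consulted
    realm: str     # innermost realm the device is enrolled in


@dataclass
class Realm:
    name: str
    parent: Optional[str] = None
    allow_from_parent: bool = False  # may devices of the enclosing realm reach in?
    internet: bool = True            # may members leave towards the internet at all?


class RealmPolicy:
    def __init__(self, realms: list[Realm], egress_point: str):
        self.realms = {r.name: r for r in realms}
        self.egress_point = egress_point  # the single, monitored internet choke point

    def chain(self, realm: str) -> list[str]:
        """Realm names from the innermost realm outward to the top-level site."""
        out, cur = [], realm
        while cur is not None:
            out.append(cur)
            cur = self.realms[cur].parent
        return out

    def decide(self, src: Device, dst: Device) -> tuple[str, str]:
        """Return (verdict, reason); verdict is allow, deny or via-egress."""
        if src.realm not in self.realms:       # unenrolled or external sender
            return "deny", f"{src.dev_id} is not enrolled in any realm"
        if dst.realm == EXTERNAL:
            for r in self.chain(src.realm):   # any enclosing realm may veto egress
                if not self.realms[r].internet:
                    return "deny", f"realm {r} forbids internet egress"
            return "via-egress", f"forced through {self.egress_point}"
        if dst.realm not in self.realms:
            return "deny", f"{dst.dev_id} is not enrolled in any realm"
        if src.realm == dst.realm:             # provider and address are irrelevant
            return "allow", "same realm"
        if dst.realm in self.chain(src.realm):  # outward, to an enclosing realm
            return "allow", f"{dst.realm} encloses {src.realm}"
        dst_chain = self.chain(dst.realm)
        if src.realm in dst_chain:              # inward: every nested realm must opt in
            inner = dst_chain[: dst_chain.index(src.realm)]
            if all(self.realms[r].allow_from_parent for r in inner):
                return "allow", f"{dst.realm} accepts traffic from {src.realm}"
            return "deny", f"{dst.realm} does not accept traffic from {src.realm}"
        return "deny", "disjoint realms"


def build_demo() -> tuple[RealmPolicy, dict[str, Device]]:
    """Constructed sample estate: a site with an office realm and a closed OT realm."""
    policy = RealmPolicy(
        realms=[
            Realm("acme-site"),
            Realm("acme-office", parent="acme-site", allow_from_parent=True),
            Realm("acme-ot", parent="acme-site", allow_from_parent=False, internet=False),
        ],
        egress_point="acme-egress-gw",
    )
    devices = {
        "laptop":     Device("laptop",     "alice", "telco-a",  "2001:db8:a::10", "acme-office"),
        "printer":    Device("printer",    "acme",  "lan",      "10.0.1.20",      "acme-office"),
        "fileserver": Device("fileserver", "acme",  "lan",      "10.0.0.5",       "acme-site"),
        "plc":        Device("plc",        "acme",  "telco-b",  "2001:db8:b::5",  "acme-ot"),
        "hmi":        Device("hmi",        "acme",  "telco-a",  "2001:db8:a::77", "acme-ot"),
        "stranger":   Device("stranger",   "bob",   "telco-a",  "2001:db8:a::11", "unenrolled"),
        "website":    Device("website",    "ext",   "internet", "203.0.113.9",    EXTERNAL),
    }
    return policy, devices


def demo_decisions() -> dict[str, tuple[str, str]]:
    """Evaluate a fixed set of sample flows; keys are 'src->dst'."""
    policy, d = build_demo()
    flows = [("laptop", "printer"), ("laptop", "fileserver"), ("laptop", "plc"),
             ("hmi", "plc"), ("fileserver", "printer"), ("fileserver", "plc"),
             ("stranger", "laptop"), ("laptop", "website"), ("plc", "website"),
             ("website", "laptop")]
    return {f"{s}->{t}": policy.decide(d[s], d[t]) for s, t in flows}


if __name__ == "__main__":
    for flow, (verdict, reason) in demo_decisions().items():
        print(f"{flow:22} {verdict:10} {reason}")
```

The interesting rows are the ones an address-based firewall would get wrong: the laptop on telco-a and the legacy printer on the LAN talk freely because they share a realm; the stranger, whose telco-a address sits right next to the laptop's, is denied because it is enrolled nowhere; the PLC is unreachable from the enclosing site realm and cannot reach the internet at all, while the laptop's web traffic is not simply allowed but tagged to traverse the one egress point where it can be monitored.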

I do not have an easy answer to this. I have seen different proposals to address such problems, for example a central security service broker that takes into account all the requests and, according to rules, AI, magic and tricks, solves everything.

Of course, this service broker, hypervisor or whatever you want to call it should be able to communicate with external entities, delegate part of its configuration to third parties and so on. We are entering the realm of NFV security (if of any interest, you can read my post on “NFV network function virtualization security considerations”) with some additional issues, and the attack surface is far wider than a simple “I cannot trust Chinese equipment”.

Time to go to sleep. If you read all this till here, thanks; comments are very welcome.

Antonio

On IoT I also wrote:

The IoT Files: Intro

The IoT Files: IoT and Security

The IoT Files – IoT and Privacy

The IoT Files – Infrastructure

The IoT Files – IoT Business Models

The IoT Files: Culture

The IoT Files: is a small OS good for security?

The IoT Files: The need for cryptography in IoT