The 5G-ENSURE Security Architecture focuses on a logical and functional architecture, motivated by general trends such as network deperimeterisation and by the strong dependency of 5G systems on software-defined networking and virtualisation in general.
The security architecture builds on and extends the current 3GPP security architecture. The “logical dimension” of our architecture first of all captures the security aspects associated with the various domains involved in delivering services over 5G networks. This part is therefore also strongly associated with the 5G-ENSURE trust model. Additionally, the logical part captures the security aspects associated with network layers and/or special types of network traffic which, in our architecture, are associated with different strata. The “functional dimension” of our architecture comprises a set of security capabilities required to protect and uphold the security of the various domains and strata. In the functional dimension, we build on the 3GPP-defined security feature groups and introduce security realms. 5G-ENSURE has extended and refined these concepts to adapt them to a 5G context.
One of the goals of the architecture work within 5G-ENSURE has been to provide a clear rationale for the architecture’s structure and features. High-level security problems relevant in a 5G context are first identified and then broken down into a manageable set of security objectives for a 5G security architecture. From these objectives the high-level architecture is derived, and only after that stage do detailed requirements enter the discussion (many of them defined in the work on risk assessment, mitigation and requirements).
The 5G security architecture models the network and its security functionality in terms of domains, strata, security realms and security control classes. The security architecture design is based on security objectives related to the architecture itself. The security architecture is extensible and flexible and can be adapted to future developments in 5G networking as new domains, strata, security realms and security control classes are defined to capture new network architectures, services and functions.
The applicability of the security architecture has been demonstrated by mapping the 3GPP 5G logical network architecture and the enablers developed by 5G-ENSURE onto the security architecture.
Guidance on how to implement required security controls is also given in a discussion of design principles and recommendations.