Nowadays one of the most used terms in the field of telecommunications, transactions and any interaction between entities is trust. Trust, closely linked to security since several security properties are based on it, consists of a series of characteristics that allow confidence to be established in an entity. These characteristics are, mainly:
- That entity is who/what it says it is.
- It is configured and behaves as expected.
- It has allowed access to the requested resource.
- It is entitled to perform the actions it is currently taking.
One of the main challenges is that, traditionally, once an entity gained access, for example, to a network, the previous characteristics were assumed to hold for as long as that entity kept its access. This meant that, over that time, that person or machine could carry out malicious actions, such as escalating privileges, leading to a security breach. Furthermore, a person may meet the previously mentioned requirements at the moment of connecting, but later, while still connected to the network, some of these characteristics may be compromised.
To address the challenge just described, the concept of trust has been built into the security posture itself, resulting in what is called Zero Trust architecture. The main feature of this new philosophy is to question a series of points each time a resource is requested: specifically, the identity of the user and the identity and health of the device. In this way, the network ensures that the person is trustworthy, that the infrastructure from which the request comes is not compromised and that the device is in a normal state. Logically, a series of policies that are constantly updated are used to determine this. The network progressively learns and improves the way in which possible anomalies can be detected. By reducing the implicit trust in an IT environment almost to zero, the risk of malicious presence and behaviours is also greatly reduced. This is why it is called Zero Trust, since it is an approach where no user, device or resource is trusted by default.
Zero Trust architecture represents an evolution in the security approach. Traditionally, through elements such as firewalls or gateways, a perimeter of security and trust could be established in the infrastructure. As users migrated to mobile devices, perimeters began to become more difficult to distinguish. Finally, these perimeters completely disappeared with the rise of cloud computing and the Internet of Things. The adoption of a Zero Trust network architecture brings us closer not only to no longer needing these perimeters, but also to achieving other very notable advantages:
- It enables organizations to improve their business agility by securely embracing the cloud.
- It leaves no unprotected parts in the infrastructure as it covers all possible points of attack, from users to endpoints, subnets and resources.
- It requires less administration, fewer skills and lower costs than other types of network defences.
- It is capable of detecting potential risk behaviors that would normally be very difficult to detect through traditional processes.
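The per-request evaluation described above can be made concrete with a small policy engine. The following is an added example written for this article; it is not code from the HORSE project or its RTR module, and every user, device, resource and policy rule in it is a constructed assumption. It contrasts the traditional perimeter model (one check at connection time, then trust for the whole session) with a Zero Trust decision that re-checks identity, device posture and authorization on every request, so that a device whose endpoint agent stops mid-session loses access to sensitive resources immediately.

```python
"""Per-request Zero Trust policy evaluation.

Added example, not code from the HORSE project or its RTR module. All
identities, device attributes, resources and policy rules below are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class User:
    user_id: str
    roles: frozenset
    mfa_verified: bool


@dataclass
class Device:
    device_id: str
    enrolled: bool          # known to the organisation's device inventory
    patched: bool           # OS at the required patch level
    disk_encrypted: bool
    edr_running: bool       # endpoint agent alive and reporting


# Constructed policy: resource -> requirements checked on every request.
POLICY = {
    "/billing/export": {"roles": {"finance"}, "actions": {"read"},
                        "mfa": True, "healthy_device": True},
    "/wiki": {"roles": {"staff", "finance"}, "actions": {"read", "write"},
              "mfa": False, "healthy_device": False},
}


def device_healthy(d: Device) -> bool:
    """Device health: every posture attribute must hold right now."""
    return d.enrolled and d.patched and d.disk_encrypted and d.edr_running


def evaluate(user: User, device: Device, resource: str, action: str) -> Tuple[bool, str]:
    """Decide one request from scratch: identity, device, authorization, action.

    Nothing is inherited from earlier requests, which is what makes a
    mid-session change of device state or role take effect immediately.
    """
    rule = POLICY.get(resource)
    if rule is None:
        return False, "default deny: no policy for resource"
    if not (user.roles & rule["roles"]):
        return False, "identity lacks required role"
    if rule["mfa"] and not user.mfa_verified:
        return False, "MFA required"
    if not device.enrolled:
        return False, "device not enrolled"
    if rule["healthy_device"] and not device_healthy(device):
        return False, "device posture check failed"
    if action not in rule["actions"]:
        return False, f"action '{action}' not permitted on resource"
    return True, "allowed"


def perimeter_session(user: User, device: Device, requests: List[Tuple[str, str]]) -> List[bool]:
    """Traditional model for contrast: one check when the session is opened,
    then the same answer for every later request whatever has changed."""
    admitted = device.enrolled and bool(user.roles)
    return [admitted for _ in requests]


def zero_trust_session(user: User, device: Device, requests: List[Tuple[str, str]]) -> List[bool]:
    """Zero Trust model: every request is evaluated independently."""
    return [evaluate(user, device, res, act)[0] for res, act in requests]


def demo() -> dict:
    """Constructed scenario: the EDR agent dies after the first request."""
    alice = User("alice", frozenset({"finance"}), mfa_verified=True)
    laptop = Device("lt-0042", enrolled=True, patched=True, disk_encrypted=True, edr_running=True)
    first = evaluate(alice, laptop, "/billing/export", "read")
    laptop.edr_running = False                           # posture drifts mid-session
    second = evaluate(alice, laptop, "/billing/export", "read")
    third = evaluate(alice, laptop, "/wiki", "read")     # low-risk resource still allowed
    return {"first": first, "second": second, "third": third}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name}: {'ALLOW' if ok else 'DENY'} ({why})")
```

The design point is that `evaluate` never caches a previous decision: the posture drift in `demo` is caught on the very next request, whereas `perimeter_session` keeps returning the connect-time answer. A real deployment would replace the in-memory posture fields with signals from the device-management and endpoint agents, but the decision shape stays the same.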
In the HORSE project, trust is considered in different core modules of the architecture to ensure it is maintained across domains. We introduce a new module for 6G systems that is dedicated to implementing the primitives for the provision of trust. This module, called RTR (Reliability, Trust and Resilience Provisioning), is in charge of the authentication and authorization of the different parties, and also of the identification and assessment of security risks, implementing and applying mitigation and prevention tactics for the security issues detected. This is not a surprise, since currently all environments must have either clearly defined trust characteristics or a module specifically dedicated to them.
In addition to the implementation of trust in infrastructures, it is possible to implement trust mechanisms and strategies in any software or component. For example, also in the context of the HORSE architecture for future 6G wireless and computing systems, an asset called e-Licensing Manager was presented, which could complement and help the RTR module. It allows xNF (Network Function) vendors to monitor the use of their software products by telecom operators under different licensing schemes, to better control their benefits. This use of software products occurs in a trustworthy manner, since there is constant control that the person or entity that instantiates and is using the software component (e.g. an xNF) has the right to do so.
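The "constant control" described in the paragraph above amounts to an entitlement check at instantiation time plus a periodic re-check while the component runs. The following is an added example illustrating that pattern; it is not the e-Licensing Manager's code, and the token format, the HMAC key, the vendor and operator names and the instance limit are all constructed assumptions. A signed license body lets the operator side verify, without trusting its own copy of the data, who the license was issued to, which xNF it covers, how many instances may run and until when; tampering with any field invalidates the signature.

```python
"""License entitlement check for a network function (xNF).

Added example, not the HORSE e-Licensing Manager's code. The token format,
the HMAC key and the names below are constructed assumptions. A production
manager would use an asymmetric signature so the vendor keeps the private
key and operators only hold the public verification key.
"""
import hashlib
import hmac
import json
from typing import Dict, Tuple

# Constructed vendor signing key (shared secret for the demo only).
VENDOR_KEY = b"demo-vendor-key-not-a-real-secret"


def canonical(license_body: dict) -> bytes:
    """Stable byte encoding so signer and verifier hash the same bytes."""
    return json.dumps(license_body, sort_keys=True, separators=(",", ":")).encode()


def issue_license(body: dict, key: bytes = VENDOR_KEY) -> dict:
    """Vendor side: sign the license body so the operator cannot alter it."""
    sig = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


class LicenseManager:
    """Operator side: verifies entitlement and tracks running instances."""

    def __init__(self, key: bytes = VENDOR_KEY):
        self.key = key
        self.active: Dict[str, int] = {}   # license id -> running instances

    def verify(self, token: dict, licensee: str, xnf: str, now: int) -> Tuple[bool, str]:
        body = token.get("body", {})
        expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token.get("sig", "")):
            return False, "bad signature"
        if body.get("licensee") != licensee:
            return False, "license issued to a different operator"
        if body.get("xnf") != xnf:
            return False, "license covers a different xNF"
        if now >= body.get("expires", 0):
            return False, "license expired"
        return True, "valid"

    def instantiate(self, token: dict, licensee: str, xnf: str, now: int) -> Tuple[bool, str]:
        """Check at start-up: valid token and free instance slot."""
        ok, why = self.verify(token, licensee, xnf, now)
        if not ok:
            return False, why
        lid = token["body"]["license_id"]
        if self.active.get(lid, 0) >= token["body"]["max_instances"]:
            return False, "instance limit reached"
        self.active[lid] = self.active.get(lid, 0) + 1
        return True, "instantiated"

    def heartbeat(self, token: dict, licensee: str, xnf: str, now: int) -> Tuple[bool, str]:
        """Periodic re-check while running; a denial means the instance is stopped."""
        ok, why = self.verify(token, licensee, xnf, now)
        if not ok:
            self.release(token)
        return ok, why

    def release(self, token: dict) -> None:
        lid = token["body"]["license_id"]
        self.active[lid] = max(0, self.active.get(lid, 0) - 1)


def demo() -> dict:
    """Constructed scenario: two allowed instances, then limit, forgery, expiry."""
    body = {"license_id": "L-001", "vendor": "ExampleVendor", "xnf": "vFirewall",
            "licensee": "operator-a", "max_instances": 2, "expires": 1_800_000_000}
    token = issue_license(body)
    mgr = LicenseManager()
    t = 1_700_000_000
    out = {
        "first": mgr.instantiate(token, "operator-a", "vFirewall", t),
        "second": mgr.instantiate(token, "operator-a", "vFirewall", t),
        "third": mgr.instantiate(token, "operator-a", "vFirewall", t),
    }
    # Operator edits max_instances without re-signing: signature no longer matches.
    forged = {"body": dict(body, max_instances=99), "sig": token["sig"]}
    out["forged"] = mgr.instantiate(forged, "operator-a", "vFirewall", t)
    # Another operator presents the same token.
    out["wrong_licensee"] = mgr.instantiate(token, "operator-b", "vFirewall", t)
    # After expiry the heartbeat fails and the instance is counted out.
    out["expired"] = mgr.heartbeat(token, "operator-a", "vFirewall", 1_900_000_000)
    out["active"] = mgr.active["L-001"]
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Every decision is recomputed from the signed body, so the operator's own records (the `active` counter) only ever govern capacity, never entitlement. The heartbeat is what turns a one-off check into the continuous control the paragraph describes: an instance that outlives its license is denied on the next re-check rather than running until restart.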
There are many reasons that lead us to implement trust strategies, not least the habits that users have adopted in the last decade. Many purchases that a user makes occur on the Internet, sometimes from another user. These transactions require trust measures. Access to valuable resources through digital currency platforms also needs these types of strategies. In general, the evolution of the way in which users use their devices and their online habits forces us to create scenarios where the identity of the elements is constantly verified, to protect end users as well as platforms and networks.