Rakuten Symphony has written an 8,000-word guide on Open RAN security – The Definitive Guide to Open RAN Security – that is now available to download on this page.
To find out more about the Guide and Open RAN Security as a topic, we spoke to Nagendra Bykampadi, who is Head of Security Architecture and Standards at Rakuten Symphony. He is also Co-chair of the O-RAN Alliance Security Work Group. We wanted to know why the company had produced the guide, who it was aimed at, and why you, our readers, should download it.
Why have you produced this Security Guide? Is it intended to sway policy debates, or serve as an operations guide, or a bit of both?
We created The Definitive Guide to Open RAN Security as a direct answer to the continued debate and swirling questions about whether Open RAN is secure. We know Open RAN is as safe as technology can be, because we’ve successfully secured more than 50,000 sites across our network in Japan. The techniques we’re using are rooted in cloud security strategies that have been long proven to keep other mission critical industries like e-commerce, finance, government, healthcare and others safe. As next-gen telecom networks are deployed, we hope this guide can move the industry past a conversation focused on ‘if’ to a more helpful one focused on ‘how.’ Open RAN security will continue to evolve but we believe there now exists a set of security measures comprehensive enough to serve as the basis for a sound Open RAN security strategy that can be deployed by any MNO.
Can you explain what is fundamentally different about Open RAN security, compared to current or traditional operations – such that you saw the need for this Guide?
Any industry moving to a new architecture or operational model introduces new security risks that need to be protected. Open RAN is built on a foundation of open protocols alongside recommended cloud native technologies. O-RAN Alliance supplements 3GPP specifications by defining security requirements and controls for O-RAN-specific interfaces and network functions. In the case of securing Open RAN, it is not as simple as relying solely on interoperability standards defined by O-RAN Alliance and 3GPP. Rather, we advocate for a holistic approach that augments standards-compliant security measures with additional security controls that are based on well-known industry best practices. Coupled with continuous collaboration amongst ecosystem partners, the best security and privacy strategies can be set based on individual regulatory and market context. We published this 8,000-word guide to dispel any notion there is not a clear path forward.
The Guide says it is based on Rakuten Mobile’s experiences, and operations. Is that experience transferable to other operators?
The four years of experience that our guide is based on is 100% transferable to other MNOs. That is the beauty of working with open technologies and collaborating with the expanding communities that support them. In fact, these strategies define our approach to security in a range of greenfield and brownfield MNO engagements we support today.
If operators already have security practices in place for cloud native infrastructure, can they apply those to Open RAN workloads?
From the cloud native perspective, yes. The only addition with Open RAN is standardised protocol interfaces and API endpoints. Standard accessibility, security certification and zero trust policies can and should be applied. Protecting cloud native infrastructure is critical for protecting all of the workloads like Open RAN operating within the infrastructure. Our guide identifies the specific principles and requirements that influence the security solutions we propose. Solutions that are identified to protect the cloud native infrastructure are broadly based on a well-known set of security practices already available and practiced in other industries. Therefore, there is nothing specific or unique to protecting Open RAN workloads. Operators are encouraged to use our guide as a reference when evaluating security practices and approaches.