Securing NFV - IEEE, grouper.ieee.org/groups/srpsdv/meetings/2014 December...

Securing NFV

Rob Marson/Anton Kaska
IEEE SRPSDVE Study Group
November 2014

Copyright © 2014 Nakina™ Systems Inc. All Rights Reserved.


What’s Missing?


•  Network as a shared pool of programmable resources

•  Management without borders

•  Agile IT processes for network and service management

•  Low Touch: more automation

NFV is a Significant Transformation of Networks and Processes

Many Benefits: Operations and Equipment Savings, New Service Innovations


Will the Promises be Realized?

•  NFV must become “operationalized”

•  Complex access and policy management

•  New virtualized network vulnerabilities and threats

Security May Become the Major Barrier to NFV Adoption


Image: Cyan, ETSI

Virtual Network Functions require secure access. VNFs could belong to different end customers, users. Unique policies and access management needs.

Virtual Network Infrastructure supports all services: maintaining integrity is vital.

Multiple management interfaces to secure. Interplay, policies, etc.

Securing NFV: Many Layers and Dimensions to Consider

Multiple Management and Orchestration sub-domains. Multiple orchestrators and VNF Managers possible. Which systems can communicate to physical and virtual resources? To each other?

Implementations will Vary by Operator


[Diagram labels: POP/Office; Regional Data Center; Premises/Edge Data Center/CO; Remote Data Center/CO; Premise NFVI; NFVI; Managed CPE; VNF; Service Provider; Customer]

•  Remote physical and virtual environments

•  Protecting VNF and NFVI integrity vital

•  Multi-tenancy management, access controls

•  Domain isolation: CPE, NFVI and VNF

Don’t Forget Multi-Site NFV


Potential Security Implications

| Observations | Implications |
| --- | --- |
| Multi-tenancy | Must ensure that users and autonomous systems have correct access privileges. |
| Multiple layers of interdependency between VNFs, NFVI, OSS | More policy management rules, more forensic logging. |
| Roles/responsibilities (some silos will continue to exist): no single recipe | Flexible access management systems needed: processes will vary by operator. |
| Autonomous systems, dynamic network configuration changes | Policies must extend to humans and machines; more logging, more snapshots required. |
| Multi-Site NFV: services extend beyond the data center, and over hybrid networks | End-to-end, service-oriented view of security necessary. |


NFV Security Must Not be a Weak Link


Complexity Should Not Outweigh Benefits


Some Parting Comments and Thoughts

•  Securing NFV must not be an afterthought if full benefits are to be realized.

•  Flexible access management strategies needed: there is no single recipe, processes vary by operator, by service, by region.

•  The definition of Identity Access Management must extend to systems, as well as people.

•  People are not going away: humans will continue to access virtual networks.

•  What are some future compliance considerations?

NFV Transformation will Occur; the Degree of Success Depends on Making it Operational.


END