PARTNER CONTENT: Telco security leaders face a challenging future. Not only must they support essential new revenue-generating plans, but they must do so against the backdrop of a rapidly expanding attack surface, a fast-evolving threat landscape, and growing IT and business complexity. It’s a world in which the old certainties of perimeter-based cybersecurity are gone. And one which Zero Trust was built for.
But the journey to Zero Trust is a complex, multi-year endeavour. And one which must feature encryption to protect data and continually and securely authenticate users and devices. The question is how to achieve this kind of strong encryption in a future-proof way that aligns with Zero Trust. It must be dynamic, standards-based and agile enough to mitigate the security risks of today, and tomorrow.
Why it matters
Zero Trust is not a new concept. But thanks to a push by the US government, and the incorporation of Zero Trust principles into Secure Access Service Edge (SASE) offerings, adoption has gained momentum over recent years. It speaks to the IT environment that many telcos and enterprises currently operate: one embracing cloud and edge computing, Internet of Things (IoT) and remote or hybrid working.
It is a world in which the idea of building a wall around enterprise IT assets and defending them from external threats has become virtually obsolete. Instead, the Zero Trust mantra is to assume breach, never trust and always verify. Among other things, it relies on micro-segmentation of networks to contain the blast radius of potential breaches, and dynamic access management to understand who is accessing what, from which device/machine, and when. Encryption is mandated in this approach, to safeguard data at rest and in transit, and support micro-segmentation, least privilege access and device and user identity checks.
“You’ve now got stuff in the cloud. You’ve got a variety of different technologies at the edge. You’ve got people working remotely. You’ve got all sorts of different scenarios that don’t really lend well to the old castle-and-moat model,” explains Arqit Director of Professional Services, Phil Burn. “Never trust, always verify is about continuously checking endpoints in different ways to make sure that you know they’re trusted rather than just being inherently trusted. It’s asking questions like, what is the endpoint? What resources is it accessing? Who is accessing them? Where are they located? What time is it? And is that normal?”
In mitigating risk like this, Zero Trust is as relevant to a public telco network as it is to a private 5G network. And it aligns neatly with the risk-based approach to cybersecurity that global regulators increasingly want to see from organisations. The potential use cases are almost limitless.
The problem with traditional solutions
The challenge for telcos is making this a reality without compromising on scalability, performance and security. The legacy hardware and software that permeate most networks make the Zero Trust transition challenging, time consuming and resource intensive. That’s why security leaders are looking for solutions which are lightweight, standards-based and support existing protocols—reducing the need for “rip and replace”.
The Zero Trust Architecture (ZTA) philosophy demands that all traffic be encrypted, that encryption keys be rotated often, and that a “crypto-agile” approach be taken to stay ahead of emerging threats. That is a big ask for many existing market solutions. Public Key Infrastructure (PKI)-based offerings, built on asymmetric algorithms such as RSA and elliptic-curve cryptography, offer automation and usability but are not “quantum safe”: a cryptographically relevant quantum computer (CRQC) running Shor’s algorithm could recover the private keys, and with them any session keys those keys protected. Experts already believe threat actors are performing “harvest now, decrypt later” attacks, recording encrypted traffic today so that it can be unmasked once such a machine exists.
Symmetric, pre-shared encryption keys, on the other hand, hold up against known quantum attacks (Grover’s algorithm only halves the effective key length, so AES-256 retains 128 bits of security), but they are usually long-lived, distributed out of band and therefore harder to manage securely. In Zero Trust, being able to quickly revoke a key suspected of compromise is essential, and that is difficult with many symmetric key systems. A key that lives for years and is shared across many connections also sits uneasily with “least privilege”, which calls for narrowly scoped, granular access control.
Zero Trust plus quantum safety
This is where the Arqit SKA-Platform™ comes in. The platform uses a lightweight software agent so that the endpoints themselves generate unique keys, which are used to authenticate devices and establish secure network connections. The authentication and encryption keys are fully symmetric, which keeps them out of reach of the quantum attacks on public-key algorithms. They are also ephemeral (short-lived), so they can be rotated as often as needed to mitigate the risk of device spoofing and to support the continuous verification and least-privilege policies that are central to Zero Trust.
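To make the contrast between a long-lived pre-shared key and ephemeral, rotated symmetric keys concrete, the following is an added example written for this page; it is not Arqit’s code and does not reproduce the SKA-Platform’s protocol. It assumes a constructed cipher (an HMAC-SHA256 counter keystream with an HMAC tag, standing in for a real AEAD such as AES-GCM), three constructed session plaintexts, and a random initial chain key whose provisioning is out of scope. An adversary records every session and later steals the endpoint’s current key material; the two functions count how many of the recorded sessions that theft unlocks.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

TAG_LEN = 16  # truncated HMAC-SHA256 authentication tag

# Constructed sample traffic: three sessions an adversary records off the wire.
SESSIONS: List[bytes] = [
    b"session 1: subscriber billing export",
    b"session 2: RAN configuration push",
    b"session 3: core network audit log",
]


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter keystream (stand-in for a real cipher)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> Tuple[bytes, bytes]:
    """Encrypt-then-MAC under a symmetric key; returns (nonce, ciphertext || tag)."""
    nonce = os.urandom(12)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce, ct + tag


def decrypt(key: bytes, nonce: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the tag does not verify under this key."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return _keystream_xor(key, nonce, ct)


def ratchet(chain_key: bytes) -> Tuple[bytes, bytes]:
    """One-way symmetric ratchet: (next_chain_key, message_key) from the current chain key.
    Knowing next_chain_key reveals neither chain_key nor message_key, because HMAC is one-way."""
    next_chain = hmac.new(chain_key, b"next-chain", hashlib.sha256).digest()
    message_key = hmac.new(chain_key, b"message-key", hashlib.sha256).digest()
    return next_chain, message_key


def sessions_exposed_with_psk() -> int:
    """Long-lived pre-shared key: every session is protected by the same key."""
    psk = os.urandom(32)
    recorded = [encrypt(psk, m) for m in SESSIONS]   # harvested now
    stolen = psk                                      # endpoint compromised later
    return sum(decrypt(stolen, n, c) is not None for n, c in recorded)


def sessions_exposed_with_ratchet(lookahead: int = 1000) -> int:
    """Ephemeral keys: each session gets a fresh message key that is discarded after use."""
    chain = os.urandom(32)   # assumed initial device secret; how it is provisioned is out of scope
    recorded = []
    for m in SESSIONS:
        chain, message_key = ratchet(chain)
        recorded.append(encrypt(message_key, m))
        del message_key      # ephemeral: only the advanced chain key is retained on the device
    stolen = chain           # attacker obtains the device's key state after session 3
    # The attacker can only walk the ratchet forward: derive future message keys and try each.
    candidates = []
    state = stolen
    for _ in range(lookahead):
        state, mk = ratchet(state)
        candidates.append(mk)
    return sum(any(decrypt(k, n, c) is not None for k in candidates) for n, c in recorded)


if __name__ == "__main__":
    print("PSK:     recorded sessions readable after compromise =", sessions_exposed_with_psk())
    print("Ratchet: recorded sessions readable after compromise =", sessions_exposed_with_ratchet())
```

With the pre-shared key, one compromise unlocks every recorded session; with per-session keys that are deleted after use, the stolen state yields nothing already captured. The flip side is that a stolen chain key still exposes every future session until fresh key material is established, which is why short key lifetimes have to be paired with regenerating keys and revoking the device, rather than rotation alone.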
Transitioning to Zero Trust can harm user experience and productivity, and add unnecessary administrative complexity, if not done correctly. That’s why the Arqit platform prioritises both security and usability via a heavily automated, software-based solution that can be simply and centrally managed. In fact, everything from authentication to encryption can be automated to help slot into existing systems, and even support the kind of single-pane-of-glass approach favoured by Italian telco Sparkle.
“We’re really keen on just bringing trust all the way down to the endpoint. There’s no ‘human in the loop’, which means a huge amount of the key management burden just disappears. It’s all automated in the background for you—which also minimises the risk you would get by letting people have access to keys,” says Burn.
“It comes back to those three boxes of ‘security, efficiency and integration’. Anything public key-based loses some of the security, even with the development of post-quantum algorithms. There are solutions that are a lot less dynamic, such as those dependent on pre-shared keys. Whereas we ensure devices generate their own unique authentication keys, and we can group them dynamically, so it’s easy to revoke access if you don’t trust one endpoint. When we generate encryption keys to secure networks, they are established directly between the devices themselves with no human in the loop, which is extremely secure and in line with the ethos of Zero Trust.”
The Intel difference
Crucially, the Arqit SKA-Platform also runs on Intel processors. Intel’s Enterprise Segment Manager, Michihiro Koyama, explains that encryption requires a great deal of “mathematical problem solving”, which in turn calls for purpose-designed acceleration in the chip.
“Sometimes in the past, if you tried to do encryption on your PC hard drive, it would take a lot of computational resources and slow down the applications running on it. But we’ve designed multiple acceleration technologies that mean encryption is no burden—no performance degradation,” he continues.
“We also created Confidential Computing; an enclave in the computer platform designed for processing secrets that no one can tamper with. Use of this enclave to secure encryption keys is part of the Zero Trust reference architecture we established.”
The Arqit-Intel combination is proven to use these capabilities to deliver quantum-safe security and Zero Trust without compromising on performance, while supporting networks that can scale rapidly at the edge and in the cloud, adds Arqit’s Burn. And with the Intel NetSec Accelerator Reference Design, a smart PCIe “server on a card” can be fitted into existing server infrastructure, meaning legacy hardware can be upgraded in less time and at lower cost.
Getting started
All of these capabilities have been subject to rigorous scrutiny, conforming to standards and guidance including NIST SP 800-71, the NSA’s CNSA 2.0 and FIPS 140-2, for extra assurance and interoperability. The Arqit SKA-Platform is also “crypto agile”, meaning the underlying cryptographic primitives can be upgraded or replaced as standards (and threats) evolve.
“For us it’s about deploying software that runs on Intel in lots of ubiquitously different places. We’re very lightweight, so we don’t interfere with how the hardware works, and we slot into existing protocols that are already supported in lots of different form factors,” Burn explains.
“We’re all about encouraging a phased approach to Zero Trust: a step-by-step mindset rather than a rip and replace approach.”
Intel’s Koyama agrees.
“Zero Trust is not just about deploying SASE or another application and you’re done,” he concludes. “Transitioning from the old castle-and-moat model to a Zero Trust framework takes many years. There will be no 100% Zero Trust moment; it’s a continuous journey.”
The journey starts here.