Ericsson has announced that its Cloud RAN offering has passed the independent Network Equipment Security Assurance Scheme (NESAS) audit that makes it "fully compliant with the security requirements defined by global standards organizations, GSMA and 3GPP".
Ericsson's Head of Product Area Networks, Per Narvinger stated:
With 5G rollouts accelerating across the world, 5G network security is rapidly becoming a key topic among regulators, authorities, service providers and their consumer and business customers. Security is a key cornerstone in the design of our products and with the software and hardware disaggregation, it is even more important that security is built in from the start. I am therefore pleased that Cloud RAN is now confirmed NESAS-compliant as it adds another layer of credibility and trustworthiness to our Ericsson radio access network (RAN) portfolio.
The press release from Ericsson says that conformance with NESAS is an essential element of its Security Reliability Model, SRM. As maintained by an Ericsson technical paper, Security Considerations of Cloud RAN, Cloud-based RAN deployment is a significant measure towards a "more open RAN architecture" as it can deliver "inherent security advantages such as isolation and geographical redundancy".
Nonetheless, the cloud is also liable to bring new security risks that should be taken into account. Along with traditional attacks against the RAN and Core, vulnerabilities in the cloud infrastructure including third-party hardware, host operating system, container engines, and microservices are prone to exploitation in cloud-based RAN and Core deployments.
Ericsson Cloud RAN adheres to the GSMA NESAS - Development and Lifecycle Security Requirement version 2.0. The press release also mentions that Ericsson's NESAS compliance processes went through a complete audit by a GSMA-approved, independent auditor.