Operationalizing Zero Trust in 5G Architectures: Moving Beyond the Perimeter

Written by Palindrome Technologies | Jun 24, 2026 2:32:08 PM

Securing large-scale communication networks has historically been difficult because these environments evolve faster than the trust models used to protect them. As 5G systems become increasingly software-defined, cloud-native, and API-driven, the traditional security challenge has expanded from localized perimeter defense to the protection of a deeply interdependent ecosystem. Recent state-sponsored threat activity, such as the Salt Typhoon campaign, has demonstrated how adversaries exploit trusted connections and management paths for long-term persistence in critical communications infrastructure.

To address these structural vulnerabilities, we compiled a report proposing a concrete, 5G-specific implementation model that adapts the CISA Zero Trust Maturity Model to the realities of modern telecommunications.

The Synergy of Defense-in-Depth and Zero Trust

A foundational premise of our paper is that defense-in-depth and zero trust are complementary, not competing, philosophies. Specifically:

  • Defense-in-depth provides the necessary structural distribution of security controls, such as physical infrastructure protections, hardened radio nodes, segmentation, and transport encryption, across the ecosystem.
  • Zero trust governs how trust should be explicitly verified, narrowly authorized, and continuously reassessed across those established layers.

A 5G environment may deploy transport protections like IPsec or TLS and authenticate subscribers, but these layered controls alone do not guarantee zero-trust outcomes. An overprivileged orchestration account or a compromised internal workload could still exploit excessive implicit trust if dynamic policy and workload identity are not enforced.

Why 5G Demands a Distinct Zero Trust Framework

A mature 5G deployment diverges significantly from legacy mobile networks, necessitating a paradigm shift in how trust is evaluated:

  • Service-Based Architecture (SBA): The 5G core utilizes a service-based architecture where network functions expose services over interconnected interfaces. A security failure in API authentication or authorization can have systemic impact.
  • Cloud-Native Platforms: The introduction of container orchestration, CI/CD pipelines, and software supply chain artifacts means these elements are now part of the telecom trust model.
  • Edge Computing (MEC) and Network Slicing: Multi-access edge computing pushes workloads and data processing closer to the user, while network slicing introduces logical separation that requires explicit policy enforcement to ensure true isolation.
  • O-RAN Disaggregation: The disaggregation of the RAN introduces open interfaces and software-driven control structures (such as xApps and rApps) that expand the attack surface and multiply trust transitions.

A Telecom-Specific Maturity Journey

We adapted the CISA pillars (Identity, Devices, Networks, Applications and Workloads, and Data) into a telecom-specific maturity profile. Our roadmap outlines five implementation levels:

  1. Level 0 - Traditional Telecom Trust: Trust is inferred from network location or prior authentication, with coarse segmentation.
  2. Level 1 - Foundational Zero Trust Controls: Strong identity, authenticated service-to-service communications, and baseline segmentation are established for critical domains.
  3. Level 2 - Policy-Driven 5G Segmentation: Access relies on explicit policy, workload identity, and scoped authorization.
  4. Level 3 - Adaptive and Continuously Verified 5G: Telemetry, behavioral analytics, and automated responses inform near real-time trust decisions.
  5. Level 4 - Optimized and Autonomous Zero Trust Operations: Cross-domain policy orchestration, continuous assurance, and dynamic trust re-evaluation are fully operationalized.

Validation over Aspiration

Zero trust maturity must be demonstrated through measurable validation rather than inferred solely from vendor capabilities or architectural intent. Our paper emphasizes evaluating implementation through rigorous metrics, confirming that anomalous behavior is detected and unauthorized lateral movement is contained. Validation strategies must combine configuration reviews, adversarial simulation, transaction testing, and response testing.
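
A small transaction test in the spirit of the validation described above, added here as an illustration and not taken from the report: it runs the same constructed service-to-service requests through a Level 0 decision (trust by network location) and a Level 2 decision (explicit policy, workload identity, scoped authorization) and lists the requests that should have been denied but were not. The workload identities, service name, scopes, slice names and subnet are all assumptions.

```python
"""Added example: Level 0 (location-based) vs Level 2 (explicit policy) decisions.
All identities, services, scopes, slices and the subnet are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

CORE_SUBNET = ip_network("10.20.0.0/16")  # assumed "trusted" core range

@dataclass(frozen=True)
class Request:
    source_ip: str
    workload_id: Optional[str]  # verified workload identity, None if not presented
    service: str
    scope: str
    slice_id: str

# Explicit allow-list: (workload identity, target service) -> granted scopes and slices.
POLICY = {
    ("nf/amf-01", "nudm-sdm"): {"scopes": {"read"}, "slices": {"slice-embb"}},
    ("nf/smf-01", "nudm-sdm"): {"scopes": {"read", "subscribe"}, "slices": {"slice-embb", "slice-iot"}},
}

def level0_decide(req):
    """Level 0: trust is inferred from network location only."""
    return ip_address(req.source_ip) in CORE_SUBNET

def level2_decide(req):
    """Level 2: default deny; allow only an identified workload within its granted scope and slice."""
    rule = POLICY.get((req.workload_id, req.service))
    return bool(rule) and req.scope in rule["scopes"] and req.slice_id in rule["slices"]

def lateral_movement_gaps(transactions, decide):
    """Return the requests that must be denied but that `decide` allowed."""
    return [req for req, must_allow in transactions if not must_allow and decide(req)]

# Constructed transactions: (request, whether zero trust policy should allow it).
TRANSACTIONS = [
    (Request("10.20.1.5", "nf/amf-01", "nudm-sdm", "read", "slice-embb"), True),        # legitimate call
    (Request("10.20.9.9", "mec/app-77", "nudm-sdm", "read", "slice-embb"), False),      # internal workload, no grant
    (Request("10.20.1.5", "nf/amf-01", "nudm-sdm", "subscribe", "slice-embb"), False),  # scope beyond grant
    (Request("10.20.1.5", "nf/amf-01", "nudm-sdm", "read", "slice-iot"), False),        # crosses slice boundary
    (Request("10.20.3.3", None, "nudm-sdm", "read", "slice-embb"), False),              # no workload identity
]

if __name__ == "__main__":
    for name, decide in (("level 0", level0_decide), ("level 2", level2_decide)):
        print(name, "gaps:", len(lateral_movement_gaps(TRANSACTIONS, decide)))
```

Every must-deny request originates inside the assumed core subnet, so the Level 0 decision allows all four of them while the Level 2 decision allows none and still permits the legitimate call.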

Implementing zero trust in 5G is not an immediate, overarching transformation but a staged progression beginning with high-value domains like the 5G core, management planes, and the cloud platform. By grounding this transition in established standards from NIST, 3GPP, and O-RAN, network operators can build a measurable, highly resilient ecosystem capable of withstanding advanced persistent threats.

Read the full publication to explore the detailed control mappings, operational evaluation criteria, and recommended PDP/PEP placements.