Development of a Security Program for Apple around 5G Technologies: CIS8018–Strategic information security
Introduction
Apple Inc. has decided to bring 5G technology to all three models in the year 2020 in an attempt to offer competition for Android phones. The company has not agreed to introduce compatible iPhones in 2019, which may be because of security issues. The 5G network is faster, and it may cause security issues and concerns for Apple and other stakeholders. The current security state of Apple has been discussed in the previous assessment, but this assessment focuses on the future state of the security landscape in the country. For this purpose, the titles and current roles of the company’s security personnel have been discussed, and suggestions for improvement have been made. However, the recommendations have not been prepared only to identify the needs for improvement. The purpose of the suggestions is to help the company plan how to incorporate changes so that threat identification and risk assessment by the company can be done effectively. Thus, this paper aims to develop a security program for Apple by focusing on its current security system. Then, a plan for the security mechanism would direct how the development of the program would help the company to ensure security and privacy.
Current Roles and Titles of the Security Personnel:
The chief operating officer of Apple Inc. is mainly responsible for security features in products because this falls within the domain of product operations. The chief operating officer reports directly to the CEO of Apple, and operations as well as customer support activities come under his jurisdiction. The security features for the safety programs are aimed at focusing on the security and privacy of customers. Thus, the security features of Apple’s products ensure that the information and privacy of customers cannot be compromised. The company is known for not compromising on privacy, and it has taken a strong stance on it. Due to this focus, the company is considered to treat privacy and security as a top priority. Personnel and departments working on the protection of the company’s products are dedicated to making security a priority (Haselton, 2019).
Continuous changes at Apple show that they have a focus on security. For example, they have removed support for SHA-1 signed certificates which were being used by Transport Layer Security. App Transport Security (ATS) ensures best practices and policies so that Apple platforms can ensure a secure communication interface for users. More actions are also taken for security. For instance, changes have been introduced in iOS 12 and macOS Mojave. These changes are connected with the consistent focus of the company on ensuring a secure platform. This security of the platform would help effective and safe usage of products. Several job titles and their roles in this department include security assessor, technology security program manager, software design engineer for information security, and information security analyst. These titles and roles show that the company has a priority for safety.
Suggestions for Improvement:
The suggestion for improving the company’s existing security measures includes preparing for 5G technology, because this shift to a new technology would raise security concerns for the company’s systems. The company has announced that all three of its models in 2020 would have 5G; therefore, it should work on security and privacy as well. The suggestion for improvement is thus not based on the past or present system but on future expectations and trends in the industry. It is a strength and unique characteristic of cellular networks and smartphones that they have provided security solutions for society, and public communication has become more trustworthy. Encrypted chats and communication allow users to be free in their use of smartphones and cellular devices so that they can secure their communication. However, the company can further extend security to consumers in their communication if it has such a mechanism in its business structure. Since the company is going to introduce 5G next year and has bought the 5G modem business from Intel, there is a need to think of new requirements and new security models for the company. The priority in these suggestions for improvement is to enable Apple to incorporate changes for 5G technology. The implementation of 5G technology and its resulting impact on security present new circumstances and issues for the company. The company has to equip itself to accommodate changes due to 5G technology.
In the following, the paper presents how the company can implement these changes. The plan to incorporate changes would focus on the technology, which is not used by the company at the moment. However, Apple Inc. is going to bring 5G-compatible smartphones next year.
Plan to Incorporate these Changes:
Research evidence suggests that 5G systems would lead to the evolution of mobile communication in the future. At present, Apple Inc. does not have compatible smartphones for this technology. Therefore, this paper offers a plan for the company to incorporate changes in its business. Earlier technologies in mobile communication provided voice and data communication security and privacy, and 5G technology would provide security to this level of communication already. However, it has to cover new cases and industries too to provide connection and network for the whole society. The field needs research and standardization. Therefore, the company should work on the possibility and suitability itself. It should conduct a study of the security of overall society to offer security and privacy at large. The cloud technology and the Internet of Things have pushed society to realize expanded and broader needs for security (Ericsson, 2019).
LTE and its evolution are part of the growth and development of 5G. LTE and its evolution have worked on security and privacy, but 5G would cover the core and management system as well. Thus, the effectiveness of 5G technology is higher than even LTE. However, previously used technologies and their security systems should be considered as well, so that the need for 5G and its security can come to the surface. Before planning, it must be established whether the introduction of 5G makes new security requirements necessary, and these requirements need to be identified. There is a question of how security under 4G resembles 5G security. Moreover, it should be noted whether previous design approaches for Apple Inc. products remain valid or whether they would change under 5G technologies.
Security under 2G and 4G technology:
Emerging threats and the need for enhanced security led to the introduction of security features in GSM systems almost three decades ago. These security measures included encryption of the radio interface, which was sufficient for the needs of GSM systems. To reduce the risk of fraud, a tamper-resistant SIM card was added to the system. Finally, security measures addressed privacy so that no one could identify subscribers. 3G technologies further increased the level of security, and mutual authentication became possible during this period of technology. Encryption extended more deeply into the network, which made systems more secure and private. As a result, it became harder to threaten radio base stations. In the era of 4G LTE, which is the current technology for Apple Inc. products, more threat-reducing mechanisms were put in place. Data encryption went further and deeper into base stations, which made physical break-ins more difficult. However, in essence, the security systems and programs were the same in both 3G and 4G LTE. 3G and 4G LTE security programs have fulfilled expectations and goals, but they might not be enough for 5G. So, a new security program is needed (Ericsson, 2019).
Changes to be introduced to Develop Security Program:
To introduce changes in the security program around 5G technologies, Apple Inc. should take the drivers for 5G into consideration. The most crucial security issue would be trust in connectivity in the high-connectivity interface of 5G. The changes introduced would cover industries as well because 5G is not going to apply to individuals only. Apple Inc. has many benefits and applications for its security system when it adopts 5G technology. Some examples may hint at how it is needed. If a manufacturer in the automobile industry wants to offer management services for manufactured cars, then it has to adopt various systems in this regard. Hundreds of individual devices would need a connection to the 5G network, and the security network should cover all of them.
5G technologies would affect other technologies, and consequently, new systems would enter the operations and management of Apple Inc. Cloud and virtualization technologies are examples of technologies that would become essential. As a result, many concerns over security would emerge. Application programming interfaces or APIs would be used and accessed by third-party users, along with individual users. Shared hardware platforms and third-party software execution would be needed. During all these changes, security measures present in 4G technology may not be sufficient, and they would leave the system exposed to threats. Therefore, Apple Inc. has to bring changes around such platforms as well (Yang et al., 2015).
The level of impact of 5G is broad enough to affect the security, privacy, and legal areas of the company. It has a more critical role in society, and it would lead to more regulatory involvement in the company’s operations and designs. If the company does not offer a proper security design or program, then there is a high chance that it has to compromise on privacy. The company has previously reacted to the government’s demand to have access to one of its devices: Apple Inc. denied it, but in the case of 5G technology use, it may be more difficult for the company to resist such demands (Hodges, 2019).
Fig. 1 Network Architecture of 4G and 5G
Source: https://www.juniper.net/assets/us/en/local/pdf/whitepapers/2000743-en.pdf
Figure 1 shows that the network architecture resulting from 5G technology is much different from that of 4G technology. Therefore, Apple Inc. has to introduce a security architecture in line with this network architecture.
Fig. 2 Attack surface with the result of 5G
Source: https://www.juniper.net/assets/us/en/local/pdf/whitepapers/2000743-en.pdf
Figure 2 shows that there are more areas and surfaces which can be attacked. Apple Inc. should be aware of these possible attacks so that it can ensure attack and threat prevention for 5G technology applications.
ISO Security Standards used by the Organization:
Apple Inc. already has security standards in place, and ISO security standards are among the most prominent and notable. The company has made the data available for the security of its iOS platforms. A search of the security standards used by the company shows that it has many standards to ensure security. Here, only ISO security standards are discussed.
Apple has obtained ISO 27001 and 27018 certifications for its information security management system. The security management system covers the infrastructure, operations, and development of several products and services of the company. Some products and services include iCloud, FaceTime, Apple School Manager, iMessage, Siri, Managed Apple IDs, iTunes U, and Schoolwork. The ISO certification has been issued to the company by the British Standards Institution, and it has been granted in recognition of the company’s sincere and serious efforts to do so. It has also been published on the website of the British Standards Institution that the company complies with ISO 27001 and ISO 27018. These standards enhance security for various products of the company. The planned security program for the company around 5G would get assistance from these certifications because the company already has a network of certifications. But these are not enough, and there should be a change in security management in light of 5G technology (Support.apple, 2019).
However, the company does not need to abide by the ISO standard for its 5G technology because it is 3GPP which has developed standards for the security of 5G networks. 3GPP is an international organization with the obligation to govern standards for cellular and mobile devices. Thus, the model for Apple is from 3GPP, and it would ensure the security and privacy of the network by Apple Inc. Therefore, this model is suitable for the company, and further reasoning for its suitability is going to be mentioned in the following.
The reasoning of Suitable Security Model:
3GPP has developed the standard for security measures for cellular and mobile devices, and it has a number of attributes which can help Apple to introduce. At the moment, its suitability is for 4G and LTE networks, but it may be applied to the functional 5G network. However, it may not be suitable for a standard to govern both 4G and 5G simultaneously. Therefore, there is a standard for 5G technologies alone, which makes it more specific and focused on the technology. 3GPP has noted that the whole industry has focused on the standard because this standard would commence commercialization of 5G technology in products. The standalone specification of the 5G New Radio has been signed by the 3GPP, and next-generation cellular networks would emerge quickly.
According to the 3GPP website, 5G security for 3GPP was approved by finalizing Non-Standalone specifications for 5G New Radio. As a result, 5G phase 1 was completed. These specifications of standalone and non-standalone systems show that they offer unmatched security for the system. The reasoning of the 5G security model is that it has been based on the 4G mobile communication system. In order to ensure security for 5G systems, a number of threats have been taken into consideration. For example, 5G security architecture has been designed to be integrated with 4G security architecture. However, the assessment of security and threat prevention has been revised. It is to ensure security against attacks on security interfaces, the user plane, the signaling plane, and privacy, as well as replay, man-in-the-middle, inter-operator security issues, and masquerading. The suitability of the standard is discussed in the next section. The reasoning for its suitability is that a reassessment has been made in the 5G security system so that it can be compatible with the needs of Apple Inc. (Atat et al., 2017).
Suitability of Certification:
In order to ensure the suitability of the certificate developed by 3GPP, this section highlights its attributes and benefits. The relevance of the security model is that it is aligned with 4G LTE technology and systems as well, because of which the company does not need to overhaul its whole design and operation mechanism. The non-standalone NR security has the attribute of using EPC infrastructure as well; therefore, there is no need to replace 5G radio-based technology. NR, which is a new radio technology, is the second radio access technology. The principle of security is also in line with the specifications of security for dual connectivity of 4G.
From the non-standalone NR security, 3GPP has evolved into a standalone 5G system too, and for this purpose, the trust model has been developed. The suitability of trust design lies in its effectiveness. It has been noted in figures too, that there is a trust model in roaming and non-roaming scenarios. The relevance of the chosen certification is because of its standalone and non-standalone specifications and features. Apple Inc. can incorporate these designs and certification into their security model. In this way, the company can ensure the security mechanism for its products and operations after the adoption of 5G technologies (3GPP, 2018).
Fig. 3 Trust Model of non-roaming scenario
Source: https://www.3gpp.org/news-events/1975-sec_5g
Fig. 4 Trust Model of roaming scenario
Source: https://www.3gpp.org/news-events/1975-sec_5g
Justification by Threat Identification and Risk Assessment:
The certification of 5G technology security models and certification for Apple Inc. is that the company should have a mechanism through which it can ensure the safety and security of its 5G compatible smartphones and products next year. The company can develop its architecture as well, but at the moment, it can utilize the one developed by 3GPP because of its features of non-standalone and standalone security features. The company is using 4G technology at the moment and planning to switch to 5G technologies in the future. Therefore, it should get a certification and security model which can work for 5G exclusively as well as the one which can integrate 4G technology and 5G technology. Existing standards of Apple Inc may evaluate risk assessment as it has ISO certifications.
Moreover, it can further ensure a risk assessment by measures from 3GPP. In this way, the company can provide the mechanism to deal with risks. These risks are mainly related to roaming services, communication between individuals and businesses, and cloud technology. These features of the trust model by 3GPP may help Apple Inc. to move from 4G technology to 5G technologies successfully (Gartenberg, 2018).
More security related issues for 5G technology include security assurance, identity management, 5G radio network security, flexible and scalable security architecture, energy-efficient security, and the most important is cloud security. Threat identification and risk assessment in light of 5G technology may not be appropriate for Apple Inc. and its products only. It is the question of networked society where the company may play a significant role. Therefore, the company needs to move to 5G technology with this perspective. However, it has to work on its trust model as well, so that it cannot compromise on the security and privacy of its products and services.
Conclusion:
The paper concludes that Apple Inc. is going to introduce smartphones and products which are compatible with the 5G system and technology. The introduction of 5G technologies would not be the same case for the company as 4G because the whole system of security and infrastructure would change with this introduction. In order to have this context in mind, a security program for the company has been developed in this paper. The certification for the company’s 5G technology is the one which has been developed by 3GPP. Chosen certification has the ability to integrate 4G and 5G as well as it has the ability to be a standalone 5G security system. The paper recommends Apple Inc to switch to this security program and model so that it can easily switch from 4G to 5G. In the future, the company should develop its security system as well, so that it can keep working on its security and privacy. The company should not compromise on these features of its products as it ensures privacy and security.
References
3GPP, 2018. 3GPP 5G Security. [Online] Available at: https://www.3gpp.org/news-events/1975-sec_5g [Accessed 29 September 2019].
Atat, R. et al., 2017. Enabling cyber-physical communication in 5g cellular networks: challenges, spatial spectrum sensing, and cyber-security. IET Cyber-Physical Systems: Theory & Applications, 2(1), pp.49-54.
Ericsson, 2019. 5G security – scenarios and solutions. [Online] Available at: https://www.ericsson.com/en/white-papers/5g-security-scenarios-and-solutions [Accessed 29 September 2019].
Gartenberg, C., 2018. The 5G standard is finally finished with new standalone specification. [Online] Available at: https://www.theverge.com/2018/6/15/17467734/5g-nr-standard-3gpp-standalone-finished [Accessed 29 September 2019].
Haselton, T., 2019. Apple will add 5G to 2020 iPhones to compete with Android, top analyst says. [Online] Available at: https://www.cnbc.com/2019/07/29/apple-iphone-models-to-support-5g-in-2020.html [Accessed 29 September 2019].
Hodges, J., 2019. 5G Security Strategy Considerations. [Online] Available at: https://www.juniper.net/assets/us/en/local/pdf/whitepapers/2000743-en.pdf [Accessed 29 September 2019].
Support.apple, 2019. Product security certifications, validations, and guidance for iOS. [Online] Available at: https://support.apple.com/en-us/HT202739 [Accessed 29 September 2019].
Yang, N. et al., 2015. Safeguarding 5G wireless communication networks using physical layer security. IEEE Communications Magazine, 53(4), pp.20-27.