Where to Start with Zero Trust in Cellular Networks
Published 03/09/2026
If you’ve ever tried to “do Zero Trust” in a cellular environment, you’ve probably hit the same wall: the scope is enormous.
You’re not securing one enterprise network. You’re dealing with user equipment, a distributed RAN, transport, a cloud-native 5G core, OSS/BSS platforms, and the underlying virtualization infrastructure. That’s before you even get to roaming interconnects, exposure APIs, and partner ecosystems.
So where do you start? CSA’s new Enabling Zero Trust for Cellular Networks publication makes the case that the starting point isn’t a new tool or diagram. It’s a method: define the protect surface, then prioritize it so you can execute Zero Trust iteratively.
In this blog, we’ll zoom in on the first step of that process: defining the protect surface. Specifically, how to prioritize protect surfaces to drive a practical Zero Trust rollout for cellular networks.
Your Unit of Action is the Protect Surface
In Zero Trust, the protect surface is the fundamental unit of analysis. In cellular environments, protect surfaces align to functional systems and subsystems, including User Equipment (UE), RAN, Transport, Core, OSS/BSS, and NFVI. Instead of talking about “the network” (which is basically infinite), you anchor Zero Trust to the operational building blocks that actually run mobile services.
This is a two-part task:
- Build a high-level inventory of functional systems.
- Evaluate each surface through three lenses to produce a rank-ordered list for Zero Trust execution.
Those three lenses are easy to explain to both security teams and business stakeholders:
- Business/Service Criticality: Impact on customers, SLAs, and regulatory obligations if compromised
- Current Security Maturity (Vulnerability): Strength of authentication, encryption, hardening, monitoring, exposure
- Resilience: Redundancy/failover posture, single points of failure, and recovery capability
This approach prevents "boiling the ocean." It ensures iterative Zero Trust implementation starts with the most critical and least secure/resilient systems first.
Prioritization
A lot of Zero Trust conversations fail because they skip prioritization. Everything becomes “critical,” and the program turns into a never-ending architecture exercise.
Instead of treating every surface equally, rank them using the three lenses above.
Score each protect surface on a 1–5 scale per lens (Criticality, Maturity, Resilience), where a higher score always means greater concern: high service criticality, weak current maturity (a larger security gap), and poor resilience. Combining the three scores (a plain sum, or a weighted sum if your organization weights service impact more heavily) yields a composite risk value, and grouping surfaces by that value gives you tiers. That tiering becomes your execution roadmap.
A Practical Tiering Approach
We propose using three tiers:
- Tier 1: Most critical and least secure/resilient → addressed first
- Tier 2: Important, but moderate maturity/resilience gaps
- Tier 3: Lower impact or already mature → addressed later
Make sure your team doesn't turn tiering into yet another segmentation religion. These tiers are not a new segmentation model. These tiers are an ordering mechanism for the Five-Step Zero Trust cycle.
Telecom engineers already have plenty of segmentation models. What they often lack is a shared, defensible way to decide what to secure first.
Tier 1 Examples
1) Core Network Systems
The core is the operational heart of the network, spanning 5G core functions such as the AMF, SMF, and UPF, along with subscriber databases, policy control, and the platforms that support them. 5G core network security principles include:
- Applying least privilege
- Using fine-grained identity
- Implementing runtime workload protection
Treat each network function as a first-class citizen for access control, identity, and continuous validation. Drill down from broad zones into specific subsystems and network functions. This helps you define precise microsegmentation boundaries and function-specific policies and trust relationships.
2) Interconnect / SEPP (Roaming)
Even without getting deep into roaming architecture in this blog, the prioritization logic holds. Roaming is a cross-operator trust boundary, and trust boundaries are where attackers love to live.
For interconnects, “assume breach” is a design requirement. If you’re doing Zero Trust for cellular networks, you can’t treat roaming as a partner network that is implicitly safe.
3) RAN
The RAN is the distributed edge that links UEs to the core. Zero Trust here involves:
- Implementing micro-segmentation of baseband and signaling traffic
- Verifying Open RAN components
- Enforcing east–west visibility across DUs, CUs, and RUs
If you can’t see east–west movement in the RAN, then you can’t enforce least privilege there. Visibility and policy enforcement go together.
Tier 2 Examples
Tier 2 protect surfaces are still business-critical, but they typically show stronger baseline security controls or better inherent resilience than Tier 1 systems. For example:
1) Transport Networks
For transport networks, Zero Trust focuses on granular flow authorization, strong encryption in transit, and continuous traffic monitoring to prevent unauthorized lateral movement across domains. While these networks already rely on segmentation and encryption, Zero Trust pushes operators to validate every connection and to assume compromise.
2) OSS/BSS Platforms
OSS/BSS platforms are similarly important. They manage provisioning, billing, orchestration, and operational control across the cellular environment. These systems are in Tier 2 because, while compromise would have significant business impact, they often benefit from strong identity controls and centralized access management compared to real-time network functions.
Tier 3 Examples
Tier 3 protect surfaces are addressed later in the Zero Trust rollout.
1) User Equipment (UE)
For UE, device and subscriber identity validation is already rooted in SIM/eSIM authentication, and posture checks and behavioral analytics are commonly delivered by existing mobile security controls. You can (and should) strengthen these controls over time. However, the compromise of an individual UE typically has a smaller blast radius than the compromise of core or interconnect systems.
2) Network Functions Virtualization Infrastructure (NFVI)
NFVI components may also land in Tier 3 when strong isolation, hardware-rooted trust, and workload security controls are already in place. In these cases, Zero Trust enhancements focus on continuous attestation, monitoring, and enforcement consistency, rather than foundational redesign.
An Operational Protect Surface List
Protect surfaces map directly to how cellular networks operate and to how adversaries think: the functional systems that enable business operations are also the most attractive targets, so protect surfaces in cellular networks must align with those systems.
Across major surfaces, Zero Trust looks like:
- UE: Validate device and SIM/eSIM identity, check integrity and posture, apply behavioral analytics before access is granted
- Transport: Strong encryption in transit, granular flow authorization, continuous monitoring to detect lateral movement
- NFVI: Hardware-rooted trust, workload isolation across VMs/containers, continuous attestation
How to Use This in the Real World
Here’s a practical interpretation of our approach:
- Inventory protect surfaces as functional systems (UE, RAN, Transport, Core, OSS/BSS, NFVI, etc.)
- Score each surface on Criticality, Security Maturity, and Resilience using a consistent 1–5 scale
- Tier the results to create an execution sequence, starting with most critical and least secure/resilient
- Use that tier list to drive the next steps:
  - Step 2: Transaction flow mapping (control plane vs user plane, east–west vs north–south)
  - Step 3: Policy enforcement architecture (where PDP/PEP decisions happen)
  - Step 4: Policy creation
This is how Zero Trust stops being a philosophical statement and becomes an implementation program with a clear first sprint.
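The scoring and tiering procedure summarized above (and laid out in the Prioritization section), as an added Python example that is not part of the CSA publication or of this blog. The surface names and their scores are constructed for illustration, and the criticality gate on Tier 1 and the tier cut-offs (70% and 50% of the maximum composite) are assumptions you would calibrate to your own operator context; the point of the gate is that a low-impact surface with large maturity and resilience gaps cannot jump the queue on the sum alone, which keeps the tiers consistent with their definitions.

```python
"""Score and tier cellular protect surfaces for an iterative Zero Trust rollout.

Added example; not from the CSA publication or this blog.  Surface names,
scores, weights and tier thresholds are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Each lens is scored 1..5 where higher means MORE concern, so "maturity"
# and "resilience" are recorded as gaps rather than as strengths.
LENSES = ("criticality", "maturity_gap", "resilience_gap")
TIER1_MIN_FRACTION = 0.7   # assumption: >= 70% of max composite (and high criticality)
TIER3_MAX_FRACTION = 0.5   # assumption: <= 50% of max composite (or low criticality)


@dataclass(frozen=True)
class ProtectSurface:
    name: str
    criticality: int     # 5 = highest customer / SLA / regulatory impact if compromised
    maturity_gap: int    # 5 = weakest authentication, encryption, hardening, monitoring
    resilience_gap: int  # 5 = worst single-point-of-failure / failover / recovery posture

    def __post_init__(self) -> None:
        for lens in LENSES:
            v = getattr(self, lens)
            if type(v) is not int or not 1 <= v <= 5:   # rejects bools and out-of-range values
                raise ValueError(f"{self.name}: {lens}={v!r} must be an int in 1..5")


def composite(s: ProtectSurface, weights: Optional[Dict[str, float]] = None) -> float:
    """Weighted sum of the three lens scores; equal weights reproduce the plain sum."""
    w = weights or {lens: 1.0 for lens in LENSES}
    return sum(getattr(s, lens) * w[lens] for lens in LENSES)


def tier_for(s: ProtectSurface, score: float, weights: Optional[Dict[str, float]] = None) -> int:
    """Map a surface to Tier 1, 2 or 3 from its composite and its criticality."""
    w = weights or {lens: 1.0 for lens in LENSES}
    fraction = score / (5 * sum(w.values()))          # normalize so weights can change freely
    if s.criticality >= 4 and fraction >= TIER1_MIN_FRACTION:
        return 1                                      # most critical AND least secure/resilient
    if s.criticality <= 2 or fraction <= TIER3_MAX_FRACTION:
        return 3                                      # lower impact OR already mature/resilient
    return 2


def build_roadmap(surfaces: Iterable[ProtectSurface],
                  weights: Optional[Dict[str, float]] = None) -> List[Tuple[int, float, str]]:
    """Return (tier, composite, name) ordered by tier, then composite desc, then criticality desc."""
    scored = [(tier_for(s, composite(s, weights), weights), composite(s, weights), s) for s in surfaces]
    scored.sort(key=lambda t: (t[0], -t[1], -t[2].criticality, t[2].name))
    return [(tier, c, s.name) for tier, c, s in scored]


def check_discrimination(roadmap: List[Tuple[int, float, str]]) -> List[str]:
    """Flag the failure mode where 'everything is critical': all surfaces in one tier."""
    tiers = {t for t, _, _ in roadmap}
    if len(roadmap) > 1 and len(tiers) == 1:
        return [f"all {len(roadmap)} surfaces landed in Tier {tiers.pop()}; rescore with finer distinctions"]
    return []


def sample_surfaces() -> List[ProtectSurface]:
    """Constructed inventory; scores are illustrative, not measurements of any real network."""
    return [
        ProtectSurface("Core", 5, 4, 3),
        ProtectSurface("Interconnect / SEPP", 5, 5, 3),
        ProtectSurface("RAN", 4, 4, 4),
        ProtectSurface("Transport", 4, 2, 2),
        ProtectSurface("OSS/BSS", 4, 3, 3),
        ProtectSurface("UE", 2, 3, 2),
        ProtectSurface("NFVI", 4, 2, 1),
    ]


if __name__ == "__main__":
    roadmap = build_roadmap(sample_surfaces())
    for tier, score, name in roadmap:
        print(f"Tier {tier}  composite={score:4.1f}  {name}")
    for warning in check_discrimination(roadmap):
        print("WARNING:", warning)
```

Run as a script it prints the execution sequence, Tier 1 first. Sorting within a tier by composite and then by criticality gives a defensible order for the first sprint without inventing a fourth lens, and the warning from `check_discrimination` is the cheap guard against the "everything becomes critical" outcome the Prioritization section warns about.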
The Full Blueprint
The full publication goes much further than this blog, including:
- A five-step Zero Trust implementation process for cellular environments
- Detailed transaction flow mapping guidance across trust boundaries
- Policy enforcement architecture concepts tailored to telecom interfaces and zones
- A concrete Zero Trust policy example for the UPF
- Ongoing monitoring and maintenance activities aligned to telecom-critical components and protocols
If you’re building Zero Trust for cellular networks, make sure to check it out.