WO2023280399A1 - Security service orchestration function interaction between telecommunications networks based on different deployment frameworks - Google Patents


Info

Publication number
WO2023280399A1
Authority
WO
WIPO (PCT)
Application number
PCT/EP2021/068811
Other languages
French (fr)
Inventor
Anu PUHAKAINEN
Harri Hakala
Ari PIETIKÄINEN
Original Assignee
Telefonaktiebolaget Lm Ericsson (Publ)
Application filed by Telefonaktiebolaget Lm Ericsson (Publ)

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks > H04L 41/40 Arrangements for maintenance, administration or management of data switching networks using virtualisation of network functions or resources, e.g. SDN or NFV entities
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks > H04L 41/50 Network service management, e.g. ensuring proper service fulfilment according to agreements > H04L 41/5003 Managing SLA; Interaction between SLA and QoS > H04L 41/5009 Determining service level performance parameters or violations of service level contracts, e.g. violations of agreed response time or mean time between failures [MTBF]

Definitions

  • the present disclosure relates generally to security orchestration and management communications, and more particularly to methods and devices for a security service orchestration function interaction between telecommunications networks based on different deployment standards.
  • 3GPP TS 23.501 defines support for data connectivity and services enabling deployments to use techniques such as, e.g., Network Function Virtualization (NFV) and Software Defined Networking (SDN).
  • the 5G architecture is defined as service-based interactions between network functions.
  • 3GPP TS 33.501, Security architecture and procedures for the 5G system, specifies the security features and security mechanisms for the 5G System and the 5G Core, and the security procedures performed within the 5G System.
  • security orchestration and management are left outside the scope of 3GPP TS 23.501, TS 33.501, TS 28.520, TS 28.533, and TS 28.801.
  • 3GPP standardization does not deal with security concerns related to the deployment, configuration, or continuous operations of the technology.
  • Secure orchestration and management of virtualization and general forms of security management are fundamental for 5G and beyond to operate robustly. Since there are no specifications for security management and orchestration interfaces in 3GPP, vendor-specific, non-standard interfaces may appear, which makes interoperability difficult, unstable, risky, and costly.
  • 3GPP TS 28.801 describes, in its chapter 7.3, the principles of how an enterprise can make a service request with commonly agreed service types and attributes for service provisioning automation.
  • the technical specification (TS) describes how an enterprise can identify available business service types and the respective attribute values to be specified for the service. It is described that this may involve several steps of negotiation to be finalized. It is explained that the network management systems at an operator should have the capability to assess the types of services it can offer, knowing the network infrastructure capabilities, and to make this available to the service management functionality.
  • the TS explains that there may be several levels of service type categorizations where each higher-level service category may have multiple sub categories to cover numerous possible customer service types.
  • the TS does not specify security attributes as part of the sub-categories, nor does it specify how enterprises could include security attributes into their service request.
  • CSPs Communication service providers
  • Communication service providers are facing an increasing number of security and privacy threats against their infrastructure, the data they process and their services. Without visibility into the security posture and protective measures provided to them by other CSPs, it is difficult to judge in a reliable and repeatable manner whether their security objectives on security service levels are met and whether additional mitigation of security risks is needed. Without visibility into the security posture, it is difficult for communication service providers to commit and report to their enterprise customers whether they meet the security objectives for the business services the enterprises have purchased.
  • ETSI NFV MANO describes how to manage virtual functions, but it does not know for which purpose it performs the management as it is not aware of service, security, and/or roaming context.
  • 3GPP describes network service requirements that will be realized in physical and/or virtual functions, but there is no standardized way to communicate security service requirements based on an Enterprise Security Service Level Agreement (S-SLA) to the ETSI NFV MANO side.
  • S-SLA Enterprise Security Service Level Agreement
  • ETSI NFV MANO or 3GPP management systems are not able to perform end-to-end security orchestration and management when they co-exist to execute fulfillment of security SLAs for the different enterprises and network services.
  • a security service orchestration function provides capabilities for security orchestration for 3GPP and ETSI virtualized communication systems in a standardized manner.
  • the SSOF applies NFVI architecture into 3GPP 5G SBA implementation in telecom operator context. It proposes a way to orchestrate security capabilities and security attributes between NFV MANO and 3GPP 5G SBA enabling interworking between different standards or deployment frameworks.
  • a method is implemented by a security service orchestration function (SSOF) in a communications infrastructure that includes a plurality of communication service providers (CSPs) and a plurality of enterprises, for orchestration of a security service level agreement (S-SLA).
  • CSPs communication service providers
  • S-SLA security service level agreement
  • the method includes receiving, by a SSOF of a CSP of the plurality of CSPs, a communications service request from an enterprise or another CSP.
  • the communications service request includes one or more requested business services covered by a S-SLA including a plurality of business service S-SLA requirements.
  • the method also includes converting, by the SSOF, the business service S-SLA requirements to a S-SLA resource request.
  • the method additionally includes transmitting, by the SSOF, the S-SLA resource request to a Communication Service Management Function (CSMF) of the CSP.
  • the method further includes retrieving physical and virtual resources to provide the one or more requested business services per service template from a Business Support System/Communication Service Management Function (BSS/CSMF) in a communication system of the CSP.
  • BSS/CSMF Business Support System/Communication Service Management Function
  • a computing device includes processing circuitry and a memory coupled with the processing circuitry.
  • the memory includes instructions that when executed by the processing circuitry causes the computing device to receive, by a SSOF of a CSP, a communications service request from an enterprise or another CSP.
  • the communications service request includes one or more requested business services covered by a S-SLA comprising a plurality of S-SLA requirements.
  • the memory also includes instructions that when executed by the processing circuitry causes the computing device to convert, by the SSOF, the business service S-SLA requirements to a S-SLA resource request.
  • the memory also includes instructions that when executed by the processing circuitry causes the computing device to transmit, by the SSOF, the S-SLA resource request to a Communication Service Management Function (CSMF) of the CSP.
  • the memory further includes instructions that when executed by the processing circuitry causes the computing device to retrieve physical and virtual resources to provide the one or more requested business services per service template from a Business Support System/Communication Service Management Function (BSS/CSMF) in a communication system of the CSP.
  • BSS/CSMF Business Support System/Communication Service Management Function
  • a computing device is adapted to receive, by a SSOF of a CSP, a communications service request from an enterprise or another CSP.
  • the communications service request includes one or more requested business services covered by a S-SLA comprising a plurality of S-SLA requirements.
  • the computing device is also adapted to convert, by the SSOF, the business service S-SLA requirements to a S-SLA resource request.
  • the computing device is also adapted to transmit, by the SSOF, the S-SLA resource request to a Communication Service Management Function (CSMF) of the CSP.
  • CSMF Communication Service Management Function
  • the computing device is further adapted to retrieve physical and virtual resources to provide the one or more requested business services per service template from a Business Support System/Communication Service Management Function (BSS/CSMF) in a communication system of the CSP.
  • BSS/CSMF Business Support System/Communication Service Management Function
  • a method is implemented by a security service orchestration function (SSOF) in a communication infrastructure, that includes a plurality of communication service providers (CSPs) and a plurality of enterprises, for orchestration of a security service level agreement (S-SLA).
  • the method includes receiving, by a SSOF of a CSP of the plurality of CSPs, a communications service request from an enterprise or another CSP.
  • the communications service request includes one or more requested business services covered by a S-SLA comprising a plurality of S-SLA requirements.
  • the method also includes performing a query, by the SSOF, of a plurality of service templates. Each service template is associated with a different communication system deployment.
  • the query is performed to determine types of physical and virtual resources of each communication system deployment, that are needed to provide the one or more requested business services, and instruct a security manager of each communication system deployment, providing the one or more business services, how to configure security settings for the physical and virtual resources.
  • Each communication system deployment operates based on a different deployment framework.
  • the method also includes mapping, by the SSOF, a security capability of each physical and virtual resource providing the one or more requested business services to define a correct security attribute setting per business service to fulfill the S-SLA with the enterprise or the other CSP.
  • the method also includes based on the security capability mapping, providing, by the SSOF, security attributes per requested business service to the security manager of each communication system deployment.
  • the method further includes monitoring, by the SSOF, the security attributes for compliance of the S-SLA.
  • a computing device includes processing circuitry and a memory coupled with the processing circuitry.
  • the memory includes instructions that when executed by the processing circuitry causes the computing device to receive, by a SSOF of a CSP, a communications service request from an enterprise or another CSP.
  • the communications service request includes one or more requested business services covered by a S-SLA including a plurality of S-SLA requirements.
  • the memory also includes instructions that when executed by the processing circuitry causes the computing device to perform a query, by the SSOF, of a plurality of service templates. Each service template is associated with a different communication system deployment.
  • the query is performed to determine types of physical and virtual resources of each communication system deployment, that are needed to provide the one or more requested business services, and instruct a security manager of each communication system deployment, providing the one or more business services, how to configure security settings for the physical and virtual resources.
  • Each communication system deployment operates based on a different deployment framework.
  • the memory also includes instructions that when executed by the processing circuitry causes the computing device to map, by the SSOF, a security capability of each physical and virtual resource providing the one or more requested business services to define a correct security attribute setting per service to fulfill the S-SLA with the enterprise or the other CSP.
  • the memory also includes instructions that when executed by the processing circuitry causes the computing device to, based on the security capability mapping, provide, by the SSOF, security attributes per requested business service to the security manager of each communication system deployment.
  • the memory further includes instructions that when executed by the processing circuitry causes the computing device to monitor, by the SSOF, the security attributes for compliance of the S-SLA.
  • a computing device is adapted to receive, by a SSOF of a CSP, a communications service request from an enterprise or another CSP.
  • the communications service request includes one or more requested business services covered by a S-SLA including a plurality of S-SLA requirements.
  • the computing device is also adapted to perform a query, by the SSOF, of a plurality of service templates.
  • Each service template is associated with a different communication system deployment. The query is performed to determine types of physical and virtual resources of each communication system deployment, that are needed to provide the one or more requested business services, and instruct a security manager of each communication system deployment, providing the one or more business services, how to configure security settings for the physical and virtual resources.
  • Each communication system deployment operates based on a different deployment framework.
  • the computing device is also adapted to map, by the SSOF, a security capability of each physical and virtual resource providing the one or more requested business services to define a correct security attribute setting per service to fulfill the S-SLA with the enterprise or the other CSP.
  • the computing device is also adapted to, based on the security capability mapping, provide, by the SSOF, security attributes per requested business service to the security manager of each communication system deployment.
  • the computing device is further adapted to monitor, by the SSOF, the security attributes for compliance of the S-SLA.
  • a method is implemented by a security service orchestration function (SSOF) in a communication infrastructure, that includes a plurality of communication service providers (CSPs) and a plurality of enterprises, for orchestration of a security service level agreement (S-SLA).
  • the method includes receiving, by a SSOF of a first CSP of the plurality of CSPs, a S-SLA request from an enterprise for a business service, wherein the S-SLA request includes a specific level of security attributes that the enterprise requests are fulfilled in roaming situations.
  • the method also includes performing a capability mapping between security attributes in the S-SLA request and a common security baseline capability template of the first CSP.
  • the method also includes implementing, as a result of the capability mapping, the business service as a multi-operator slice instance with virtualized network functions requesting capacity and security capabilities from a second CSP.
  • the method further includes requesting, by the SSOF of the first CSP, the business service including specific security capabilities from the second CSP.
  • a computing device includes processing circuitry and a memory coupled with the processing circuitry.
  • the memory includes instructions that when executed by the processing circuitry causes the computing device to receive, by a SSOF of a first CSP of a plurality of CSPs, a S-SLA request from an enterprise for a business service.
  • the S-SLA request includes a specific level of security attributes that the enterprise requests are fulfilled in roaming situations.
  • the memory also includes instructions that when executed by the processing circuitry causes the computing device to perform a capability mapping between security attributes in S-SLA request and common security baseline capability template of the first CSP.
  • the memory also includes instructions that when executed by the processing circuitry causes the computing device to implement, as a result of the capability mapping, the business service as a multi-operator slice instance with virtualized network functions requesting capacity and security capabilities from a second CSP.
  • the memory further includes instructions that when executed by the processing circuitry causes the computing device to request, by the SSOF of the first CSP, the business service comprising specific security capabilities from the second CSP.
  • a computing device is adapted to receive, by a SSOF of a first CSP of a plurality of CSPs, a S-SLA request from an enterprise for a business service.
  • the S-SLA request includes a specific level of security attributes that the enterprise requests are fulfilled in roaming situations.
  • the computing device is also adapted to perform a capability mapping between security attributes in S-SLA request and common security baseline capability template of the first CSP.
  • the computing device is also adapted to implement, as a result of the capability mapping, the business service as a multi-operator slice instance with virtualized network functions requesting capacity and security capabilities from a second CSP.
  • the computing device is further adapted to request, by the SSOF of the first CSP, the business service comprising specific security capabilities from the second CSP.
  • Figure 1 is a block diagram of an example of a security service orchestrator and security management module according to some embodiments of inventive concepts.
  • Figure 2 is a block diagram of an example of a computing device according to some embodiments of inventive concepts.
  • FIG. 3 is a block diagram illustrating an example of a security service orchestration function (SSOF) incorporated in the management architecture of mobile networks when combining 3GPP and ETSI architectures according to some embodiments of inventive concepts.
  • SSOF security service orchestration function
  • Figure 4 is a flow chart of an example of a method of operation of a SSOF according to some embodiments of the inventive concepts.
  • Figure 5 is a flow chart of an example of a method of operation of a SSOF interacting with support security management functions according to some embodiments of inventive concepts.
  • Figure 6 is a flow chart of an example of a method of operation of a SSOF in a combined ETSI and 3GPP environment according to some embodiments of the inventive concepts.
  • Figure 7 is an illustration of an example of SSOF orchestration in a combined ETSI and 3GPP environment according to the exemplary method 600 in Figure 6.
  • Figure 8 is an illustration of an example of security services mapping for end-to-end business services according to some embodiments of inventive concepts.
  • Figure 9 is an illustration of an example of a service template-based resource request according to some embodiments of inventive concepts.
  • Figure 10 is an illustration of an example of security setting policy sharing according to some embodiments of inventive concepts.
  • Figure 11 is a flow chart of an example of a method of operation of a SSOF for slicing across communication service providers according to some embodiments of inventive concepts.
  • Figure 12 is an illustration of a SSOF transferring security attributes for slicing across communication service providers according to the exemplary method in Figure 11.
  • inventive concepts described herein use a 3GPP and ETSI virtualized communication system as an example as illustrated in Figure 3. However, the inventive concepts are applicable to any communication system based on network elements and appliances that use virtualization.
  • S-SLA Security service level agreement
  • SSOF Security Service Orchestrator Function
  • Negotiable security attributes can be categorized based on the main security principles: confidentiality, integrity, authentication and authorization, availability, expanded with separate categories for isolation and data sovereignty. Examples of negotiable security attributes categories and examples of exact attributes include:
  • Confidentiality attributes ensure that the service is protected from unwanted information disclosure, e.g., packets/traffic cannot be disclosed outside the service. Different crypto algorithms and strengths for those algorithms can be requested. Examples of confidentiality attributes that can be requested for the services include, e.g., different strengths of the Advanced Encryption Standard (AES): AES-128, AES-192, AES-256, and the Triple Data Encryption Algorithm (TDES).
  • AES Advanced Encryption Standard
  • Integrity attributes ensure that the service integrity can be preserved, e.g., packets/traffic are not tampered with or replaced without being noticed. Different integrity algorithms and strengths for those algorithms can be requested. Examples of integrity attributes that can be requested for the services include, e.g., different strengths of the Secure Hash Algorithms (SHA): SHA-2, SHA-3, SHAKE128, SHAKE256.
  • SHA Secure Hash Algorithms
  • Authentication and authorization attributes ensure that only authorized persons, user accounts and network elements can interact with the service. Different authentication and authorization mechanisms for the service can be requested. Examples of authentication and authorization mechanisms include, e.g., multi-factor authentication for users, strong key-based authentication, Role Based Access Control (RBAC) or Attribute Based Access Control (ABAC).
  • RBAC Role Based Access Control
  • ABAC Attribute Based Access Control
  • Availability attributes ensure that the service and network functions providing the service remain accessible all the time for authorized users. Different availability mechanisms can be requested. Examples of availability mechanisms are extra security functions to be instantiated or activated, e.g., PSF, VSF.
  • Isolation attributes ensure that the service resources are not shared with other network users or services, e.g., the information transferred is isolated from that of other service users. Different isolation mechanisms can be requested.
  • An example of an isolation mechanism is service-specific isolation, ensuring that none of the network resources are shared with other customers.
  • Data sovereignty attributes ensure that the data always stays within specific jurisdictions or data centers. Different data sovereignty mechanisms can be requested.
  • Examples of data sovereignty attributes include, e.g., requesting allocation of network resources only from allowed IP domains, and anonymization and pseudonymization of data if it is not possible to route the data traffic entirely within the specified jurisdictions.
  • A data sovereignty attribute may also indicate that a data object should be dropped if it is moving to a forbidden jurisdiction, or that the data object is split into smaller parts before it can be transferred to another jurisdiction.
  • CSP Interworking attributes ensure that a specific security service level agreement is fulfilled between CSPs.
  • interworking attributes exchanged between communication partners include:
    ◦ IP address of the IPsec gateway (GW) for Network Domain Security/Internet Protocol (NDS/IP) traffic between network security domains (exchanged over Za interfaces).
  • GW IPsec gateway
  • NDS/IP Network Domain Security/Internet Protocol
  • SEPP Security Edge Protection Proxies
  • SA Stand Alone
  • IPX provider e.g. Non-Stand Alone (NSA) deployment for LTE Diameter signaling or non-service-aware general-purpose connectivity for bilateral operator requirements.
  • telecommunication equipment is provided as physical equipment (software and hardware bound together) that is managed by an Operations Support System (OSS) of a Mobile Network Operator (MNO).
  • OSS Operations Support System
  • MNO Mobile Network Operator
  • Virtualization technologies support network function realization by software only, managed by virtualization management and orchestration systems such as the NFV MANO of the owner of the virtual resources.
  • the 3GPP system includes a variety of different entities to deliver mobile services, which can be provided via physical entities, partially virtualized (e.g., via SDN) or completely virtualized entities. All these different entities need to be managed and orchestrated using an integrated 3GPP & ETSI NFV MANO management architecture (Figure 3) to provide new mobile services.
  • the security management and orchestration for mobile services that are realized by mixed resources is not well achieved in practice. These services typically include configuration and monitoring of PNF application specific parameters (3GPP mobile service related), VNF application specific parameters (3GPP mobile service related) and VNF deployment specific parameters (non-3GPP mobile service related) to provide full end-to-end security.
  • PNF application specific parameters 3GPP mobile service related
  • VNF application specific parameters 3GPP mobile service related
  • VNF deployment specific parameters non-3GPP mobile service related
  • FIG 1 is a block diagram of an example of a security service orchestrator 100 and security management module 104 according to some embodiments of inventive concepts.
  • the security service orchestrator 100 includes the SSOF 102.
  • the security service orchestrator 200 is shown as a component of a CSP 103.
  • the security service orchestrator 200 and/or SSOF 202 are a separate component associated with the CSP 103.
  • each CSP includes a SSOF 102.
  • the security management module 104 includes supporting security management functions 106. Examples of operations or functions of the supporting security management functions 106 will be described with reference to Figure 5.
  • the SSOF 102 includes a northbound interface, Nssof reference points 208, used towards enterprises and other PLMNs or CSPs. As illustrated in the example in Figure 1, the SSOF 102 includes a first Nssof reference point 120a configured to interface with other PLMNs (VPLMNs) or other CSPs for negotiating and exchanging information on S-SLA security attributes, and a second Nssof reference point 120b configured to interface with enterprises for negotiating and exchanging information on S-SLA security attributes. The SSOF 102 also includes a southbound reference point 122 for interacting with the supporting security management functions 106.
  • the Nssof reference point 120a includes the Nssof-CSP reference point with interfaces Nssof_S-SLAOrchestrationCSP and Nssof_S-SLAComplianceCSP.
  • the Nssof reference point 120b includes the Nssof-Enterprise reference point with interfaces Nssof_EnterpriseS-SLAOrchestration and Nssof_EnterpriseS-SLACompliance.
  • the SSOF 102 also includes an Os-Ssof reference point 124 and an Sm-Ssof reference point 126 for interacting between 3GPP and NFV architectures, as described in more detail with reference to the example in Figure 3.
  • FIG. 2 is a block diagram of an example of a computing device according to some embodiments of inventive concepts.
  • the CSP 103 includes a computing device 200.
  • the SSOF 102 is embodied on a computing device that is the same as or similar to the computing device 200.
  • the SSOF 102 and the supporting security management function 106 are embodied on the same computing device or separate computing devices that are the same as or similar to the computing device 200.
  • the exemplary computing device 200 in Figure 2 includes minimal components for performing the inventive concepts described herein.
  • the exemplary computing device 200 includes processing circuitry 203, a memory 205 and a network interface circuitry 207.
  • the processing circuitry 203 may control network interface circuitry 207 to transmit communications through network interface circuitry 207 to one or more network nodes of the communications systems in the example in Figure 3 and/or to receive communications through the network interface circuitry 207 from one or more network nodes to perform the inventive concepts described herein.
  • modules may be stored in memory 205, and these modules may provide instructions so that when instructions of a module are executed by processing circuitry 203.
  • the memory 205 coupled with the processing circuitry 203 includes instructions that when executed by the processing circuitry 203 causes the computing device 200 to perform at least some of the functions of the methods described herein.
  • the methods described herein as being performed by the SSOF 102 and the supporting security management functions 106 are embodied in and performed by one or more computing devices that are the same or similar to computing device 200.
  • the SSOF 102 and the supporting security management function 106 are embodied on the same computing device 200 or separate computing devices 200.
  • the exemplary computing device 200 in Figure 2 includes minimal components for performing the inventive concepts described herein. In other examples, the computing device 200 may include other and/or additional components.
  • a mobile network is composed of physical and virtualized network elements.
  • Security service specific aspects for both virtual network functions (VNFs) and physical network functions (PNFs) shall be passed between the 3GPP management system for physical network elements and ETSI-MANO security management for virtualized (VNF) and containerized (CNF) network elements.
  • VNF virtual network functions
  • CNF containerized network elements.
  • OSS Network management systems
  • NFV service parameters constantly change in real-time, in response to traffic variations and these service parameters can also be non-3GPP mobile service related.
  • FIG. 3 is a block diagram illustrating an example of a SSOF 102 incorporated in the management architecture of mobile networks when combining 3GPP and ETSI architectures which include virtualized network functions as defined in 3GPP TS 23.501 v16.4.0; 3GPP TS 33.501 v17.1.0; 3GPP TS 28.530 v15.0.0; 3GPP TS 28.533 v15.0.0; 3GPP TS 28.801 v15.1.0; and ETSI GS NFV-SEC 024, version 0.0.6.
  • the SSOF 102 is the primary security orchestration function communicating between CSPs and other network functions and network entities within a CSP infrastructure supporting security service level agreement negotiation based on the security attributes.
  • the objective of SSOF 102 is to ensure consistency of security policies.
  • the described mechanism can be applied to privacy attributes in similar way.
  • a communication service can be realized by resources deployed in different network domains (e.g., Access Network, Core Network).
  • the SSOF 102 maps the communication service security requirements to security managers in the respective network domains and passes each of them with their domain specific security attributes. For monitoring purposes, the SSOF 102 collects security compliance information from the domains and passes the full view of S-SLA compliance to the enterprises.
  • Figure 4 is a flow chart of an example of a method 400 of operation of a SSOF according to some embodiments of the inventive concepts. In some examples, the method 400 is performed by the SSOF 102 in Figures 1 and 3.
  • the method 400 is implemented by a security service orchestration function (SSOF) in a communication infrastructure, that includes a plurality of communication service providers (CSPs) and a plurality of enterprises, for orchestration of a security service level agreement (S-SLA).
  • SSOF security service orchestration function
  • CSPs communication service providers
  • S-SLA security service level agreement
  • the method 400 is also an example of functionality of the SSOF when applied to 3GPP and ETSI systems as illustrated in Figure 3.
  • the method 400 includes receiving, by a SSOF of a CSP of the plurality of CSPs, a communications service request from an enterprise or another CSP.
  • the communications service request includes one or more requested business services covered by a S-SLA comprising a plurality of business service S-SLA requirements.
  • the method 400 includes converting, by the SSOF, the business service S-SLA requirements to a S-SLA resource request.
  • the method 400 also includes transmitting, by the SSOF, the S-SLA resource request to a Communication Service Management Function (CSMF) of the CSP.
  • CSMF Communication Service Management Function
  • transmitting the S-SLA resource request to the CSMF comprises transmitting the S-SLA resource request using an Os-Ssof reference point.
  • the method 400 includes retrieving physical and virtual resources to provide the one or more requested business services per service template from a Business Support System/Communication Service Management Function (BSS/CSMF) in a communication system of the CSP.
  • BSS/CSMF Business Support System/Communication Service Management Function
  • the method 400 includes mapping a service security capability of the physical and virtual resources per requested business service by the enterprise or the other CSP.
  • the method 400 includes allocating security attributes of the physical and virtual resources per requested business service.
  • the method 400 also includes transmitting instructions to security managers in different BSS/CSMF communication systems how to configure their respective physical and virtual resources to provide the one or more requested business services for compliance of the S-SLA.
  • transmitting the instructions to the security managers in the different BSS/CSMF communication systems includes transmitting instructions to a network security manager in a 3GPP communication system and a network function virtualization (NFV) security manager in an ETSI communication system how to configure their respective physical and virtual resources to provide the one or more requested business services.
  • the instructions are transmitted over a Sm-Ssof reference point to each security manager.
  • the method 400 includes transmitting S-SLA compliance monitoring requests per requested business service to each security manager.
  • the method 400 includes receiving S-SLA compliance monitoring results per requested business service from each security manager.
  • the S-SLA compliance monitoring requests and results are transmitted and received using the Sm-Ssof reference point.
  • the method 400 includes transmitting the S-SLA compliance monitoring results to the enterprise or the other CSP.
  • the S-SLA compliance monitoring results are transmitted to the enterprise or the other CSP using a Nssof reference point.
  • FIG. 5 is a flow chart of an example of a method 500 of operation of a SSOF interacting with support security management functions within the security managers according to some embodiments of inventive concepts.
  • the method 500 is an example of the SSOF 102 interacting with the support security management functions 106 when applied to the 3GPP and ETSI communication networks in the example in Figure 3.
  • the supporting security management functions are provided by the NFV security managers.
  • supporting security management functions are provided by network managers or separate security management solutions.
  • the method 500 includes performing a business service template and required physical and virtual resources query to provide the one or more requested business services.
  • the method 500 includes providing security policy sets per business service delivery.
  • the method 500 includes performing a compliance monitoring query per business service.
  • FIG. 6 is a flow chart of an example of a method 600 of operation of a SSOF in a combined ETSI and 3GPP environment according to some embodiments of the inventive concepts.
  • the method 600 is implemented by a security service orchestration function (SSOF) in a communication infrastructure, that includes a plurality of communication service providers (CSPs) and a plurality of enterprises, for orchestration of a security service level agreement (S-SLA).
  • Figure 7 is an illustration of an example of SSOF orchestration in a combined ETSI and 3GPP environment according to the exemplary method 600 in Figure 6.
  • Figure 7 illustrates an example of the SSOF orchestrating 3GPP network management and ETSI MANO on security execution.
  • the example in Figure 7 illustrates the case where enterprises have requested two different business services where both services require both physical and virtual resources to realize the requested services.
  • the communication service request information is stored in the BSS/CSMF 702. Note that this example illustrates only one network domain for simplicity reasons, but the principle can be applied to multiple network domains in similar manner.
  • the method 600 includes receiving, by a SSOF of a CSP of a plurality of CSPs, a communications service request from an enterprise or another CSP.
  • the communications service request includes one or more requested business services covered by a S-SLA including a plurality of S-SLA requirements.
  • the method 600 includes storing the communications service request information in the BSS/CSMF 702 (Figure 7).
  • the method 600 includes performing a query, by the SSOF, of a plurality of service templates.
  • Each service template is associated with a different communication system deployment.
  • the query is performed to determine types of physical and virtual resources of each communication system deployment, that are needed to provide the one or more requested business services, and to instruct a security manager of each communication system deployment, providing the one or more business services, how to configure security settings for the physical and virtual resources.
  • Each communication system deployment operates based on a different deployment framework.
  • Performing the query of the plurality of service templates associated with the different communication system deployments includes performing the query of each service template for the requested business services from a business support system (BSS) communication system and a communication service management function (CSMF) system over an Os-Ssof reference point.
  • BSS business support system
  • CSMF communication service management function
  • the SSOF queries service templates for the requested services from BSS and CSMF systems over the Os-Ssof reference point to know what type of resources are needed in order to guide the 3GPP network and NFV security managers over the Sm-Ssof reference points to configure proper security settings for those physical and virtual resources that they manage.
  • the same principle applies when there are multiple security managers per domain in both ETSI and 3GPP as illustrated in Figure 3.
  • the method 600 includes instructing the security manager of each communication system deployment over a Sm-Ssof reference point, by the SSOF, to configure proper security settings for the physical and virtual resources of each communication system providing the one or more requested business services for compliance of the S-SLA.
  • instructing the security manager of each communication system deployment comprises instructing a 3GPP network security manager of a 3GPP communication system and a network function virtualization (NFV) security manager of an ETSI communication system to configure the proper security settings for the physical and virtual resources of the 3GPP and ETSI communication systems for providing the one or more business services.
  • NFV network function virtualization
  • the method 600 includes mapping, by the SSOF, a security capability of each physical and virtual resource providing the one or more requested business services to define a correct security attribute setting per business service to fulfill the S-SLA with the enterprise or the other CSP.
  • the method 600 includes, based on the security capability mapping, providing, by the SSOF, security attributes per requested business service to the security manager of each communication system deployment.
  • Providing the security attributes per requested business service to the security manager of each communication system deployment includes providing the security attributes as service specific policy sets using the Os-Ssof reference point.
  • the SSOF makes a service capability mapping to define the correct security attribute settings per service as illustrated in the Figures 8 and 9.
  • Figure 8 is an illustration of an example of security services capability mapping for end-to-end business services according to some embodiments of inventive concepts.
  • Figure 9 is an illustration of an example of a service template-based resource request according to some embodiments of inventive concepts.
  • the end-to-end business service X is offered to both enterprises A and B.
  • the business service X is realized with a Virtual Security Function (VSF), two Virtual Network Functions (VNF 1 and VNF 2) and one Physical Network function (PNF 1).
  • VSF Virtual Security Function
  • VNF 1 and VNF 2 two Virtual Network Functions
  • PNF 1 Physical Network function
  • the end-to-end business service Y for the enterprise B is realized with one Virtual Network Functions (VNF 2), one Physical Network Function (PNF 2) and one Physical Security Function (PSF) in Figure 8.
  • VNF 2 Virtual Network Functions
  • PNF 2 Physical Network Function
  • PSF Physical Security Function
  • the required security attributes for service Y are Confidentiality (C3), Integrity (I2), Authentication (A2) and Isolation (IS1).
  • based on the security capability mapping, the SSOF provides the required security attributes per service (as a service specific policy set) to the 3GPP network security manager (physical resources) and the NFV security manager over the Os-Ssof reference points as illustrated in Figure 10.
  • Figure 10 is an illustration of an example of security setting policy sharing according to some embodiments of inventive concepts.
  • the method 600 includes monitoring, by the SSOF, the security attributes for compliance of the S-SLA.
  • monitoring the security attributes for compliance of the S-SLA includes monitoring the service specific policy sets using the Os-Ssof reference point in regular intervals or on demand to determine compliance with the S-SLA per enterprise or other CSP and per business service.
  • FIG. 11 is a flow chart of an example of a method 1100 of operation of a SSOF for slicing across communication service providers according to some embodiments of inventive concepts.
  • Figure 12 is an illustration of a SSOF transferring security attributes for slicing across communication service providers according to the exemplary method 1100 in Figure 11.
  • the method 1100 is implemented by a security service orchestration function (SSOF) in a communication infrastructure, that includes a plurality of communication service providers (CSPs) and a plurality of enterprises, for orchestration of a security service level agreement (S-SLA).
  • the method 1100 includes receiving, by a SSOF of a first CSP of the plurality of CSPs, a S-SLA request from an enterprise for a business service.
  • the S-SLA request includes a specific level of security attributes that the enterprise requests are fulfilled in roaming situations.
  • the method 1100 includes performing a capability mapping between security attributes in the S-SLA request and a common security baseline capability template of the first CSP.
  • the method 1100 includes implementing, as a result of the capability mapping, the business service as a multi-operator slice instance with virtualized network functions requesting capacity and security capabilities from a second CSP.
  • the method 1100 includes orchestrating, by the SSOF of the first CSP, security attribute enforcement within a network domain of the first CSP.
  • the method 1100 includes requesting, by the SSOF of the first CSP, the business service including specific security capabilities from the second CSP.
  • the method 1100 includes performing compliance monitoring by the SSOF of the first CSP. In block 1112, the method 1100 also includes consolidating, by the SSOF of the first CSP, compliance monitoring results based on information received from a network domain of the first CSP and information received from a SSOF of the second CSP. In some examples, the information received from the network domain of the first CSP is received via a Sm-Ssof reference point and the information received from the SSOF of the second CSP is received via a Nssof reference point.
  • Figure 12 is an example of slicing across operators within the same country applied to a 5G network slicing context.
  • Figure 12 illustrates how security capabilities and attributes are transferred and implemented using the SSOF.
  • the example assumes there has been a service request from an enterprise to CSP A with commonly agreed security attributes for the business service (network slice).
  • the SSOF at CSP A performs capability mapping.
  • based on the capability mapping, CSP A decides to implement the business service as a multi-operator slice instance with virtualized network functions requesting capacity and security capabilities from CSP B.
  • the SSOF of CSP A orchestrates security attribute enforcement within its own network domain.
  • the SSOF of CSP A requests business service with specified security capabilities from CSP B.
  • compliance monitoring results are consolidated by the SSOF of CSP A based on the information it receives from CSP A’s own network domain via Sm-Ssof and based on the information it receives from the SSOF of CSP B.
  • End-to-end compliance for the business service offering, e.g., the network slice, is communicated to the enterprise via the Nssof reference point.
  • the SSOF in CSP A expands the Network Slice Management Function in CSP A to cover CSP B slice parts concerning security attributes and their monitoring.
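As an added illustration (not code from the patent or from Ericsson), the following Python sketches the two SSOF steps just described: the capability mapping and policy-set split of method 600 (Figures 8 to 10) and the compliance consolidation of method 1100 (Figure 12). The per-resource capability levels, the rule assigning physical resources to the 3GPP network security manager and virtual ones to the NFV security manager, the manager labels and the monitoring reports are constructed assumptions.

```python
"""Toy model of SSOF capability mapping, policy-set split and compliance consolidation.

Added example, not the patent's own code. Capability levels, manager labels and
monitoring reports below are constructed for illustration.
"""
from dataclasses import dataclass

# Security attributes used in the patent's Figure 8 example: confidentiality,
# integrity, authentication, isolation. A higher level is a stronger requirement.
ATTRS = ("C", "I", "A", "IS")


@dataclass
class Resource:
    name: str
    kind: str          # "VNF", "VSF", "PNF" or "PSF"
    capability: dict   # assumed maximum level the resource supports per attribute

    @property
    def manager(self) -> str:
        # Assumed split (Figure 10): physical resources are configured by the 3GPP
        # network security manager, virtual ones by the NFV security manager.
        return "3gpp-nsm" if self.kind in ("PNF", "PSF") else "nfv-sm"


def parse_requirement(req: str) -> dict:
    """Parse an S-SLA attribute string such as 'C3 I2 A2 IS1' into {attr: level}."""
    out = {}
    for tok in req.split():
        attr = tok.rstrip("0123456789")
        if attr not in ATTRS or attr == tok:
            raise ValueError(f"bad attribute token {tok!r}")
        out[attr] = int(tok[len(attr):])
    return out


def capability_mapping(template: list, required: dict) -> tuple:
    """Map the required S-SLA levels onto every resource of a service template.

    Returns (settings, gaps): settings is {resource: {attr: level}} and gaps lists
    (resource, attr, supported, required) for every level a resource cannot meet.
    A non-empty gaps list means the S-SLA cannot be fulfilled with this template.
    """
    settings, gaps = {}, []
    for res in template:
        for attr, level in required.items():
            have = res.capability.get(attr, 0)
            if have < level:
                gaps.append((res.name, attr, have, level))
        settings[res.name] = dict(required)
    return settings, gaps


def policy_sets(template: list, settings: dict) -> dict:
    """Split per-resource settings into one service specific policy set per manager."""
    sets = {}
    for res in template:
        sets.setdefault(res.manager, {})[res.name] = settings[res.name]
    return sets


def consolidate(reports: list) -> dict:
    """Consolidate per-source compliance reports into an end-to-end view per service.

    Each report is (source, {service: {attr: bool}}); a source is a security manager
    reached over Sm-Ssof or a partner CSP's SSOF reached over Nssof. A service is
    end-to-end compliant only if every source reports every attribute compliant.
    """
    view = {}
    for source, per_service in reports:
        for service, attrs in per_service.items():
            entry = view.setdefault(service, {"compliant": True, "violations": []})
            for attr, ok in attrs.items():
                if not ok:
                    entry["compliant"] = False
                    entry["violations"].append((source, attr))
    return view


# Constructed sample: service Y of Figure 8, realised with VNF 2, PNF 2 and a PSF.
SERVICE_Y = [
    Resource("VNF 2", "VNF", {"C": 3, "I": 2, "A": 3, "IS": 2}),
    Resource("PNF 2", "PNF", {"C": 3, "I": 3, "A": 2, "IS": 1}),
    Resource("PSF", "PSF", {"C": 3, "I": 2, "A": 2, "IS": 1}),
]
REQ_Y = "C3 I2 A2 IS1"   # attribute levels the patent lists for service Y

# Constructed monitoring results: CSP A's own managers over Sm-Ssof, CSP B over Nssof.
REPORTS = [
    ("CSP-A/nfv-sm", {"Y": {"C": True, "I": True, "A": True, "IS": True}}),
    ("CSP-A/3gpp-nsm", {"Y": {"C": True, "I": True, "A": True, "IS": True}}),
    ("CSP-B/ssof", {"Y": {"C": True, "I": False, "A": True, "IS": True}}),
]

if __name__ == "__main__":
    settings, gaps = capability_mapping(SERVICE_Y, parse_requirement(REQ_Y))
    print("gaps:", gaps)
    print("policy sets:", policy_sets(SERVICE_Y, settings))
    print("end-to-end view:", consolidate(REPORTS))
```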
  • a method implemented by a security service orchestration function (SSOF) in a communication infrastructure that includes a plurality of communication service providers (CSPs) and a plurality of enterprises, for orchestration of a security service level agreement (S-SLA), the method comprising: receiving, by a SSOF of a CSP of the plurality of CSPs, a communications service request from an enterprise or another CSP, wherein the communications service request comprises one or more requested business services covered by a S-SLA comprising a plurality of business service S-SLA requirements; converting, by the SSOF, the business service S-SLA requirements to a S-SLA resource request; transmitting, by the SSOF, the S-SLA resource request to a Communication Service Management Function (CSMF) of the CSP; and retrieving physical and virtual resources to provide the one or more requested business services per service template from a Business Support System/Communication Service Management Function (BSS/CSMF) in a communication system of the CSP.
  • transmitting the S-SLA resource request to the CSMF comprises transmitting the S-SLA resource request using an Os-Ssof reference point.
  • transmitting the instructions to the security managers in the different BSS/CSMF communication systems comprises transmitting instructions to a network security manager in a 3GPP communication system and a network function virtualization (NFV) security manager in an ETSI communication system how to configure their respective physical and virtual resources to provide the one or more requested business services, wherein the instructions are transmitted over a Sm-Ssof reference point to each security manager.
  • a computing device (200) comprising: processing circuitry (203); and memory (205) coupled with the processing circuitry, wherein the memory includes instructions that when executed by the processing circuitry cause the computing device to, receive, by a SSOF of a CSP, a communications service request from an enterprise or another CSP, wherein the communications service request comprises one or more requested business services covered by a S-SLA comprising a plurality of S-SLA requirements; convert, by the SSOF, the business service S-SLA requirements to a S-SLA resource request; transmit, by the SSOF, the S-SLA resource request to a Communication Service Management Function (CSMF) of the CSP; and retrieve physical and virtual resources to provide the one or more requested business services per service template from a Business Support System/Communication Service Management Function (BSS/CSMF) in a communication system of the CSP.
  • a computing device (200) adapted to: receive, by a SSOF of a CSP, a communications service request from an enterprise or another CSP, wherein the communications service request comprises one or more requested business services covered by a S-SLA comprising a plurality of S-SLA requirements; convert, by the SSOF, the business service S-SLA requirements to a S-SLA resource request; transmit, by the SSOF, the S-SLA resource request to a Communication Service Management Function (CSMF) of the CSP; and retrieve physical and virtual resources to provide the one or more requested business services per service template from a Business Support System/Communication Service Management Function (BSS/CSMF) in a communication system of the CSP.
  • the computing device of embodiment 12 further adapted to perform according to any of embodiments 2-10.
  • a computer program comprising program code to be executed by processing circuitry (203) of a computing device (200), whereby execution of the program code causes the computing device (200) to perform operations according to any of embodiments 1-10.
  • a computer program product comprising a non-transitory storage medium including program code to be executed by processing circuitry (203) of a computing device (200), whereby execution of the program code causes the computing device (200) to perform operations according to any of embodiments 1-10.
  • a method implemented by a security service orchestration function (SSOF) in a communication infrastructure that includes a plurality of communication service providers (CSPs) and a plurality of enterprises, for orchestration of a security service level agreement (S-SLA), the method comprising: receiving, by a SSOF of a CSP of the plurality of CSPs, a communications service request from an enterprise or another CSP, wherein the communications service request comprises one or more requested business services covered by a S-SLA comprising a plurality of S-SLA requirements; performing a query, by the SSOF, of a plurality of service templates, wherein each service template is associated with a different communication system deployment, and wherein the query is performed to determine types of physical and virtual resources of each communication system deployment, that are needed to provide the one or more requested business services, and instruct a security manager of each communication system deployment, providing the one or more business services, how to configure security settings for the physical and virtual resources, wherein each communication system deployment operates based on a different deployment framework; mapping,
  • performing the query of the plurality of service templates associated with the different communication system deployments comprises performing the query of each service template for the requested business services from a business support system (BSS) communication system and a communication service management function (CSMF) system over an Os-Ssof reference point.
  • instructing the security manager of each communication system deployment comprises instructing a 3GPP network security manager of a 3GPP communication system and a network function virtualization (NFV) security manager of an ETSI communication system to configure the proper security settings for the physical and virtual resources of the 3GPP and ETSI communication systems for providing the one or more business services.
  • monitoring the security attributes for compliance of the S-SLA comprises monitoring the service specific policy sets using the Os-Ssof reference point in regular intervals or on demand to determine compliance with the S-SLA per enterprise or other CSP and per business service.
  • a computing device (200) comprising: processing circuitry (203); and memory (205) coupled with the processing circuitry, wherein the memory includes instructions that when executed by the processing circuitry cause the computing device to, receive, by a SSOF of a CSP, a communications service request from an enterprise or another CSP, wherein the communications service request comprises one or more requested business services covered by a S-SLA comprising a plurality of S-SLA requirements; perform a query, by the SSOF, of a plurality of service templates, wherein each service template is associated with a different communication system deployment, and wherein the query is performed to determine types of physical and virtual resources of each communication system deployment, that are needed to provide the one or more requested business services, and instruct a security manager of each communication system deployment, providing the one or more business services, how to configure security settings for the physical and virtual resources, wherein each communication system deployment operates based on a different deployment framework; map, by the SSOF, a security capability of each physical and virtual resource providing the one or more requested business services to define
  • a computing device (200) adapted to: receive, by a SSOF of a CSP, a communications service request from an enterprise or another CSP, wherein the communications service request comprises one or more requested business services covered by a S-SLA comprising a plurality of S-SLA requirements; perform a query, by the SSOF, of a plurality of service templates, wherein each service template is associated with a different communication system deployment, and wherein the query is performed to determine types of physical and virtual resources of each communication system deployment, that are needed to provide the one or more requested business services, and instruct a security manager of each communication system deployment, providing the one or more business services, how to configure security settings for the physical and virtual resources, wherein each communication system deployment operates based on a different deployment framework; map, by the SSOF, a security capability of each physical and virtual resource providing the one or more requested business services to define a correct security attribute setting per service to fulfill the S-SLA with the enterprise or the other CSP; based on the security capability mapping, provide, by the SSO
  • the computing device of embodiment 25 further adapted to perform according to any of embodiments 18-22.
  • a computer program comprising program code to be executed by processing circuitry (203) of a computing device (200), whereby execution of the program code causes the computing device (200) to perform operations according to any of embodiments 17-22.
  • a computer program product comprising a non-transitory storage medium including program code to be executed by processing circuitry (203) of a computing device (200), whereby execution of the program code causes the computing device (200) to perform operations according to any of embodiments 17-22.
  • a method implemented by a security service orchestration function (SSOF) in a communication infrastructure that includes a plurality of communication service providers (CSPs) and a plurality of enterprises, for orchestration of a security service level agreement (S-SLA), the method comprising: receiving, by a SSOF of a first CSP of the plurality of CSPs, a S-SLA request from an enterprise for a business service, wherein the S-SLA request comprises a specific level of security attributes that the enterprise requests are fulfilled in roaming situations; performing a capability mapping between security attributes in the S-SLA request and a common security baseline capability template of the first CSP; implementing, as a result of the capability mapping, the business service as a multi-operator slice instance with virtualized network functions requesting capacity and security capabilities from a second CSP; and requesting, by the SSOF of the first CSP, the business service comprising specific security capabilities from the second CSP.
  • a computing device (200) comprising: processing circuitry (203); and memory (205) coupled with the processing circuitry, wherein the memory includes instructions that when executed by the processing circuitry cause the computing device to, receive, by a SSOF of a first CSP of a plurality of CSPs, a S-SLA request from an enterprise for a business service, wherein the S-SLA request comprises a specific level of security attributes that the enterprise requests are fulfilled in roaming situations; perform a capability mapping between security attributes in the S-SLA request and a common security baseline capability template of the first CSP; implement, as a result of the capability mapping, the business service as a multi-operator slice instance with virtualized network functions requesting capacity and security capabilities from a second CSP; and request, by the SSOF of the first CSP, the business service comprising specific security capabilities from the second CSP.
  • a computing device (200) adapted to: receive, by a SSOF of a first CSP of a plurality of CSPs, a S-SLA request from an enterprise for a business service, wherein the S-SLA request comprises a specific level of security attributes that the enterprise requests are fulfilled in roaming situations; perform a capability mapping between security attributes in the S-SLA request and a common security baseline capability template of the first CSP; implement, as a result of the capability mapping, the business service as a multi-operator slice instance with virtualized network functions requesting capacity and security capabilities from a second CSP; and request, by the SSOF of the first CSP, the business service comprising specific security capabilities from the second CSP.
  • a computer program comprising program code to be executed by processing circuitry (203) of a computing device (200), whereby execution of the program code causes the computing device (200) to perform operations according to any of embodiments 29-33.
  • a computer program product comprising a non-transitory storage medium including program code to be executed by processing circuitry (203) of a computing device (200), whereby execution of the program code causes the computing device (200) to perform operations according to any of embodiments 29-33.
  • the Security Service Orchestrator Function described herein provides one or more of the following features:
  • any appropriate steps, methods, features, functions, or benefits disclosed herein may be performed through one or more functional units or modules of one or more virtual apparatuses.
  • Each virtual apparatus may comprise a number of these functional units.
  • These functional units may be implemented via processing circuitry, which may include one or more microprocessors or microcontrollers, as well as other digital hardware, which may include digital signal processors (DSPs), special-purpose digital logic, and the like.
  • the processing circuitry may be configured to execute program code stored in memory, which may include one or several types of memory such as read-only memory (ROM), random-access memory (RAM), cache memory, flash memory devices, optical storage devices, etc.
  • Program code stored in memory includes program instructions for executing one or more telecommunications and/or data communications protocols as well as instructions for carrying out one or more of the techniques described herein.
  • the processing circuitry may be used to cause the respective functional unit to perform corresponding functions according to one or more embodiments of the present disclosure.
  • the term unit may have its conventional meaning in the field of electronics, electrical devices and/or electronic devices and may include, for example, electrical and/or electronic circuitry, devices, modules, processors, memories, logic, solid state and/or discrete devices, computer programs or instructions for carrying out respective tasks, procedures, computations, outputs, and/or displaying functions, and so on, such as those that are described herein.
  • the terms “comprise”, “comprising”, “comprises”, “include”, “including”, “includes”, “have”, “has”, “having”, or variants thereof are open-ended, and include one or more stated features, integers, elements, steps, components or functions but do not preclude the presence or addition of one or more other features, integers, elements, steps, components, functions or groups thereof.
  • the common abbreviation “e.g.,” which derives from the Latin phrase “exempli gratia,” may be used to introduce or specify a general example or examples of a previously mentioned item, and is not intended to be limiting of such item.
  • the common abbreviation “i.e.,”, which derives from the Latin phrase “id est,” may be used to specify a particular item from a more general recitation.
  • Example embodiments are described herein with reference to block diagrams and/or flowchart illustrations of computer-implemented methods, apparatus (systems and/or devices) and/or computer program products. It is understood that a block of the block diagrams and/or flowchart illustrations, and combinations of blocks in the block diagrams and/or flowchart illustrations, can be implemented by computer program instructions that are performed by one or more computer circuits.
  • These computer program instructions may be provided to a processor circuit of a general purpose computer circuit, special purpose computer circuit, and/or other programmable data processing circuit to produce a machine, such that the instructions, which execute via the processor of the computer and/or other programmable data processing apparatus, transform and control transistors, values stored in memory locations, and other hardware components within such circuitry to implement the functions/acts specified in the block diagrams and/or flowchart block or blocks, and thereby create means (functionality) and/or structure for implementing the functions/acts specified in the block diagrams and/or flowchart block(s).

Abstract

A method is implemented by a security service orchestration function (SSOF) in a communication infrastructure that includes a plurality of communication service providers (CSPs) and a plurality of enterprises, for orchestration of a security service level agreement (S-SLA). The method includes receiving, by the SSOF, a communications service request from an enterprise or another CSP. The communications service request includes one or more requested business services covered by a S-SLA including a plurality of business service S-SLA requirements. The method also includes converting the business service S-SLA requirements to a S-SLA resource request. The method also includes transmitting the S-SLA resource request to a Communication Service Management Function (CSMF) of the CSP. The method further includes retrieving physical and virtual resources to provide the one or more requested business services from a Business Support System/Communication Service Management Function (BSS/CSMF) in a communication system of the CSP.

Description

SECURITY SERVICE ORCHESTRATION FUNCTION INTERACTION BETWEEN TELECOMMUNICATIONS NETWORKS BASED ON DIFFERENT DEPLOYMENT FRAMEWORKS
TECHNICAL FIELD
The present disclosure relates generally to security orchestration and management communications, and more particularly to methods and devices for a security service orchestration function interaction between telecommunications networks based on different deployment standards.
BACKGROUND
Current 3rd Generation Partnership Project (3GPP) System architecture for the 5th Generation (5G) system, 3GPP TS 23.501, defines support for data connectivity and services enabling deployments to use techniques such as, e.g., Network Function Virtualization (NFV) and Software Defined Networking (SDN). The 5G architecture is defined as service-based interactions between network functions. 3GPP security architecture and procedures for a 5G system, 3GPP TS 33.501, specifies the security features and the security mechanisms for the 5G System and the 5G Core, and the security procedures performed within the 5G System.
Management and orchestration concepts and principles are described in several 3GPP specifications, e.g., TS 28.530, TS 28.533 and TS 28.801. However, security orchestration and management are left outside the scope of 3GPP TS 23.501, TS 33.501, TS 28.520, TS 28.533, and TS 28.801. 3GPP standardization does not deal with security concerns related to the deployment, configuration, or continuous operation of the technology. Secure orchestration and management of virtualization and general forms of security management (e.g., monitoring) are fundamental for 5G and beyond to operate robustly. Since there are no specifications for security management and orchestration interfaces in 3GPP, vendor-specific, non-standard interfaces may appear, which makes interoperability difficult, unstable, risky, and costly.
3GPP TS 28.801 describes, in its chapter 7.3, the principles for how an enterprise can make a service request with commonly agreed service types and attributes for service provisioning automation. The technical specification (TS) describes how an enterprise can identify available business service types and the respective attribute values to be specified for the service, and notes that finalizing the request may involve several steps of negotiation. It explains that the network management systems at an operator should have the capability to assess the types of services the operator can offer, knowing the network infrastructure capabilities, and to make that information available to the service management functionality. The TS explains that there may be several levels of service type categorization, where each higher-level service category may have multiple sub-categories to cover the numerous possible customer service types. The TS does not specify security attributes as part of the sub-categories, nor does it specify how enterprises could include security attributes in their service request.
In the new ETSI work item, ETSI NFV-SEC 024 draft, version 0.0.6, some NFV security management aspects are considered. However, the specification is still in a very early phase and only provides some high-level architectural principles for NFV Management and Network Orchestration (MANO) and NFV Security Manager interworking.
Communication service providers (CSPs) are facing an increasing number of security and privacy threats against their infrastructure, the data they process and their services. Without visibility into the security posture and protective measures provided to them by other CSPs, it is difficult to judge in a reliable and repeatable manner whether their security objectives on security service levels are met and whether additional mitigation of security risks is needed. Without visibility into the security posture, it is also difficult for communication service providers to commit and report to their enterprise customers whether they meet the security objectives for the business services the enterprises have purchased.
The following related issues can be identified particularly with the current 3GPP and NFV specifications:
1. ETSI NFV MANO describes how to manage virtual functions, but it does not know for which purpose it performs the management as it is not aware of service, security, and/or roaming context.
2. There is no mechanism for network MANO to get information and understanding of security requirements for virtual resources it should instantiate, and how to orchestrate and life-cycle manage those virtual resources from security perspective.
3. 3GPP describes network service requirements that will be realized in physical and/or virtual functions, but there is no standardized way to communicate security service requirements based on an Enterprise Security Service Level Agreement (S-SLA) to the ETSI NFV MANO side.
4. ETSI NFV MANO or 3GPP management systems are not able to perform end-to-end security orchestration and management when they co-exist to execute fulfillment of security SLAs for the different enterprises and network services.
5. Specifications do not describe, and no standardized mechanisms exist for, how to dynamically receive security requirements from enterprises and/or VPLMNs and provide these services via physical functions, virtual functions or both.
6. There are no security service categories or security attributes specified in 3GPP or ETSI for network services.
7. There is no mechanism standardized in 3GPP or ETSI for mapping the requested security capabilities to the network resources’ capabilities in order to instruct multiple (physical and virtual) security managers to configure the security configurations of network resources accordingly.
8. Security SLAs are not visible to the CSPs’/MNOs’ communication service and network management & orchestration systems or to ETSI NFV MANO. The management systems do not know which security attributes are service-specific, nor which party is responsible for their orchestration, configuration, management, and monitoring.
9. Specifications do not describe, and no other standardized mechanisms exist for, how to report compliance with the requested security requirements back to enterprises and/or a Visited Public Land Mobile Network (VPLMN).
SUMMARY
According to some embodiments of inventive concepts, a security service orchestration function (SSOF) provides capabilities for security orchestration for 3GPP and ETSI virtualized communication systems in a standardized manner. The SSOF applies the NFVI architecture to a 3GPP 5G SBA implementation in a telecom operator context. It proposes a way to orchestrate security capabilities and security attributes between NFV MANO and 3GPP 5G SBA, enabling interworking between different standards or deployment frameworks.
According to some embodiments of inventive concepts, a method is implemented by a security service orchestration function (SSOF) in a communications infrastructure that includes a plurality of communication service providers (CSPs) and a plurality of enterprises, for orchestration of a security service level agreement (S-SLA). The method includes receiving, by a SSOF of a CSP of the plurality of CSPs, a communications service request from an enterprise or another CSP. The communications service request includes one or more requested business services covered by a S-SLA including a plurality of business service S-SLA requirements. The method also includes converting, by the SSOF, the business service S-SLA requirements to a S-SLA resource request. The method additionally includes transmitting, by the SSOF, the S-SLA resource request to a Communication Service Management Function (CSMF) of the CSP. The method further includes retrieving physical and virtual resources to provide the one or more requested business services per service template from a Business Support System/Communication Service Management Function (BSS/CSMF) in a communication system of the CSP.
According to some embodiments of inventive concepts, a computing device includes processing circuitry and a memory coupled with the processing circuitry. The memory includes instructions that, when executed by the processing circuitry, cause the computing device to receive, by a SSOF of a CSP, a communications service request from an enterprise or another CSP. The communications service request includes one or more requested business services covered by a S-SLA comprising a plurality of S-SLA requirements. The memory also includes instructions that, when executed by the processing circuitry, cause the computing device to convert, by the SSOF, the business service S-SLA requirements to a S-SLA resource request. The memory also includes instructions that, when executed by the processing circuitry, cause the computing device to transmit, by the SSOF, the S-SLA resource request to a Communication Service Management Function (CSMF) of the CSP. The memory further includes instructions that, when executed by the processing circuitry, cause the computing device to retrieve physical and virtual resources to provide the one or more requested business services per service template from a Business Support System/Communication Service Management Function (BSS/CSMF) in a communication system of the CSP.
According to some embodiments of inventive concepts, a computing device is adapted to receive, by a SSOF of a CSP, a communications service request from an enterprise or another CSP. The communications service request includes one or more requested business services covered by a S-SLA comprising a plurality of S-SLA requirements. The computing device is also adapted to convert, by the SSOF, the business service S-SLA requirements to a S-SLA resource request. The computing device is also adapted to transmit, by the SSOF, the S-SLA resource request to a Communication Service Management Function (CSMF) of the CSP. The computing device is further adapted to retrieve physical and virtual resources to provide the one or more requested business services per service template from a Business Support System/Communication Service Management Function (BSS/CSMF) in a communication system of the CSP.
According to some embodiments of inventive concepts, a method is implemented by a security service orchestration function (SSOF) in a communication infrastructure that includes a plurality of communication service providers (CSPs) and a plurality of enterprises, for orchestration of a security service level agreement (S-SLA). The method includes receiving, by a SSOF of a CSP of the plurality of CSPs, a communications service request from an enterprise or another CSP. The communications service request includes one or more requested business services covered by a S-SLA comprising a plurality of S-SLA requirements. The method also includes performing a query, by the SSOF, of a plurality of service templates. Each service template is associated with a different communication system deployment. The query is performed to determine the types of physical and virtual resources of each communication system deployment that are needed to provide the one or more requested business services, and to instruct a security manager of each communication system deployment providing the one or more business services how to configure security settings for the physical and virtual resources. Each communication system deployment operates based on a different deployment framework. The method also includes mapping, by the SSOF, a security capability of each physical and virtual resource providing the one or more requested business services to define a correct security attribute setting per business service to fulfill the S-SLA with the enterprise or the other CSP. The method also includes, based on the security capability mapping, providing, by the SSOF, security attributes per requested business service to the security manager of each communication system deployment. The method further includes monitoring, by the SSOF, the security attributes for compliance with the S-SLA.
According to some embodiments of inventive concepts, a computing device includes processing circuitry and a memory coupled with the processing circuitry. The memory includes instructions that, when executed by the processing circuitry, cause the computing device to receive, by a SSOF of a CSP, a communications service request from an enterprise or another CSP. The communications service request includes one or more requested business services covered by a S-SLA including a plurality of S-SLA requirements. The memory also includes instructions that, when executed by the processing circuitry, cause the computing device to perform a query, by the SSOF, of a plurality of service templates. Each service template is associated with a different communication system deployment. The query is performed to determine the types of physical and virtual resources of each communication system deployment that are needed to provide the one or more requested business services, and to instruct a security manager of each communication system deployment providing the one or more business services how to configure security settings for the physical and virtual resources. Each communication system deployment operates based on a different deployment framework. The memory also includes instructions that, when executed by the processing circuitry, cause the computing device to map, by the SSOF, a security capability of each physical and virtual resource providing the one or more requested business services to define a correct security attribute setting per service to fulfill the S-SLA with the enterprise or the other CSP. The memory also includes instructions that, when executed by the processing circuitry, cause the computing device to, based on the security capability mapping, provide, by the SSOF, security attributes per requested business service to the security manager of each communication system deployment. The memory further includes instructions that, when executed by the processing circuitry, cause the computing device to monitor, by the SSOF, the security attributes for compliance with the S-SLA.
According to some embodiments of inventive concepts, a computing device is adapted to receive, by a SSOF of a CSP, a communications service request from an enterprise or another CSP. The communications service request includes one or more requested business services covered by a S-SLA including a plurality of S-SLA requirements. The computing device is also adapted to perform a query, by the SSOF, of a plurality of service templates. Each service template is associated with a different communication system deployment. The query is performed to determine the types of physical and virtual resources of each communication system deployment that are needed to provide the one or more requested business services, and to instruct a security manager of each communication system deployment providing the one or more business services how to configure security settings for the physical and virtual resources. Each communication system deployment operates based on a different deployment framework. The computing device is also adapted to map, by the SSOF, a security capability of each physical and virtual resource providing the one or more requested business services to define a correct security attribute setting per service to fulfill the S-SLA with the enterprise or the other CSP. The computing device is also adapted to, based on the security capability mapping, provide, by the SSOF, security attributes per requested business service to the security manager of each communication system deployment. The computing device is further adapted to monitor, by the SSOF, the security attributes for compliance with the S-SLA.
According to some embodiments of inventive concepts, a method is implemented by a security service orchestration function (SSOF) in a communication infrastructure that includes a plurality of communication service providers (CSPs) and a plurality of enterprises, for orchestration of a security service level agreement (S-SLA). The method includes receiving, by a SSOF of a first CSP of the plurality of CSPs, a S-SLA request from an enterprise for a business service, wherein the S-SLA request includes a specific level of security attributes that the enterprise requests are fulfilled in roaming situations. The method also includes performing a capability mapping between the security attributes in the S-SLA request and a common security baseline capability template of the first CSP. The method also includes implementing, as a result of the capability mapping, the business service as a multi-operator slice instance with virtualized network functions requesting capacity and security capabilities from a second CSP. The method further includes requesting, by the SSOF of the first CSP, the business service including specific security capabilities from the second CSP.
According to some embodiments of inventive concepts, a computing device includes processing circuitry and a memory coupled with the processing circuitry. The memory includes instructions that, when executed by the processing circuitry, cause the computing device to receive, by a SSOF of a first CSP of a plurality of CSPs, a S-SLA request from an enterprise for a business service. The S-SLA request includes a specific level of security attributes that the enterprise requests are fulfilled in roaming situations. The memory also includes instructions that, when executed by the processing circuitry, cause the computing device to perform a capability mapping between the security attributes in the S-SLA request and a common security baseline capability template of the first CSP. The memory also includes instructions that, when executed by the processing circuitry, cause the computing device to implement, as a result of the capability mapping, the business service as a multi-operator slice instance with virtualized network functions requesting capacity and security capabilities from a second CSP. The memory further includes instructions that, when executed by the processing circuitry, cause the computing device to request, by the SSOF of the first CSP, the business service comprising specific security capabilities from the second CSP.
According to some embodiments of inventive concepts, a computing device is adapted to receive, by a SSOF of a first CSP of a plurality of CSPs, a S-SLA request from an enterprise for a business service. The S-SLA request includes a specific level of security attributes that the enterprise requests are fulfilled in roaming situations. The computing device is also adapted to perform a capability mapping between the security attributes in the S-SLA request and a common security baseline capability template of the first CSP. The computing device is also adapted to implement, as a result of the capability mapping, the business service as a multi-operator slice instance with virtualized network functions requesting capacity and security capabilities from a second CSP. The computing device is further adapted to request, by the SSOF of the first CSP, the business service comprising specific security capabilities from the second CSP.
Certain embodiments may provide one or more of the following advantages:
• Ability to centrally orchestrate security capabilities and features in 3GPP and ETSI virtualized communication systems for various network functions, network entities and services independent of their type (e.g., 3GPP, ETSI).
• Ability to collect, share and expose security SLA information with other network functions.
• Ability to apply SSOF to a business service context or other mobile network service context that consumes different types of MNO physical and virtual resources.
• Ability to request and enforce common and consistent security categories and security attributes for 3GPP and ETSI virtualized communication systems and future generation networks in a coordinated way.
• Ability to map requested security capabilities to the network resources’ capabilities in order to instruct multiple network (physical and virtual) security managers to configure security configurations of network resources accordingly.
• Separation and isolation of security orchestration from service orchestration contributes to defense in depth principles, separation of duties and latest progress visible in draft specifications.
• Provides standardized interfaces and reference points for security service orchestration for network services and underlying network functions.
All the above advantages are applicable to 3GPP and ETSI virtualized communication systems in general. The proposed solution is applicable to privacy-related orchestration in a similar way as to security orchestration.
BRIEF DESCRIPTION OF THE DRAWINGS
The accompanying drawings, which are included to provide a further understanding of the disclosure and are incorporated in and constitute a part of this application, illustrate certain non-limiting embodiments of inventive concepts. In the drawings:
Figure 1 is a block diagram of an example of a security service orchestrator and security management module according to some embodiments of inventive concepts.
Figure 2 is a block diagram of an example of a computing device according to some embodiments of inventive concepts.
Figure 3 is a block diagram illustrating an example of a security service orchestration function (SSOF) incorporated in the management architecture of mobile networks when combining 3GPP and ETSI architectures according to some embodiments of inventive concepts.
Figure 4 is a flow chart of an example of a method of operation of a SSOF according to some embodiments of the inventive concepts.
Figure 5 is a flow chart of an example of a method of operation of a SSOF interacting with support security management functions according to some embodiments of inventive concepts.
Figure 6 is a flow chart of an example of a method of operation of a SSOF in a combined ETSI and 3GPP environment according to some embodiments of the inventive concepts.
Figure 7 is an illustration of an example of SSOF orchestration in a combined ETSI and 3GPP environment according to the exemplary method 600 in Figure 6.
Figure 8 is an illustration of an example of security services mapping for end-to-end business services according to some embodiments of inventive concepts.
Figure 9 is an illustration of an example of a service template-based resource request according to some embodiments of inventive concepts.
Figure 10 is an illustration of an example of security setting policy sharing according to some embodiments of inventive concepts.
Figure 11 is a flow chart of an example of a method of operation of a SSOF for slicing across communication service providers according to some embodiments of inventive concepts.
Figure 12 is an illustration of a SSOF transferring security attributes for slicing across communication service providers according to the exemplary method in Figure 11.
DETAILED DESCRIPTION
Inventive concepts will now be described more fully hereinafter with reference to the accompanying drawings, in which examples of embodiments of inventive concepts are shown. Inventive concepts may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of present inventive concepts to those skilled in the art. It should also be noted that these embodiments are not mutually exclusive. Components from one embodiment may be tacitly assumed to be present/used in another embodiment.
The following description presents various embodiments of the disclosed subject matter. These embodiments are presented as teaching examples and are not to be construed as limiting the scope of the disclosed subject matter. For example, certain details of the described embodiments may be modified, omitted, or expanded upon without departing from the scope of the described subject matter.
The embodiments of inventive concepts described herein use a 3GPP and ETSI virtualized communication system as an example as illustrated in Figure 3. However, the inventive concepts are applicable to any communication system based on network elements and appliances that use virtualization.
Security service level agreement (S-SLA) enablement and enforcement in 3GPP and ETSI virtualized communication systems is implemented as the Security Service Orchestrator Function (SSOF) 102 in Figure 1. The SSOF 102 provides a mechanism to orchestrate security capabilities and security attributes between NFV MANO and 3GPP 5G SBA, enabling interworking between different standards.
Negotiable security attributes can be categorized based on the main security principles (confidentiality, integrity, authentication and authorization, and availability), expanded with separate categories for isolation and data sovereignty. Examples of negotiable security attribute categories, with examples of specific attributes, include:
• Confidentiality attributes (C) ensure that the service is protected from unwanted information disclosure, e.g., packets/traffic cannot be disclosed outside the service. Different crypto algorithms and strengths for those algorithms can be requested. Examples of confidentiality attributes that can be requested for the services include, e.g., different strengths of the Advanced Encryption Standard (AES): AES-128, AES-192, AES-256, and the Triple Data Encryption Algorithm (TDES).
• Integrity attributes (I) ensure that the service integrity can be preserved, e.g., packets/traffic are not tampered with or replaced without it being noticed. Different integrity algorithms and strengths for those algorithms can be requested. Examples of integrity attributes that can be requested for the services include, e.g., different strengths of the Secure Hash Algorithms (SHA): SHA-2, SHA-3, SHAKE128, SHAKE256.
• Authentication and authorization attributes (AA) ensure that only authorized persons, user accounts and network elements can interact with the service. Different authentication and authorization mechanisms for the service can be requested. Examples of authentication and authorization mechanisms include, e.g., multi-factor authentication for users, strong key-based authentication, Role Based Access Control (RBAC) or Attribute Based Access Control (ABAC).
• Availability attributes (A) ensure that the service and the network functions providing the service remain accessible at all times for authorized users. Different availability mechanisms can be requested. Examples of availability mechanisms are extra security functions to be instantiated or activated, e.g., PSF, VSF.
• Isolation attributes (IS) ensure that the service resources are not shared with other network users or services, e.g., information transferred is isolated from that of other service users. Different isolation mechanisms can be requested. An example of an isolation mechanism is service-specific isolation to ensure that none of the network resources are shared with other customers.
• Data sovereignty attributes (DS) ensure that the data always stays within specific jurisdictions or data centers. Different data sovereignty mechanisms can be requested. Examples of data sovereignty attributes include, e.g., requesting allocation of network resources only from allowed IP domains, and anonymization and pseudonymization of data if it is not possible to route the data traffic entirely within the specified jurisdictions. A data sovereignty attribute may also indicate that a data object should be dropped if the data object is moving to a forbidden jurisdiction, or that, before the data object can be transferred to another jurisdiction, the data object is split into smaller parts.
• CSP Interworking attributes ensure that a specific security service level agreement is fulfilled between CSPs. Examples of interworking attributes exchanged between communication partners include:
  o IP address of the IPsec gateway (GW) for Network Domain Security/Internet Protocol (NDS/IP) traffic between network security domains (exchanged over Za interfaces).
  o Security parameters for the N32 interface between the Security Edge Protection Proxies (SEPPs) of a VPLMN and a HPLMN in a roaming scenario when a Stand Alone (SA) deployment is used.
  o IP address of the IPX provider in case of data roaming and signaling, e.g., a Non-Stand Alone (NSA) deployment for LTE Diameter signaling, or non-service-aware general-purpose connectivity for bilateral operator requirements.
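As an added worked example (not part of the patent or the applicant's code), the following Python models the attribute categories above together with the SSOF steps described in the Summary: mapping an enterprise S-SLA request against a CSP's common security baseline capability template, requesting from a second CSP what the home baseline cannot cover (the roaming/multi-operator case), and checking reported settings for compliance with the S-SLA. The attribute value names, the template format, the sample data and the rule that uncovered values are requested from the partner CSP are assumptions of this example.

```python
"""Added example (not from the patent): S-SLA capability mapping in an SSOF.

Models the attribute categories listed above (C, I, AA, A, IS, DS), the
mapping of an enterprise S-SLA request against a CSP's common security
baseline capability template, the roaming case where the home CSP requests
capabilities its baseline lacks from a second CSP, and the compliance check
of reported settings.  Value names, template format and the "gaps go to the
partner CSP" rule are assumptions of this example.
"""
from dataclasses import dataclass

CATEGORIES = ("C", "I", "AA", "A", "IS", "DS")  # categories from the description


@dataclass(frozen=True)
class SSLARequest:
    """Enterprise S-SLA request: requested attribute values per category."""
    enterprise: str
    attributes: dict  # category -> frozenset of requested values


@dataclass(frozen=True)
class BaselineTemplate:
    """A CSP's security baseline capability template (assumed format): the
    attribute values its physical/virtual resources can be configured with."""
    csp: str
    capabilities: dict  # category -> frozenset of supported values


def map_capabilities(req, template):
    """Capability mapping: per category, split the requested values into
    those the template fulfils and those that remain gaps."""
    unknown = set(req.attributes) - set(CATEGORIES)
    if unknown:
        raise ValueError(f"unknown attribute categories: {sorted(unknown)}")
    fulfilled, gaps = {}, {}
    for cat, wanted in req.attributes.items():
        have = template.capabilities.get(cat, frozenset())
        if wanted & have:
            fulfilled[cat] = wanted & have
        if wanted - have:
            gaps[cat] = wanted - have
    return fulfilled, gaps


def orchestrate(req, home, partners):
    """Multi-operator case: the home SSOF fulfils what its baseline covers and
    requests the remaining capabilities from partner CSPs.  Returns the
    settings to hand to each CSP's security manager, plus the values no CSP
    can provide (to be reported back to the enterprise as unmet)."""
    settings = {}
    fulfilled, gaps = map_capabilities(req, home)
    if fulfilled:
        settings[home.csp] = fulfilled
    for partner in partners:
        if not gaps:
            break
        got, gaps = map_capabilities(SSLARequest(req.enterprise, gaps), partner)
        if got:
            settings[partner.csp] = got
    return settings, gaps


def check_compliance(req, reported):
    """Compliance monitoring: `reported` is {csp: {category: values}} as seen
    from the security managers.  Returns requested values not in effect at
    any CSP, per category; an empty dict means the S-SLA is met."""
    in_effect = {}
    for per_cat in reported.values():
        for cat, vals in per_cat.items():
            in_effect.setdefault(cat, set()).update(vals)
    return {cat: vals - in_effect.get(cat, set())
            for cat, vals in req.attributes.items()
            if vals - in_effect.get(cat, set())}


# Constructed sample data, not taken from the page.
REQUEST = SSLARequest("enterprise-A", {
    "C": frozenset({"AES-256"}), "I": frozenset({"SHA-3"}),
    "AA": frozenset({"MFA", "RBAC"}), "DS": frozenset({"jurisdiction:EU"}),
    "IS": frozenset({"service-specific-isolation"}),
})
HOME = BaselineTemplate("CSP-1", {
    "C": frozenset({"TDES", "AES-128", "AES-256"}),
    "I": frozenset({"SHA-2", "SHA-3"}), "AA": frozenset({"MFA", "RBAC", "ABAC"}),
    "IS": frozenset(),  # home CSP offers no service-specific isolation
    "DS": frozenset({"jurisdiction:EU"}),
})
PARTNER = BaselineTemplate("CSP-2", {
    "C": frozenset({"AES-256"}), "IS": frozenset({"service-specific-isolation"}),
    "DS": frozenset({"jurisdiction:EU", "jurisdiction:US"}),
})

if __name__ == "__main__":
    settings, unmet = orchestrate(REQUEST, HOME, [PARTNER])
    print("per-CSP security settings:", settings, "unmet:", unmet)
    # CSP-1's security manager reports AES-128 in effect instead of AES-256.
    reported = {"CSP-1": {**settings["CSP-1"], "C": frozenset({"AES-128"})},
                "CSP-2": settings["CSP-2"]}
    print("non-compliant:", check_compliance(REQUEST, reported))
```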
Traditionally, telecommunication equipment is provided as physical equipment (software and hardware bound together) which is managed by an Operations Support System (OSS) of a Mobile Network Operator (MNO). Virtualization technologies support network function realization by software only, managed by virtualization management and orchestration systems such as the NFV MANO of the owner of the virtual resources.
The 3GPP system includes a variety of different entities to deliver mobile services, which can be provided via physical entities, partially virtualized (e.g., via SDN) or completely virtualized entities. All these different entities need to be managed and orchestrated using the integrated 3GPP & ETSI NFV MANO management architecture (Figure 3) to provide new mobile services.
The security management and orchestration for mobile services that are realized by mixed resources is not well achieved in practice. These services typically include configuration and monitoring of PNF application specific parameters (3GPP mobile service related), VNF application specific parameters (3GPP mobile service related) and VNF deployment specific parameters (non-3GPP mobile service related) to provide fully end-to-end security. One reason end-to-end security management and orchestration is problematic is that service specific security attributes derived from customer S-SLAs are not provided to the different management systems. The SSOF 102 contributes security service-related parameters to both traditional network management systems and virtualized service management and orchestration systems.
Figure 1 is a block diagram of an example of a security service orchestrator 100 and security management module 104 according to some embodiments of inventive concepts. In the example in Figure 1, the security service orchestrator 100 includes the SSOF 102. Also, in the example in Figure 1, the security service orchestrator 200 is shown as a component of a CSP 103. In other examples, the security service orchestrator 200 and/or SSOF 202 are a separate component associated with the CSP 103. In other examples, e.g., the example in Figure 12, each CSP includes a SSOF 102. The security management module 104 includes supporting security management functions 106. Examples of operations or functions of the supporting security management functions 106 will be described with reference to Figure 5. The SSOF 102 includes a northbound interface, Nssof reference points 208, used towards enterprises and other PLMNs or CSPs. As illustrated in the example in Figure 1, the SSOF 102 includes a first Nssof reference point 120a configured to interface with other PLMNs (VPLMNs) or other CSPs for negotiation and exchanging information on S-SLA security attributes and a second Nssof reference point 120b configured to interface with enterprises for negotiation and exchanging information on S-SLA security attributes. The SSOF 102 also includes a southbound reference point 122 for interacting with the supporting security management functions 106. The Nssof reference point 120a includes the Nssof-CSP reference point with interfaces Nssof_S-SLAOrchestrationCSP and Nssof_S-SLAComplianceCSP. The Nssof reference point 120b includes the Nssof-Enterprise reference point with interfaces Nssof_EnterpriseS-SLAOrchestration and Nssof_EnterpriseS-SLACompliance.
The SSOF 102 also includes an Os-Ssof reference point 124 and an Sm-Ssof reference point 126 for interacting between 3GPP and NFV architectures as described in more detail with reference to the example in Figure 3.
The following NF services are specified for the SSOF 102 as illustrated in Figure 1:
Figure 2 is a block diagram of an example of a computing device according to some embodiments of inventive concepts. In accordance with some examples, the CSP 103 includes a computing device 200. In some examples, the SSOF 102 is embodied on a computing device that is the same as or similar to the computing device 200. In some examples, the SSOF 102 and the supporting security management function 106 are embodied on the same computing device or on separate computing devices that are the same as or similar to the computing device 200. The exemplary computing device 200 in Figure 2 includes minimal components for performing the inventive concepts described herein. The exemplary computing device 200 includes processing circuitry 203, a memory 205 and network interface circuitry 207. The processing circuitry 203 may control the network interface circuitry 207 to transmit communications through the network interface circuitry 207 to one or more network nodes of the communications systems in the example in Figure 3 and/or to receive communications through the network interface circuitry 207 from one or more network nodes to perform the inventive concepts described herein. Moreover, modules may be stored in memory 205, and these modules may provide instructions so that when instructions of a module are executed by processing circuitry 203. In some examples, the memory 205 coupled with the processing circuitry 203 includes instructions that when executed by the processing circuitry 205 cause the computing device 200 to perform at least some of the functions of the methods described herein. In some examples, the methods described herein as being performed by the SSOF 102 and the supporting security management functions 106 are embodied in and performed by one or more computing devices that are the same as or similar to computing device 200.
For example, the SSOF 102 and the supporting security management function 106 are embodied on the same computing device 200 or on separate computing devices 200. The exemplary computing device 200 in Figure 2 includes minimal components for performing the inventive concepts described herein. In other examples, the computing device 200 may include other components and/or additional components.
A mobile network is composed of physical and virtualized network elements. Security service specific aspects for both virtual network functions (VNFs) and physical network functions (PNFs) shall be passed between the 3GPP management system for physical network elements and ETSI-MANO security management for virtualized (VNF) and containerized (CNF) network elements. Hence the management of network functions is executed via different routes depending on the type of the network function. In a traditional network, the network management systems (OSS) configure the desired service parameters into the network elements, corresponding directly to a long-term network state. In NFV, service parameters constantly change in real time in response to traffic variations, and these service parameters can also be non-3GPP mobile service related.
According to 5G system architecture principles, the SSOF 102 can interact with other NFs and their network function services directly or, if required, indirectly via a service communication proxy. Figure 3 is a block diagram illustrating an example of a SSOF 102 incorporated in the management architecture of mobile networks when combining 3GPP and ETSI architectures which include virtualized network functions as defined in 3GPP TS 23.501 v16.4.0; 3GPP TS 33.501 v17.1.0; 3GPP TS 28.530 v15.0.0; 3GPP TS 28.533 v15.0.0; 3GPP TS 28.801 v15.1.0; and ETSI GS NFV-SEC 024, version 0.0.6.
The SSOF 102 is the primary security orchestration function communicating between CSPs and with other network functions and network entities within a CSP infrastructure, supporting security service level agreement negotiation based on the security attributes. The objective of the SSOF 102 is to ensure consistency of security policies. The described mechanism can be applied to privacy attributes in a similar way.
A communication service can be realized by resources deployed in different network domains (e.g., Access Network, Core Network). The SSOF 102 maps the communication service security requirements to security managers in the respective network domains and passes each of them with their domain specific security attributes. For monitoring purposes, the SSOF 102 collects security compliance information from the domains and passes the full view of S-SLA compliance to the enterprises. Figure 4 is a flow chart of an example of a method 400 of operation of a SSOF according to some embodiments of the inventive concepts. In some examples, the method 400 is performed by the SSOF 102 in Figures 1 and 3. In accordance with some examples, the method 400 is implemented by a security service orchestration function (SSOF) in a communication infrastructure, that includes a plurality of communication service providers (CSPs) and a plurality of enterprises, for orchestration of a security service level agreement (S-SLA). The method 400 is also an example of functionality of the SSOF when applied to 3GPP and ETSI systems as illustrated in Figure 3.
In block 402, the method 400 includes receiving, by a SSOF of a CSP of the plurality of CSPs, a communications service request from an enterprise or another CSP. The communications service request includes one or more requested business services covered by a S-SLA comprising a plurality of business service S-SLA requirements.
In block 404, the method 400 includes converting, by the SSOF, the business service S-SLA requirements to a S-SLA resource request. In block 404, the method 400 also includes transmitting, by the SSOF, the S-SLA resource request to a Communication Service Management Function (CSMF) of the CSP. In accordance with some examples, e.g., the example in Figure 3, transmitting the S-SLA resource request to the CSMF comprises transmitting the S-SLA resource request using an Os-Ssof reference point.
In block 406, the method 400 includes retrieving physical and virtual resources to provide the one or more requested business services per service template from a Business Support System/Communication Service Management Function (BSS/CSMF) in a communication system of the CSP.
In block 408, the method 400 includes mapping a service security capability of the physical and virtual resources per requested business service by the enterprise or the other CSP.
In block 410, the method 400 includes allocating security attributes of the physical and virtual resources per requested business service. In block 410, the method 400 also includes transmitting instructions to security managers in different BSS/CSMF communication systems on how to configure their respective physical and virtual resources to provide the one or more requested business services for compliance with the S-SLA. In accordance with some examples, transmitting the instructions to the security managers in the different BSS/CSMF communication systems includes transmitting instructions to a network security manager in a 3GPP communication system and a network function virtualization (NFV) security manager in an ETSI communication system on how to configure their respective physical and virtual resources to provide the one or more requested business services. In accordance with some examples, e.g., Figure 3, the instructions are transmitted over a Sm-Ssof reference point to each security manager.
In block 412, the method 400 includes transmitting S-SLA compliance monitoring requests per requested business service to each security manager.
In block 414, the method 400 includes receiving S-SLA compliance monitoring results per requested business service from each security manager. In accordance with some examples, e.g., the example in Figure 3, the S-SLA compliance monitoring requests and results are transmitted and received using the Sm-Ssof reference point.
In block 416, the method 400 includes transmitting the S-SLA compliance monitoring results to the enterprise or the other CSP. In accordance with some examples, e.g., the example in Figure 3, the S-SLA compliance monitoring results are transmitted to the enterprise or the other CSP using a Nssof reference point.
Figure 5 is a flow chart of an example of a method 500 of operation of a SSOF interacting with supporting security management functions within the security managers according to some embodiments of inventive concepts. The method 500 is an example of the SSOF 102 interacting with the supporting security management functions 106 when applied to the 3GPP and ETSI communication networks in the example in Figure 3. In the ETSI and NFV context, the supporting security management functions are provided by the NFV security managers. In the 3GPP context, supporting security management functions are provided by network managers or separate security management solutions. In block 502, the method 500 includes performing a business service template and required physical and virtual resources query to provide the one or more requested business services. In block 504, the method 500 includes providing security policy sets per business service delivery. In block 506, the method 500 includes performing a compliance monitoring query per business service.
Figure 6 is a flow chart of an example of a method 600 of operation of a SSOF in a combined ETSI and 3GPP environment according to some embodiments of the inventive concepts. In some examples, the method 600 is implemented by a security service orchestration function (SSOF) in a communication infrastructure, that includes a plurality of communication service providers (CSPs) and a plurality of enterprises, for orchestration of a security service level agreement (S-SLA). Referring also to Figure 7, Figure 7 is an illustration of an example of SSOF orchestration in a combined ETSI and 3GPP environment according to the exemplary method 600 in Figure 6. Figure 7 illustrates an example of the SSOF orchestrating 3GPP network management and ETSI MANO on security execution. The example in Figure 7 illustrates the case where enterprises have requested two different business services, where both services require both physical and virtual resources to realize the requested services. The communication service request information is stored in the BSS/CSMF 702. Note that this example illustrates only one network domain for simplicity reasons, but the principle can be applied to multiple network domains in a similar manner.
In block 602, the method 600 includes receiving, by a SSOF of a CSP of a plurality of CSPs, a communications service request from an enterprise or another CSP. The communications service request includes one or more requested business services covered by a S-SLA including a plurality of S-SLA requirements.
In block 604, the method 600 includes storing the communications service request information in the BSS/CSMF 702 (Figure 7).
In block 606, the method 600 includes performing a query, by the SSOF, of a plurality of service templates. Each service template is associated with a different communication system deployment. The query is performed to determine types of physical and virtual resources of each communication system deployment, that are needed to provide the one or more requested business services, and to instruct a security manager of each communication system deployment, providing the one or more business services, how to configure security settings for the physical and virtual resources. Each communication system deployment operates based on a different deployment framework. Performing the query of the plurality of service templates associated with the different communication system deployments includes performing the query of each service template for the requested business services from a business support system (BSS) communication system and a communication service management function (CSMF) system over an Os-Ssof reference point. The SSOF queries service templates for the requested services from BSS and CSMF systems over the Os-Ssof reference point to know what type of resources are needed in order to guide the 3GPP network and NFV security managers over the Sm-Ssof reference points to configure proper security settings for those physical and virtual resources that they manage. The same principle applies when there are multiple security managers per domain in both ETSI and 3GPP as illustrated in Figure 3.
In block 608, the method 600 includes instructing the security manager of each communication system deployment over a Sm-Ssof reference point, by the SSOF, to configure proper security settings for the physical and virtual resources of each communication system providing the one or more requested business services for compliance with the S-SLA. In the example in Figure 7, instructing the security manager of each communication system deployment comprises instructing a 3GPP network security manager of a 3GPP communication system and a network function virtualization (NFV) security manager of an ETSI communication system to configure the proper security settings for the physical and virtual resources of the 3GPP and ETSI communication systems for providing the one or more business services.
In block 610, the method 600 includes mapping, by the SSOF, a security capability of each physical and virtual resource providing the one or more requested business services to define a correct security attribute setting per business service to fulfill the S-SLA with the enterprise or the other CSP.
In block 612, the method 600 includes, based on the security capability mapping, providing, by the SSOF, security attributes per requested business service to the security manager of each communication system deployment. Providing the security attributes per requested business service to the security manager of each communication system deployment includes providing the security attributes as service specific policy sets using the Os-Ssof reference point.
In the example illustrated in Figure 7 corresponding to the method 600, the SSOF makes a service capability mapping to define the correct security attribute settings per service as illustrated in Figures 8 and 9. Figure 8 is an illustration of an example of security services capability mapping for end-to-end business services according to some embodiments of inventive concepts. Figure 9 is an illustration of an example of a service template-based resource request according to some embodiments of inventive concepts. In the example in Figures 7 and 8, the end-to-end business service X is offered to both enterprises A and B. The business service X is realized with a Virtual Security Function (VSF), two Virtual Network Functions (VNF 1 and VNF 2) and one Physical Network Function (PNF 1). To fulfill the S-SLA to enterprises A and B, the common end-to-end business service X requires Confidentiality (C1), Integrity (I1) and Authentication (A1) as shown in Figure 8. The end-to-end business service Y for the enterprise B is realized with one Virtual Network Function (VNF 2), one Physical Network Function (PNF 2) and one Physical Security Function (PSF) in Figure 8. The required security attributes for service Y are Confidentiality (C3), Integrity (I2), Authentication (A2) and Isolation (IS1).
Based on the security capability mapping, the SSOF provides the required security attributes per service (as a service specific policy set) to the 3GPP network security manager (physical resources) and the NFV security manager over the Os-Ssof reference points as illustrated in Figure 10. Figure 10 is an illustration of an example of security setting policy sharing according to some embodiments of inventive concepts.
Referring back to Figure 6, in block 614, the method 600 includes monitoring, by the SSOF, the security attributes for compliance of the S-SLA. In accordance with some examples, e.g., the example in Figure 7, monitoring the security attributes for compliance of the S-SLA includes monitoring the service specific policy sets using the Os-Ssof reference point in regular intervals or on demand to determine compliance with the S-SLA per enterprise or other CSP and per business service.
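The capability mapping and policy set split of blocks 610 and 612 (and blocks 408 to 410 of method 400) can be carried through on the Figure 8 services. The following is an added worked example, not code from the patent or from Ericsson; the resource capability sets, the manager names and the rule that every capable resource in a service's chain enforces a required attribute are assumptions made here for illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Which security manager configures which resource kind over Sm-Ssof:
# PNF/PSF belong to the 3GPP network security manager, VNF/VSF/CNF to the NFV
# security manager (the two deployment frameworks in Figure 7). Names are assumed.
MANAGER_BY_KIND = {
    "PNF": "3gpp_network_security_manager",
    "PSF": "3gpp_network_security_manager",
    "VNF": "nfv_security_manager",
    "VSF": "nfv_security_manager",
    "CNF": "nfv_security_manager",
}


@dataclass(frozen=True)
class Resource:
    """One physical or virtual resource from a service template together with the
    security attribute levels (C1, I2, IS1, ...) it is able to enforce."""
    name: str
    kind: str
    capabilities: FrozenSet[str]


# Constructed service templates following Figures 8 and 9: service X is realized by
# VSF, VNF1, VNF2 and PNF1; service Y by VNF2, PNF2 and PSF. The capability sets are
# hypothetical; a real SSOF would learn them from the BSS/CSMF over Os-Ssof.
VSF = Resource("VSF", "VSF", frozenset({"C1", "C3", "I1"}))
VNF1 = Resource("VNF1", "VNF", frozenset({"C1", "I1", "A1"}))
VNF2 = Resource("VNF2", "VNF", frozenset({"C1", "C3", "I1", "I2", "A1", "A2"}))
PNF1 = Resource("PNF1", "PNF", frozenset({"C1", "A1"}))
PNF2 = Resource("PNF2", "PNF", frozenset({"C3", "I2", "IS1"}))
PSF = Resource("PSF", "PSF", frozenset({"IS1", "A2"}))

SERVICE_TEMPLATES: Dict[str, List[Resource]] = {
    "X": [VSF, VNF1, VNF2, PNF1],
    "Y": [VNF2, PNF2, PSF],
}

# S-SLA requirements per business service, as in Figure 8.
SLA_REQUIREMENTS: Dict[str, List[str]] = {
    "X": ["C1", "I1", "A1"],
    "Y": ["C3", "I2", "A2", "IS1"],
}

Mapping = Dict[str, Dict[str, List[str]]]          # service -> attribute -> resources
PolicySets = Dict[str, Dict[str, Dict[str, List[str]]]]  # manager -> service -> resource -> attrs


def map_capabilities(templates, requirements) -> Tuple[Mapping, Dict[str, List[str]]]:
    """Block 610: for every required attribute find the resources of the service that
    can enforce it. An attribute no resource in the template can enforce is a gap,
    i.e. the S-SLA cannot be fulfilled as requested with this template."""
    mapping: Mapping = {}
    gaps: Dict[str, List[str]] = {}
    for service, attrs in requirements.items():
        resources = templates.get(service, [])
        mapping[service] = {}
        for attr in attrs:
            capable = [r.name for r in resources if attr in r.capabilities]
            if capable:
                mapping[service][attr] = capable
            else:
                gaps.setdefault(service, []).append(attr)
    return mapping, gaps


def build_policy_sets(templates, mapping: Mapping) -> PolicySets:
    """Block 612: regroup the mapping into service specific policy sets, one per
    security manager, so each manager only receives settings for resources it manages."""
    policy_sets: PolicySets = {}
    for service, attr_map in mapping.items():
        by_name = {r.name: r for r in templates[service]}
        for attr, names in attr_map.items():
            for name in names:
                manager = MANAGER_BY_KIND[by_name[name].kind]
                policy_sets.setdefault(manager, {}).setdefault(service, {}) \
                    .setdefault(name, []).append(attr)
    return policy_sets


def orchestrate(templates=SERVICE_TEMPLATES, requirements=SLA_REQUIREMENTS):
    """Blocks 610 to 612 end to end. A service with a gap gets no policy set at all,
    so the SSOF renegotiates the S-SLA over Nssof instead of silently under-delivering."""
    mapping, gaps = map_capabilities(templates, requirements)
    deliverable = {s: m for s, m in mapping.items() if s not in gaps}
    return build_policy_sets(templates, deliverable), gaps


if __name__ == "__main__":
    policy_sets, gaps = orchestrate()
    for manager, services in policy_sets.items():
        print(manager, services)
    print("gaps:", gaps)
```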
Figure 11 is a flow chart of an example of a method 1100 of operation of a SSOF for slicing across communication service providers according to some embodiments of inventive concepts. Referring also to Figure 12, Figure 12 is an illustration of a SSOF transferring security attributes for slicing across communication service providers according to the exemplary method 1100 in Figure 11. In some examples, the method 1100 is implemented by a security service orchestration function (SSOF) in a communication infrastructure, that includes a plurality of communication service providers (CSPs) and a plurality of enterprises, for orchestration of a security service level agreement (S-SLA).
In block 1102, the method 1100 includes receiving, by a SSOF of a first CSP of the plurality of CSPs, a S-SLA request from an enterprise for a business service. The S-SLA request includes a specific level of security attributes that the enterprise requests be fulfilled in roaming situations.
In block 1104, the method 1100 includes performing a capability mapping between security attributes in the S-SLA request and a common security baseline capability template of the first CSP.
In block 1106, the method 1100 includes implementing, as a result of the capability mapping, the business service as a multi-operator slice instance with virtualized network functions requesting capacity and security capabilities from a second CSP.
In block 1108, the method 1100 includes orchestrating, by the SSOF of the first CSP, security attribute enforcement within a network domain of the first CSP.
In block 1110, the method 1100 includes requesting, by the SSOF of the first CSP, the business service including specific security capabilities from the second CSP.
In block 1112, the method 1100 includes performing compliance monitoring by the SSOF of the first CSP. In block 1112, the method 1100 also includes consolidating, by the SSOF of the first CSP, compliance monitoring results based on information received from a network domain of the first CSP and information received from a SSOF of the second CSP. In some examples, the information received from the network domain of the first CSP is received via a Sm-Ssof reference point and the information received from the SSOF of the second CSP is received via a Nssof reference point.
Referring to Figure 12, Figure 12 is an example of slicing across operators within the same country applied to a 5G network slicing context. Figure 12 illustrates how security capabilities and attributes are transferred and implemented using the SSOF. The example assumes there has been a service request from an enterprise to CSP A with commonly agreed security attributes for the business service (network slice). The SSOF at CSP A performs capability mapping. As a result of the capability mapping, CSP A decides to implement the business service as a multi-operator slice instance with virtualized network functions, requesting capacity and security capabilities from CSP B. The SSOF of CSP A orchestrates security attribute enforcement within its own network domain. The SSOF of CSP A requests the business service with the specified security capabilities from CSP B. In the example in Figure 12, compliance monitoring results are consolidated by the SSOF of CSP A based on the information it receives from CSP A’s own network domain via Sm-Ssof and based on the information it receives from the SSOF of CSP B. End-to-end compliance for the business service offering, e.g., the network slice, is communicated to the enterprise via the Nssof reference point. The SSOF in CSP A expands the Network Slice Management Function in CSP A to cover CSP B slice parts concerning security attributes and their monitoring.
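The consolidation step of block 1112 is where a multi-operator slice is most likely to go wrong: CSP A only sees per-resource results from its own domain over Sm-Ssof, while CSP B reports per slice part over Nssof, and an attribute for which no report arrives must not be mistaken for a compliant one. The following is an added example, not code from the patent or from Ericsson; the result record layout and the sample monitoring results are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ComplianceResult:
    """One monitoring result as the SSOF of CSP A receives it: from its own domain
    via Sm-Ssof (per resource) or from the SSOF of CSP B via Nssof (per slice part,
    where the individual resource is not visible to CSP A). Layout is assumed."""
    source: str                 # "Sm-Ssof" (own domain) or "Nssof" (partner CSP)
    service: str                # business service / network slice identifier
    attribute: str              # security attribute level, e.g. "C1"
    compliant: bool
    resource: Optional[str] = None


def consolidate(required: Dict[str, List[str]], results: List[ComplianceResult]):
    """Block 1112: per service, an attribute is compliant only if every result received
    for it is compliant. An attribute with no result at all is reported as 'unreported'
    and makes the service non-compliant, so a silent partner cannot make the
    end-to-end view handed to the enterprise over Nssof look green."""
    report = {}
    for service, attrs in required.items():
        per_attr = {}
        for attr in attrs:
            hits = [r for r in results if r.service == service and r.attribute == attr]
            if not hits:
                per_attr[attr] = "unreported"
            elif all(r.compliant for r in hits):
                per_attr[attr] = "compliant"
            else:
                failing = sorted({f"{r.source}:{r.resource or 'peer'}"
                                  for r in hits if not r.compliant})
                per_attr[attr] = "non-compliant (" + ", ".join(failing) + ")"
        report[service] = {
            "attributes": per_attr,
            "compliant": all(v == "compliant" for v in per_attr.values()),
        }
    return report


# Constructed sample: slice for enterprise A, realized in CSP A (VNF1, PNF1) and CSP B.
REQUIRED = {"sliceA": ["C1", "I1", "A1"]}
RESULTS = [
    ComplianceResult("Sm-Ssof", "sliceA", "C1", True, "VNF1"),
    ComplianceResult("Sm-Ssof", "sliceA", "C1", True, "PNF1"),
    ComplianceResult("Sm-Ssof", "sliceA", "I1", True, "VNF1"),
    ComplianceResult("Nssof", "sliceA", "C1", True),
    ComplianceResult("Nssof", "sliceA", "I1", False),   # CSP B slice part fails I1
    # no result for A1 from either side
]

if __name__ == "__main__":
    print(consolidate(REQUIRED, RESULTS))
```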
Example embodiments are discussed below.
1. A method implemented by a security service orchestration function (SSOF) in a communication infrastructure, that includes a plurality of communication service providers (CSPs) and a plurality of enterprises, for orchestration of a security service level agreement (S-SLA), the method comprising: receiving, by a SSOF of a CSP of the plurality of CSPs, a communications service request from an enterprise or another CSP, wherein the communications service request comprises one or more requested business services covered by a S-SLA comprising a plurality of business service S-SLA requirements; converting, by the SSOF, the business service S-SLA requirements to a S-SLA resource request; transmitting, by the SSOF, the S-SLA resource request to a Communication Service Management Function (CSMF) of the CSP; and retrieving physical and virtual resources to provide the one or more requested business services per service template from a Business Support System/Communication Service Management Function (BSS/CSMF) in a communication system of the CSP.
2. The method of embodiment 1, wherein transmitting the S-SLA resource request to the CSMF comprises transmitting the S-SLA resource request using an Os-Ssof reference point.
3. The method of any of embodiments 1-2, further comprising mapping a service security capability of the physical and virtual resources per requested business service.
4. The method of any of embodiments 1-3, further comprising: allocating security attributes of the physical and virtual resources per requested business service; and transmitting instructions to security managers in different BSS/CSMF communication systems how to configure their respective physical and virtual resources to provide the one or more requested business services for compliance of the S-SLA.
5. The method of embodiment 4, wherein transmitting the instructions to the security managers in the different BSS/CSMF communication systems comprises transmitting instructions to a network security manager in a 3GPP communication system and a network function virtualization (NFV) security manager in an ETSI communication system how to configure their respective physical and virtual resources to provide the one or more requested business services, wherein the instructions are transmitted over a Sm-Ssof reference point to each security manager.
6. The method of any of embodiments 1-5, further comprising: transmitting S-SLA compliance monitoring requests per requested business service to each security manager; and receiving S-SLA compliance monitoring results per requested business service from each security manager.
7. The method of embodiment 6, wherein the S-SLA compliance monitoring requests and results are transmitted and received using the Sm-Ssof reference point.
8. The method of any of embodiments 6-7, further comprising transmitting the S-SLA compliance monitoring results to the enterprise or the other CSP.
9. The method of embodiment 8, wherein the S-SLA compliance monitoring results are transmitted to the enterprise or the other CSP using a Nssof reference point.
10. The method of any of embodiments 1-9, wherein the SSOF interacts with supporting security management functions within the security managers to perform a set of functions comprising: performing a business service template and required physical and virtual resources query to provide the one or more requested business services; providing security policy sets per business service delivery; and performing a compliance monitoring query per business service.
11. A computing device (200) comprising: processing circuitry (203); and memory (205) coupled with the processing circuitry, wherein the memory includes instructions that when executed by the processing circuitry cause the computing device to: receive, by a SSOF of a CSP, a communications service request from an enterprise or another CSP, wherein the communications service request comprises one or more requested business services covered by a S-SLA comprising a plurality of S-SLA requirements; convert, by the SSOF, the business service S-SLA requirements to a S-SLA resource request; transmit, by the SSOF, the S-SLA resource request to a Communication Service Management Function (CSMF) of the CSP; and retrieve physical and virtual resources to provide the one or more requested business services per service template from a Business Support System/Communication Service Management Function (BSS/CSMF) in a communication system of the CSP.
12. The computing device of embodiment 11, wherein the memory includes instructions that when executed by the processing circuitry cause the computing device to perform operations according to any of embodiments 2-10.
13. A computing device (200) adapted to: receive, by a SSOF of a CSP, a communications service request from an enterprise or another CSP, wherein the communications service request comprises one or more requested business services covered by a S-SLA comprising a plurality of S-SLA requirements; convert, by the SSOF, the business service S-SLA requirements to a S-SLA resource request; transmit, by the SSOF, the S-SLA resource request to a Communication Service Management Function (CSMF) of the CSP; and retrieve physical and virtual resources to provide the one or more requested business services per service template from a Business Support System/Communication Service Management Function (BSS/CSMF) in a communication system of the CSP.
14. The computing device of embodiment 12 further adapted to perform according to any of embodiments 2-10.
15. A computer program comprising program code to be executed by processing circuitry (203) of a computing device (200), whereby execution of the program code causes the computing device (200) to perform operations according to any of embodiments 1-10.
16. A computer program product comprising a non-transitory storage medium including program code to be executed by processing circuitry (203) of a computing device (200), whereby execution of the program code causes the computing device (200) to perform operations according to any of embodiments 1-10.
17. A method implemented by a security service orchestration function (SSOF) in a communication infrastructure, that includes a plurality of communication service providers (CSPs) and a plurality of enterprises, for orchestration of a security service level agreement (S-SLA), the method comprising: receiving, by a SSOF of a CSP of the plurality of CSPs, a communications service request from an enterprise or another CSP, wherein the communications service request comprises one or more requested business services covered by a S-SLA comprising a plurality of S-SLA requirements; performing a query, by the SSOF, of a plurality of service templates, wherein each service template is associated with a different communication system deployment, and wherein the query is performed to determine types of physical and virtual resources of each communication system deployment, that are needed to provide the one or more requested business services, and instruct a security manager of each communication system deployment, providing the one or more business services, how to configure security settings for the physical and virtual resources, wherein each communication system deployment operates based on a different deployment framework; mapping, by the SSOF, a security capability of each physical and virtual resource providing the one or more requested business services to define a correct security attribute setting per business service to fulfill the S-SLA with the enterprise or the other CSP; based on the security capability mapping, providing, by the SSOF, security attributes per requested business service to the security manager of each communication system deployment; and monitoring, by the SSOF, the security attributes for compliance of the S-SLA.
18. The method of embodiment 17, wherein performing the query of the plurality of service templates associated with the different communication system deployments comprises performing the query of each service template for the requested business services from a business support system (BSS) communication system and a communication service management function (CSMF) system over an Os-Ssof reference point.
19. The method of any of embodiments 17-18, further comprising instructing the security manager of each communication system deployment over a Sm-Ssof reference point, by the SSOF, to configure proper security settings for the physical and virtual resources of each communication system providing the one or more requested business services for compliance of the S-SLA.
20. The method of embodiment 19, wherein instructing the security manager of each communication system deployment comprises instructing a 3GPP network security manager of a 3GPP communication system and a network function virtualization (NFV) security manager of an ETSI communication system to configure the proper security settings for the physical and virtual resources of the 3GPP and ETSI communication systems for providing the one or more business services.
21. The method of any of embodiments 17-20, wherein the providing the security attributes per requested business service to the security manager of each communication system deployment comprises providing the security attributes as service specific policy sets using the Os-Ssof reference point.
22. The method of embodiment 21, wherein monitoring the security attributes for compliance of the S-SLA comprises monitoring the service specific policy sets using the Os-Ssof reference point in regular intervals or on demand to determine compliance with the S-SLA per enterprise or other CSP and per business service.
23. A computing device (200) comprising: processing circuitry (203); and memory (205) coupled with the processing circuitry, wherein the memory includes instructions that when executed by the processing circuitry causes the computing device to, receive, by a SSOF of a CSP, a communications service request from an enterprise or another CSP, wherein the communications service request comprises one or more requested business services covered by a S-SLA comprising a plurality of S-SLA requirements; perform a query, by the SSOF, of a plurality of service templates, wherein each service template is associated with a different communication system deployment, and wherein the query is performed to determine types of physical and virtual resources of each communication system deployment, that are needed to provide the one or more requested business services, and instruct a security manager of each communication system deployment, providing the one or more business services, how to configure security settings for the physical and virtual resources, wherein each communication system deployment operates based on a different deployment framework; map, by the SSOF, a security capability of each physical and virtual resource providing the one or more requested business services to define a correct security attribute setting per service to fulfill the S-SLA with the enterprise or the other CSP; based on the security capability mapping, provide, by the SSOF, security attributes per requested business service to the security manager of each communication system deployment; and monitor, by the SSOF, the security attributes for compliance of the S-SLA.
24. The computing device of embodiment 23, wherein the memory includes instructions that when executed by the processing circuitry causes the computing device to perform operations according to any of embodiments 18-22.
25. A computing device (200) adapted to: receive, by a SSOF of a CSP, a communications service request from an enterprise or another CSP, wherein the communications service request comprises one or more requested business services covered by a S-SLA comprising a plurality of S-SLA requirements; perform a query, by the SSOF, of a plurality of service templates, wherein each service template is associated with a different communication system deployment, and wherein the query is performed to determine types of physical and virtual resources of each communication system deployment, that are needed to provide the one or more requested business services, and instruct a security manager of each communication system deployment, providing the one or more business services, how to configure security settings for the physical and virtual resources, wherein each communication system deployment operates based on a different deployment framework; map, by the SSOF, a security capability of each physical and virtual resource providing the one or more requested business services to define a correct security attribute setting per service to fulfill the S-SLA with the enterprise or the other CSP; based on the security capability mapping, provide, by the SSOF, security attributes per requested business service to the security manager of each communication system deployment; and monitor, by the SSOF, the security attributes for compliance of the S-SLA.
26. The computing device of embodiment 25 further adapted to perform according to any of embodiments 18-22.
27. A computer program comprising program code to be executed by processing circuitry (203) of a computing device (200), whereby execution of the program code causes the computing device (200) to perform operations according to any of embodiments 17-22.
28. A computer program product comprising a non-transitory storage medium including program code to be executed by processing circuitry (203) of a computing device (200), whereby execution of the program code causes the computing device (200) to perform operations according to any of embodiments 17-22.
29. A method implemented by a security service orchestration function (SSOF) in a communication infrastructure, that includes a plurality of communication service providers (CSPs) and a plurality of enterprises, for orchestration of a security service level agreement (S-SLA), the method comprising: receiving, by a SSOF of a first CSP of the plurality of CSPs, a S-SLA request from an enterprise for a business service, wherein the S-SLA request comprises a specific level of security attributes that the enterprise requests are fulfilled in roaming situations; performing a capability mapping between security attributes in the S-SLA request and a common security baseline capability template of the first CSP; implementing, as a result of the capability mapping, the business service as a multi-operator slice instance with virtualized network functions requesting capacity and security capabilities from a second CSP; and requesting, by the SSOF of the first CSP, the business service comprising specific security capabilities from the second CSP.
30. The method of embodiment 29, further comprising orchestrating, by the SSOF of the first CSP, security attribute enforcement within a network domain of the first CSP.
31. The method of any of embodiments 29-30, further comprising performing compliance monitoring by the SSOF of the first CSP.
32. The method of embodiment 31, further comprising consolidating, by the SSOF of the first CSP, compliance monitoring results based on information received from a network domain of the first CSP and information received from a SSOF of the second CSP.
33. The method of embodiment 32, wherein the information received from the network domain of the first CSP is received via a Sm-Ssof reference point and the information received from the SSOF of the second CSP is received via a Nssof reference point.
34. A computing device (200) comprising: processing circuitry (203); and memory (205) coupled with the processing circuitry, wherein the memory includes instructions that when executed by the processing circuitry cause the computing device to: receive, by a SSOF of a first CSP of a plurality of CSPs, a S-SLA request from an enterprise for a business service, wherein the S-SLA request comprises a specific level of security attributes that the enterprise requests are fulfilled in roaming situations; perform a capability mapping between security attributes in the S-SLA request and a common security baseline capability template of the first CSP; implement, as a result of the capability mapping, the business service as a multi-operator slice instance with virtualized network functions requesting capacity and security capabilities from a second CSP; and request, by the SSOF of the first CSP, the business service comprising specific security capabilities from the second CSP.
35. The computing device of embodiment 34, wherein the memory includes instructions that when executed by the processing circuitry causes the computing device to perform operations according to any of embodiments 30-33.
36. A computing device (200) adapted to: receive, by a SSOF of a first CSP of a plurality of CSPs, a S-SLA request from an enterprise for a business service, wherein the S-SLA request comprises a specific level of security attributes that the enterprise requests are fulfilled in roaming situations; perform a capability mapping between security attributes in the S-SLA request and a common security baseline capability template of the first CSP; implement, as a result of the capability mapping, the business service as a multi-operator slice instance with virtualized network functions requesting capacity and security capabilities from a second CSP; and request, by the SSOF of the first CSP, the business service comprising specific security capabilities from the second CSP.
37. The computing device of embodiment 36 further adapted to perform according to any of embodiments 30-33.
38. A computer program comprising program code to be executed by processing circuitry (203) of a computing device (200), whereby execution of the program code causes the computing device (200) to perform operations according to any of embodiments 29-33.
39. A computer program product comprising a non-transitory storage medium including program code to be executed by processing circuitry (203) of a computing device (200), whereby execution of the program code causes the computing device (200) to perform operations according to any of embodiments 29-33.
The Security Service Orchestrator Function described herein provides one or more of the following features:
• Provides a mechanism for distributing and monitoring Enterprise/VPLMN Security SLAs for end-to-end business services in a combined 3GPP and ETSI NFV MANO environment.
• Provides standardized interfaces and reference points for security service orchestration for business services and underlying network functions in 3GPP and ETSI NFV MANO deployments.
• Introduces an additional security orchestration function integrating the 3GPP and ETSI parts of any telecommunication deployment. It can dynamically interpret security requirements for business services into security attributes to be configured and monitored in the network functions, independent of whether they are of 3GPP or ETSI origin.
• Provides mapping of the communication service security requirements to security managers in the respective network domains and passes the domain-specific security attributes to the security managers.
• Provides end-to-end security SLA management and orchestration for combined 3GPP and ETSI deployments to ensure consistent S-SLA fulfillment.
• Constructs a real-time full view of S-SLA compliance for monitoring purposes, combining security compliance information from the domains, and passes the full view of S-SLA compliance to the enterprises.
• Expands 3GPP service categorization levels with security categories and security attributes, facilitating better interworking with ETSI.
• Considers that in NFV, service parameters constantly change in real time in response to traffic variations, and that these service parameters can also be unrelated to 3GPP mobile services.
• Increases trust between the home operator and enterprises, and between the home operator and roaming operators, as there is an agreed/standardized mechanism to agree security attributes and security levels between CSPs.
Generally, all terms used herein are to be interpreted according to their ordinary meaning in the relevant technical field, unless a different meaning is clearly given and/or is implied from the context in which it is used. All references to a/an/the element, apparatus, component, means, step, etc. are to be interpreted openly as referring to at least one instance of the element, apparatus, component, means, step, etc., unless explicitly stated otherwise. The steps of any methods disclosed herein do not have to be performed in the exact order disclosed, unless a step is explicitly described as following or preceding another step and/or where it is implicit that a step must follow or precede another step. Any feature of any of the embodiments disclosed herein may be applied to any other embodiment, wherever appropriate. Likewise, any advantage of any of the embodiments may apply to any other embodiments, and vice versa. Other objectives, features and advantages of the enclosed embodiments will be apparent from the following description.
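The capability mapping of embodiment 17 and the consolidated compliance view of embodiments 22 and 32, modelled as an added example; this is not Ericsson's implementation, and the service template, the attribute names, the resource names and the partner-CSP report format are all constructed here.

```python
"""Toy SSOF: S-SLA requirement -> per-domain security attribute mapping,
then consolidated S-SLA compliance monitoring (added illustration; all
templates, attribute names and sample values are constructed)."""
from dataclasses import dataclass
from enum import Enum


class Domain(Enum):
    GPP3 = "3GPP"          # resources configured by the 3GPP network security manager
    ETSI_NFV = "ETSI-NFV"  # resources configured by the NFV security manager


@dataclass(frozen=True)
class Resource:
    name: str
    domain: Domain
    capabilities: dict  # attribute -> set of settings this PNF/VNF supports


# Constructed service template for one business service: which physical and
# virtual resources each deployment contributes and what each can be set to.
SERVICE_TEMPLATES = {
    "enterprise-slice": [
        Resource("gNB-01", Domain.GPP3,
                 {"up_ciphering": {"AES-128", "AES-256"}, "up_integrity": {"off", "on"}}),
        Resource("SEPP-01", Domain.GPP3,
                 {"interconnect_auth": {"mTLS"}}),
        Resource("UPF-vnf", Domain.ETSI_NFV,
                 {"up_ciphering": {"AES-256"}, "image_signing": {"optional", "required"},
                  "host_isolation": {"shared", "dedicated"}}),
    ],
}


def map_capabilities(service, sla_requirements):
    """Embodiment 17: derive the security attribute setting every resource in the
    template must be configured with so that the S-SLA is met.
    Returns (policy_sets, gaps): policy_sets is {Domain: {resource: {attr: value}}},
    one service-specific policy set per security manager; gaps lists requirements
    that a resource advertises but cannot satisfy (S-SLA not fulfillable as-is)."""
    policy_sets = {d: {} for d in Domain}
    gaps = []
    for res in SERVICE_TEMPLATES[service]:
        settings = {}
        for attr, required in sla_requirements.items():
            if attr not in res.capabilities:
                continue  # requirement does not apply to this resource type
            if required not in res.capabilities[attr]:
                gaps.append((res.name, attr, required))
                continue
            settings[attr] = required
        policy_sets[res.domain][res.name] = settings
    return policy_sets, gaps


def consolidate_compliance(policy_sets, domain_reports, partner_reports):
    """Embodiments 22 and 32: combine what each domain security manager reports
    (Sm-Ssof) with what a second CSP's SSOF reports (Nssof) into one S-SLA view.
    domain_reports: {Domain: {resource: {attr: observed setting}}}
    partner_reports: {csp_name: bool}, the partner's per-service compliance verdict."""
    deviations = []
    for domain, resources in policy_sets.items():
        observed_dom = domain_reports.get(domain, {})
        for res, settings in resources.items():
            observed = observed_dom.get(res)
            if observed is None:
                deviations.append(f"{domain.value}/{res}: no monitoring result")
                continue
            for attr, expected in settings.items():
                if observed.get(attr) != expected:
                    deviations.append(f"{domain.value}/{res}: {attr} expected "
                                      f"{expected}, observed {observed.get(attr)}")
    for csp, ok in partner_reports.items():
        if not ok:
            deviations.append(f"{csp}: partner SSOF reports S-SLA non-compliance")
    return {"compliant": not deviations, "deviations": deviations}


if __name__ == "__main__":
    sla = {"up_ciphering": "AES-256", "image_signing": "required",
           "host_isolation": "dedicated"}
    policy, gaps = map_capabilities("enterprise-slice", sla)
    print("gaps:", gaps)
    for domain, resources in policy.items():
        print(f"policy set for {domain.value} security manager: {resources}")
    # Constructed monitoring round: the VNF drifted to a shared host.
    reports = {Domain.GPP3: {"gNB-01": {"up_ciphering": "AES-256"}, "SEPP-01": {}},
               Domain.ETSI_NFV: {"UPF-vnf": {"up_ciphering": "AES-256",
                                             "image_signing": "required",
                                             "host_isolation": "shared"}}}
    print(consolidate_compliance(policy, reports, {"CSP-B": True}))
```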
Some of the embodiments contemplated herein will now be described more fully with reference to the accompanying drawings. Other embodiments, however, are contained within the scope of the subject matter disclosed herein; the disclosed subject matter should not be construed as limited to only the embodiments set forth herein; rather, these embodiments are provided by way of example to convey the scope of the subject matter to those skilled in the art.
Any appropriate steps, methods, features, functions, or benefits disclosed herein may be performed through one or more functional units or modules of one or more virtual apparatuses. Each virtual apparatus may comprise a number of these functional units. These functional units may be implemented via processing circuitry, which may include one or more microprocessors or microcontrollers, as well as other digital hardware, which may include digital signal processors (DSPs), special-purpose digital logic, and the like. The processing circuitry may be configured to execute program code stored in memory, which may include one or several types of memory such as read-only memory (ROM), random-access memory (RAM), cache memory, flash memory devices, optical storage devices, etc. Program code stored in memory includes program instructions for executing one or more telecommunications and/or data communications protocols as well as instructions for carrying out one or more of the techniques described herein. In some implementations, the processing circuitry may be used to cause the respective functional unit to perform corresponding functions according to one or more embodiments of the present disclosure.
The term unit may have conventional meaning in the field of electronics, electrical devices and/or electronic devices and may include, for example, electrical and/or electronic circuitry, devices, modules, processors, memories, logic solid state and/or discrete devices, computer programs or instructions for carrying out respective tasks, procedures, computations, outputs, and/or displaying functions, and so on, such as those that are described herein.
In the above-description of various embodiments of present inventive concepts, it is to be understood that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of present inventive concepts. Unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which present inventive concepts belong. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of this specification and the relevant art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.
When an element is referred to as being "connected", "coupled", "responsive", or variants thereof to another element, it can be directly connected, coupled, or responsive to the other element or intervening elements may be present. In contrast, when an element is referred to as being "directly connected", "directly coupled", "directly responsive", or variants thereof to another element, there are no intervening elements present. Like numbers refer to like elements throughout. Furthermore, "coupled", "connected", "responsive", or variants thereof as used herein may include wirelessly coupled, connected, or responsive. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. Well-known functions or constructions may not be described in detail for brevity and/or clarity. The term "and/or" includes any and all combinations of one or more of the associated listed items.
It will be understood that although the terms first, second, third, etc. may be used herein to describe various elements/operations, these elements/operations should not be limited by these terms. These terms are only used to distinguish one element/operation from another element/operation. Thus, a first element/operation in some embodiments could be termed a second element/operation in other embodiments without departing from the teachings of present inventive concepts. The same reference numerals or the same reference designators denote the same or similar elements throughout the specification.
As used herein, the terms "comprise", "comprising", "comprises", "include", "including", "includes", "have", "has", "having", or variants thereof are open-ended, and include one or more stated features, integers, elements, steps, components or functions but do not preclude the presence or addition of one or more other features, integers, elements, steps, components, functions or groups thereof. Furthermore, as used herein, the common abbreviation "e.g.,", which derives from the Latin phrase "exempli gratia," may be used to introduce or specify a general example or examples of a previously mentioned item, and is not intended to be limiting of such item. The common abbreviation "i.e.,", which derives from the Latin phrase "id est," may be used to specify a particular item from a more general recitation.
Example embodiments are described herein with reference to block diagrams and/or flowchart illustrations of computer-implemented methods, apparatus (systems and/or devices) and/or computer program products. It is understood that a block of the block diagrams and/or flowchart illustrations, and combinations of blocks in the block diagrams and/or flowchart illustrations, can be implemented by computer program instructions that are performed by one or more computer circuits. These computer program instructions may be provided to a processor circuit of a general purpose computer circuit, special purpose computer circuit, and/or other programmable data processing circuit to produce a machine, such that the instructions, which execute via the processor of the computer and/or other programmable data processing apparatus, transform and control transistors, values stored in memory locations, and other hardware components within such circuitry to implement the functions/acts specified in the block diagrams and/or flowchart block or blocks, and thereby create means (functionality) and/or structure for implementing the functions/acts specified in the block diagrams and/or flowchart block(s).
These computer program instructions may also be stored in a tangible computer-readable medium that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable medium produce an article of manufacture including instructions which implement the functions/acts specified in the block diagrams and/or flowchart block or blocks. Accordingly, embodiments of present inventive concepts may be embodied in hardware and/or in software (including firmware, resident software, micro-code, etc.) that runs on a processor such as a digital signal processor, which may collectively be referred to as "circuitry," "a module" or variants thereof.
It should also be noted that in some alternate implementations, the functions/acts noted in the blocks may occur out of the order noted in the flowcharts. For example, two blocks shown in succession may in fact be executed substantially concurrently or the blocks may sometimes be executed in the reverse order, depending upon the functionality/acts involved. Moreover, the functionality of a given block of the flowcharts and/or block diagrams may be separated into multiple blocks and/or the functionality of two or more blocks of the flowcharts and/or block diagrams may be at least partially integrated. Finally, other blocks may be added/inserted between the blocks that are illustrated, and/or blocks/operations may be omitted without departing from the scope of inventive concepts. Moreover, although some of the diagrams include arrows on communication paths to show a primary direction of communication, it is to be understood that communication may occur in the opposite direction to the depicted arrows.
Many variations and modifications can be made to the embodiments without substantially departing from the principles of the present inventive concepts. All such variations and modifications are intended to be included herein within the scope of present inventive concepts. Accordingly, the above disclosed subject matter is to be considered illustrative, and not restrictive, and the examples of embodiments are intended to cover all such modifications, enhancements, and other embodiments, which fall within the spirit and scope of present inventive concepts. Thus, to the maximum extent allowed by law, the scope of present inventive concepts is to be determined by the broadest permissible interpretation of the present disclosure including the examples of embodiments and their equivalents, and shall not be restricted or limited by the foregoing detailed description.
ABBREVIATIONS
At least some of the following abbreviations may be used in this disclosure. If there is an inconsistency between abbreviations, preference should be given to how it is used above. If listed multiple times below, the first listing should be preferred over any subsequent listing(s).
Abbreviation Explanation
AAA Authentication, Authorization, Accounting
ABAC Attribute Based Access Control
AES Advanced Encryption Standard
CIA Confidentiality, Integrity, Availability
CSMF Communication Service Management Function
CSP Communications Service Provider
ETSI European Telecommunications Standards Institute
HPLMN Home Public Land Mobile Network
IPX Internet Packet Exchange
LTE Long Term Evolution
NF Network Function
NFV Network Function Virtualization
NE Network Entity
NSA Non-Stand Alone
MANO Management And Network Orchestration
MNO Mobile Network Operator
OSS Operations Support System
PNF Physical Network Function
PSF Physical Security Function
SA Stand Alone
SBA Service Based Architecture
SDN Software Defined Networking
SEPP Security Edge Protection Proxy
SHA Secure Hash Algorithms
S-SLA Security Service Level Agreement
SSOF Security Orchestration Function
TDES Triple Data Encryption Algorithm
VNF Virtual Network Function
VPLMN Visited Public Land Mobile Network
VSF Virtual Security Function
3GPP 3rd Generation Partnership Project
5G Fifth generation mobile network
6G Sixth generation mobile network

Claims

CLAIMS:
1. A method (400) implemented by a security service orchestration function (SSOF) (102) in a communication infrastructure, that includes a plurality of communication service providers (CSPs) and a plurality of enterprises, for orchestration of a security service level agreement (S-SLA), the method comprising: receiving (402), by a SSOF of a CSP of the plurality of CSPs, a communications service request from an enterprise or another CSP, wherein the communications service request comprises one or more requested business services covered by a S-SLA comprising a plurality of business service S-SLA requirements; converting (404), by the SSOF, the business service S-SLA requirements to a S-SLA resource request; transmitting (404), by the SSOF, the S-SLA resource request to a Communication Service Management Function (CSMF) of the CSP; and retrieving (406) physical and virtual resources to provide the one or more requested business services per service template from a Business Support System/Communication Service Management Function (BSS/CSMF) in a communication system of the CSP.
2. The method of claim 1, wherein transmitting (404) the S-SLA resource request to the CSMF comprises transmitting the S-SLA resource request using an Os-Ssof reference point.
3. The method of any of claims 1-2, further comprising mapping (408) a service security capability of the physical and virtual resources per requested business service.
4. The method of any of claims 1-3, further comprising: allocating (410) security attributes of the physical and virtual resources per requested business service; and transmitting (410) instructions to security managers in different BSS/CSMF communication systems how to configure their respective physical and virtual resources to provide the one or more requested business services for compliance of the S-SLA.
5. The method of claim 4, wherein transmitting (410) the instructions to the security managers in the different BSS/CSMF communication systems comprises transmitting instructions to a network security manager in a 3GPP communication system and a network function virtualization (NFV) security manager in an ETSI communication system how to configure their respective physical and virtual resources to provide the one or more requested business services, wherein the instructions are transmitted over a Sm-Ssof reference point to each security manager.
6. The method of any of claims 1-5, further comprising: transmitting (412) S-SLA compliance monitoring requests per requested business service to each security manager; and receiving (414) S-SLA compliance monitoring results per requested business service from each security manager.
7. The method of claim 6, wherein the S-SLA compliance monitoring requests and results are transmitted and received using the Sm-Ssof reference point.
8. The method of any of claims 6-7, further comprising transmitting (416) the S-SLA compliance monitoring results to the enterprise or the other CSP.
9. The method of claim 8, wherein the S-SLA compliance monitoring results are transmitted to the enterprise or the other CSP using a Nssof reference point.
10. The method of any of claims 1-9, wherein the SSOF interacts with supporting service management functions within the security managers to perform a set of functions comprising: performing (502) a business service template and required physical and virtual resources query to provide the one or more requested business services; providing (504) security policy sets per business service delivery; and performing (506) a compliance monitoring query per business service.
11. A computing device (200) comprising: processing circuitry (203); and memory (205) coupled with the processing circuitry, wherein the memory includes instructions that when executed by the processing circuitry cause the computing device to: receive (402), by a SSOF of a CSP, a communications service request from an enterprise or another CSP, wherein the communications service request comprises one or more requested business services covered by a S-SLA comprising a plurality of S-SLA requirements; convert (404), by the SSOF, the business service S-SLA requirements to a S-SLA resource request; transmit (404), by the SSOF, the S-SLA resource request to a Communication Service Management Function (CSMF) of the CSP; and retrieve (406) physical and virtual resources to provide the one or more requested business services per service template from a Business Support System/Communication Service Management Function (BSS/CSMF) in a communication system of the CSP.
12. The computing device of claim 11, wherein the memory includes instructions that when executed by the processing circuitry causes the computing device to perform operations according to any of claims 2-10.
13. A computing device (200) adapted to: receive (402), by a SSOF of a CSP, a communications service request from an enterprise or another CSP, wherein the communications service request comprises one or more requested business services covered by a S-SLA comprising a plurality of S-SLA requirements; convert (404), by the SSOF, the business service S-SLA requirements to a S-SLA resource request; transmit (404), by the SSOF, the S-SLA resource request to a Communication Service Management Function (CSMF) of the CSP; and retrieve (406) physical and virtual resources to provide the one or more requested business services per service template from a Business Support System/Communication Service Management Function (BSS/CSMF) in a communication system of the CSP.
14. The computing device of claim 12 further adapted to perform according to any of claims 2-10.
15. A computer program comprising program code to be executed by processing circuitry (203) of a computing device (200), whereby execution of the program code causes the computing device (200) to perform operations according to any of claims 1-10.
16. A computer program product comprising a non-transitory storage medium including program code to be executed by processing circuitry (203) of a computing device (200), whereby execution of the program code causes the computing device (200) to perform operations according to any of claims 1-10.
17. A method (600) implemented by a security service orchestration function (SSOF) in a communication infrastructure, that includes a plurality of communication service providers (CSPs) and a plurality of enterprises, for orchestration of a security service level agreement (S-SLA), the method comprising: receiving (602), by a SSOF of a CSP of the plurality of CSPs, a communications service request from an enterprise or another CSP, wherein the communications service request comprises one or more requested business services covered by a S-SLA comprising a plurality of S-SLA requirements; performing (606) a query, by the SSOF, of a plurality of service templates, wherein each service template is associated with a different communication system deployment, and wherein the query is performed to determine types of physical and virtual resources of each communication system deployment, that are needed to provide the one or more requested business services, and instruct a security manager of each communication system deployment, providing the one or more business services, how to configure security settings for the physical and virtual resources, wherein each communication system deployment operates based on a different deployment framework; mapping (610), by the SSOF, a security capability of each physical and virtual resource providing the one or more requested business services to define a correct security attribute setting per business service to fulfill the S-SLA with the enterprise or the other CSP; based on the security capability mapping, providing (612), by the SSOF, security attributes per requested business service to the security manager of each communication system deployment; and monitoring (614), by the SSOF, the security attributes for compliance of the S-SLA.
18. The method of claim 17, wherein performing the query of the plurality of service templates associated with the different communication system deployments comprises performing the query of each service template for the requested business services from a business support system (BSS) communication system and a communication service management function (CSMF) system over an Os-Ssof reference point.
19. The method of any of claims 17-18, further comprising instructing (608) the security manager of each communication system deployment over a Sm-Ssof reference point, by the SSOF, to configure proper security settings for the physical and virtual resources of each communication system providing the one or more requested business services for compliance of the S-SLA.
20. The method of claim 19, wherein instructing the security manager of each communication system deployment comprises instructing a 3GPP network security manager of a 3GPP communication system and a network function virtualization (NFV) security manager of an ETSI communication system to configure the proper security settings for the physical and virtual resources of the 3GPP and ETSI communication systems for providing the one or more business services.
21. The method of any of claims 17-20, wherein the providing the security attributes per requested business service to the security manager of each communication system deployment comprises providing the security attributes as service specific policy sets using the Os-Ssof reference point.
22. The method of claim 21, wherein monitoring the security attributes for compliance of the S-SLA comprises monitoring the service specific policy sets using the Os-Ssof reference point in regular intervals or on demand to determine compliance with the S-SLA per enterprise or other CSP and per business service.
23. A computing device (200) comprising: processing circuitry (203); and memory (205) coupled with the processing circuitry, wherein the memory includes instructions that when executed by the processing circuitry cause the computing device to:
    receive (602), by a SSOF of a CSP, a communications service request from an enterprise or another CSP, wherein the communications service request comprises one or more requested business services covered by a S-SLA comprising a plurality of S-SLA requirements;
    perform (606) a query, by the SSOF, of a plurality of service templates, wherein each service template is associated with a different communication system deployment, and wherein the query is performed to determine types of physical and virtual resources of each communication system deployment that are needed to provide the one or more requested business services, and to instruct a security manager of each communication system deployment providing the one or more business services how to configure security settings for the physical and virtual resources, wherein each communication system deployment operates based on a different deployment framework;
    map (610), by the SSOF, a security capability of each physical and virtual resource providing the one or more requested business services to define a correct security attribute setting per service to fulfill the S-SLA with the enterprise or the other CSP;
    based on the security capability mapping, provide (612), by the SSOF, security attributes per requested business service to the security manager of each communication system deployment; and
    monitor (614), by the SSOF, the security attributes for compliance of the S-SLA.
24. The computing device of claim 23, wherein the memory includes instructions that when executed by the processing circuitry cause the computing device to perform operations according to any of claims 18-22.
25. A computing device (200) adapted to:
    receive (602), by a SSOF of a CSP, a communications service request from an enterprise or another CSP, wherein the communications service request comprises one or more requested business services covered by a S-SLA comprising a plurality of S-SLA requirements;
    perform (606) a query, by the SSOF, of a plurality of service templates, wherein each service template is associated with a different communication system deployment, and wherein the query is performed to determine types of physical and virtual resources of each communication system deployment that are needed to provide the one or more requested business services, and to instruct a security manager of each communication system deployment providing the one or more business services how to configure security settings for the physical and virtual resources, wherein each communication system deployment operates based on a different deployment framework;
    map (610), by the SSOF, a security capability of each physical and virtual resource providing the one or more requested business services to define a correct security attribute setting per service to fulfill the S-SLA with the enterprise or the other CSP;
    based on the security capability mapping, provide (612), by the SSOF, security attributes per requested business service to the security manager of each communication system deployment; and
    monitor (614), by the SSOF, the security attributes for compliance of the S-SLA.
26. The computing device of claim 25 further adapted to perform according to any of claims 18-22.
27. A computer program comprising program code to be executed by processing circuitry (203) of a computing device (200), whereby execution of the program code causes the computing device (200) to perform operations according to any of claims 17-22.
28. A computer program product comprising a non-transitory storage medium including program code to be executed by processing circuitry (203) of a computing device (200), whereby execution of the program code causes the computing device (200) to perform operations according to any of claims 17-22.
29. A method (1100) implemented by a security service orchestration function (SSOF) in a communication infrastructure, that includes a plurality of communication service providers (CSPs) and a plurality of enterprises, for orchestration of a security service level agreement (S-SLA), the method comprising:
    receiving (1102), by a SSOF of a first CSP of the plurality of CSPs, a S-SLA request from an enterprise for a business service, wherein the S-SLA request comprises a specific level of security attributes that the enterprise requests are fulfilled in roaming situations;
    performing (1104) a capability mapping between security attributes in the S-SLA request and a common security baseline capability template of the first CSP;
    implementing (1106), as a result of the capability mapping, the business service as a multi-operator slice instance with virtualized network functions requesting capacity and security capabilities from a second CSP; and
    requesting (1110), by the SSOF of the first CSP, the business service comprising specific security capabilities from the second CSP.
30. The method of claim 29, further comprising orchestrating (1108), by the SSOF of the first CSP, security attribute enforcement within a network domain of the first CSP.
31. The method of any of claims 29-30, further comprising performing (1112) compliance monitoring by the SSOF of the first CSP.
32. The method of claim 31, further comprising consolidating (1112), by the SSOF of the first CSP, compliance monitoring results based on information received from a network domain of the first CSP and information received from a SSOF of the second CSP.
33. The method of claim 32, wherein the information received from the network domain of the first CSP is received via a Sm-Ssof reference point and the information received from the SSOF of the second CSP is received via a Nssof reference point.
34. A computing device (200) comprising: processing circuitry (203); and memory (205) coupled with the processing circuitry, wherein the memory includes instructions that when executed by the processing circuitry cause the computing device to:
    receive (1102), by a SSOF of a first CSP of a plurality of CSPs, a S-SLA request from an enterprise for a business service, wherein the S-SLA request comprises a specific level of security attributes that the enterprise requests are fulfilled in roaming situations;
    perform (1104) a capability mapping between security attributes in the S-SLA request and a common security baseline capability template of the first CSP;
    implement (1106), as a result of the capability mapping, the business service as a multi-operator slice instance with virtualized network functions requesting capacity and security capabilities from a second CSP; and
    request (1110), by the SSOF of the first CSP, the business service comprising specific security capabilities from the second CSP.
35. The computing device of claim 34, wherein the memory includes instructions that when executed by the processing circuitry cause the computing device to perform operations according to any of claims 30-33.
36. A computing device (200) adapted to:
    receive (602), by a SSOF of a first CSP of a plurality of CSPs, a S-SLA request from an enterprise for a business service, wherein the S-SLA request comprises a specific level of security attributes that the enterprise requests are fulfilled in roaming situations;
    perform (1104) a capability mapping between security attributes in the S-SLA request and a common security baseline capability template of the first CSP;
    implement (1106), as a result of the capability mapping, the business service as a multi-operator slice instance with virtualized network functions requesting capacity and security capabilities from a second CSP; and
    request (1110), by the SSOF of the first CSP, the business service comprising specific security capabilities from the second CSP.
37. The computing device (200) of claim 36 further adapted to perform according to any of claims 30-33.
38. A computer program comprising program code to be executed by processing circuitry (203) of a computing device (200), whereby execution of the program code causes the computing device (200) to perform operations according to any of claims 29-33.
39. A computer program product comprising a non-transitory storage medium including program code to be executed by processing circuitry (203) of a computing device (200), whereby execution of the program code causes the computing device (200) to perform operations according to any of claims 29-33.
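The orchestration flow recited in claims 17 and 29-33 (query the service templates of each deployment, map S-SLA requirements onto the security capabilities of the physical and virtual resources, hand per-deployment policy sets to each security manager, then monitor and consolidate compliance evidence from the SSOF's own domain and from a second CSP's SSOF) is modelled below as an added illustration written for this page. It is not code from the patent, from Ericsson, or from any 3GPP or ETSI specification. The attribute names, their ordinal strength scales, the deployment labels, the sample S-SLA and the reports are all constructed; two behaviours are assumptions of this example rather than claim language: a resource whose capability cannot meet a requirement is reported as a gap so the request can be refused or renegotiated instead of silently under-delivered, and a resource that sends no compliance report is treated as a violation rather than a pass.

```python
from dataclasses import dataclass

# Ordinal strength scales, weakest to strongest (constructed; the patent does not
# define any attribute vocabulary, so these names are this example's assumption).
SCALES = {
    "transport_encryption": ["none", "tls1.2", "tls1.3"],
    "key_length": [128, 192, 256],
    "tenant_isolation": ["shared", "vlan", "dedicated"],
}


def rank(attr, value):
    """Position of value on its attribute scale; unknown or missing values rank lowest."""
    scale = SCALES[attr]
    return scale.index(value) if value in scale else -1


@dataclass
class Resource:
    name: str
    kind: str          # "physical" or "virtual"
    capability: dict   # attr -> strongest level this resource can be configured to


@dataclass
class ServiceTemplate:
    deployment: str    # deployment framework label, e.g. "3gpp" or "etsi-nfv" (constructed)
    resources: dict    # business service -> [Resource] needed to provide it


def map_capabilities(sla, service, templates):
    """Steps 606/610 of claim 17: query every service template for the resources
    that carry `service`, then pick the per-resource setting that fulfils `sla`.
    Returns (policy_sets, gaps): policy_sets[deployment][resource][attr] is the
    setting handed to that deployment's security manager; gaps lists every
    (deployment, resource, attr) whose capability cannot meet the S-SLA
    (gap reporting is this example's assumption, not claim language)."""
    policy_sets, gaps = {}, []
    for tpl in templates:
        for res in tpl.resources.get(service, []):
            settings = {}
            for attr, required in sla.items():
                supported = res.capability.get(attr)
                if supported is None or rank(attr, supported) < rank(attr, required):
                    gaps.append((tpl.deployment, res.name, attr))
                else:
                    # Least-sufficient setting: exactly the S-SLA level, not the maximum.
                    settings[attr] = required
            policy_sets.setdefault(tpl.deployment, {})[res.name] = settings
    return policy_sets, gaps


def check_compliance(policy_sets, reports):
    """Step 614 / claims 31-32: compare reported attribute values against the
    issued policy sets. A resource with no report at all is a violation, not a pass."""
    violations = []
    for deployment, resources in policy_sets.items():
        observed = reports.get(deployment, {})
        for res_name, settings in resources.items():
            actual = observed.get(res_name)
            if actual is None:
                violations.append((deployment, res_name, "*", "no report"))
                continue
            for attr, required in settings.items():
                if rank(attr, actual.get(attr)) < rank(attr, required):
                    violations.append((deployment, res_name, attr, actual.get(attr)))
    return violations


def consolidate(policy_sets, own_reports, partner_reports):
    """Claim 32: merge evidence from the first CSP's own domain (Sm-Ssof) with
    what the second CSP's SSOF returned (Nssof) into one compliance view."""
    return check_compliance(policy_sets, {**own_reports, **partner_reports})


def cap(enc, key, iso):
    """Shorthand for a constructed capability dict."""
    return {"transport_encryption": enc, "key_length": key, "tenant_isolation": iso}


# Constructed sample: one S-SLA, two deployments, and the reports that come back.
SLA = cap("tls1.3", 256, "dedicated")
TEMPLATES = [
    ServiceTemplate("3gpp", {"private-5g": [
        Resource("gnb-1", "physical", cap("tls1.3", 256, "dedicated")),
        Resource("amf-1", "virtual", cap("tls1.3", 256, "vlan")),   # cannot isolate
    ]}),
    ServiceTemplate("etsi-nfv", {"private-5g": [
        Resource("vnf-upf", "virtual", cap("tls1.3", 256, "dedicated")),
    ]}),
]
REPORTS_OWN = {"3gpp": {
    "gnb-1": cap("tls1.3", 256, "dedicated"),
    "amf-1": {"transport_encryption": "tls1.2", "key_length": 256},   # drifted below policy
}}
REPORTS_PARTNER = {"etsi-nfv": {"vnf-upf": cap("tls1.3", 256, "dedicated")}}


def run_example():
    policy_sets, gaps = map_capabilities(SLA, "private-5g", TEMPLATES)
    violations = consolidate(policy_sets, REPORTS_OWN, REPORTS_PARTNER)
    return policy_sets, gaps, violations


if __name__ == "__main__":
    policy, gaps, violations = run_example()
    print("policy sets:", policy)
    print("capability gaps:", gaps)
    print("violations:", violations)
```

Running the sample reports one capability gap (amf-1 cannot provide dedicated isolation, so the S-SLA cannot be fulfilled as requested) and one compliance violation (amf-1 has drifted to TLS 1.2). Dropping the partner's reports from `consolidate` adds a "no report" violation for the partner-hosted resource, which is the behaviour a defender wants: silence from the second CSP must not read as compliance.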
PCT/EP2021/068811 2021-07-07 2021-07-07 Security service orchestration function interaction between telecommunications networks based on different deployment frameworks WO2023280399A1 (en)


Publications (1)

Publication Number Publication Date
WO2023280399A1 true WO2023280399A1 (en) 2023-01-12

Family

ID=76971853


Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020049212A1 (en) * 2018-09-06 2020-03-12 Nokia Technologies Oy Automated roaming service level agreements between network operators via security edge protection proxies in a communication system environment
US20200169478A1 (en) * 2014-11-21 2020-05-28 University Of Maryland Baltimore County Automating Cloud Services Lifecycle Through Semantic Technologies
US20200177460A1 (en) * 2017-08-08 2020-06-04 Huawei Technologies Co., Ltd. Network slice management method and apparatus
US20200344267A1 (en) * 2017-11-20 2020-10-29 Nokia Technologies Oy Apparatus, System And Method For Security Management Based On Event Correlation In A Distributed Multi-Layered Cloud Environment


Non-Patent Citations (3)

Title
5GPPP ARCHITECTURE WORKING GROUP: "View on 5G Architecture version 2.0", 1 December 2017 (2017-12-01), pages 1 - 140, XP055587698, Retrieved from the Internet <URL:https://5g-ppp.eu/wp-content/uploads/2018/01/5G-PPP-5G-Architecture-White-Paper-Jan-2018-v2.0.pdf> [retrieved on 20190513] *
KOSTAS KATSALIS ET AL: "Network Slices toward 5G Communications: Slicing the LTE Network", IEEE COMMUNICATIONS MAGAZINE., vol. 55, no. 8, 1 August 2017 (2017-08-01), US, pages 146 - 154, XP055590838, ISSN: 0163-6804, DOI: 10.1109/MCOM.2017.1600936 *
RUBEN TRAPERO ET AL: "A novel approach to manage cloud security SLA incidents", FUTURE GENERATION COMPUTER SYSTEMS, vol. 72, 1 July 2017 (2017-07-01), NL, pages 193 - 205, XP055581063, ISSN: 0167-739X, DOI: 10.1016/j.future.2016.06.004 *


Legal Events

Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 21743099; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE