Hashem Eiza, M (ORCID: 0000-0001-9114-8577), Akwirry, B, Raschella, A, Mackay, M and Maheshwari, M (2025) A Hybrid Zero Trust Deployment Model for Securing O-RAN Architecture in 6G Networks. Future Internet, 17 (8).
Text: A Hybrid Zero Trust Deployment Model for Securing O-RAN Architecture in 6G Networks.pdf - Published Version. Available under License Creative Commons Attribution.

Abstract
The evolution toward sixth generation (6G) wireless networks promises higher performance, greater flexibility, and enhanced intelligence. However, it also introduces a substantially enlarged attack surface driven by open, disaggregated, and multi-vendor Open RAN (O-RAN) architectures that will be utilised in 6G networks. This paper addresses the urgent need for a practical Zero Trust (ZT) deployment model tailored to O-RAN specification. To do so, we introduce a novel hybrid ZT deployment model that establishes the trusted foundation for AI/ML-driven security in O-RAN, integrating macro-level enclave segmentation with micro-level application sandboxing for xApps/rApps. In our model, the Policy Decision Point (PDP) centrally manages dynamic policies, while distributed Policy Enforcement Points (PEPs) reside in logical enclaves, agents, and gateways to enable per-session, least-privilege access control across all O-RAN interfaces. We demonstrate feasibility via a Proof of Concept (PoC) implemented with Kubernetes and Istio and based on the NIST Policy Machine (PM). The PoC illustrates how pods can represent enclaves and sidecar proxies can embody combined agent/gateway functions. Performance discussion indicates that enclave-based deployment adds 1–10 ms of additional per-connection latency while CPU/memory overhead from running a sidecar proxy per enclave is approximately 5–10% extra utilisation, with each proxy consuming roughly 100–200 MB of RAM.

| Item Type: | Article | 
|---|---|
| Uncontrolled Keywords: | 46 Information and computing sciences | 
| Subjects: | Q Science > QA Mathematics > QA75 Electronic computers. Computer science T Technology > T Technology (General) > T58.5 Information Technology | 
| Divisions: | Computer Science and Mathematics | 
| Publisher: | MDPI | 
| Date of acceptance: | 6 August 2025 | 
| Date of first compliant Open Access: | 6 August 2025 | 
| Date Deposited: | 06 Aug 2025 13:21 | 
| Last Modified: | 21 Aug 2025 12:45 | 
| DOI or ID number: | 10.3390/fi17080372 | 
| URI: | https://researchonline.ljmu.ac.uk/id/eprint/26906 | 