A Hybrid Zero Trust Deployment Model for Securing O-RAN Architecture in 6G Networks

Hashem Eiza, M (ORCID: 0000-0001-9114-8577), Akwirry, B, Raschella, A, Mackay, M and Maheshwari (Postdoc), M A Hybrid Zero Trust Deployment Model for Securing O-RAN Architecture in 6G Networks. Future Internet. (Accepted)

A Hybrid Zero Trust Deployment Model for Securing O-RAN Architecture in 6G Networks.pdf - Accepted Version
Available under License Creative Commons Attribution.


Abstract

The evolution toward sixth generation (6G) wireless networks promises higher performance, greater flexibility, and enhanced intelligence. However, it also introduces a substantially enlarged attack surface driven by open, disaggregated, and multi-vendor Open RAN (O-RAN) architectures that will be utilised in 6G networks. This paper addresses the urgent need for a practical Zero Trust (ZT) deployment model tailored to O-RAN specification. To do so, we introduce a novel hybrid ZT deployment model that establishes the trusted foundation for AI/ML-driven security in O-RAN, integrating macro-level enclave segmentation with micro-level application sandboxing for xApps/rApps. In our model, the Policy Decision Point (PDP) centrally manages dynamic policies, while distributed Policy Enforcement Points (PEPs) reside in logical enclaves, agents, and gateways to enable per-session, least-privilege access control across all O-RAN interfaces. We demonstrate feasibility via a Proof of Concept (PoC) implemented with Kubernetes and Istio and based on the NIST Policy Machine (PM). The PoC illustrates how pods can represent enclaves and sidecar proxies can embody combined agent/gateway functions. Performance discussion indicates that enclave-based deployment adds 1–10 ms of additional per-connection latency while CPU/memory overhead from running a sidecar proxy per enclave is approximately 5–10% extra utilisation, with each proxy consuming roughly 100–200 MB of RAM.

Item Type: Article
Uncontrolled Keywords: 46 Information and computing sciences
Subjects: Q Science > QA Mathematics > QA75 Electronic computers. Computer science
T Technology > T Technology (General) > T58.5 Information Technology
Divisions: Computer Science and Mathematics
Publisher: MDPI
Date of acceptance: 6 August 2025
Date of first compliant Open Access: 6 August 2025
Date Deposited: 06 Aug 2025 13:21
Last Modified: 06 Aug 2025 13:30
URI: https://researchonline.ljmu.ac.uk/id/eprint/26906