{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,1]],"date-time":"2026-04-01T22:20:21Z","timestamp":1775082021088,"version":"3.50.1"},"reference-count":52,"publisher":"MDPI AG","issue":"8","license":[{"start":{"date-parts":[[2025,8,18]],"date-time":"2025-08-18T00:00:00Z","timestamp":1755475200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"Department for Science, Innovation and Technology (DSIT), UK Government, Liverpool City Region HDD (High Demand Density)"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Future Internet"],"abstract":"<jats:p>The evolution toward sixth generation (6G) wireless networks promises higher performance, greater flexibility, and enhanced intelligence. However, it also introduces a substantially enlarged attack surface driven by open, disaggregated, and multi-vendor Open RAN (O-RAN) architectures that will be utilised in 6G networks. This paper addresses the urgent need for a practical Zero Trust (ZT) deployment model tailored to O-RAN specification. To do so, we introduce a novel hybrid ZT deployment model that establishes the trusted foundation for AI\/ML-driven security in O-RAN, integrating macro-level enclave segmentation with micro-level application sandboxing for xApps\/rApps. In our model, the Policy Decision Point (PDP) centrally manages dynamic policies, while distributed Policy Enforcement Points (PEPs) reside in logical enclaves, agents, and gateways to enable per-session, least-privilege access control across all O-RAN interfaces. We demonstrate feasibility via a Proof of Concept (PoC) implemented with Kubernetes and Istio and based on the NIST Policy Machine (PM). The PoC illustrates how pods can represent enclaves and sidecar proxies can embody combined agent\/gateway functions. Performance discussion indicates that enclave-based deployment adds 1\u201310 ms of additional per-connection latency while CPU\/memory overhead from running a sidecar proxy per enclave is approximately 5\u201310% extra utilisation, with each proxy consuming roughly 100\u2013200 MB of RAM.<\/jats:p>","DOI":"10.3390\/fi17080372","type":"journal-article","created":{"date-parts":[[2025,8,18]],"date-time":"2025-08-18T13:28:22Z","timestamp":1755523702000},"page":"372","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":2,"title":["A Hybrid Zero Trust Deployment Model for Securing O-RAN Architecture in 6G Networks"],"prefix":"10.3390","volume":"17","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-9114-8577","authenticated-orcid":false,"given":"Max","family":"Hashem Eiza","sequence":"first","affiliation":[{"name":"School of Computer Science and Mathematics, Liverpool John Moores University, Liverpool L3 3AF, UK"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3708-7659","authenticated-orcid":false,"given":"Brian","family":"Akwirry","sequence":"additional","affiliation":[{"name":"School of Engineering and Computing, University of Lancashire, Preston PR1 2HE, UK"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1626-8947","authenticated-orcid":false,"given":"Alessandro","family":"Raschella","sequence":"additional","affiliation":[{"name":"School of Computer Science and Mathematics, Liverpool John Moores University, Liverpool L3 3AF, UK"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9013-7884","authenticated-orcid":false,"given":"Michael","family":"Mackay","sequence":"additional","affiliation":[{"name":"School of Computer Science and Mathematics, Liverpool John Moores University, Liverpool L3 3AF, UK"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2843-9758","authenticated-orcid":false,"given":"Mukesh Kumar","family":"Maheshwari","sequence":"additional","affiliation":[{"name":"School of Computer Science and Mathematics, Liverpool John Moores University, Liverpool L3 3AF, UK"},{"name":"Department of Electrical Engineering, Bahria University, Karachi Campus, Karachi 75260, Pakistan"}]}],"member":"1968","published-online":{"date-parts":[[2025,8,18]]},"reference":[{"key":"ref_1","unstructured":"Larsson, D.C., Gr\u00f6vlen, A., Parkvall, S., and Liberg, O. (2024, September 01). 6G Standardization\u2014An Overview of Timeline and High-Level Technology Principles. Available online: https:\/\/www.ericsson.com\/en\/blog\/2024\/3\/6g-standardization-timeline-and-technology-principles."},{"key":"ref_2","unstructured":"O-RAN Alliance (2024, September 10). O-RAN Specifications. Available online: https:\/\/www.o-ran.org\/specifications."},{"key":"ref_3","unstructured":"6G Smart Networks and Services Industry Association (6G-IA) (2024, August 05). Open RAN and 6G Future Networks Development. 6G SNS IA. Available online: https:\/\/6g-ia.eu\/wp-content\/uploads\/2024\/05\/6g-ia-open-sns_open-networks-status-and-future-development_ran-final.pdf."},{"key":"ref_4","unstructured":"O-RAN Next Generation Research Group (nGRG) (2024, September 22). O-RAN Towards 6G Report ID: RR-2023-01. O-RAN Alliance. Available online: https:\/\/mediastorage.o-ran.org\/ngrg-rr\/nGRG-RR-2023-01-O-RAN-Towards-6G-v1_3.pdf."},{"key":"ref_5","unstructured":"O-RAN Next Generation Research Group (nGRG) (2024, August 11). Architecture Principles for a Cloud-Friendly Future 6G RAN Architecture Report ID: RR-2024-01. ORAN Alliance, 2024. Available online: https:\/\/mediastorage.o-ran.org\/ngrg-rr\/nGRG-RR-2024-01-O-RAN%20Cloud%20Friendly%20Future%206G%20RAN-v1.2.1.pdf."},{"key":"ref_6","doi-asserted-by":"crossref","first-page":"e191","DOI":"10.1002\/spy2.191","article-title":"Augmenting Zero Trust Architecture to Endpoints Using Blockchain: A State-Of-The-Art Review","volume":"5","author":"Alevizos","year":"2022","journal-title":"Secur. Priv."},{"key":"ref_7","unstructured":"US Government (2023). National Cybersecurity Strategy, The White House."},{"key":"ref_8","unstructured":"National Cyber Security Centre (NCSC) (2021). Zero Trust Architecture Design Principles, NCSC."},{"key":"ref_9","unstructured":"RAN Alliance (2024, July 21). Zero Trust Architecture for Secure O-RAN v1.0. O-RAN Alliance, May 2024. Available online: https:\/\/mediastorage.o-ran.org\/white-papers\/O-RAN.WG11.ZTA%20for%20Secure%20O-RAN%20White%20Paper-2024-05.pdf."},{"key":"ref_10","unstructured":"National Institute of Standards and Technology (NIST) (2024, September 13). Advanced Security Architectures for Next Generation Wireless. 15 April 2024, Available online: https:\/\/www.nist.gov\/programs-projects\/advanced-security-architectures-next-generation-wireless."},{"key":"ref_11","unstructured":"Rose, S., Borchert, O., Mitchell, S., and Connelly, S. (2024, September 15). Zero Trust Architecture, Available online: https:\/\/csrc.nist.gov\/pubs\/sp\/800\/207\/final."},{"key":"ref_12","unstructured":"(2025, August 11). Cybersecurity & Infrastructure Security Agency (CISA), Enduring Security Framework (ESF), Security Guidance for 5G Cloud Infrastructures, Volumes 1\u20134. US DHS CISA, October-November 2021, Available online: https:\/\/www.cisa.gov\/resources-tools\/groups\/enduring-security-framework-esf."},{"key":"ref_13","unstructured":"US DHS CISA (2024, May 26). Zero Trust Maturity Model (ZTMM), Version 2.0. CISA, April 2023, Available online: https:\/\/www.cisa.gov\/sites\/default\/files\/2023-04\/zero_trust_maturity_model_v2_508.pdf."},{"key":"ref_14","unstructured":"O-RAN Alliance (2025, August 11). O-RAN Architecture Description v14.0. O-RAN Alliance. Available online: https:\/\/specifications.o-ran.org\/download?id=862."},{"key":"ref_15","doi-asserted-by":"crossref","first-page":"1376","DOI":"10.1109\/COMST.2023.3239220","article-title":"Understanding O-RAN: Architecture, Interfaces, Algorithms, Security, and Research Challenges","volume":"25","author":"Polese","year":"2023","journal-title":"IEEE Commun. Surv. Tutor."},{"key":"ref_16","unstructured":"O-RAN Alliance (2024, September 27). The O-RAN ALLIANCE Security Working Group Continues to Advance O-RAN Security. 9 February 2024. Available online: https:\/\/www.o-ran.org\/blog\/the-o-ran-alliance-security-working-group-continues-to-advance-o-ran-security."},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Liyanage, M., Braeken, A., Shahabuddin, S., and Ranaweera, P. (2023). Open RAN security: Challenges and opportunities. J. Netw. Comput. Appl., 214.","DOI":"10.1016\/j.jnca.2023.103621"},{"key":"ref_18","doi-asserted-by":"crossref","first-page":"11265","DOI":"10.1109\/TMC.2024.3393430","article-title":"Securing O-RAN Open Interfaces","volume":"23","author":"Groen","year":"2024","journal-title":"IEEE Trans. Mob. Comput."},{"key":"ref_19","unstructured":"O-RAN Alliance (2025, August 11). O-RAN Security Threat Modelling and Risk Assessment 6.0. O-RAN Alliance. Available online: https:\/\/specifications.o-ran.org\/download?id=918."},{"key":"ref_20","unstructured":"O-RAN Alliance (2025, August 11). O-RAN Security Requirements and Controls Specification 12.0. O-RAN Alliance. Available online: https:\/\/specifications.o-ran.org\/download?id=914."},{"key":"ref_21","unstructured":"O-RAN Alliance (2025, August 11). O-RAN Security Protocols Specifications 12.0. O-RAN Alliance. Available online: https:\/\/specifications.o-ran.org\/download?id=917."},{"key":"ref_22","unstructured":"O-RAN Alliance (2025, August 11). O-RAN Security Test Specifications 10.0. O-RAN Alliance. Available online: https:\/\/specifications.o-ran.org\/download?id=920."},{"key":"ref_23","unstructured":"O-RAN Alliance (2025, August 11). O-RAN Study on Security for Service Management and Orchestration (SMO) 6.0. O-RAN Alliance. Available online: https:\/\/specifications.o-ran.org\/download?id=852."},{"key":"ref_24","doi-asserted-by":"crossref","first-page":"66","DOI":"10.1109\/MWC.001.2300419","article-title":"ZTRAN: Prototyping Zero Trust Security xApps for Open Radio Access Network Deployments","volume":"31","author":"Abdalla","year":"2024","journal-title":"IEEE Wirel. Commun."},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Jiang, H., Chang, H., Mukherjee, S., and Van der Merwe, J. (2023, January 7). OZTrust: An O-RAN Zero-Trust Security System. Proceedings of the IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN), Dresden, Germany.","DOI":"10.1109\/NFV-SDN59219.2023.10329620"},{"key":"ref_26","doi-asserted-by":"crossref","unstructured":"Zaheer, Z., Chang, H., Mukherjee, S., and Van der Merwe, J. (2019, January 3). eZTrust: Network-Independent Zero-Trust Perimeterization for Microservices. Proceedings of the 2019 ACM Symposium on SDN Research (SOSR \u201819), San Jose, CA USA.","DOI":"10.1145\/3314148.3314349"},{"key":"ref_27","unstructured":"The Kubernetes Authors (2024, October 11). Using RBAC Authorization. 28 June 2024. Available online: https:\/\/kubernetes.io\/docs\/reference\/access-authn-authz\/rbac\/."},{"key":"ref_28","unstructured":"The Cilium Authors (2024, October 11). Cilium\u2014Cloud Native eBPF-Based Networking, Observability, Security. Available online: https:\/\/cilium.io\/."},{"key":"ref_29","unstructured":"Tigera, Inc. (2024, October 11). Calico. Available online: https:\/\/docs.tigera.io\/calico\/latest\/about\/."},{"key":"ref_30","doi-asserted-by":"crossref","first-page":"224","DOI":"10.1109\/MNET.2023.3326356","article-title":"Zero Trust Architecture for 6G Security","volume":"38","author":"Chen","year":"2024","journal-title":"IEEE Netw."},{"key":"ref_31","doi-asserted-by":"crossref","unstructured":"Dumitru, I.-A. (2022, January 30). Zero Trust Security. Proceedings of the International Conference on Cybersecurity and Cybercrime (IC3), Bucharest, Romania.","DOI":"10.19107\/CYBERCON.2022.13"},{"key":"ref_32","doi-asserted-by":"crossref","unstructured":"He, Y., Huang, D., Chen, L., Ni, Y., and Ma, X. (2022). A Survey on Zero Trust Architecture: Challenges and Future Trends. Wirel. Commun. Mob. Comput., 6476274.","DOI":"10.1155\/2022\/6476274"},{"key":"ref_33","doi-asserted-by":"crossref","unstructured":"Basta, N., Ikram, M., Kaafar, M., and Walker, A. (2022, January 25). Towards a Zero-Trust Micro-segmentation Network Security Strategy: An Evaluation Framework. Proceedings of the NOMS 2022\u20142022 IEEE\/IFIP Network Operations and Management Symposium, Budapest, Hungary.","DOI":"10.1109\/NOMS54207.2022.9789888"},{"key":"ref_34","doi-asserted-by":"crossref","unstructured":"Sheikh, N., Pawar, M., and Lawrence, V. (2021, January 10). Zero trust using Network Micro Segmentation. Proceedings of the IEEE INFOCOM 2021\u2014IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), Vancouver, BC, Canada.","DOI":"10.1109\/INFOCOMWKSHPS51825.2021.9484645"},{"key":"ref_35","doi-asserted-by":"crossref","unstructured":"Mhaskar, N., Alabbad, M., and Khedri, R. (2021). A Formal Approach to Network Segmentation. Comput. Secur., 103.","DOI":"10.1016\/j.cose.2020.102162"},{"key":"ref_36","unstructured":"NIST, and Computer Security Resource Centre (CSRC) (2025, February 10). Policy Machine|CSRC  , Available online: https:\/\/csrc.nist.gov\/Projects\/Policy-Machine."},{"key":"ref_37","unstructured":"The Kubernetes Authors (2024, April 25). Kubernetes. Available online: https:\/\/kubernetes.io\/."},{"key":"ref_38","unstructured":"Istio Authors (2024, April 25). The Istio Service Mesh. Available online: https:\/\/istio.io\/latest\/."},{"key":"ref_39","unstructured":"Kiali (2024, April 25). Kiali\u2014The Console for Istio Service Mesh. Available online: https:\/\/kiali.io\/."},{"key":"ref_40","doi-asserted-by":"crossref","unstructured":"Paul, B., and Rao, M. (2023). Zero-Trust Model for Smart Manufacturing Industry. Appl. Sci., 13.","DOI":"10.3390\/app13010221"},{"key":"ref_41","doi-asserted-by":"crossref","unstructured":"Ruambo, F.A., Zou, D., and Yuan, B. (2023). Securing SDN\/NFV-Enabled Campus Networks with Software-Defined Perimeter-Based Zero-Trust Architecture. SSRN.","DOI":"10.2139\/ssrn.4511057"},{"key":"ref_42","doi-asserted-by":"crossref","first-page":"1876","DOI":"10.1109\/TNSM.2022.3157248","article-title":"On Sustained Zero Trust Conceptualization Security for Mobile Core Networks in 5G and Beyond","volume":"19","author":"Bello","year":"2022","journal-title":"IEEE Trans. Netw. Serv. Manag."},{"key":"ref_43","doi-asserted-by":"crossref","unstructured":"Barr, A., Lavi, O., Naor, Y., Rampal, S., and Tavori, J. (2024). Technical Report: Performance Comparison of Service Mesh Frameworks: The MTLS Test Case. arXiv.","DOI":"10.1109\/NOMS57970.2025.11073712"},{"key":"ref_44","doi-asserted-by":"crossref","unstructured":"Rodigari, S., O\u2019Shea, D., McCarthy, P., McCarry, M., and McSweeney, S. (2021, January 5). Performance Analysis of Zero-Trust multi-cloud. Proceedings of the IEEE 14th International Conference on Cloud Computing (CLOUD), Chicago, IL, USA.","DOI":"10.1109\/CLOUD53861.2021.00097"},{"key":"ref_45","unstructured":"Cunningham, C., Holmes, D., and Pollard, J. (2024, August 27). The Eight Business and Security Benefits of Zero Trust Business Case: The Zero Trust Security Playbook. Forrester Research, 2019. Available online: https:\/\/www.kennisportal.com\/wp-content\/uploads\/2022\/06\/Akamai-the-eight-business-and-security-benefits-of-zero-trust-report.pdf."},{"key":"ref_46","doi-asserted-by":"crossref","unstructured":"Brasser, F., Gens, D., Jauernig, P., Sadeghi, A., and Stapf, E. (2019, January 24). SANCTUARY: ARMing TrustZone with User-space Enclaves. Proceedings of the Network and Distributed Systems Security (NDSS) Symposium, San Diego, CA, USA.","DOI":"10.14722\/ndss.2019.23448"},{"key":"ref_47","unstructured":"Vomvas, M., Ludant, N., and Noubir, G. (2024). Establishing Trust in the Beyond-5G Core Network using Trusted Execution Environments. arXiv."},{"key":"ref_48","doi-asserted-by":"crossref","first-page":"11167","DOI":"10.1002\/int.23037","article-title":"Hybrid isolation model for device application sandboxing deployment in Zero Trust architecture","volume":"37","author":"Zhang","year":"2022","journal-title":"Int. J. Intell. Syst."},{"key":"ref_49","doi-asserted-by":"crossref","unstructured":"Zheng, D., Xing, H., Cao, X., and Xu, J. (2024). Efficient Zero-Trust-enabled Service Function Chain Deployment in Multi-Vendor Networks. TechRxiv.","DOI":"10.36227\/techrxiv.171778732.29298095\/v1"},{"key":"ref_50","doi-asserted-by":"crossref","unstructured":"Nadeem, A., Hussain, M., Iftikhar, A., and Aslam, S. (2020, January 5). Narrowband IoT Device to Device Pairing Scheme to Save Power. Proceedings of the IEEE 23rd International Multitopic Conference (INMIC), Bahawalpur, Pakistan.","DOI":"10.1109\/INMIC50486.2020.9318111"},{"key":"ref_51","doi-asserted-by":"crossref","first-page":"3422","DOI":"10.1109\/TII.2020.2995598","article-title":"Low-Complexity MIMO-FBMC Sparse Channel Parameter Estimation for Industrial Big Data Communications","volume":"17","author":"Wang","year":"2020","journal-title":"IEEE Trans. Ind. Inform."},{"key":"ref_52","doi-asserted-by":"crossref","first-page":"754","DOI":"10.1109\/TITS.2022.3145363","article-title":"Channel Parameter Estimation of mmWave MIMO System in Urban Traffic Scene: A Training Channel-Based Method","volume":"25","author":"Wang","year":"2024","journal-title":"IEEE Trans. Intell. Transp. Syst."}],"container-title":["Future Internet"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1999-5903\/17\/8\/372\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,9]],"date-time":"2025-10-09T18:29:50Z","timestamp":1760034590000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1999-5903\/17\/8\/372"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,8,18]]},"references-count":52,"journal-issue":{"issue":"8","published-online":{"date-parts":[[2025,8]]}},"alternative-id":["fi17080372"],"URL":"https:\/\/doi.org\/10.3390\/fi17080372","relation":{},"ISSN":["1999-5903"],"issn-type":[{"value":"1999-5903","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,8,18]]}}}