‘Security Guidance for 5G Cloud Infrastructures’ is a series of four documents intended to help secure the cloud environments that host 5G network functions. It was produced as a joint industry and government effort, with contributions from several large vendors and operators, and published in late 2021 by the NSA and CISA through the Enduring Security Framework (ESF), a public-private working group.
The guidance in all four documents applies to any virtual environment whose aim is to provide secure, isolated multi-tenant computing infrastructure. The series sets out a detailed set of requirements and guidelines so that a holistic view is taken and every angle is considered in how a cloud provider, or a sufficiently sophisticated data centre, can reach the security level needed to host the solutions and applications expected for 5G. Those applications are likely to require multi-tenant isolation and may run either in a cloud environment or on an edge computing server with a similar virtual environment.
The industry experts behind these documents included many with hands-on experience of making the design decisions that secure 5G infrastructure. The four documents are:
- Part I: Prevent and Detect Lateral Movement: Detect malicious cyber actor activity in 5G clouds and prevent actors from leveraging a single compromised cloud resource to compromise the entire network.
- Part II: Securely Isolate Network Resources: Ensure that there is secure isolation among customer resources with emphasis on securing the container stack that supports the running of virtual network functions.
- Part III: Data Protection: Protect Data in Transit, In-Use, and at Rest — Ensure that network and customer data is secured during all phases of the data lifecycle (in transit, while being processed, at rest, and on destruction).
- Part IV: Ensure Integrity of Infrastructure: Ensure that 5G cloud resources (for example, container images, templates, configuration) are not modified without authorization.
Securing containers in 5G infrastructure with CIS guidance
The guidance is clear about the controls that must be implemented to prevent lateral movement and to isolate network resources, and it references specific configuration guidance for containers and pod security so that those properties hold in cloud-hosted 5G infrastructure. The Center for Internet Security (CIS) Benchmarks for Kubernetes and for Docker are among the referenced materials; they give granular recommendations on how isolation and secure configuration can be achieved, with information to support risk-based decisions on which controls to implement. The NSA and CISA have also released Kubernetes Hardening Guidance, which offers both a high-level view and more specific configuration advice (pod security, network separation, authentication and authorization, logging) that can be used alongside the CIS Benchmark for Kubernetes.
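As an added example (not code from CIS, from the NSA/CISA guidance or from the ESF documents), the following Python audit applies a handful of the pod-level controls those benchmarks recommend to two constructed manifests: a network-function pod with the weak settings the guidance warns about, and the same workload hardened. The rule names and both manifests are constructed for illustration; the checks themselves (shared host namespaces, privileged containers, hostPath volumes, privilege escalation, Linux capabilities, read-only root filesystem, non-root user, seccomp, digest-pinned images, service account token mounting) correspond to controls in the CIS Kubernetes Benchmark and the NSA/CISA hardening guidance.

```python
"""Pod-hardening audit in the spirit of the CIS Kubernetes Benchmark and the
NSA/CISA Kubernetes Hardening Guidance. Added example, not code from CIS or
from the ESF documents; rule names and both manifests are constructed."""

# Constructed sample: a network-function pod with the settings the guidance
# warns about (shared host namespaces, privileged container, hostPath, mutable tag).
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "upf-weak", "namespace": "default"},
    "spec": {
        "hostPID": True,
        "hostNetwork": True,
        "containers": [{
            "name": "upf",
            "image": "registry.example/upf:latest",
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "host", "mountPath": "/host"}],
        }],
        "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
    },
}

# Constructed sample: the same workload hardened as the benchmarks recommend.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "upf", "namespace": "core-net"},
    "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {
            "runAsNonRoot": True, "runAsUser": 10001,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [{
            "name": "upf",
            # Digest pinning: the image cannot be silently replaced under a tag.
            "image": "registry.example/upf@sha256:" + "0" * 64,
            "securityContext": {
                "privileged": False,
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
            },
        }],
        "volumes": [{"name": "tmp", "emptyDir": {}}],
    },
}


def _effective(container, spec, key):
    """A container securityContext field overrides the pod-level one."""
    csc = container.get("securityContext", {})
    return csc[key] if key in csc else spec.get("securityContext", {}).get(key)


def audit_pod(pod):
    """Return findings as 'rule: detail' strings; an empty list means the pod
    passes every check. Defaults are treated the way Kubernetes applies them
    (for example allowPrivilegeEscalation is true unless set to false)."""
    findings = []
    spec = pod["spec"]
    name = pod["metadata"]["name"]
    if pod["metadata"].get("namespace", "default") == "default":
        findings.append(f"namespace: {name} runs in the default namespace")
    for flag in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(flag):
            findings.append(f"host-namespace: {name} sets {flag}=true")
    if spec.get("automountServiceAccountToken", True):
        findings.append(f"sa-token: {name} auto-mounts its service account token")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"host-path: {name} mounts host path {vol['hostPath']['path']}")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        cname = f"{name}/{c['name']}"
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"privileged: {cname}")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"privilege-escalation: {cname} allows privilege escalation")
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append(f"writable-rootfs: {cname}")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"capabilities: {cname} does not drop ALL")
        if not _effective(c, spec, "runAsNonRoot"):
            findings.append(f"run-as-root: {cname} may run as UID 0")
        profile = (_effective(c, spec, "seccompProfile") or {}).get("type")
        if profile not in ("RuntimeDefault", "Localhost"):
            findings.append(f"seccomp: {cname} has no seccomp profile")
        if "@sha256:" not in c.get("image", ""):
            findings.append(f"image-digest: {cname} uses mutable reference {c.get('image')}")
    return findings


if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or "passes all checks")
```

Run against the weak manifest the audit reports twelve findings, including the three that matter most for lateral movement (host namespaces, a privileged container and a hostPath mount of `/`); the hardened manifest reports none. In a real cluster the same rules are enforced rather than merely reported, through Pod Security Admission or an admission controller, which is what the benchmarks ultimately ask for.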
Great expectations for built-in security in public cloud
As more cloud providers adopt these standards and meet the recommendations set out in the ESF guidance, the baseline for security expectations in hosted environments will rise. Built-in security with scalable management, following zero trust tenets, will hopefully become the norm, with drivers such as the US Executive Order on Improving the Nation’s Cybersecurity (EO 14028) and the European Union Network and Information Systems (NIS) Directive.
Major threat vectors in the 5G ecosystem
Cloud- and edge-hosted systems have been identified as a major threat vector in the 5G ecosystem. This makes sense: the cloud is an aggregation point, holding data that is processed by network-core applications on infrastructure with high computing capacity, so a single compromise there has wide reach. The series provides a comprehensive set of guidelines aimed at the service provider and helps with implementation by pointing to more granular resources, such as the CIS Benchmarks. It also sets expectations for built-in security to be provided as a service, so customers of managed and hosted solutions can use these guides when assessing the security offered by their service providers.
At CIS, we are also keen to see secure hosted and managed solutions improve the built-in security capabilities that support our recommendations for state, local, tribal, and territorial (SLTT) organization members. The recommendations in the CIS Benchmarks give a comprehensive set of capabilities against which environments offered as part of managed and hosted solutions can be assessed. As organizations implement more of the Benchmarks, alignment to the recommended capabilities can be measured, and guidance can be provided on selecting a provider that supports a level of security appropriate to the organization’s risk assessment.
The development of trusted infrastructure
Maintaining system integrity, with the ability to continually assess how much trust to place in the infrastructure, is a capability that has been developed and deployed in many environments over the past two years. Trusted infrastructure is quickly becoming a requirement for many organizations. Advances have come through the deployment of Trusted Platform Modules (TPM) and Trusted Execution Environments (TEE). The TPM offered promise for a long time before its use became not only practical but standard for providing attested infrastructure: each boot and runtime component is measured into the TPM’s platform configuration registers (PCRs), and the TPM signs those values so a remote verifier can compare them with known-good measurements. This assurance from a hardware root of trust was made possible by the diligent work of contributors to the Trusted Computing Group. The TEE has been in use for several years as well, providing isolation for the execution of code whose data needs that level of protection. Using a TEE was possible but considered difficult until recently because it meant programming to vendor-specific software development kits (SDKs).
The Confidential Computing Consortium (CCC) is working towards long-term solutions that keep data encrypted while in use. Near-term measures to keep data protected and isolated are already possible, following the guidance provided and using SDKs that make it practical. The CCC effort involves numerous large vendors supporting multiple SDKs that improve and simplify the programmability of a TEE. Examples include the Open Enclave SDK and Google’s Asylo, which abstract over the specific TEE hardware (Intel SGX, and for Open Enclave also Arm TrustZone) and support Linux and, for Open Enclave, Windows hosts. These advances make it easier to use a TEE further up the stack, as training on a vendor-specific SDK, with vendor ties for assistance, is no longer necessary.
As a result, the recommendations in Part III of this guide are not only possible but feasible, and with industry demand will become required to ensure security is built in.
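To make the attestation step concrete, here is an added example (not code from the ESF documents or from the Trusted Computing Group), in Python, of what a verifier does with a TPM quote: replay the event log through the PCR extend operation, check the result against the quoted PCR values, and then compare those against known-good values. The boot components, PCR assignments and the attestation key are constructed, and an HMAC stands in for the TPM’s asymmetric attestation-key signature so the example runs offline. It shows the two failure modes a verifier must distinguish: a component that was modified (the quote matches the log but not the reference values) and a log that was forged to hide it (the log no longer reproduces the quoted PCR).

```python
"""Replay-and-compare verification of a TPM quote, the core of attested
infrastructure. Added example, not code from the ESF guidance or the Trusted
Computing Group; boot components, PCR assignments and the AK are constructed,
and an HMAC stands in for the TPM's asymmetric attestation-key signature."""
import hashlib
import hmac
import secrets

PCR_INIT = bytes(32)  # SHA-256 bank PCRs start at all zeros


def measure(blob: bytes) -> bytes:
    return hashlib.sha256(blob).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend: new PCR = H(old PCR || digest). A PCR therefore
    summarizes an ordered chain of measurements and cannot be set directly."""
    return hashlib.sha256(pcr + digest).digest()


# Constructed reference boot chain, as a build pipeline would record it:
# (PCR index, event name, component bytes). Index use loosely follows the
# TCG PC Client convention (0 firmware, 4 boot loader, 8/9 kernel and cmdline).
GOLDEN_COMPONENTS = [
    (0, "firmware", b"uefi-fw-2.1"),
    (4, "bootloader", b"shim+grub signed"),
    (8, "kernel", b"vmlinuz-5.15-hardened"),
    (9, "kernel_cmdline", b"root=/dev/vda2 lockdown=confidentiality"),
    (11, "container_runtime", b"containerd-1.6"),
]


def build_event_log(components):
    """Event log entries carry the digest of each measured component."""
    return [(idx, name, measure(blob)) for idx, name, blob in components]


def replay(event_log):
    """Fold the event log into PCR values, exactly as a verifier does."""
    pcrs = {}
    for idx, _name, digest in event_log:
        pcrs[idx] = extend(pcrs.get(idx, PCR_INIT), digest)
    return pcrs


def quote(pcrs, nonce, ak):
    """Stand-in for TPM2_Quote: binds the PCR values to the verifier's nonce."""
    msg = nonce + b"".join(pcrs[i] for i in sorted(pcrs))
    return {"pcrs": dict(pcrs), "nonce": nonce,
            "sig": hmac.new(ak, msg, hashlib.sha256).digest()}


def verify(q, nonce, ak, event_log, golden_log):
    """Return a list of problems; an empty list means the platform attests clean."""
    problems = []
    msg = q["nonce"] + b"".join(q["pcrs"][i] for i in sorted(q["pcrs"]))
    if not hmac.compare_digest(q["sig"], hmac.new(ak, msg, hashlib.sha256).digest()):
        problems.append("quote signature invalid")
    if not hmac.compare_digest(q["nonce"], nonce):
        problems.append("stale quote: nonce mismatch (possible replay)")
    replayed, golden = replay(event_log), replay(golden_log)
    golden_digests = {(i, n): d for i, n, d in golden_log}
    for idx in sorted(golden):
        if replayed.get(idx) != q["pcrs"].get(idx):
            # The log we were given does not match what the TPM holds:
            # it was edited, or events are missing.
            problems.append(f"PCR{idx}: event log does not reproduce quoted value")
        elif q["pcrs"][idx] != golden[idx]:
            bad = [n for i, n, d in event_log if i == idx and golden_digests.get((i, n)) != d]
            problems.append(f"PCR{idx}: unexpected measurement of {bad}")
    return problems


def run_scenario(components, presented_log=None):
    """Boot the constructed platform, take a quote, verify it. presented_log lets
    an attacker substitute a forged log; the TPM's PCRs still reflect what ran."""
    ak = b"\x01" * 32  # constructed shared secret standing in for the AK
    nonce = secrets.token_bytes(16)
    actual_log = build_event_log(components)
    q = quote(replay(actual_log), nonce, ak)
    return verify(q, nonce, ak, presented_log or actual_log,
                  build_event_log(GOLDEN_COMPONENTS))


# Constructed attack: the kernel image on disk has been replaced.
TAMPERED = [(i, n, b"vmlinuz-5.15-backdoored" if n == "kernel" else b)
            for i, n, b in GOLDEN_COMPONENTS]

if __name__ == "__main__":
    print("clean boot:", run_scenario(GOLDEN_COMPONENTS))
    print("tampered kernel:", run_scenario(TAMPERED))
    print("tampered kernel, forged log:",
          run_scenario(TAMPERED, presented_log=build_event_log(GOLDEN_COMPONENTS)))
```

Because PCRs can only be extended, never written, the forged-log case is caught even though the attacker fully controls the event log; that is the property attested infrastructure rests on. It also shows why the reference values should come from the build pipeline rather than from the first boot observed in production, and why the verifier must supply a fresh nonce for every quote.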
Ensure integrity of infrastructure
While it may sound simple to ensure that all data is encrypted in transit and at rest, numerous considerations go into a secure deployment. Part 4 of the guide includes a detailed checklist giving a holistic view of what encryption should be provided in hosted environments supporting 5G. Security guidelines often focus first on transport security, which has been a requirement for many years and is easier to establish than more complex data-at-rest strategies. Zero trust architectures, however, call for data to be encrypted at all times to reduce the chance of an attacker gaining access to it. That has increased interest in data-at-rest encryption, and automation of key management functions (generation, rotation and revocation of keys) has made such solutions more feasible.
Service providers that meet the recommendations in this guide would offer a holistic solution meeting the zero trust expectation of encryption everywhere, and those using the service gain from the provider’s implementation experience. This level of encryption will be made easier by enhancements in secure key management, and if service providers innovate to make these capabilities possible, data centre operators may benefit from those innovations too. In support of the May 2021 Executive Order on Improving the Nation’s Cybersecurity (EO 14028), the fourth guide provides a helpful checklist to support encryption of data at rest more fully.
Additional resources for trusted assurance and zero trust
Documentation on trusted assurance and trusted execution environments (TEE) can be hard to follow unless you are well steeped in those technology areas; for example, it can be difficult to understand both the hardware that supports the functions and the capabilities the technology enables. That is why we broke down the basics in our recent blog: Trusted assurance simplified.
Zero trust may also seem overwhelming to many. These documents aim to break down the important aspects for cloud-hosted environments supporting 5G infrastructure, but much of the guidance applies to any virtual environment built from containers and pods on hardware with a TPM and a TEE. The following blog breaks down why zero trust matters, in terms of reducing attacker dwell time: Where does zero trust begin and why is it important?
Kathleen Moriarty is Chief Technology Officer at the Center for Internet Security and the former IETF Security Area Director. She has more than two decades of experience working on ecosystems, standards, and strategy.
Adapted from posts on the CIS Blog.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.