
NSA Guidance: Zero Trust Applied to 5G Cloud Infrastructure

by George Mathews

The National Security Agency (NSA) and the Cybersecurity & Infrastructure Security Agency (CISA) have published a four-part series, Security Guidance for 5G Cloud Infrastructures. The documents were developed by the Critical Infrastructure Partnership Advisory Council (CIPAC) Cross Sector Enduring Security Framework (ESF) Working Group, an industry and government partnership that drives cybersecurity advancement against top cyber threats and depends on close collaboration between the private and public sectors. The four action-oriented documents provide guidance on how to move toward zero trust in support of securing 5G.

These documents focus on the areas of greatest risk, using current technologies to prevent attacker lateral movement, isolate multi-tenant workloads, protect data, and preserve infrastructure integrity. The panel concentrated on cloud infrastructure and multi-tenancy, which were determined to be the greatest areas of risk for securing 5G. The industry experts behind these documents included many with hands-on experience in making the design decisions that secure 5G infrastructure. The four documents are:

Part I: Prevent and Detect Lateral Movement: Detect malicious cyber actor activity in 5G clouds and prevent actors from leveraging a single compromised cloud resource to compromise the entire network.

Part II: Securely Isolate Network Resources: Ensure that there is secure isolation among customer resources with emphasis on securing the container stack that supports the running of virtual network functions.

Part III: Data Protection: Protect Data in Transit, In-Use, and at Rest: Ensure that network and customer data is secured during all phases of the data lifecycle (in transit, while being processed, at-rest, upon destruction).

Part IV: Ensure Integrity of Cloud Infrastructure: Ensure that 5G cloud resources (e.g., container images, templates, configuration) are not modified without authorization.
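One practical way to meet the Part IV goal is to record a signed baseline of digests for every template and configuration object at deployment time and re-check the running resources against it. The script below is an added example, not code from the ESF guidance; the two sample resources, the baseline signing key and the HMAC-signed digest table are constructed for this illustration (a real deployment would hold the key in a KMS or TPM-backed store and rely on a signed registry for container images).

```python
"""Detect unauthorized modification of cloud resources (templates,
configuration) by comparing them to a signed baseline.

Added example, not from the ESF guidance. Resources, key and signing
scheme are assumptions made for this illustration.
"""
import hashlib
import hmac
import json

# Constructed sample: two configuration objects as deployed at baseline time.
BASELINE_RESOURCES = {
    "configmap/tenant-a/amf-config": {"plmn": "001-01", "log_level": "info"},
    "template/tenant-a/smf-deployment": {
        "replicas": 2,
        # placeholder digest, constructed for the example
        "image": "registry.example/smf@sha256:" + "a" * 64,
    },
}

# Placeholder signing key (assumption). In practice this is released only to
# the CI/attestation service, never stored beside the resources it protects.
BASELINE_KEY = b"example-baseline-signing-key"


def _canonical(obj):
    """Serialize with sorted keys and no whitespace so equal content hashes equal."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def digest_resource(obj):
    """SHA-256 of the canonical form of one resource."""
    return hashlib.sha256(_canonical(obj)).hexdigest()


def build_baseline(resources, key):
    """Digest each resource and bind the whole digest table with an HMAC."""
    digests = {name: digest_resource(obj) for name, obj in resources.items()}
    mac = hmac.new(key, _canonical(digests), hashlib.sha256).hexdigest()
    return {"digests": digests, "mac": mac}


def verify_baseline(baseline, key):
    """True only if the digest table was produced under this key and is unaltered."""
    expected = hmac.new(key, _canonical(baseline["digests"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, baseline["mac"])


def check_integrity(current, baseline, key):
    """Return findings: a tampered baseline, then modified/added/removed resources."""
    if not verify_baseline(baseline, key):
        return ["baseline: signature invalid, refusing to trust it"]
    expected = baseline["digests"]
    findings = []
    for name in sorted(set(expected) | set(current)):
        if name not in current:
            findings.append(f"{name}: removed")
        elif name not in expected:
            findings.append(f"{name}: added without baseline entry")
        elif digest_resource(current[name]) != expected[name]:
            findings.append(f"{name}: modified")
    return findings


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_RESOURCES, BASELINE_KEY)
    # Simulated drift: an edited ConfigMap, an extra object and a missing template.
    drifted = {k: dict(v) for k, v in BASELINE_RESOURCES.items()}
    drifted["configmap/tenant-a/amf-config"]["log_level"] = "debug"
    drifted["configmap/tenant-a/extra"] = {"unexpected": True}
    del drifted["template/tenant-a/smf-deployment"]
    for line in check_integrity(drifted, baseline, BASELINE_KEY):
        print(line)
```

The baseline is signed rather than merely stored so that someone who can edit the configuration store cannot also rewrite the expected digests; the check refuses outright when the table's MAC does not verify.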

Securing Containers in 5G Infrastructure with CIS Guidance

In the first two parts, the guidance is clear on the important controls that must be implemented in order to prevent lateral movement and to isolate network resources. Specific guidance is referenced for the configuration of containers and pod security to ensure those properties are provided in cloud-hosted 5G infrastructure. The Center for Internet Security (CIS) Benchmarks for both Kubernetes and Docker are among the referenced materials.

The CIS Benchmarks provide granular recommendations on how isolation and secure configuration can be achieved, with information to support risk-based decisions on control implementation. The NSA has also released a very helpful guidance document on Kubernetes. It offers both a high-level view and more specific configuration guidance that can be used alongside the CIS Benchmark for Kubernetes.
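The pod-level settings these benchmarks target are concrete enough to check mechanically. The following is an added example, not code from the CIS Benchmarks, the NSA Kubernetes guidance or the ESF documents: it embeds a constructed pod manifest with the weak settings beside a hardened version of the same pod, and a checker that flags the settings commonly recommended against (host namespaces, privileged containers, privilege escalation, writable root filesystems, un-dropped capabilities, unpinned images, missing seccomp profile and resource limits). The image names and digest are placeholders.

```python
"""Flag Kubernetes pod settings that undermine tenant isolation and enable
lateral movement. Added example; the check list reflects commonly
recommended pod hardening settings, and both manifests are constructed."""

# Constructed: a pod that shares node namespaces and runs privileged.
WEAK_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "upf-worker", "namespace": "tenant-a"},
    "spec": {
        "hostNetwork": True,   # shares the node's network namespace
        "hostPID": True,       # can see every process on the node
        "containers": [{
            "name": "upf",
            "image": "registry.example/upf:latest",        # mutable tag
            "securityContext": {"privileged": True},
        }],
    },
}

# Constructed: the same workload with the hardening settings applied.
HARDENED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "upf-worker", "namespace": "tenant-a"},
    "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {
            "runAsNonRoot": True,
            "runAsUser": 10001,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [{
            "name": "upf",
            # placeholder digest, constructed for the example
            "image": "registry.example/upf@sha256:" + "0" * 64,
            "securityContext": {
                "privileged": False,
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        }],
    },
}


def find_pod_weaknesses(manifest):
    """Return a sorted list of findings; an empty list means the pod passes."""
    spec = manifest.get("spec", {})
    findings = []
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            findings.append(f"pod: {key}=true shares a node namespace")
    if spec.get("automountServiceAccountToken", True):   # default is true
        findings.append("pod: service account token is auto-mounted")
    pod_sc = spec.get("securityContext", {})
    if not pod_sc.get("runAsNonRoot"):
        findings.append("pod: runAsNonRoot is not set")
    if pod_sc.get("seccompProfile", {}).get("type") not in ("RuntimeDefault", "Localhost"):
        findings.append("pod: no seccomp profile")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):     # default is true
            findings.append(f"{name}: allowPrivilegeEscalation not disabled")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: writable root filesystem")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities not dropped")
        if "@sha256:" not in c.get("image", ""):
            findings.append(f"{name}: image not pinned by digest")
        if not c.get("resources", {}).get("limits"):
            findings.append(f"{name}: no resource limits")
    return sorted(findings)


if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        findings = find_pod_weaknesses(pod)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

The same checks are what an admission controller or a policy engine enforces cluster-wide; running them as a pre-deployment test catches the configuration drift before it reaches a shared node.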

Additional Resources for Trusted Assurance and Zero Trust

Documentation on topics related to trusted assurance and trusted execution environments (TEE) can be somewhat difficult to understand unless you are well steeped in the technology areas. For example, it may be difficult to understand the hardware supporting the functions as well as the capabilities enabled through the technology. That’s why we broke down the basics in our recent blog: Trusted Assurance Simplified.

Zero trust may also seem overwhelming for many. These documents are aimed at breaking down the important aspects for cloud-hosted environments supporting 5G infrastructures. However, much of the guidance can be applied to any virtual environment consisting of containers and pods with Trusted Platform Module (TPM) and TEE hardware. The following blog breaks down the importance of zero trust as related to the reduction in dwell time for attackers: Where Does Zero Trust Begin and Why is it Important?

Great Expectations for Built-In Security in Public Cloud

As an increasing number of cloud providers adopt these standards and meet the recommendations set forth in the ESF guidance, the baseline for security expectations in hosted environments will rise. Built-in security with scalable management, following zero trust tenets, will hopefully become the norm, with drivers such as the US Executive Order on Cybersecurity and the European Union Network and Information Systems (NIS) directive.

This set of four guides from the ESF working group, with parts one, two, and three already available, provides excellent guidance for getting started. The documents detail what is required to consider a system secure: meeting the recommendations that enable zero trust and providing isolation between tenants.

The Development of Trusted Infrastructure

Maintaining system integrity with the ability to provide ongoing assessments of the level of trust in the infrastructure is a capability that has been developed and deployed in many environments over the past two years. Trusted infrastructure is quickly becoming a requirement for many organizations. We have seen advancements in these capabilities through the deployment of trusted platform modules (TPM) and trusted execution environments (TEE).

The TPM offered promise for a long time before its uses became not only practical but, over the past few years, standard for providing attested infrastructure. Assurance from a root of trust was made possible by the diligent work of contributors to the Trusted Computing Group. The TEE has been in use for several years as well, providing isolation for the execution of code that requires this level of protection for the data it processes. Using a TEE was possible but considered difficult until recently, because applications had to be programmed against vendor-specific software development kits (SDKs).

Part 3: Protect Data

The Confidential Computing Consortium (CCC) is working toward long-term solutions that keep data encrypted while in execution. In the near term, data can be kept protected and isolated by following the guidance provided and by using the SDKs that make this possible.

The CCC effort involves numerous large vendors supporting multiple SDKs that improve and simplify the programmability of a TEE. Examples include OpenEnclave and Google Asylo, which allow developers to target any supported TEE and a range of host operating systems, including Windows and Linux. These advancements make it easier to use the TEE higher up the stack, since training on vendor-specific SDKs, with vendor ties for assistance, is no longer necessary.

As a result, the recommendations in Part 3 of this guide are not only possible but feasible, and with industry demand they will become required in order to ensure security is built in.

Part 4: Ensure Integrity of Infrastructure

While it may sound simple to ensure all data is encrypted in transit and at rest, numerous considerations go into a secure deployment. Part 4 of the guide includes a detailed checklist giving a holistic view of what encryption should be provided in hosted environments supporting 5G. Security guidelines often focus first on transport security, as that has been a requirement for many years and has been easier to establish than more complex data-at-rest strategies.

However, zero trust architectures call out the need for data to be encrypted at all times in order to reduce the chance of an attacker gaining access to data. Zero trust architectures have resulted in increased interest in data-at-rest encryption, as well as making such solutions more feasible through the automation of key management functions.

Service providers that meet the recommendations in this guide would offer a holistic solution to the zero trust expectation of encryption everywhere, and those using the service gain from the providers' implementation experience. This level of encryption will be made easier through secure key management enhancements. If service providers innovate to make these capabilities possible, data center operators may benefit from those innovations. In support of the May Executive Order on Cybersecurity, the fourth guide provides a helpful checklist to more fully support encryption of data at rest.

The views expressed are solely of the author and do not necessarily reflect those of ESPC Media.
