NSA Guidance: Zero Trust Applied to 5G Cloud Infrastructure: Parts 1 and 2

Part 1 of a 2-part series
By: Kathleen M. Moriarty, CIS Chief Technology Officer and active participant in the Critical Infrastructure Partnership Advisory Council (CIPAC) Cross Sector Enduring Security Framework (ESF) Working Group

The Critical Infrastructure Partnership Advisory Council (CIPAC) Cross Sector Enduring Security Framework (ESF) Working Group is an industry and government partnership which drives cybersecurity advancement against top cyber threats. This working group requires close collaboration between the private and public sectors.

The ESF Working Group recently developed four action-oriented documents to provide guidance on how to move toward zero trust in support of securing 5G. The National Security Agency (NSA) and the Cybersecurity & Infrastructure Security Agency (CISA) have published the first three parts of the four-part series, Security Guidance for 5G Cloud Infrastructures. These documents focus on the areas of greatest risk using current technologies to prevent attacker lateral movement, enable isolation for multi-tenant workloads, data protection, and infrastructure integrity. The panel focused on cloud infrastructure and multi-tenancy as they were determined to be the greatest areas of risk for securing 5G. The industry experts behind these documents included many with hands-on experience in providing design decisions to help secure 5G infrastructure. The four documents include:

1. Part I: Prevent and Detect Lateral Movement: Detect malicious cyber actor activity in 5G clouds and prevent actors from leveraging a single compromised cloud resource to compromise the entire network.
2. Part II: Securely Isolate Network Resources: Ensure that there is secure isolation among customer resources with emphasis on securing the container stack that supports the running of virtual network functions.
3. Part III: Data Protection: Protect Data in Transit, In-Use, and at Rest: Ensure that network and customer data is secured during all phases of the data lifecycle (in transit, while being processed, at-rest, upon destruction).
4. Part IV (Publishing December 16, 2021): Ensure Integrity of Infrastructure: Ensure that 5G cloud resources (e.g., container images, templates, configuration) are not modified without authorization.

Securing Containers in 5G Infrastructure with CIS Guidance

In the first two parts, the guidance is clear on the important controls that must be implemented in order to prevent lateral movement and to isolate network resources. Specific guidance is referenced for the configuration of containers and pod security to ensure those properties are provided in cloud-hosted 5G infrastructure. The Center for Internet Security (CIS) Benchmarks for both Kubernetes and Docker are among the referenced materials. They provide granular recommendations on how isolation and secure configurations can be achieved with information on risk-based decisions for control implementation. The NSA also released a very helpful document providing guidance on Kubernetes. It offers both a high-level view and more specific configuration guidance that can be used with the CIS Benchmark for Kubernetes.

Additional Resources for Trusted Assurance and Zero Trust

Documentation on topics related to trusted assurance and trusted execution environments (TEE) can be somewhat difficult to understand unless you are well steeped in the technology areas. For example, it may be difficult to understand the hardware supporting the functions as well as the capabilities enabled through the technology. That’s why we broke down the basics in our recent blog: Trusted Assurance Simplified.

Zero trust may also seem overwhelming for many. These documents are aimed at breaking down the important aspects for cloud-hosted environments supporting 5G infrastructures. However, much of the guidance can be applied to any virtual environment consisting of containers and pods with Trusted Platform Module (TPM) and TEE hardware. The following blog breaks down the importance of zero trust as related to the reduction in dwell time for attackers: Where Does Zero Trust Begin and Why is it Important?

Great Expectations for Built-In Security in Public Cloud

As an increasing number of cloud providers adopt these standards and meet the recommendations set forth in the ESF guidance, the baseline for security expectations in hosted environments will rise. Built-in security with scalable management, following zero trust tenets, will hopefully become the norm with drivers such as the US Cyber Security Executive Order on Cyber Security and the European Union Network and Information Systems (NIS) directive. This set of four guides from the ESF working group, with part one, two, and three already available, provide excellent guidance for getting started. The documents detail what will be required to consider a system secure, meeting recommendations to enable zero trust, and providing isolation between tenants.

About the Author