NSA Guidance: Zero Trust Applied to 5G Cloud Infrastructure contd: Parts 3 and 4

Part 2 of a 2-part series
By: Kathleen M. Moriarty, CIS Chief Technology Officer and active participant in the Critical Infrastructure Partnership Advisory Council (CIPAC) Cross Sector Enduring Security Framework (ESF) Working Group

“Security Guidance for 5G Cloud Infrastructures” is a series of four documents intended to help secure cloud environments. It’s been created as a joint industry and government effort with the support of several large contributors through the NSA’s Enduring Security Framework (ESF).

In the previous blog, Parts 1 and 2 were highlighted. Parts 3 and 4 of the series detail the requirements to achieve integrity and data confidentiality in cloud-hosted environments.

The guidance throughout the four documents applies to any virtual environment with an aim to provide a secure multi-tenant isolated computing infrastructure. This series establishes a detailed set of requirements and guidelines to ensure a holistic view is taken and that all angles are considered in terms of how a cloud provider or even a sophisticated data center could achieve the security level necessary to host the solutions and applications expected for 5G. These applications are likely to require multi-tenant isolation and may operate in a cloud environment or an edge computing server with a similar virtual environment.

Major Threat Vectors in the 5G Ecosystem

The cloud and edge hosted systems have been identified as a major threat vector in the 5G ecosystem. This makes sense due to the cloud being an aggregation point with data that is being processed by applications in the network core on infrastructure with high computing capabilities. The series of documents provide a comprehensive set of guidelines aimed at the service provider. It can help with implementation by providing pointers to more granular resources, such as the CIS Benchmarks. The series also sets expectations for built-in security to be provided as a service. Customers of managed and hosted solutions can also use these guides when assessing security from service providers.

At the Center for Internet Security (CIS), we’re also interested to see secure hosted and managed solutions improve built-in security capabilities that support our recommendations for state, local, tribal, and territorial organization members. Recommendations made in the CIS Benchmarks provide a comprehensive set of capabilities to assess environments that are provided as integral to managed and hosted solutions. As organizations increase the number of Benchmark they implement, alignment to the recommended capabilities can be assessed, and guidance to select a provider that supports an appropriate level of security aligned to risk-based assessments can be provided.

The series of documents include:

• Part I: Prevent and Detect Lateral Movement: Detect malicious cyber actor activity in 5G clouds and prevent actors from leveraging the compromise of a single cloud resource in order to compromise the entire network.
• Part II: Securely Isolate Network Resources: Ensure that there is secure isolation among customer resources with emphasis on securing the container stack that supports the running of virtual network functions.
• Part III: Data Protection: Protect Data in Transit, In-Use, and at Rest: Ensure that network and customer data is secured during all phases of the data lifecycle (at-rest, in transit, while being processed, upon destruction).
• Part IV: Ensure Integrity of Infrastructure: Ensure that 5G cloud resources (e.g., container images, templates, configuration) are not modified without authorization.

The Development of Trusted Infrastructure

Maintaining system integrity with the ability to provide ongoing assessments of the level of trust in the infrastructure is a capability that has been developed and deployed in many environments over the past two years. Trusted infrastructure is quickly becoming a requirement for many organizations. We have seen advancements in these capabilities through the deployment of trusted platform modules (TPM) and trusted execution environments (TEE). TPM offered hope for a long time before its uses became not only practical, but standard to providing attested infrastructure over the past few years. Assurance from a root of trust was made possible by the diligent work contributors to the Trusted Computing Group. The TEE has been in use for several years as well, proving isolation for the execution of code that requires this level of protection for the data processed. The use of a TEE was possible, but considered difficult until recently as a result of difficulty programming to vendor specific software development kits (SDKs).

Part 3: Protect Data

The Confidential Computing Consortium (CCC) is working toward long-term solutions to maintain data as encrypted when in execution. Near-term measures to keep data protected and isolated are possible following the guidance provided as well as SDKs to make it possible. The CCC effort involves numerous large vendors supporting multiple SDKs that improve and simplify the programmability of a TEE. Examples include OpenEnclave and Google Asylo, which allow programming to any TEE as well as back to a range of operating systems, including Windows and Linux. These advancements make it possible for the TEE to more easily be used up the stack as training on specific SDKs with vendor ties for assistance is no longer necessary.

As a result, the recommendations in Part 3 of this guide are not only possible, but they are also feasible, and with industry demand, will become required in order to ensure security is built-in.

Part 4: Ensure Integrity of Infrastructure

While it may sound simple to ensure all data is encrypted in transit and at rest, there are numerous considerations that lead to a secure deployment. Part 4 of the guide includes a detailed checklist for a holistic view of what encryption should be provided in hosted environments supporting 5G. Security guidelines often focus first on transport security, as that has been a requirement for many years and has been easier to establish than more complex data-at-rest strategies. However, zero trust architectures call out the need for data to be encrypted at all times in order to reduce the chance of an attacker gaining access to data. Zero trust architectures have resulted in increased interest in data-at-rest encryption, as well as making such solutions more feasible through the automation of key management functions. Through this guide, service providers meeting the recommendations would offer a holistic solution to meet zero trust expectations of having encryption everywhere, and those using the service gain from their implementation experience. This level of encryption will be made easier through secure key management enhancements. If service providers innovate to make these capabilities possible, data center operators may benefit from those innovations. In support of the May Executive Order on Cybersecurity, the fourth guide provides a helpful checklist to more fully support encryption of data-at-rest.

About the Author