The US National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have released the second of a four-part series titled Security Guidance for 5G Cloud Infrastructures. The four action-oriented documents are intended to provide guidance on how to move toward zero trust in support of securing 5G. The series was created as a joint industry and government effort, with the support of several large contributors, through the NSA's Enduring Security Framework (ESF).
This second release in the series, Security Guidance for 5G Cloud Infrastructures – Part II: Securely Isolate Network Resources [PDF], focuses on ensuring secure isolation among customer resources, with emphasis on securing the container stack that supports the running of virtual network functions.
The guidance focuses on "Pods", the isolated environments used to execute 5G network functions in a container-centric or hybrid container/virtual network function design and deployment, and it describes several aspects of Pod security, including:
- Strengthening Pod isolation, such as limiting permissions on deployed containers;
- Cryptographically isolating critical Pods using trusted execution environments;
- Using best practices to avoid resource contention and DoS attacks;
- Implementing container image security through build processes, scanning, and enhancements to the trust environment; and
- Implementing real-time threat detection through minimizing noise, curating baseline behavior, and alerting on anomalous activity.
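To make the first and third points concrete, here is an added example that is not taken from the NSA/CISA guidance or from the original post. It assumes the container stack is Kubernetes (the guidance does not name an orchestrator) and uses a hypothetical network-function image name. The first Pod spec is what a default "it works" deployment typically looks like; the second applies the permission-limiting and resource-limiting controls that the bullets describe to the same workload.

```yaml
# Added example (not from the guidance or the page). Kubernetes and the image
# name "registry.example/nf-upf:1.4.2" are assumptions for illustration only.
---
# BEFORE: weak isolation. The container runs as root, may gain further
# privileges, keeps every default Linux capability, has a writable root
# filesystem and no resource ceiling, so a compromised or runaway container
# can escalate locally and starve neighbouring Pods on the same node.
apiVersion: v1
kind: Pod
metadata:
  name: nf-upf-weak
spec:
  containers:
    - name: upf
      image: registry.example/nf-upf:1.4.2     # assumed image name
      # no securityContext: root user, privilege escalation allowed, all caps
      # no resources: unbounded CPU and memory on the shared node
---
# AFTER: hardened isolation for the same workload.
apiVersion: v1
kind: Pod
metadata:
  name: nf-upf-hardened
spec:
  automountServiceAccountToken: false   # no API credentials unless the NF needs them
  securityContext:
    runAsNonRoot: true                  # kubelet refuses to start the container as UID 0
    runAsUser: 10001
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault              # runtime's default syscall allow-list
  containers:
    - name: upf
      image: registry.example/nf-upf:1.4.2     # pin by digest (image@sha256:<digest>) in production
      securityContext:
        allowPrivilegeEscalation: false # blocks setuid/file-capability escalation
        readOnlyRootFilesystem: true    # image contents cannot be modified at runtime
        capabilities:
          drop: ["ALL"]                 # start from zero; add back individually only what the NF needs
      resources:
        requests:
          cpu: "2"
          memory: "4Gi"
        limits:
          cpu: "2"                      # requests == limits: Guaranteed QoS class,
          memory: "4Gi"                 # no overcommit, no noisy-neighbour starvation
      volumeMounts:
        - name: scratch
          mountPath: /tmp               # bounded writable scratch space for a read-only root
  volumes:
    - name: scratch
      emptyDir:
        sizeLimit: 256Mi
```

The read-only root filesystem usually breaks software that expects to write to /tmp, which is why the hardened spec mounts a size-limited emptyDir there rather than relaxing the setting. Setting requests equal to limits places the Pod in the Guaranteed QoS class, so it is the last to be evicted under node pressure and cannot burst into CPU or memory that another network function depends on. The remaining bullets (TEE-backed isolation, image scanning, anomaly detection) are not shown here; they require platform-specific tooling beyond a Pod spec.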
For more information see the release on the CISA website: https://www.cisa.gov/uscert/ncas/current-activity/2021/11/19/nsa-and-cisa-release-guidance-securing-5g-cloud-infrastructures
The guidance is available here [PDF]: Security Guidance for 5G Cloud Infrastructures – Part II: Securely Isolate Network Resources