As part of the Enduring Security Framework (ESF), the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) published guidance today to mitigate cyber threats within 5G cloud infrastructure. Securely Isolate Network Resources examines threats to Pods, the isolated environments used to execute 5G network functions in a 5G container-centric or hybrid container/virtual network function design.
The guidance covers several aspects of Pod security, including limiting permissions on deployed containers, avoiding resource contention and denial-of-service attacks, and implementing real-time threat detection.
In Part I of the series, ESF discussed best practices on preventing and detecting malicious cyber actor activity in a 5G cloud infrastructure and recommended mitigations aimed at preventing cybersecurity incidents. Part II of the series dives into Pod security and preventing a process that runs in a container from escaping the isolation boundaries of its container and gaining access to the underlying host.
“5G changes the traditional mobile network operations architecture, allowing for the core network to be moved away from proprietary hardware and software to a modular cloud-native infrastructure,” said Jorge Laurel, NSA Project Director for ESF. “This is more flexible in its development and deployment, but also introduces new cybersecurity implications and risks that need to be mitigated.”
“The deployment of 5G is built on an agile, highly configurable network architecture, a foundation of virtualization that can bring a wealth of benefits to our lives and work as well as greater security risks,” said Matt Hartman, Deputy Executive Assistant Director for Cybersecurity, CISA. “With our partners at NSA and ESF, CISA encourages the 5G community to review this guidance to ensure they achieve the necessary heightened level of Pod security in 5G cloud.”
Pods are the isolated environments used to execute 5G network functions in a 5G container-centric or hybrid container/virtual network function design and deployment. Pods provide highly configurable, flexible workloads that can be scaled and orchestrated from a central control plane, while enforcing isolation of each workload. The scale and interoperability requirements of 5G cloud components make securely configuring Pods a challenging but important ongoing effort. A strong Pod security posture leverages containerization technology to harden the deployed application, protects interactions between Pods, and detects malicious or anomalous activity within the cluster.
“5G changes communication capabilities and risks,” said Rob Joyce, NSA Cybersecurity Director. “This guidance document from ESF brings to light the need to secure Pods as an important aspect of securing 5G cloud environments.”
5G cloud providers, integrators, and network operators share the responsibility to securely configure, deploy, and orchestrate Pods that provide services.
This series has been published under the Enduring Security Framework (ESF), a public-private cross-sector working group led by NSA and CISA.
Related White Papers:
- Potential Threat Vectors to 5G Infrastructure
- Security Guidance for 5G Cloud Infrastructures: Prevent and Detect Lateral Movement (Part I)
- Security Guidance for 5G Cloud Infrastructures: Securely Isolate Network Resources (Part II)