6 key points of the new CISA/NSA 5G cloud security guidance

The security guidance focuses on zero-trust concepts as the US agencies anticipate growth of 5G networks.


5G, or 5th generation mobile networks, is among the most talked about technologies. At a high level, it promises to connect virtually any entity spanning devices, objects, and machines. 5G improves on 4G communication networks in key areas such as latency, speed, and reliability.

Cloud computing will play a pivotal role in the use and success of 5G networks. Any new technology adoption brings with it security concerns, and 5G’s use of cloud is no different. That’s why the US National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) recently released the first of a four-part series titled Security Guidance for 5G Cloud Infrastructures.

This first release in the series is titled Security Guidance for Cloud Infrastructures Part I: Prevent and Detect Lateral Movement. It is recommended for service providers and system integrators who are involved in building and configuring 5G cloud infrastructures. These entities are a critical component of the broader supply chain since so many service providers and consumers will be directly or indirectly impacted by any malicious activity against their cloud infrastructure and hosting environments. Other issues in the series will focus on topics such as securely isolating network resources, protecting data in various states, and ensuring integrity of cloud infrastructure.

5G networks will use the cloud to provide the desired outcomes and improvements over 4G due to the cloud's robust infrastructure, scalability, and resilience. That said, a key security concern with public cloud infrastructure is its multitenant nature. Consumers from multiple unrelated organizations rely on the same public-cloud providers and often host workloads in the public-cloud environment. If a malicious actor is able to move laterally or pivot from one compromised workload to another, they can have far-reaching and cascading effects on countless tenants in the cloud environment.

This multitenant nature warrants hardening both the underlying infrastructure and hosting environment as well as the workloads residing in the cloud environments to mitigate lateral movement threats. This of course will rely upon a successful understanding and execution of the cloud’s shared responsibility model by all the stakeholders involved, such as cloud service providers and 5G service providers.

NSA/CISA guidance focuses on zero trust

It should come as no surprise that the guidance for preventing and detecting lateral movement in 5G cloud environments revolves around the concept of zero trust. To learn more about zero trust, check out NIST SP 800-207 along with guidance from NSA and CISA.

The guidance for 5G cloud environments involves robust perimeter protections as well as secure internal controls coupled with sufficient logging, monitoring, and automation. Cloud environments present myriad entry points and vulnerable interfaces where malicious actors could attempt to compromise environments including software, APIs and networks.

The first release of the NSA/CISA guidance focuses on these six areas:

  • Implement secure identity and access management
  • Keep 5G cloud software updated and free from known vulnerabilities
  • Securely configure 5G cloud networks
  • Lock down communications among isolated network functions
  • Monitor for adversary lateral movement
  • Use analytics to detect sophisticated adversarial presence

1. Implement identity and access management

Regardless of the compute model deployed, such as virtual machines (VMs), containers, or serverless, sufficient security practices must be put in place to mitigate vulnerabilities and lateral movement in 5G cloud environments. From the IAM perspective, fundamental security controls and practices can go a long way. These include items such as unique identities, least permissive access control, robust authentication and multi-factor authentication. Certificates should be used to implement mutual transport layer security (mTLS) and certificate pinning to verify the identity of certificate holders. In addition to these best practices, logging is critical. Anomalous behavior should be identified as soon as possible and auto-remediation capabilities implemented when feasible.
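The mTLS and certificate-pinning controls described above come down to two checks: the server must refuse any session in which the peer presents no certificate, and the client must refuse any chain that does not contain a certificate it has pinned. The block below is an added example, not code from the guidance or from any vendor; the certificate byte strings are constructed placeholders standing in for real DER-encoded certificates, and the pin set is assumed to hold a primary and a backup pin so that a key rotation cannot lock every client out.

```python
import base64
import hashlib
import hmac
import ssl

# Constructed stand-ins for DER-encoded certificates (not real certificates).
# In a live mTLS session these would be the bytes of the peer's leaf and
# intermediate certificates as presented during the handshake.
LEAF_DER = b"constructed-leaf-certificate-bytes"
INTERMEDIATE_DER = b"constructed-intermediate-certificate-bytes"
ROGUE_DER = b"constructed-certificate-issued-by-an-unpinned-ca"


def pin_of(der: bytes) -> str:
    """Pin string for a certificate: base64(SHA-256(DER)).

    Production deployments usually hash the SubjectPublicKeyInfo instead of the
    whole certificate so the pin survives re-issuance under the same key; the
    comparison logic below is identical either way.
    """
    return base64.b64encode(hashlib.sha256(der).digest()).decode("ascii")


# Assumed pin set: a primary pin (the leaf) plus a backup pin (the issuing
# intermediate) so the service can rotate its leaf key without an outage.
PIN_SET = {pin_of(LEAF_DER), pin_of(INTERMEDIATE_DER)}


def chain_matches_pins(chain, pins) -> bool:
    """Accept the peer only if some certificate in its chain matches a pin.

    Fails closed: an empty pin set or an empty chain is rejected, and the
    comparison uses hmac.compare_digest so its timing does not reveal where
    the candidate and pinned strings first differ.
    """
    if not pins or not chain:
        return False
    for der in chain:
        candidate = pin_of(der)
        if any(hmac.compare_digest(candidate, pinned) for pinned in pins):
            return True
    return False


def mtls_server_context(cafile=None) -> ssl.SSLContext:
    """Server-side context that requires a client certificate (mutual TLS).

    `cafile` is the CA bundle that issued the client certificates; it is
    optional here only so the function can be exercised without files.
    """
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED        # no client certificate, no session
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def requires_client_cert(ctx: ssl.SSLContext) -> bool:
    """True when the context will reject peers that present no certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED


if __name__ == "__main__":
    print("valid chain:", chain_matches_pins([LEAF_DER, INTERMEDIATE_DER], PIN_SET))  # True
    print("rogue chain:", chain_matches_pins([ROGUE_DER], PIN_SET))                   # False
    print("server requires client cert:", requires_client_cert(mtls_server_context()))  # True
```

The pin check is deliberately separate from the TLS context: the `ssl` module validates the chain against the CA bundle, and the pin check then narrows acceptance to the specific certificates the operator expects, which is what stops a certificate from any other trusted CA from being accepted for that service.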

2. Keep 5G software updated

One inherent complexity of cloud environments is the myriad sources of software in place. This includes both open-source and proprietary software, all used to provide robust services to 5G cloud consumers. For this reason, it is essential that 5G cloud providers implement robust software development practices such as NIST’s Secure Software Development Framework (SSDF), coupled with mature vulnerability management programs and operations.

5G cloud providers are a core component of the broader supply chain, and failing to address software vulnerabilities at this level will ripple out across their wide consumer base. This vulnerability management program should account for publicly known vulnerabilities both with and without a patch available, as well as zero-day vulnerabilities. This includes having an operational patch management program in place.

3. Secure 5G network configuration

The implementation of networking security in the cloud can vary and has many layers, such as virtual private clouds (VPCs), hosts, containers, and pods. Some of the recommendations include grouping resources based on their sensitivity and limiting the blast radius via microsegmentation.

Network configuration and isolating communications are key when it comes to securing 5G cloud environments. Due to the multitenant nature of cloud and the introduction of software-defined networking (SDN), a new approach to networking is both warranted and possible. The guidance recommends using cloud-native capabilities such as network access control lists and firewall rules to properly constrain network paths. This is a key focus area when it comes to preventing lateral movement of malicious actors in cloud environments. If a malicious actor compromises a single VPC or subnet, you don’t want it serving as a pivot point to other VPCs and subnets within your cloud environment.

Other recommendations include default deny entries in firewalls and access control lists for both inbound and outbound traffic and controlling east/west traffic through the use of service meshes, which are common for cloud-native environments. Service mesh guidance can be found in NIST’s 800-204C publication.
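Sections 3 and 4 both reduce to the same rule: group workloads into segments by sensitivity, write down the handful of east/west paths that are actually required, and deny everything else in both directions. The block below is an added example of that policy as a small evaluator, not code from the guidance or from any cloud provider; the subnet plan, segment names, allow rules and sample flows are all constructed, and the same logic is what a cloud ACL, security group or Kubernetes NetworkPolicy set enforces in practice.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan: each subnet is a segment grouped by sensitivity.
SEGMENTS = {
    "10.0.1.0/24": "edge-gateway",
    "10.0.2.0/24": "core-network-functions",
    "10.0.3.0/24": "subscriber-database",
    "10.0.9.0/24": "management",
}


@dataclass(frozen=True)
class Rule:
    src: str      # source segment
    dst: str      # destination segment
    port: int     # destination port
    proto: str = "tcp"


# The only east/west paths that are permitted; everything else is denied.
# Rules are directional: management may open SSH to core NFs, not the reverse.
ALLOW_RULES = [
    Rule("edge-gateway", "core-network-functions", 8443),
    Rule("core-network-functions", "subscriber-database", 5432),
    Rule("management", "core-network-functions", 22),
]


def segment_of(ip: str) -> str:
    """Map an address to its segment; anything outside the plan is 'external'."""
    addr = ipaddress.ip_address(ip)
    for cidr, name in SEGMENTS.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return "external"


def evaluate(src_ip: str, dst_ip: str, port: int, proto: str = "tcp"):
    """Return ('ALLOW', rule) if a rule matches, else ('DENY', 'default-deny').

    Default deny applies to inbound, outbound and east/west traffic alike, so a
    workload compromised in one segment cannot reach a segment it has no
    business talking to, nor call out to arbitrary external hosts.
    """
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    for rule in ALLOW_RULES:
        if (rule.src, rule.dst, rule.port, rule.proto) == (src, dst, port, proto):
            return "ALLOW", rule
    return "DENY", "default-deny"


def audit(flows):
    """Evaluate a batch of (src, dst, port) tuples; return the denied ones."""
    return [f for f in flows if evaluate(*f)[0] == "DENY"]


# Constructed flow sample, including flows a default-deny policy must block.
SAMPLE_FLOWS = [
    ("10.0.1.5", "10.0.2.10", 8443),      # edge -> core NF, permitted
    ("10.0.2.10", "10.0.3.7", 5432),      # core NF -> subscriber DB, permitted
    ("10.0.9.4", "10.0.2.10", 22),        # management -> core NF, permitted
    ("10.0.1.5", "10.0.3.7", 5432),       # edge straight to the DB: no rule
    ("10.0.2.10", "10.0.9.4", 22),        # core NF back into management: wrong direction
    ("10.0.2.10", "203.0.113.9", 443),    # egress to an unknown external host
    ("198.51.100.7", "10.0.2.10", 8443),  # inbound from outside the plan
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        verdict, why = evaluate(*flow)
        print(f"{flow[0]:>14} -> {flow[1]:>14}:{flow[2]:<5} {verdict} ({why})")
```

Running the evaluator over a flow log exported from the environment is a cheap way to confirm that the deployed ACLs match the intended segmentation: every flow the evaluator denies but the log shows as established is a path that was never meant to exist.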

4. Lock down communication among isolated network functions

5G cloud environments will have complex networking implementations and architectures. Despite this reality, 5G cloud environments should ensure that all communication sessions are both authorized and encrypted appropriately. As mentioned above, the use of microsegmentation should also be practiced to minimize the blast radius of a compromise of any specific network segment within the environments.

5. Monitor and detect lateral movement

No discussion of securing 5G cloud-native environments would be sufficient without including measures to monitor and detect lateral movement from adversaries. All the preventive controls in the world won’t matter if malicious actors gain access and 5G cloud providers are totally oblivious to them. Incidents such as credential compromises, vulnerability exploitations, and others are almost a foregone conclusion. This is why proper monitoring, detection, alerting, and remediation practices must be in place for when this does occur. This should involve activities such as monitoring for user behavior abnormalities and suspicious network traffic behaviors, such as communicating with known-bad external addresses.
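The two detections named above, a connection to a known-bad external address and an identity whose behaviour departs from its norm, can both be run over ordinary authentication and connection logs. The block below is an added example of that detection logic, not code from the guidance or from any product; the log format, the sample lines, the known-bad address (a documentation address) and the fan-out threshold are all constructed. The behavioural check it implements is authentication fan-out: one identity authenticating to more distinct hosts within a short window than a service account or operator normally would, which is the pattern lateral movement leaves in the logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from any real environment). 203.0.113.9 is a
# documentation address standing in for a known-bad external host.
SAMPLE_LOGS = """\
2021-11-01T10:00:01Z auth user=svc-upf src=10.0.2.10 dst=10.0.2.11 result=success
2021-11-01T10:00:20Z auth user=svc-upf src=10.0.2.10 dst=10.0.2.12 result=success
2021-11-01T10:01:05Z auth user=svc-upf src=10.0.2.10 dst=10.0.3.7 result=success
2021-11-01T10:01:40Z auth user=svc-upf src=10.0.2.10 dst=10.0.9.4 result=failure
2021-11-01T10:02:10Z conn src=10.0.2.10 dst=203.0.113.9 dport=443
2021-11-01T10:30:00Z auth user=alice src=10.0.9.4 dst=10.0.2.11 result=success
2021-11-01T11:45:00Z auth user=alice src=10.0.9.4 dst=10.0.2.12 result=success
"""

# Assumed threat-intel feed and tuning values; both would come from the
# provider's own intelligence and baselines in a real deployment.
KNOWN_BAD = {"203.0.113.9"}
FANOUT_THRESHOLD = 4              # distinct destination hosts per identity
FANOUT_WINDOW = timedelta(minutes=5)

AUTH_RE = re.compile(r"^(\S+) auth user=(\S+) src=(\S+) dst=(\S+) result=(\S+)$")
CONN_RE = re.compile(r"^(\S+) conn src=(\S+) dst=(\S+) dport=(\d+)$")


def parse_ts(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def detect(log_text: str):
    """Return a list of alert dicts for known-bad destinations and auth fan-out."""
    alerts = []
    auths = defaultdict(list)     # user -> [(timestamp, destination host)]

    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            stamp, user, _src, dst, _result = m.groups()
            # Failed attempts count too: probing a host you cannot log in to
            # is as telling as succeeding.
            auths[user].append((parse_ts(stamp), dst))
            continue
        m = CONN_RE.match(line)
        if m:
            stamp, src, dst, dport = m.groups()
            if dst in KNOWN_BAD:
                alerts.append({"type": "known_bad_destination", "src": src,
                               "dst": dst, "dport": int(dport), "ts": stamp})

    # Sliding window per identity: count distinct hosts reached within
    # FANOUT_WINDOW of each authentication event.
    for user, events in auths.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            hosts = {dst for t, dst in events[i:] if t - t0 <= FANOUT_WINDOW}
            if len(hosts) >= FANOUT_THRESHOLD:
                alerts.append({"type": "auth_fanout", "user": user,
                               "distinct_hosts": len(hosts), "ts": t0.isoformat()})
                break                 # one alert per identity is enough
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

On the sample above the service account trips the fan-out rule and the same source host is then seen calling out to the known-bad address; correlating the two on the source address is what turns two medium-confidence signals into one high-confidence incident worth automated containment.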

6. Use analytics to detect adversarial presence

These complex and dynamic 5G cloud environments ultimately warrant the use of enhanced technologies and capabilities such as machine learning and artificial intelligence to cope with the scale of activity and telemetry that they will produce. Security teams simply can’t keep pace with the scope or scale of activity in many complex cloud-native environments. By leaning on cloud service provider (CSP) and third-party capabilities, security teams can use automation to help quickly identify and limit malicious activities.

When security warrants response times in seconds, humans are minutes and even sometimes hours away. It’s this reality that requires the use of automation and why automation is a key pillar of implementing zero-trust architectures, including in 5G cloud environments.

Copyright © 2021 IDG Communications, Inc.
