In a recent Red Hat State of Kubernetes security report, fifty-five percent of DevOps, engineering, and security professionals said they delayed an application launch in the last year because of security concerns. Almost half (48%) of these IT pros worried more about misconfigurations in container and Kubernetes environments than vulnerabilities (28%) or cyberattacks (16%), because misconfigurations can lead to data leakage and increased exposure to data theft. IBM reported a 146% increase in new Linux ransomware code and a shift to Docker-focused targeting.
In preparation for the inevitable move from monolithic applications to microservices, let’s look at the security challenges facing the 5G cloud native wireless core network and how the industry is responding. Intel is engaged with the ecosystem to address broad edge-to-core security requirements and important network use cases. Today, let’s focus on securing the control plane.
5G and Cloud Native are Changing Security Requirements
5G networks are highly distributed, built on open and service-based architectures, and require a multi-vendor hardware and software development environment, all reasons why they have larger attack surfaces compared to fixed-function, proprietary networks of the past.
The cloud native architecture also introduces new security challenges. Cloud native breaks up monolithic VMs into microservice pods, resulting in a higher volume of signaling and communication flowing through and between the microservices. Moreover, secure connections within the monolithic application have been replaced with untrusted communication between the microservices, requiring additional secure compute capabilities.
The 5G Control Plane uses a single service-based interface (SBI) for API-based web communication between virtualized or containerized network functions. Control plane communication is based on HTTP/2, which requires transport layer security (TLS), which in turn requires the use of private keys. Telecommunication equipment manufacturers (TEMs) and cloud-native network function (CNF) providers can incorporate secure keys into workloads, or communications service providers (CoSPs) can rely on secure keys as part of the service mesh to enable communication between microservices. In either case, private keys are stored in the clear.
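The point above is that, whichever deployment model is chosen, the TLS private keys that protect SBI traffic end up as plaintext material in workload or mesh configuration. A defender's first step is to find that material. The following is an added example, not code from Intel or from the page, that audits a Kubernetes TLS Secret (in the JSON shape `kubectl get secret NAME -o json` emits, with base64-encoded values under `data`) and reports every data key holding an unencrypted private key; PKCS#8 "ENCRYPTED PRIVATE KEY" blocks and traditional keys carrying a `Proc-Type: 4,ENCRYPTED` header are recognised as password-protected and not reported. The secret name, namespace and PEM bodies are constructed placeholders.

```python
import base64
import json
import re

# PEM labels that carry private key material. PKCS#8 "PRIVATE KEY" and the
# traditional OpenSSL labels are plaintext unless an encryption header is
# present; PKCS#8 "ENCRYPTED PRIVATE KEY" is always password-protected.
PLAINTEXT_KEY_LABELS = {
    "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY",
}
ENCRYPTED_KEY_LABELS = {"ENCRYPTED PRIVATE KEY"}

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)


def classify_pem_blocks(text):
    """Return [(label, status)] for every PEM block in `text`.

    status is "plaintext" for an unencrypted private key, "encrypted" for a
    password-protected one, and "other" for certificates, CSRs, etc.
    """
    findings = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        if label in ENCRYPTED_KEY_LABELS:
            findings.append((label, "encrypted"))
        elif label in PLAINTEXT_KEY_LABELS:
            # Traditional (PKCS#1 / SEC1) keys signal encryption with a
            # "Proc-Type: 4,ENCRYPTED" header line inside the block.
            status = "encrypted" if "Proc-Type: 4,ENCRYPTED" in body else "plaintext"
            findings.append((label, status))
        else:
            findings.append((label, "other"))
    return findings


def audit_tls_secret(manifest_json):
    """Given a Kubernetes Secret manifest as JSON (the shape `kubectl get secret
    NAME -o json` emits, base64 values under "data"), return the sorted list
    of data keys that hold a plaintext private key."""
    secret = json.loads(manifest_json)
    exposed = set()
    for key, b64value in (secret.get("data") or {}).items():
        try:
            decoded = base64.b64decode(b64value).decode("utf-8")
        except ValueError:
            continue  # binary or malformed value: not PEM, skip it
        for _label, status in classify_pem_blocks(decoded):
            if status == "plaintext":
                exposed.add(key)
    return sorted(exposed)


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed sample: a kubernetes.io/tls Secret of the kind a service mesh
# mounts into a sidecar. Name, namespace and PEM bodies are placeholders.
SAMPLE_TLS_SECRET = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "kubernetes.io/tls",
    "metadata": {"name": "amf-sbi-tls", "namespace": "5gc"},
    "data": {
        "tls.crt": _b64("-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"),
        "tls.key": _b64("-----BEGIN PRIVATE KEY-----\nMIIEvplaceholder\n-----END PRIVATE KEY-----\n"),
    },
})

# Constructed sample of a password-protected traditional RSA key; the header
# marks it as encrypted, so it is not reported as exposed.
SAMPLE_ENCRYPTED_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n"
    "\n"
    "placeholderciphertext\n"
    "-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    print("plaintext keys in secret:", audit_tls_secret(SAMPLE_TLS_SECRET))  # ['tls.key']
    print("encrypted sample:", classify_pem_blocks(SAMPLE_ENCRYPTED_KEY))
```

Run against real output by piping `kubectl get secret NAME -n NAMESPACE -o json` into `audit_tls_secret`; any key it reports is material that a hardware-backed key store such as the enclave-based approach discussed below would keep out of the pod's filesystem and etcd entirely.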
These factors lead to the conclusion that the traditional “walled garden” approach to perimeter security/firewalled architecture is not effective. The 5G infrastructure would benefit from key management services and a security architecture based on zero trust.
Zero Trust, Hardware-based Security
The Kubernetes community defines the 4 C’s of Cloud Native security: Cloud, Clusters, Containers, Code. When applying zero trust architecture principles, a critical security solution would secure containers and code from any unauthorized access or modification. In that case, let’s consider hardware-based security using application isolation technology.
Intel® Software Guard Extensions (SGX) uses a small portion of CPU memory to create a secure software enclave that protects application code and data. These enclaves provide CPU-hardened access control and memory encryption for applications, protecting code and data from processes running at higher privilege levels (OS, application layers, etc.). Developers can partition applications into hardened enclaves or trusted execution modules to increase application security. The technology enables operators to secure keys and data at rest or in use for sensitive security operations with the smallest attack surface.
Since its launch in 2015, Intel SGX has been thoroughly researched, updated, and battle-tested across the ecosystem as a trusted execution engine for data center confidential computing. Companies across industries, such as healthcare, financial services, manufacturing, telecommunications, and more, are tapping SGX capabilities in public and private cloud environments.
To Mesh or Not to Mesh?
As mentioned before, companies can either incorporate private keys into CNFs or deploy them as part of the service mesh, and hardware-based security supports either option. It’s worth mentioning that a service mesh deployment is a lighter lift for CoSP IT and development teams because they won’t have to change or customize CNFs. It also puts each CoSP in the driver’s seat to set the direction for a horizontal security strategy across the infrastructure and drive execution across the ecosystem.
In addition to integrating security capabilities into the 3rd Generation Intel® Xeon® Scalable processors, Intel released the Key Management Reference Application (KMRA) reference software for integrating asymmetric key capabilities in Intel SGX with a hardware security module on a centralized key server. The latest Network and Cloud Edge Reference System Architectures v22.05 enables automatic key management in service mesh implementations.
Ecosystem Collaboration is Key to Zero Trust Future
Companies are using security technologies from Intel to secure data at rest, in use, and in transit. We’re collaborating closely with the telecommunications ecosystem and Communications Service Providers to solve the most pressing security challenges resulting from the shift to 5G and cloud native architectures. One such example is our partnership with ACL Digital, delivering secure communication between 5G Control Plane elements with private key management based in Intel SGX and accelerated by Intel crypto acceleration technologies. I look forward to sharing more partner and CoSP use cases across 5G infrastructure for Intel’s highly secure hardware-based security framework in the coming weeks and months.
1 “Cloud-Native 5G Core Operator Survey,” Heavy Reading, March 2021