CISA and NSA have issued guidance on strengthening Pod isolation by limiting permissions on deployed containers and implementing real-time threat detection.
To mitigate cyber threats within 5G cloud infrastructure, the National Security Agency and the Cybersecurity and Infrastructure Security Agency issued guidance on threats to 5G container-centric or hybrid container/virtual-machine network functions, which are deployed in isolated environments known as Pods.
The Securely Isolate Network Resources guidance is the second part of a four-part series -- Security Guidance for 5G Cloud Infrastructures -- issued under the Enduring Security Framework (ESF), a public-private cross-sector working group led by NSA and CISA.
Cloud-native 5G networks make use of Pods, isolated environments in which 5G network functions are executed. “The scale and interoperability requirements of 5G cloud components make securely configuring Pods a challenging but important ongoing effort,” the guidance states, so containerization technology is used to harden the deployed application, protect interactions between Pods and detect malicious or anomalous activity within the cluster.
The document covers several aspects of Pod security, including strengthening Pod isolation, limiting permissions on deployed containers, avoiding resource contention and denial-of-service attacks, and implementing real-time threat detection.
The guidance includes recommendations for cloud providers, mobile network operators and customers. It also features a section on incident response.
“Preventing a process that runs in a container from escaping the isolation boundaries of its container and gaining access to the underlying host is a threat that must be addressed,” the guidance states. “Capabilities that enable the detection of unexpected behavior, such as dynamic verification through attestation or use of behavior profiles, need to be industry best practices.”
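As an added illustration of the Pod-hardening themes the guidance names (isolation from the host, limited container permissions, resource limits to avoid contention), the following Python audit checks a Pod manifest for those properties. It is not from the guidance or the ESF; the two manifests and the check list are constructed for this example.

```python
import copy

# Constructed sample manifest for a 5G network-function Pod (not from the guidance)
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "nf-example"},
    "spec": {
        "hostPID": True,
        "containers": [{"name": "nf", "image": "registry.invalid/nf:1.0",
                        "securityContext": {"privileged": True}}],
    },
}

# Same Pod hardened: no host namespaces, unprivileged, non-root, capabilities dropped, limits set
HARDENED_POD = copy.deepcopy(WEAK_POD)
HARDENED_POD["spec"].pop("hostPID")
HARDENED_POD["spec"]["containers"][0].update({
    "securityContext": {
        "privileged": False, "allowPrivilegeEscalation": False,
        "runAsNonRoot": True, "capabilities": {"drop": ["ALL"]},
    },
    "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
})


def audit_pod(pod: dict) -> list[str]:
    """Return findings for a Pod manifest; an empty list means every check passed."""
    findings = []
    spec = pod.get("spec", {})
    # Sharing a host namespace weakens the Pod-to-host isolation boundary
    for ns in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(ns):
            findings.append(f"pod shares {ns} with the node")
    for c in spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation not false")
        if not sc.get("runAsNonRoot"):
            findings.append(f"{name}: runAsNonRoot not set")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities not dropped")
        limits = c.get("resources", {}).get("limits", {})
        # Missing limits let one Pod starve its neighbours (contention / DoS)
        for res in ("cpu", "memory"):
            if res not in limits:
                findings.append(f"{name}: no {res} limit")
    return findings
```

Running `audit_pod` over the weak manifest reports seven findings, while the hardened manifest passes cleanly; in practice the same checks are enforced cluster-wide by an admission policy rather than by hand.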
Part I of the series discussed preventing and detecting malicious cyber actor activity in a 5G cloud infrastructure and recommended mitigations aimed at preventing cybersecurity incidents. Part III will address protection of data in transit and at rest.