In new guidance published Thursday, the security agencies said operators should focus on protecting data, including through the use of hardware techniques like Trusted Execution Environments.
A Trusted Execution Environment (TEE) is an area in memory protected by the processor in a computing device. Hardware can ensure the confidentiality and integrity of code and data inside a TEE.
Containers and virtual machines are key elements of 5G networks because they allow traditional network structures to be further broken down into customizable segments.
“Today, it is near-universal practice in cloud and enterprise to protect data at rest using strong encryption, such as AES 256, in local and/or network-attached storage. However, when the same data is being processed by the central processing unit (CPU), it is held as plain text in memory and not protected by encryption,” the guidance said. “Therefore, it is critical that data in memory has comparable protection to data at rest in storage devices.”
The latest guidance is the second part of a four-part series issued by the NSA and CISA intended to help 5G cloud providers improve their cybersecurity measures.
In the first document, published last month, the agencies highlighted the role that artificial intelligence and machine learning systems may play in helping cloud providers to detect the presence of sophisticated attackers and other security incidents.
Other guidance in the second part of the series includes the recommendation that operators implement a network policy to ensure pods on a 5G network are isolated immediately on discovery of a cybersecurity incident.
The new document also included the recommendation that the number of containers running in privileged mode with root capabilities should be limited.
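The two recommendations above map onto concrete Kubernetes objects. The following is an added example written for this page, not code from the article or from the NSA/CISA guidance: a small Python audit that flags containers running privileged or adding root-equivalent Linux capabilities, and builds the NetworkPolicy that cuts all ingress and egress for pods carrying an incident label. The pod specs, the `incident=quarantine` label, the function names and the `ROOT_EQUIVALENT_CAPS` set are all assumptions constructed for the example; only the Kubernetes field names (`securityContext.privileged`, `capabilities.add`, `policyTypes`, `podSelector`) are real.

```python
"""
Added example (not from the article or the NSA/CISA guidance).
Audits constructed pod specs for privileged / root-capable containers and
builds a deny-all NetworkPolicy for pods labelled as under incident response.
Runs offline; no cluster access is needed.
"""
import copy
import json

# Constructed sample pod specs (not real 5G workloads). Field layout follows
# the Kubernetes PodSpec / SecurityContext schema.
SAMPLE_PODS = [
    {"metadata": {"name": "upf-0", "namespace": "core", "labels": {"app": "upf"}},
     "spec": {"containers": [
         {"name": "upf", "securityContext": {"privileged": True}}]}},
    {"metadata": {"name": "amf-0", "namespace": "core", "labels": {"app": "amf"}},
     "spec": {"containers": [
         {"name": "amf", "securityContext": {
             "capabilities": {"add": ["NET_ADMIN", "SYS_ADMIN"]}}}]}},
    {"metadata": {"name": "smf-0", "namespace": "core", "labels": {"app": "smf"}},
     "spec": {"containers": [
         {"name": "smf", "securityContext": {
             "runAsNonRoot": True, "capabilities": {"drop": ["ALL"]}}}]}},
]

# Linux capabilities that are effectively root on the node (assumed set; tune
# to your own policy).
ROOT_EQUIVALENT_CAPS = {"SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE",
                        "NET_ADMIN", "SYS_RAWIO"}


def find_privileged_containers(pods):
    """Return (pod_name, container_name, reason) for every container that is
    privileged or adds a root-equivalent capability."""
    findings = []
    for pod in pods:
        pod_name = pod["metadata"]["name"]
        for c in pod["spec"].get("containers", []):
            sc = c.get("securityContext") or {}
            if sc.get("privileged"):
                findings.append((pod_name, c["name"], "privileged=true"))
                continue
            added = set((sc.get("capabilities") or {}).get("add") or [])
            risky = sorted(added & ROOT_EQUIVALENT_CAPS)
            if risky:
                findings.append((pod_name, c["name"], "adds " + ",".join(risky)))
    return findings


def quarantine_policy(namespace, label_key="incident", label_value="quarantine"):
    """Build a NetworkPolicy selecting pods with the incident label. Listing
    both policy types with no ingress/egress rules denies all traffic in
    both directions for the selected pods."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "quarantine-" + label_value, "namespace": namespace},
        "spec": {
            "podSelector": {"matchLabels": {label_key: label_value}},
            "policyTypes": ["Ingress", "Egress"],
        },
    }


def label_for_quarantine(pod, label_key="incident", label_value="quarantine"):
    """Return a copy of the pod spec with the incident label applied; the
    policy above then isolates it without restarting the workload."""
    tagged = copy.deepcopy(pod)
    tagged["metadata"].setdefault("labels", {})[label_key] = label_value
    return tagged


if __name__ == "__main__":
    for pod_name, container, reason in find_privileged_containers(SAMPLE_PODS):
        print(f"FINDING {pod_name}/{container}: {reason}")
    print(json.dumps(quarantine_policy("core"), indent=2))
```

In practice the policy object is applied once per namespace ahead of time, so that during an incident the only action required is labelling the affected pods; the audit function is the kind of check that belongs in an admission controller or a CI gate rather than in an ad-hoc script.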
The guidance from NSA and CISA follows preliminary analysis and threat assessment carried out by a cloud working panel earlier this year, which concluded that the top 5G cloud infrastructure security challenges could be divided into four parts.
The agencies are shortly expected to publish the remaining two parts of the series, which are focused on securely isolating network resources, protecting data in transit, in use and at rest, and ensuring the integrity of infrastructure.