Cloud Native Security in Infrastructure Construction

September 15, 2021 | Jie Ji

Cloud native security is the direction in which cloud security will develop over the coming years. On the one hand, the inherent security of cloud native is worthy of in-depth study. On the other hand, as infrastructure is reconstructed and upgraded, there is a clear trend towards the integration of cloud native technologies and information infrastructure.

5G, edge computing, IoT, and industrial Internet are key priorities of infrastructure development, and their security assurance lays the groundwork for security of mission-critical applications. Currently, the cloud native technology and architecture are becoming an important way to implement the 5G core network, edge cloud, and the like.

5G Core Network Security

The 5G era has brought great changes to core networks. 5G core networks based on the standalone architecture generally use Network Function Virtualization (NFV) and Software-Defined Networking (SDN) technologies.

From the perspective of IT infrastructure, a 5G core network can be taken as an Infrastructure as a Service (IaaS) virtualization system or Container as a Service (CaaS) system. In 5G networks, network elements often take the form of virtual machines or containers. In particular, with the introduction of the slicing technology, network elements on the control plane and data plane need to be rapidly deployed and adjusted on demand. Based on this, I expect that containerized network elements will become more prevalent. Moreover, in terms of design, each element in a 5G core network provides independent functions. For instance, Network Exposure Function (NEF) facilitates access to exposed network services and capabilities and Session Management Function (SMF) manages user sessions. Therefore, in the future, with the support of orchestration platforms, 5G network elements will provide business services on the 5G control plane in the form of microservices.

Here, we take two open-source 5G core network projects, free5gc[i] and open5gs[ii], as examples. For either project, each network element can be deployed and managed as a container on an orchestration platform. Therefore, in theory, if elements in a 5G core network are deployed as containers by using the orchestration technology, the cloud native security protection mechanisms mentioned above can all be used for security protection at the resource layer.

At the service layer, in the above two open-source 5G core networks, each type of network element is deployed as an independent container to provide services for external users. Each network element provides its own microservices. Also, we attempted to capture packets in the container network, and our analysis of the captured packets shows that network element services interact with each other through the standard RESTful/HTTP protocol. Therefore, service security detection methods of cloud native applications also apply to service analysis of 5G core networks. By analyzing API invocation parameters and invocation sequences, we can profile microservice baselines and continuously monitor interactions between elements in 5G core networks at runtime to discover abnormal service requests.
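The baseline-and-monitor approach described above, as an added example (not code from the article, free5gc or open5gs): it learns which network-element calls, parameter names and call orderings occur in known-good traffic, then flags runtime requests that deviate. The traffic records, session names and simplified SBI-style paths are constructed for illustration, and the three alert reasons are hypothetical labels.

```python
import re
from collections import defaultdict

ID_SEGMENT = re.compile(r"^(\d+|imsi-\d+|[0-9a-f-]{8,})$")

def normalize(path):
    """Collapse identifier-like path segments so one template covers every subscriber."""
    return "/".join("{id}" if ID_SEGMENT.match(s) else s for s in path.split("/"))

def normal_session(sid, ctx):
    """Constructed known-good sequence: (session, caller, callee, method, path, param names)."""
    return [
        (sid, "amf", "nrf", "GET", "/nnrf-disc/v1/nf-instances", ("target-nf-type",)),
        (sid, "amf", "ausf", "POST", "/nausf-auth/v1/ue-authentications", ("supiOrSuci",)),
        (sid, "amf", "smf", "POST", "/nsmf-pdusession/v1/sm-contexts", ("dnn", "supi")),
        (sid, "amf", "smf", "POST", f"/nsmf-pdusession/v1/sm-contexts/{ctx}/release", ()),
    ]

def build_baseline(records):
    """Learn allowed calls, their parameter names, and per-session call transitions."""
    params, transitions, last = defaultdict(set), set(), {}
    for session, src, dst, method, path, keys in records:
        call = (src, dst, method, normalize(path))
        params[call].update(keys)
        transitions.add((last.get(session), call))  # None marks the start of a session
        last[session] = call
    return dict(params), transitions

def detect(records, baseline):
    """Return (session, reason, detail) for every request that departs from the baseline."""
    (params, transitions), last, alerts = baseline, {}, []
    for session, src, dst, method, path, keys in records:
        call = (src, dst, method, normalize(path))
        if call not in params:
            alerts.append((session, "unknown-call", call))
        else:
            extra = sorted(set(keys) - params[call])
            if extra:
                alerts.append((session, "unknown-params", extra))
            if (last.get(session), call) not in transitions:
                alerts.append((session, "unexpected-sequence", call))
        last[session] = call
    return alerts

BASELINE = build_baseline(normal_session("s1", 101) + normal_session("s2", 102))
OBSERVED = normal_session("s8", 7)[:1] + [  # constructed runtime traffic with three deviations
    ("s8", "amf", "ausf", "POST", "/nausf-auth/v1/ue-authentications", ("supiOrSuci", "debug")),
    ("s9", "amf", "smf", "POST", "/nsmf-pdusession/v1/sm-contexts", ("dnn", "supi")),
    ("s9", "upf", "udm", "GET", "/nudm-sdm/v2/imsi-001010000000001/am-data", ()),
]
```

Calling `detect(OBSERVED, BASELINE)` reports an unbaselined parameter on the authentication call, a session-context request that skipped the learned discovery and authentication steps, and a caller/callee pair never seen in the baseline.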

Edge Computing Security

Edge computing is a distributed computing paradigm which brings networks, computation, storage, and core capabilities of applications closer to data sources at the edge of corporate networks. With the development of the modern industry and 5G communications, edge computing will find widespread application.

Open-source edge computing platforms, including KubeEdge, OpenNESS, and StarlingX, all adopt the cloud native technology to address security needs of the cloud and edges by using containers and Kubernetes. On the one hand, this demonstrates that the cloud native technology is used extensively and edge computing, like cloud native, has such advantages as flexibility, high efficiency, and stability. On the other hand, risks faced by cloud native also exist in edge computing environments and edge computing will introduce new security challenges due to its own characteristics.

Overall, edge computing faces the following security challenges:

Resource restriction: Unlike traditional cloud computing environments, edge computing environments, due to limited computing capabilities and storage resources, may place constraints on the deployment of traditional security protection hardware and software.

Security of platforms on the cloud and edges: The cloud and edges are indispensable parts of a cloud computing environment. The security of their platform systems forms the basis for the security of the entire cloud computing environment, given that threats against traditional hosts and networks still exist.

Time constraints of edge applications: Edge applications, characterized by complexity and diversity, will update at a faster rate and become more short-lived, with the introduction of the container technology. Also, security protection for these applications will evolve accordingly.

Data privacy and protection: Within the edge computing concept, edges are not merely sensors, but distributed nodes with some computing and storage capabilities. Therefore, it is increasingly important to appropriately use data and ensure data privacy in edge computing environments.

Security systems integrating the cloud and edges: Edge computing is more than computing at edges because from the service perspective, edges are not isolated from the cloud, but collaborate and integrate with the cloud. Accordingly, security systems adapted to service needs should also allow for collaboration and integration of the cloud and edges.

When it comes to security of Kubernetes-based platforms, we naturally think of cloud native security protection mechanisms. We will continue to explore security protection for edge computing. Based on container protection and technical accumulations, we have implemented security protection mechanisms for the above three open-source platforms (KubeEdge, OpenNESS, and StarlingX), a clear demonstration of our capability of providing satisfactory security services for edge computing platforms.

Cloud native technologies, though in their early phase of development, will surely be integrated with various information systems and computing scenarios, empowering systems with resilience, agility, and on-demand orchestration. In view of this, security vendors and providers should fully study cloud native technologies to provide measures to detect, respond to, and protect emerging cloud infrastructure, as well as embed the cloud native technologies in these security products, platforms, and solutions to finally deliver inherent security capabilities in cloud native.

[i] https://www.free5gc.org

[ii] https://open5gs.org