Secure 5G networks with confidential computing

Learn why the NSA and CISA recommend confidential computing to protect 5G cloud infrastructures.

Lara Montoya Laske

5G networks and cloud infrastructure


Because of the ever-increasing number of connected devices and the resulting demand for network capacity, cloud infrastructure is becoming crucial for mobile network operators (MNOs) in the age of 5G.



In contrast to prior network generations, 5G networks have adopted a decentralized, software-centric architecture. One key component of this architecture is network functions virtualization, which refers to the replacement of network functions on dedicated appliances — such as routers, load balancers, and firewalls — with virtualized instances, called virtual network functions (VNFs), running as software on general-purpose hardware. Virtualization facilitates network slicing in 5G networks, allowing the creation of multiple virtual networks over the physical infrastructure, each tailored for specific applications and uses, according to current demand.



While VNFs are usually run inside virtual machines (VMs), cloud-native network functions (CNFs), an evolution from VNFs, have been designed to run inside containers. Therefore, CNFs inherit all the operational and architectural principles of cloud-native computing. These principles include lifecycle management, resiliency, observability, and agility.


The evolution of network functions in telecommunication:


This means that with 5G cloud-native deployments based on CNFs, MNOs such as Vodafone, Telekom, and AT&T can efficiently implement dynamically scalable 5G core networks with features such as network slicing, while staying flexible and distributing their infrastructure across multiple clouds for maximum resilience.



High-level overview of the 5G ecosystem:


Challenges of the cloud


As they process large amounts of highly sensitive data, cloud-native 5G networks are an attractive target for hackers and other malicious actors. In the Thales Cloud Security Study (2023), almost half of the respondents (46%) reported that they had experienced a data breach in their cloud environment, up 4 percentage points compared to the previous year. One of the biggest risks in public cloud environments stems from multi-tenancy: because compute resources are shared with numerous other tenants, an attacker who is already inside the infrastructure, whether as a fellow tenant, through a compromised hypervisor, or as a malicious insider at the provider, may be able to gain access to another tenant's data. The Nokia 5G Managed Security Survey (2022) highlights that "breaches are the rule, not the exception", and "cloud service providers (CSPs) are facing continuous challenges in adapting to evolving cyber threats". IBM's Cost of a Data Breach Report shows that in 2023 the average cost of a breach reached an all-time high of USD 4.45 million. With the increase in data breaches in the cloud and the associated costs, it is paramount for MNOs to improve their security posture.



Another aspect to take into consideration is data privacy. Regulations like GDPR present great challenges for companies that want to use cloud services. For example, under the CLOUD Act, US companies can be compelled by US authorities to disclose data they store or process, even when that data is located outside the United States. This conflicts with GDPR and other European data protection laws, causing great uncertainty for companies when processing personal data. (For more information on this topic, read this blog post).



The CISA and NSA recommend confidential computing to encrypt data in use


Highly sensitive data such as personal data, storage encryption keys, session keys, credentials, customer IP, and important system data is commonly protected at rest and in transit, but not while it is being processed, when it sits in plaintext in the CPU and main memory. The US Cybersecurity & Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have published security guidance recommending that organizations leverage confidential computing technology, running 5G containers in trusted execution environments (TEEs), to keep service providers and potentially malicious insiders outside the trusted computing base.



"As hardware-based TEEs become more pervasive and broadly enabled for use with container platforms and runtimes, it would be advisable (and recommended) to consider running containers in TEEs to reduce the attack surface for containers, and to keep the cloud service providers and malicious insiders outside the trusted computing base."

- Security Guidance for 5G Cloud Infrastructures Part IV



Additionally, confidential computing plays a crucial role in enabling secure edge computing, a pivotal factor in the 5G landscape. By bringing processing and storage resources closer to the user's end device, edge computing aims to reduce latency and enhance applications' reliability. Edge sites, however, are usually far less physically secure than a central data center. By running workloads in TEEs, MNOs and their business customers can deploy data processing resources even in less trusted environments, including physically exposed or geographically vulnerable locations, without exposing the data to whoever controls the hardware.



Basics of confidential computing


Confidential computing is a new technology that leverages the latest CPUs from industry leaders like Intel and AMD to encrypt data not just at rest and in transit but also during processing. These processors provide the TEEs mentioned above, in which all of a workload's data is kept encrypted in memory at runtime. On top of runtime encryption, confidential computing allows the integrity of a workload to be verified through a mechanism called remote attestation: the CPU measures the code and initial state loaded into the TEE and signs a report of that measurement with a hardware key whose certificate chains back to the CPU vendor, so a remote party can check both that the report comes from genuine hardware and that the expected workload is running. The combination of runtime memory encryption and remote attestation enables secure data processing even when the computers belong to someone else. If you want to learn more about confidential computing, read our whitepaper.
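To make the attestation step concrete, here is a small model of the check a verifier runs. It is an example added for this article, not code from the original page, from Constellation, or from any vendor SDK. It assumes a simplified JSON report and uses an HMAC with a key known to both sides as a stand-in for the hardware's asymmetric signature (real SGX, SEV-SNP and TDX reports are binary structures signed with a CPU key certified by the vendor); the workload images, nonce and policy set are constructed.

```python
"""Minimal model of TEE remote attestation (constructed example).

Models the three checks a verifier performs on an attestation report:
(1) the report was signed by trusted hardware, (2) it answers the verifier's
fresh nonce (no replay), (3) the measured workload matches policy.
"""
import hashlib
import hmac
import json
import os

# Stand-in for the CPU's attestation signing key. With a real TEE the verifier
# holds only the vendor's root certificate and never needs a secret; the HMAC
# key is shared here only so the example runs with the standard library alone.
_HARDWARE_KEY = b"constructed-demo-attestation-key"


def measure(workload_image: bytes) -> str:
    """Launch measurement: hash of the code and initial data loaded into the TEE."""
    return hashlib.sha256(workload_image).hexdigest()


def _sign(body: dict) -> str:
    """Hardware signature over a canonical encoding of the report body."""
    canonical = json.dumps(body, sort_keys=True).encode()
    return hmac.new(_HARDWARE_KEY, canonical, hashlib.sha256).hexdigest()


def attest(workload_image: bytes, nonce: bytes, report_data: bytes = b"") -> dict:
    """Attester side. The hardware measures the workload and signs a report
    binding the measurement to the verifier's nonce and to report_data
    (typically a hash of a public key the workload just generated, so the
    verifier can afterwards talk to exactly this attested instance)."""
    body = {
        "measurement": measure(workload_image),
        "nonce": nonce.hex(),
        "report_data": hashlib.sha256(report_data).hexdigest(),
    }
    return {"body": body, "signature": _sign(body)}


def verify(report: dict, expected_nonce: bytes, allowed_measurements: set) -> tuple:
    """Verifier side. Returns (accepted, reason). Order matters: nothing in
    the body is trusted until the hardware signature has been checked."""
    if not hmac.compare_digest(_sign(report["body"]), report["signature"]):
        return False, "signature invalid: report not produced by trusted hardware"
    if report["body"]["nonce"] != expected_nonce.hex():
        return False, "nonce mismatch: stale or replayed report"
    if report["body"]["measurement"] not in allowed_measurements:
        return False, "measurement not in policy: unexpected workload is running"
    return True, "ok"


def run_scenarios() -> dict:
    """Exercise the verifier against an honest attester and three attacks.
    The images are constructed byte strings standing in for a CNF container image."""
    trusted_image = b"cnf-upf-image-v1.2.3"
    backdoored_image = b"cnf-upf-image-v1.2.3+backdoor"
    policy = {measure(trusted_image)}  # measurements the operator has approved
    nonce = os.urandom(16)

    honest = attest(trusted_image, nonce)
    # Attack 1: a modified workload is measured honestly; policy rejects it.
    tampered_workload = attest(backdoored_image, nonce)
    # Attack 2: the attacker overwrites the measurement field with the expected
    # value; the hardware signature no longer matches the body.
    forged = attest(backdoored_image, nonce)
    forged["body"] = dict(forged["body"], measurement=measure(trusted_image))
    # Attack 3: a genuine old report is replayed in a session with a new nonce.
    fresh_nonce = os.urandom(16)

    return {
        "honest": verify(honest, nonce, policy),
        "tampered_workload": verify(tampered_workload, nonce, policy),
        "forged_measurement": verify(forged, nonce, policy),
        "replayed_report": verify(honest, fresh_nonce, policy),
    }


if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print(f"{name:20s} accepted={ok}  {reason}")
```

Only the honest scenario is accepted; the other three fail on a different check each, which is the point of layering signature, freshness and policy. In a real deployment the policy set is what an operator maintains and updates when a new CNF image version is rolled out.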



To summarize, by leveraging confidential computing technology, 5G network functions can be always encrypted and secured, independently from the environment they are running on.



It's important to note that confidential computing solutions can differ vastly. Some only protect individual services, while others isolate entire applications, making all data invisible to the infrastructure. Constellation, the world's first confidential Kubernetes, encrypts entire Kubernetes clusters and is compatible with virtualized network functions for 5G. Book a demo with our experts to learn more about Constellation, or try it out on GitHub.
