CISA Pushes for Zero Trust in Latest 5G Guidance

The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) cited multitenant cloud infrastructures as the primary risk factor for 5G security in new guidance released earlier this month. To mitigate this risk, CISA and the NSA advise a zero trust approach to cloud and 5G security.

The new guidance is the third installment in a series on 5G security. In Part I and Part II of the guidance on 5G security, CISA and the NSA advocated the use of identity, credential and access management (ICAM) solutions to prevent unauthorized access to 5G networks and advised separation of network resources, (i.e., “pod security”), to prevent malicious lateral movement within a network should a breach occur.

Part III continues to emphasize the importance of data protection and zero trust for all cloud-based security efforts, especially as federal agencies like the Defense Department, the Department of Homeland Security and the Department of Veterans Affairs prepare their networks for 5G capabilities.

Multitenancy refers to multiple cloud infrastructure customers sharing a single physical infrastructure, including sharing security responsibilities, which is a common consequence of cloud modernization.

“5G networks, which are cloud-native, will be a lucrative target for cyber threat actors who wish to deny or degrade network resources or otherwise compromise information,” CISA and the NSA said in their joint guidance.

The joint guidance emphasizes data protection and zero trust architectures as the most reliable approaches to securing 5G networks, tracking with the latest federal cybersecurity guidance and comments from federal cyber leaders regarding cloud networks in general.

“Data in a network as vast as 5G cloud infrastructures cannot be secured by a solitary entity,” said Morgan Adamski, chief of NSA’s Cybersecurity Collaboration Center, according to the press release. “It takes the collaboration of government agencies and our industry partners. When we combine our unique perspectives, we can fit together the pieces of the puzzle and solve critical cybersecurity issues.”

NIST IT Specialist Jeff Cichonski said zero trust as a security strategy is “very applicable” to 5G networks in an October CyberCast interview with GovernmentCIO Media & Research. For federal agencies looking to deploy 5G capabilities, focusing on zero trust deployment is a great first step, but 5G security will not be “one size fits all” and will look different from network to network, Cichonski added.

“5G technologies definitely have multiple stakeholders — consumers and service providers,” he said in the interview. “We’re definitely seeing that shift to leveraging cellular networks for day-to-day business. I think it’s really important to take these networks into account, ensuring the risk process is understood … different applications or use cases for 5G will have different security requirements.”