Cloud-native architecture enables Communication Service Providers (CoSPs) to run workloads wherever they deliver optimal performance in the network. As the edge of the network is virtualized and made programmable, CoSPs need to ensure that they have appropriate computer security measures there, as well as in other network locations. Edge assets may be in locations that are not protected with the same physical security you would expect in the data center. They are also geographically distributed, making them harder to monitor and secure.
Intel proposes three levels of security for servers at the edge of the network:
- Level 1 uses a hardware root of trust based on Intel® Boot Guard for firmware protection. This helps to ensure that the firmware has not been tampered with when the server boots, by cryptographically verifying each critical piece of firmware as it is installed. The National Cybersecurity Center of Excellence at the National Institute of Standards and Technology (NIST) sees hardware roots of trust and attestation as important for a secure evolution to 5G. Intel Boot Guard is available in Intel® Xeon® Scalable processors and Intel® Xeon® D processors, and is enabled by server original equipment manufacturers (OEMs) during manufacturing.
- Level 2 applies secure boot processes using Unified Extensible Firmware Interface (UEFI) Secure Boot, including verifying that the Linux kernel has not been tampered with when the server boots. Secure Boot is available in several leading Linux distributions, and most OEMs have a deployment-ready solution. For more information, see the application note on secure boot methodologies (PDF).
- Level 3 integrates the edge platform security with the cloud orchestration software, such as Kubernetes. The previous two levels are about verifying that the server has not been tampered with. Level 3 enables you to identify platforms that are exposed to newly disclosed vulnerabilities, whether or not those vulnerabilities have actually been exploited. Intel® SecL – DC can be used to maintain a trust database, with policies that change the trust status of a platform if a certain firmware or Linux kernel version is found to be vulnerable. The solution integrates with Kubernetes or OpenStack, so the CoSP can more easily identify platforms that may no longer be secure and take appropriate remedial action.
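To make the Level 3 idea concrete, here is an added illustration (not Intel SecL – DC code, and not from the solution brief): a platform's attested boot result and firmware/kernel versions are evaluated against a trust policy, and the resulting status is turned into a node label an orchestrator could use to keep workloads off untrusted nodes. The firmware build IDs, kernel thresholds and label name are constructed assumptions.

```python
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Turn '5.4.17' into (5, 4, 17) so versions compare numerically, not as text."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Policy:
    # Firmware builds a disclosed issue affects (hypothetical build IDs).
    vulnerable_firmware: frozenset
    # Kernels older than this carry an unpatched flaw (hypothetical threshold).
    min_kernel: str


@dataclass(frozen=True)
class Report:
    # Outcome of Levels 1 and 2: Boot Guard / UEFI Secure Boot verification.
    boot_verified: bool
    firmware: str
    kernel: str


def evaluate(report: Report, policy: Policy):
    """Return (trusted, reasons). A failed boot check is terminal; otherwise the
    attested versions are checked against the current policy, so the same node
    can flip to untrusted when the policy changes after an advisory."""
    if not report.boot_verified:
        return False, ["measured boot verification failed"]
    reasons = []
    if report.firmware in policy.vulnerable_firmware:
        reasons.append(f"firmware {report.firmware} listed as vulnerable")
    if parse_version(report.kernel) < parse_version(policy.min_kernel):
        reasons.append(f"kernel {report.kernel} older than {policy.min_kernel}")
    return (not reasons), reasons


def node_label(trusted: bool) -> dict:
    """Label an orchestrator could apply; a workload with a nodeSelector on this
    label only lands on trusted platforms (label name is an assumption)."""
    return {"edge.example.com/trusted": "true" if trusted else "false"}


# Constructed sample: the same node before and after a kernel advisory updates the policy.
POLICY_BEFORE = Policy(vulnerable_firmware=frozenset(), min_kernel="5.4.0")
POLICY_AFTER = Policy(vulnerable_firmware=frozenset({"BIOS-1.2.3"}), min_kernel="5.4.20")
NODE = Report(boot_verified=True, firmware="BIOS-1.2.3", kernel="5.4.17")
```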
Using these three levels, CoSPs can more proactively manage the security of their virtualized network assets. To find out more, download the solution brief: “Enhancing the Security of Servers in the 5G Network and Edge”.