The primary areas for a secure cloud native environment are infrastructure, clusters, development, and workloads. With complex telco networks moving toward 5G and cloud network functions, automation and orchestration are required to optimize network security and achieve network transformation.
VMware Telco Cloud Automation provides orchestration and automation to secure telco network services and functions, including CNFs and Kubernetes. The platform’s orchestration tool automates several operational procedures to avoid configuration mistakes.
![Capabilities of VMware Telco Cloud Automation](images/GUID-E8B3CD2D-B8E6-445A-AECE-B658609EF895-low.png)
Securely orchestrating containerized applications
The Center for Internet Security (CIS) is a non-profit organization that relies on the IT community to safeguard private and public organizations against cyber threats. To set up Kubernetes clusters with a secure configuration, analyze their security posture using the CIS Kubernetes Benchmark.
Checklist of countermeasures for cloud native security
If you are implementing cloud native network functions or introducing containers and Kubernetes into your telco stack, apply the following list of countermeasures to the cloud native components. These countermeasures ensure that the cloud native technology is protected with fully integrated security.
Use this checklist to evaluate whether countermeasures are included in a platform or component by default or whether they must be applied. For more information, see the NIST Application Container Security Guide (NIST Special Publication 800-190).
- Implement container-specific countermeasures
- Integrate countermeasures into the container life cycle and pipeline, from build through registry, runtime, and orchestration
- Monitor containers across their life cycle and stack for full visibility
- Enforce security with policies, especially RBAC and policies for image use
- Use only the latest known, patched, scanned, and signed images
- Run images as non-privileged, immutable containers without SSH
- Manage containers through the orchestration engine, not the container host
- Securely store secrets, encrypted, in the orchestrator, not in the image
- Connect to registries and dashboards over secure, encrypted channels
- Tightly control access to registries, orchestrators, and dashboards with RBAC, using the principles of least privilege and separation of duties
- Control access to the Kubernetes API
- Federate existing accounts by using a standard directory service and implement single sign-on
- Log, monitor, and audit registry, orchestrator, and dashboard access
- Encrypt data at rest using container-specific methods
- Segment orchestrator network traffic into discrete virtual networks by sensitivity level
- Only mix workloads of the same sensitivity level and threat posture on the same host
- Use a patched, up-to-date runtime
- Limit network access from containers
- Profile and protect apps at runtime to ensure integrity
- Use an up-to-date, container-specific minimalist OS to narrow the attack surface
- Set the root file system to read-only
- Limit, log, and audit host OS access to detect anomalies and privileged operations
- Limit the resource consumption of a container to prevent denial-of-service (DoS) attacks
- Monitor the cluster and network usage
- Monitor for suspicious activity and analyze failed login and RBAC events
- Use the latest versions of Kubernetes, which are more secure than older versions
- Monitor configurations, such as dashboard access, for risks and vulnerabilities
- Perform routine tests for vulnerabilities and attack vectors by using standard tools
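Several of the container-specific items above (non-privileged containers, read-only root file system, resource limits, secrets kept in the orchestrator rather than the image, pinned images) map directly to fields of a Kubernetes Pod manifest. The following added example, which is not part of the original page or of VMware Telco Cloud Automation, audits a parsed Pod manifest against those items; the two sample manifests are constructed for illustration, and the secret-name suffixes are an assumed heuristic.

```python
SECRET_SUFFIXES = ("PASSWORD", "SECRET", "TOKEN", "KEY")  # assumed naming heuristic

def audit_pod(pod: dict) -> list[str]:
    """Return the checklist items a parsed Pod manifest violates (empty = clean)."""
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = {**pod_sc, **c.get("securityContext", {})}  # container level overrides pod level
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if not sc.get("runAsNonRoot"):
            findings.append(f"{name}: not forced to run as non-root")
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes default is true
            findings.append(f"{name}: privilege escalation allowed")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: root filesystem is writable")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: Linux capabilities not dropped")
        limits = c.get("resources", {}).get("limits", {})
        if "cpu" not in limits or "memory" not in limits:
            findings.append(f"{name}: no CPU/memory limits (DoS risk)")
        for env in c.get("env", []):
            if "value" in env and env["name"].upper().endswith(SECRET_SUFFIXES):
                findings.append(f"{name}: secret-like env var {env['name']} is a literal")
        image = c.get("image", "")
        ref = image.rsplit("/", 1)[-1]  # drop registry/path, keep name[:tag]
        if "@" not in image and (":" not in ref or ref.endswith(":latest")):
            findings.append(f"{name}: image not pinned to a tag or digest")
    return findings

# Constructed sample manifests (illustrative, not from the original page).
WEAK_POD = {"spec": {"containers": [{
    "name": "app", "image": "registry.example.com/app:latest",
    "securityContext": {"privileged": True},
    "env": [{"name": "DB_PASSWORD", "value": "hunter2"}]}]}}

HARDENED_POD = {"spec": {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{
        "name": "app", "image": "registry.example.com/app:1.4.2",
        "securityContext": {"allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
                            "capabilities": {"drop": ["ALL"]}},
        "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        "env": [{"name": "DB_PASSWORD", "valueFrom": {
            "secretKeyRef": {"name": "db-creds", "key": "password"}}}]}]}}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, audit_pod(pod) or "no findings")
```

The same checks can be run over real manifests by parsing them with a YAML library and passing the resulting dict to `audit_pod`.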