The primary areas for a secure cloud native environment are infrastructure, clusters, development, and workloads. With complex telco networks moving toward 5G and cloud network functions, automation and orchestration are required to optimize network security and achieve network transformation.

VMware Telco Cloud Automation provides orchestration and automation to secure telco network services and functions, including CNFs and Kubernetes. The platform’s orchestration tool automates several operational procedures to avoid configuration mistakes.


Capabilities of VMware Telco Cloud Automation

Securely orchestrating containerized applications

The Center for Internet Security (CIS) is a non-profit organization that relies on the IT community to safeguard private and public organizations against cyber threats. To set up Kubernetes clusters with a secure configuration, analyze their security posture using the CIS Kubernetes Benchmark.

Checklist of countermeasures for cloud native security

If you are implementing cloud native network functions or introducing containers and Kubernetes into your telco stack, apply the following list of countermeasures to the cloud native components. These countermeasures ensure that the cloud native technology is protected with fully integrated security.

Note:

Use this checklist to evaluate whether countermeasures are included in a platform or component by default or whether they must be applied. For more information, see the NIST Application Container Security Guide (NIST Special Publication 800-190).

  • Implement container-specific countermeasures

  • Integrate countermeasures into the container life cycle and pipeline, from build through the registry and runtime through orchestration

  • Monitor containers across their life cycle and stack for full visibility

  • Enforce security with policies, especially RBAC and policies for image use

  • Use only the latest known, patched, scanned, and signed images

  • Run images as non-privileged, immutable containers without SSH

  • Manage containers through the orchestration engine, not the container host

  • Securely store secrets, encrypted, in the orchestrator, not in the image

  • Connect to registries and dashboards over secure, encrypted channels

  • Tightly control access to registries, orchestrators, and dashboards with RBAC using principles of least privilege and separation of duties

  • Control access to the Kubernetes API

  • Federate existing accounts by using a standard directory service and implement single sign-on

  • Log, monitor, and audit registry, orchestrator, and dashboard access

  • Encrypt data at rest using container-specific methods

  • Segment orchestrator network traffic into discrete virtual networks by sensitivity level

  • Only mix workloads of the same sensitivity level and threat posture on the same host

  • Use a patched, up-to-date runtime

  • Limit network access from containers

  • Profile and protect apps at runtime to ensure integrity

  • Use an up-to-date container-specific minimalist OS to narrow the attack surface

  • Set the root file system to read-only

  • Limit, log, and audit host OS access to detect anomalies and privileged operations

  • Limit resource consumption of a container to prevent denial-of-service (DoS) attacks

  • Monitor the cluster and network usage

  • Monitor for suspicious activity and analyze failed login and RBAC events

  • Use the latest versions of Kubernetes, which are more secure than older versions

  • Monitor configurations, such as dashboard access, for risks and vulnerabilities

  • Perform routine tests for vulnerabilities and attack vectors by using standard tools
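Several of the items above (non-privileged containers, read-only root file system, resource limits, digest-pinned images, secrets sourced from the orchestrator rather than baked in as literals) are properties of a Pod manifest that can be checked mechanically before admission. The following audit function is an added example, not part of this page or of VMware Telco Cloud Automation; the two Pod manifests are constructed samples, and the registry host and digest are placeholders.

```python
# Constructed sample manifests (not TCA output): one weak, one hardened.
WEAK_POD = {"spec": {"containers": [{
    "name": "cnf",
    "image": "registry.example.invalid/cnf:latest",
    "securityContext": {"privileged": True},
    "env": [{"name": "DB_PASSWORD", "value": "hunter2"}],
}]}}

HARDENED_POD = {"spec": {"containers": [{
    "name": "cnf",
    "image": "registry.example.invalid/cnf@sha256:" + "0" * 64,  # placeholder digest
    "securityContext": {"privileged": False, "runAsNonRoot": True,
                        "readOnlyRootFilesystem": True,
                        "allowPrivilegeEscalation": False,
                        "capabilities": {"drop": ["ALL"]}},
    "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
    "env": [{"name": "DB_PASSWORD", "valueFrom": {
        "secretKeyRef": {"name": "cnf-db", "key": "password"}}}],
}]}}

SECRET_HINTS = ("PASSWORD", "SECRET", "TOKEN", "KEY")


def audit_container(c):
    """Return checklist findings for one container spec (empty list == clean)."""
    sc = c.get("securityContext") or {}
    name, image = c.get("name", "?"), c.get("image", "")
    out = []
    if "@sha256:" not in image:  # a mutable tag cannot prove a scanned/signed image
        out.append(f"{name}: image not pinned to a digest")
    if sc.get("privileged"):
        out.append(f"{name}: privileged container")
    if sc.get("runAsNonRoot") is not True:
        out.append(f"{name}: runAsNonRoot not enforced")
    if sc.get("allowPrivilegeEscalation") is not False:
        out.append(f"{name}: allowPrivilegeEscalation not disabled")
    if sc.get("readOnlyRootFilesystem") is not True:
        out.append(f"{name}: root file system is writable")
    if not (c.get("resources") or {}).get("limits"):
        out.append(f"{name}: no resource limits (DoS risk)")
    for env in c.get("env") or []:  # secrets must come from a Secret, not a literal
        if "value" in env and any(h in env.get("name", "").upper() for h in SECRET_HINTS):
            out.append(f"{name}: {env['name']} passed as a literal, not a Secret reference")
    return out


def audit_pod(pod):
    """Audit every container in a Pod manifest against the checklist items."""
    findings = []
    for c in pod.get("spec", {}).get("containers", []):
        findings.extend(audit_container(c))
    return findings


if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, audit_pod(pod) or "clean")
```

The same checks map naturally onto an admission policy (for example a validating webhook or a policy engine rule) so that a manifest failing any item is rejected before it reaches the cluster.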