Case Study: Major Automobile Manufacturer
- Reduced application delivery time by two weeks by eliminating Kubernetes-related firewall changes
- Addressed compliance gaps by gaining visibility into Kubernetes workloads
- Deployed a zero trust security model to protect against emerging threats
- Achieved security and compliance objectives across containers, virtual machines, and bare metal servers
This manufacturer is a global leader in producing and selling automobiles. The company produces millions of automobiles annually and employs several hundred thousand workers worldwide.
The company’s vision goes beyond merely manufacturing automobiles: they want to connect with their drivers and passengers digitally. This relies on their ability to interact online with their customers and requires an agile delivery model. The company chose to build a Kubernetes platform to serve their needs for agility and scalability. The company deeply cares about their customers’ data, which drove the need for an agile security and compliance solution that can support the dynamic nature of their Kubernetes platform.
With Tigera, the company could:
- Remove bottlenecks caused by firewall rule changes, thereby accelerating application delivery
- Meet their internal and external compliance requirements with proper identification of workload traffic
- Protect east-west workload traffic within their Kubernetes clusters against emerging threats
The company faced two major challenges after adopting Kubernetes. First, the expected benefits of fast and agile application delivery did not materialize. Upon closer inspection, application deployment was crippled by the constant need to implement firewall changes to handle provisioning of ephemeral Kubernetes workloads. The process of provisioning firewall changes for Kubernetes workloads took weeks to complete and required oversight and constant coordination with the security and networking teams, significantly slowing down application delivery. Kubernetes workloads generate exponentially greater network churn when compared to traditional or VM-based architectures. The company’s traditional security approaches of custom automation and manual firewall provisioning were not designed for a Kubernetes architecture.
The second challenge the company discovered was that traditional network logs did not capture denied traffic at the container level and provided insufficient detail for compliance requirements. These dated capture methods only provided limited 5-tuple flow logs and required additional context to be useful. Traditional 5-tuple information, containing only IP addresses and ports, was unable to provide context specific to Kubernetes workloads, which cycle through IP addresses. The company discovered that monitoring Kubernetes workloads is significantly different from monitoring traditional host-based systems and requires visibility into the Kubernetes constructs. These constructs, in which the application actually runs, are entirely invisible to traditional network monitoring systems that stop at the host. Kubernetes construct information such as containers, pods, nodes, namespaces, and labels is needed beyond just IP addresses for compliance requirements.
After realizing the limitations of the traditional security model and technology, the company needed their security and compliance infrastructure to support a new level of agility as developers embraced Kubernetes.
The company investigated multiple alternatives before deciding to adopt Tigera Secure for multi-cloud zero trust security. Tigera Secure stood out because it supports both Kubernetes applications as well as legacy workloads running in bare metal and VMs. Tigera was also preferred because their technology is embedded in Amazon, Microsoft, Google, and IBM’s Kubernetes services, as well as embedded in Docker EE and integrated into Red Hat OpenShift. This provides the company with the flexibility to change their mind about the Kubernetes distro they use or use multiple distros.
The company’s focus on security motivated the team to implement a zero trust security posture, with dynamic policy-driven, distributed enforcement of network security rules. The company’s cross-functional team, including security, networking, compliance, site reliability engineering, development teams, and technical operations all leverage Tigera’s security architecture for the following capabilities:
Tigera’s hierarchical security policies replaced the firewall for east/west traffic and enabled the security and networking teams to define security controls that cannot be overridden. Developers can now define how their applications communicate without the risk of violating a security control. This approach removed the need for a firewall change each time a new workload is deployed.
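The hierarchy described above is built from ordered policy tiers. The following is an added example, not configuration from the manufacturer or from Tigera’s documentation: it sketches how a security team could own a high-priority tier whose rules are evaluated before anything developers write in the default tier. The tier name, namespace, labels (`app == 'payment-db'`, `app == 'payment-api'`) and port 5432 are assumed for illustration. It uses the `projectcalico.org/v3` Tier and policy resources that Tigera Secure exposes; policies in a named tier carry that tier’s name as a prefix.

```yaml
# Security-team tier: evaluated before the default tier because its order is lower.
apiVersion: projectcalico.org/v3
kind: Tier
metadata:
  name: security
spec:
  order: 100
---
# Guardrail owned by the security team. Only the payment API may reach the
# payment database; everything else is denied here and never reaches the
# developers' tier, so no later policy can re-open this path.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: security.protect-payment-db
spec:
  tier: security
  order: 10
  selector: app == 'payment-db'
  types:
    - Ingress
  ingress:
    - action: Allow
      protocol: TCP
      source:
        selector: app == 'payment-api'
      destination:
        ports:
          - 5432
    - action: Deny
---
# Every other endpoint falls through to the next tier. Without this policy an
# endpoint selected by nothing in the tier would simply skip the tier, but an
# explicit Pass keeps the behaviour obvious when more policies are added.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: security.pass-to-default-tier
spec:
  tier: security
  order: 1000
  selector: all()
  ingress:
    - action: Pass
  egress:
    - action: Pass
---
# Developer-owned policy in the default tier. It can shape how the payment API
# talks to its own dependencies, but it cannot widen access to payment-db,
# because that decision was already made in the security tier.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: payment-api-ingress
  namespace: payments
spec:
  selector: app == 'payment-api'
  types:
    - Ingress
  ingress:
    - action: Allow
      protocol: TCP
      source:
        selector: app == 'checkout-frontend'
      destination:
        ports:
          - 8443
```

The key property is that a rule in the security tier reaches a final Allow or Deny before the default tier is consulted; only traffic that hits a Pass action continues. A new workload that carries the right labels is covered the moment it is scheduled, which is what makes per-deployment firewall tickets unnecessary.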
Tigera flow logs capture data at the container level and append Kubernetes metadata. The network flow logs include workload identity and other metadata that provide visibility into which workload did what, for compliance auditing and security forensic purposes.
Tigera zero trust network security provides declarative, intent-based policies. These fine-grained security policies are enforced at multiple points including the host, container, and edge of the application. Network attributes, application layer attributes, and workload metadata are all evaluated against the policies. This approach alerts their SOC when any anomalous traffic is detected.
Tigera enforces security around each workload, whether it runs in a container, a VM, or on a host. The product supports both next-generation containerized applications in Kubernetes and legacy workloads running on bare metal and VMs.
Tigera Secure is now a critical component of the company’s Kubernetes platform. Tigera Secure provides the company with a consistent network security framework.
Before the Tigera solution, the typical turnaround for changes to firewall policy was two weeks. The company now uses Tigera Secure to deliver same-day changes, accelerating developer agility while maintaining its zero trust security posture. Tigera Secure enabled the increased agility that came from adopting Kubernetes and reduced the time to deploy a new microservice from months to days.