We are excited to introduce Calico Cloud, a pay-as-you-go SaaS platform for Kubernetes security and observability. With Calico Cloud, users only pay for services consumed and are billed monthly, getting immediate value without upfront investment.
Calico Cloud gives DevOps, DevSecOps, and Site Reliability Engineering (SRE) teams a single pane of glass across multi-cluster and multi-cloud Kubernetes environments to deploy a standard set of egress access controls, enforce security policies, ensure compliance, get end-to-end visibility, and troubleshoot applications. Calico Cloud is Kubernetes-native and provides native extensions to enable security and observability as code for easy and consistent enforcement across Kubernetes distributions, multi-cloud and hybrid environments. It scales automatically with the managed clusters according to the user requirements to ensure uninterrupted real-time visibility at any scale.
Security and Observability Challenges
North-South Controls: Microservices often need to communicate with services or API endpoints running outside the Kubernetes cluster. Implementing access control from Kubernetes pods to external endpoints is hard. Most traditional or cloud providers' firewalls do not understand the Kubernetes context, which forces ops teams to allow traffic from the entire cluster or from a set of worker nodes rather than from the specific workloads that need it.
East-West Controls: Even with effective perimeter-based north-south controls in place, organizations struggle to contain threats that are already inside their environments. Attackers have pivoted to finding at least one vulnerable pod or service account with the right privileges to take over a cluster. The attack surface grows as the cluster gets bigger and more third-party applications are deployed. It is also important to limit the blast radius when a security breach turns into an APT (Advanced Persistent Threat).
Security and Compliance Controls: Most traditional security and compliance approaches do not apply to Kubernetes workloads, because the microservices running in Kubernetes are highly dynamic and ephemeral. Any security control built on IP addresses or on the location of the workload in the network will not be effective. Implementing network security controls for a regulatory framework, whether PCI DSS or SOC 2, can be very tedious in Kubernetes environments.
Observability: As microservices deployments grow, it is very important for DevOps teams to have complete visibility inside the clusters. While development teams and service owners often understand the microservices they are deploying to Kubernetes (i.e. their piece of the puzzle), it is often difficult for DevOps teams to get a complete view of dependencies and of how all the services communicate with each other across a cluster. When there is a performance issue or service outage, they are left trying to stitch logs and metrics together with little to no workload context.
Unified Controls and Observability Across Multiple Clusters: Organizations are scaling Kubernetes deployments on a mix of on-prem, cloud, and multi-cloud infrastructure. However, not all users take a standardized approach of building multiple clusters on a common distribution, on a single infrastructure, and with common security tools. The lack of a centralized, unified multi-cluster approach to security, observability, compliance, and policy management results in dozens of clusters that are deployed and managed independently throughout an organization, with very little uniformity in the way they are secured. This adds complexity for DevOps teams, who must adapt to different cluster environments. Inconsistent policy enforcement also leaves clusters vulnerable to attack and creates a corporate liability.
Calico Cloud addresses Kubernetes security and observability
DNS Policy – Enables the use of domain names in Calico security policies to control access to resources outside the cluster
Egress Gateway – Route traffic from a specific namespace to an egress gateway to ensure consistent network identity outside the cluster
AWS Security Group Integration – Extend group membership to pods in the cluster for fine-grained access controls with resources in a VPC
Microsegmentation – Use a common security model that works across multi-cloud, VM, and Kubernetes environments and provides a defense-in-depth security posture when deployed in conjunction with existing security models
Host Protection – Get protection on three levels, host, container/VM, and application with a “defense-in-depth” approach
Single Policy Framework – Set controls at the host, container/VM, and application levels in the same declarative mode across multi-cloud and multi-cluster deployments
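The DNS Policy and Single Policy Framework bullets above describe domain-based egress control in a single declarative model. The policy below is an added illustration, not configuration taken from the page or from the Calico Cloud project; the policy name, the `app == 'payments'` selector, the `payments.example.com` domain, and the use of the `default` tier with the `default.` name prefix are assumptions for the example. It allows the selected pods to resolve names via kube-dns and to reach one external domain on TCP 443, and denies all other egress so that anything not explicitly allowed, including traffic to raw external IPs, is blocked and logged.

```yaml
# Added example: a Calico GlobalNetworkPolicy using DNS-based egress control.
# Assumptions: policy lives in the "default" tier (name prefixed accordingly),
# workloads carry the label app=payments, and the allowed upstream is
# payments.example.com (a placeholder, not a real endpoint on the page).
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: default.payments-egress-allowlist
spec:
  tier: default
  order: 100
  selector: app == 'payments'
  types:
    - Egress
  egress:
    # 1. Pods must be able to query kube-dns, otherwise the domain rule
    #    below never sees a DNS response to learn the upstream IPs from.
    - action: Allow
      protocol: UDP
      destination:
        namespaceSelector: kubernetes.io/metadata.name == 'kube-system'
        selector: k8s-app == 'kube-dns'
        ports:
          - 53
    - action: Allow
      protocol: TCP
      destination:
        namespaceSelector: kubernetes.io/metadata.name == 'kube-system'
        selector: k8s-app == 'kube-dns'
        ports:
          - 53
    # 2. The actual allowlist: the destination is named by domain, not by IP,
    #    so the rule keeps working when the external service changes addresses.
    - action: Allow
      protocol: TCP
      destination:
        domains:
          - payments.example.com
        ports:
          - 443
    # 3. Explicit default-deny for everything else; Log before Deny so the
    #    blocked flow shows up in flow logs for troubleshooting and alerting.
    - action: Log
    - action: Deny
```

Because the domain rule is learned from DNS responses, a pod that bypasses kube-dns (for example by connecting to a hard-coded IP) matches only the final Deny, which is the intended behaviour for an egress allowlist.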
Enterprise Security & Compliance Controls
Data-in-Transit Encryption – Use highly performant encryption using Wireguard to secure data during transit
Intrusion Detection System (IDS) – Get integrated threat feeds and anomaly detection to monitor for indicators of compromise
Compliance Reporting – Leverage declarative reports that allow a continuous audit of CIS benchmarks, network policies, and other controls
Alerts – Define custom alerts against network or audit logs to initiate security and DevOps playbooks
Observability and Troubleshooting
Dynamic Service Graph – Provides a point-to-point, topographic view of network traffic between namespaces, services, and deployments
Flow Visualizer – Get a 360-degree view of network traffic around a specific namespace or resource, with real-time visibility into policy evaluation
Dynamic Packet Capture – Automatically retrieve pcap files from cluster nodes using a Kubernetes-native, CLI-driven approach to packet capture
DNS Dashboard – Quickly confirm or eliminate DNS as the root cause for microservice and application connectivity issues
Application Layer (L7) Observability – Address two of the most common service mesh use cases – observability and security with Envoy along with high-performance data-in-transit encryption using WireGuard
Unified Controls and Observability Across Multiple Clusters
Multi-cluster Management – Monitor every cluster in your Kubernetes platform from a unified management plane
Kibana Dashboard – Have direct access to raw log data and dashboards to quickly make sense of DNS activity, L7 traffic, and much more