The old security model, which followed the “trust but verify” method, is broken. That model granted excessive implicit trust that attackers abused, putting the organization at risk from malicious internal actors and allowing unauthorized outsiders wide-reaching access once inside. The new model, Zero Trust networking, presents an approach where the default posture is to deny access. Access is granted based on the identity of workloads, plus other attributes and context (such as time/date, source, and destination), and only the trust required for that request is granted at that moment.
Calico Enterprise Zero Trust Network Security is one of the most effective ways for organizations to control access to their Kubernetes networks, applications, and data. It combines a wide range of preventative techniques including identity verification, least privilege controls, layered defense-in-depth, and encryption of data-in-transit to deter threats and limit access in the event of a breach. Kubernetes is particularly vulnerable to the spread of malware as a result of the open nature of cluster networking. By default, any pod can connect to any other pod, even across namespaces. Without a strong security framework, it’s very difficult to detect malware or its spread within a Kubernetes cluster.
Zero Trust policies rely on real-time visibility into workloads, and can only be successful if organizations are able to continuously monitor and validate that a requested connection has the right privileges and attributes. One-time validation won’t suffice, because threats and connection attributes are all subject to change. Zero Trust ensures that all access requests are continuously vetted prior to allowing connection to any of your enterprise or cloud assets. Calico Enterprise Zero Trust Network Security is based on four core capabilities.
Workload Identity – Calico Enterprise authenticates every microservice using strong multi-factor authentication built on a combination of X.509 certificates, network identity, and other metadata. Only when a microservice successfully authenticates does Calico Enterprise allow it access to the network, and then only to those network destinations the microservice is authorized to connect to.
Least Privilege Access Control – The concept of least privilege is to allow access only as needed while blocking all other access. Calico Enterprise implements Least Privilege Access Control by denying all network traffic by default and allowing only the connections that have been authorized. This applies to traffic between microservices as well as ingress and egress outside the cluster, protecting your application throughout the entire infrastructure stack. You can define which network locations can be connected to, as well as which application API paths and HTTP methods are authorized, using a single policy per microservice.
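The default-deny baseline and the single per-microservice allow policy described above, written out as an added example in Calico's projectcalico.org/v3 policy format (illustrative YAML written for this page, not Calico's or the post's own code); the namespace "shop", the labels app=="frontend" and app=="orders", port 8080 and the API path are assumptions.

```yaml
# Added example: cluster-wide default deny, then one per-microservice allow.
# Namespace, labels, port and path below are constructed for illustration.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: default-deny
spec:
  order: 1000          # evaluated after the lower-ordered allow policies
  # Apply to every pod outside the cluster's own system namespaces.
  namespaceSelector: has(projectcalico.org/name) && projectcalico.org/name not in {"kube-system", "calico-system", "tigera-system"}
  types:
  - Ingress
  - Egress
  egress:
  # The only baseline exception: workloads may still resolve names via kube-dns.
  - action: Allow
    protocol: UDP
    destination:
      selector: k8s-app == "kube-dns"
      ports:
      - 53
  # No other rules: once a policy selects a pod, traffic that matches no
  # Allow rule in any applicable policy is dropped.
---
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-orders
  namespace: shop
spec:
  order: 100           # lower order, so it is evaluated before default-deny
  selector: app == "orders"
  types:
  - Ingress
  ingress:
  - action: Allow
    protocol: TCP
    source:
      selector: app == "frontend"
    destination:
      ports:
      - 8080
    # Layer-7 constraint (needs Calico Enterprise application layer policy
    # enabled for the namespace): only read-only calls to the orders API.
    http:
      methods: ["GET"]
      paths:
      - prefix: "/api/v1/orders"
```

Any other pod in the cluster, including one in a different namespace, now gets no path to the orders service, and even the frontend can only issue GET requests under /api/v1/orders.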
Defense in Depth – The underlying premise of Zero Trust is to assume that some layer of the infrastructure or application has been compromised at any given point in time. Defense in depth is how Calico Enterprise mitigates that risk. For every connection request, Calico Enterprise evaluates whether the connection has been authorized at the host, pod, and container layers. If any layer of your infrastructure has been compromised, Calico Enterprise will still block unauthorized connections and alert you.
Encryption of Data-in-Transit – Calico Enterprise encrypts your microservice traffic, preventing the theft of data transmitted between your microservices. Malware on your network will no longer be able to capture and filter your packets. Calico Enterprise can deploy mTLS encryption between all pods or IPsec encryption on the wire to protect your traffic.
Want to learn more about Calico Enterprise Zero Trust Network Security? Watch the video.