Compliance and Audit

Calico supports major compliance standards including PCI DSS, HIPAA, GDPR, SOC 2, NIST, CCPA, and any custom frameworks. Continuously monitor and easily create audit-ready reports.


Overview

Most businesses are subject to corporate and/or regulatory compliance requirements. From an operational perspective, this may involve isolating workloads that contain sensitive data, or restricting who is allowed to access specific resources. There may also be requirements to implement access control frameworks such as security zones (e.g. trusted, untrusted, and DMZ). Even more advanced controls are sometimes needed, like building a moat around PCI DSS workloads, or logging all HIPAA data transactions.

Auditors need proof that you are enforcing these controls, but capturing the information required to show proof can be challenging, especially in a dynamic, distributed Kubernetes environment where workloads are ephemeral. For example, auditors will want to know what security controls are currently implemented, whether control changes can be detected, and if compliance can be verified for any given day and time. Calico continuously monitors your cloud-native environment for compliance and retains a daily history of your compliance status. Calico also includes predefined compliance report formats, as well as a resource for creating customized reports.

Benefits

Automate and Simplify

Automates and simplifies compliance monitoring, enforcement, and audit by tracking all policy changes and retaining a daily history of your compliance status

Audit and Report

Enables you to easily access audit reports showing the network security rules in place, in order to demonstrate proof of compliance for your security team and auditors

Maintain Compliance

Helps DevSecOps teams maintain the security posture needed to meet compliance requirements mandated by legislation or by your own internal security team, so you can get to production faster

Capabilities

Create and View Compliance Policies

  • Calico includes a web-based GUI that visually describes the security policies and compliance controls in place, in an easy-to-understand policy dashboard.
  • Calico compliance policies are Kubernetes-native and based on metadata and labels—not IP addresses—making them simple, scalable, and easy to create and enforce in the cluster environment.

Continuous Compliance Monitoring

  • Calico monitors and logs all changes to compliance policies, including their version history, and alerts when a policy that implements your security controls changes.
  • Calico shows exactly what changed, which is the first step in security forensics: a record identifying what happened, when, and how.

Compliance Reporting

  • Calico includes predefined compliance reports for easy audits. Users can also define custom compliance reports.
  • Calico runs reports on demand, or on a scheduled basis. A history of all reports is maintained so you can view the compliance status of your cluster for any point in time.
  • All compliance data can be exported as spreadsheets that are ready for auditor review.

CIS Benchmark Compliance Reports

Calico provides out-of-the-box CIS benchmark compliance reports. You can use the GlobalReport resource to schedule reports and set compliance thresholds. CIS Benchmark compliance reports are accessible from the Calico compliance dashboard.
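As an added example (not taken from the original page), the following GlobalReport schedules a daily CIS benchmark report and sets the pass-rate thresholds used to rate each node; the field names follow the documented Calico Enterprise GlobalReport cis-benchmark spec, while the report name, schedule and threshold values are assumptions chosen for illustration.

```yaml
# Added example: daily CIS benchmark report with compliance thresholds.
# Report name, schedule and threshold values are illustrative assumptions.
apiVersion: projectcalico.org/v3
kind: GlobalReport
metadata:
  name: daily-cis-benchmark        # assumed report name
spec:
  reportType: cis-benchmark
  # Run once a day at midnight (cron syntax). Each run is archived,
  # so the compliance status can be reviewed for any past day.
  schedule: "0 0 * * *"
  cis:
    # Percentage of CIS tests a node must pass to be rated HIGH or MED;
    # a node below medThreshold is rated LOW.
    highThreshold: 100
    medThreshold: 50
    # Also include informational (unscored) CIS tests in the results.
    includeUnscoredTests: true
    # Number of top failing tests to list in the report summary.
    numFailedTests: 5
```

Apply the resource with kubectl; the generated reports then appear in the Calico compliance dashboard alongside the other report types described above.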

How It Works


Auditors need proof that you are enforcing compliance controls, but capturing the information required to show proof can be challenging—especially in a dynamic, distributed Kubernetes environment where workloads are ephemeral. Calico automates and simplifies compliance monitoring, enforcement, and audit, by tracking all policy changes and retaining a daily history of your compliance status.
