- Calico Cloud
- Identity-Aware Microsegmentation
Overview
Identity-aware microsegmentation enables DevSecOps teams to logically divide workloads into distinct security segments and then define granular security controls for each unique segment. Teams rely on microsegmentation to isolate workloads based on environments, application tiers, compliance needs, user access, and individual workload requirements.
By default, Kubernetes is an open system with no built-in security controls. Without east-west controls like microsegmentation, a cyberattacker, having gained unauthorized access, can move laterally within a cluster in search of sensitive data and other high-value assets. Given the large attack area within a Kubernetes cluster it’s essential to isolate endpoints and prevent lateral movement.
Calico provides a unified, cloud-native segmentation model and single-policy framework that makes multiple, siloed approaches a thing of the past, and works across all multi-cloud and hybrid environments. Calico’s unified solution is an operationally simpler replacement for multiple, costly proprietary approaches and the skill sets required to manage them.
Benefits
Eliminates Lateral Movement
Eliminate the risks associated with lateral movement in the cluster by cyberattackers in search of sensitive data and other high-value assets
Works Everywhere
Eliminate the operational inefficiencies of deploying multiple siloed workload segmentation solutions by providing a single security model and unified policy framework that works seamlessly across multiple cloud and hybrid environments
Instant Response
Enforce security policy changes in milliseconds, providing faster response to security threats
Capabilities
Unified Policy Framework
Calico provides a unified segmentation solution that works across all multi-cloud and hybrid environments to segment any combination of hosts, bare metals, VMs, containers, Kubernetes, and cloud instances. Calico uses labels to correlate workload identity with security policies to deliver identity-aware microsegmentation.
Policy Creation and Enforcement
Calico supports granular policy creation that enables:
- Allowlist zero-trust policies
- Denylist policies
- Automatic policy generation
- Build and test policies before enforcement
- Hierarchical policies
- Policy inheritance for new workloads
- Role-based views with policies scoped to application and location
Segmentation Granularity
Calico’s rich segmentation policies support multiple types of microsegmentation, including:
- Workload segmentation (applications, containers, Kubernetes, VMs, hosts)
- Environment segmentation (e.g. Dev, Test, Production)
- Application-tier segmentation (e.g. backend tier, middle tier, frontend tier)
- Regulatory compliance-based segmentation (PCI DSS, SOC 2, HIPAA, and more)
Observability and Endpoint Discovery
Calico’s Dynamic Service and Threat Graph provides visibility across the stack from the network layer to the application layer, showing a runtime view of how namespaces, services, and pods are operating in your Kubernetes cluster. This visibility is essential to define boundaries and levels of access.
Breach Detection and Response
Calico delivers a feature-rich IDS solution that monitors the east-west traffic that is traversing the cluster environment. Calico’s IDS can:
- Pinpoint the source of malicious activity
- Use machine learning to identify anomalies
- Create a security moat around critical workloads
- Deploy HoneyPods that capture zero-day attacks, and automatically quarantine potentially malicious workloads to thwart an attack
Dynamic Segmentation
- Calico uses a dynamic workload segmentation model that is not based on a specific workload, but instead is based on the metadata attached to that workload, such as pod name, namespace, node, labels, and annotations.
- With the Calico model, you can rapidly scale a service without having to change security policies by using appropriate labels when deploying new workloads.
High-Performance, Distributed Architecture for Workload Microsegmentation
- Calico’s distributed cloud-native architecture eliminates centralized congestion points associated with legacy approaches to workload microsegmentation that can impact performance.
- With Calico, new workloads can be securely deployed to environments with 10’s of thousands of servers, and be online within milliseconds (vs. hours and days for legacy approaches).
How It Works
Calico’s segmentation solution with a unified policy framework works across all of your existing environments: any combination of cloud providers, cloud instances, containers, Kubernetes distributions, virtual machines, and bare metals. Calico enables full workload portability and the ability to define workload segmentation policies for multi-cloud and hybrid connections.
Additional resources:
