Calico Cloud

Pay-as-you-go, active cloud-native application security for containers, Kubernetes, and cloud

Overview

Calico Cloud is a pay-as-you-go SaaS security platform for containers, Kubernetes, and cloud. It enables organizations of all sizes to secure their containers and cloud-native workloads with container security, zero-trust workload security, compliance, observability, and troubleshooting capabilities across multi-cluster, multi-cloud, and hybrid deployments. Calico Cloud is built on Calico Open Source, the most widely adopted container networking and security solution. Calico Cloud has a Kubernetes-native architecture that provides native extensions to enable security and observability as code for easy and consistent enforcement across multi-cloud and hybrid environments.

With Calico Cloud, users only pay for services consumed and are billed monthly, getting immediate value without upfront investment.

While Kubernetes provides great flexibility, we’ve learned how challenging it is to secure, observe, and troubleshoot this environment. With the detailed visibility and robust security offered by Calico Cloud via features such as the Dynamic Service Graph, we’re able to observe exactly what is going on, which helps us analyze and troubleshoot far more effectively.

Jeff Puccinelli

Senior DevOps engineer, Mulligan Funding

Benefits

Reduce attack surface and actively mitigate security risks

Any container, any Kubernetes distribution, any workload, any cloud

Flexible pricing with usage-based billing

Get up and running in minutes

Architecture

Capabilities

Build Time Security and Compliance

Secures containers, microservices, namespaces, and workloads at build and deploy time with image assurance, a runtime view of vulnerable and misconfigured images, an admission controller, and security policy.

Helps both security and DevOps teams maintain the security posture needed to meet compliance requirements mandated by regulations including PCI DSS, SOC 2, HIPAA, GDPR, FIPS, and custom frameworks.

Provides audit reports on a scheduled or on-demand basis to demonstrate proof of compliance.

KEY FEATURES INCLUDE

  • Image assurance
  • Admission controller
  • Configuration security
  • Compliance
  • Security policies

Zero-trust Workload Security

Implement zero-trust workload access controls on a per-pod basis for traffic between individual pods and external endpoints to protect your Kubernetes cluster. Author DNS policies that implement fine-grained access controls between a workload and the external services it needs to connect to, such as Amazon RDS, ElastiCache, and more.

Limit the blast radius when a security breach results in an APT (advanced persistent threat) with identity-aware microsegmentation for both container and VM workloads. Use a single policy framework and Kubernetes declarative model to set controls at the host, container/VM, and application levels.

Extend the use of existing firewalls and SIEMs to your Kubernetes environment with out-of-the-box firewall and SIEM integrations.

KEY FEATURES INCLUDE

  • Zero-trust workload access controls
  • Identity-aware microsegmentation for workloads
  • Firewall and SIEM integration
  • Envoy-based application-level protection

Runtime Threat Defense

Calico Cloud protects your workloads at runtime from both known and zero-day threats.

Calico Cloud has built-in probes that collect workload activity data across network traffic, file system, processes, system calls, binaries, and more. The threat defense engine compares data from these probes, in near real time, with known malicious attacks. It uses machine learning to create a behavioral baseline of the workload, together with Tigera’s own curated ruleset based on historical attacks, to provide a comprehensive threat defense solution against zero-day threats.

Calico provides workload-level intrusion detection and prevention, deep packet inspection, protection from DDoS attacks, Envoy-based application-level protection, and WAF. Calico Cloud uses AlienVault and custom threat feeds to actively protect your containers from known malware and DGA attacks.

KEY FEATURES INCLUDE

  • Workload-based IDS/IPS, DDoS, DPI, and WAF
  • Malware protection
  • ML-based zero-day workload protection

Active Risk Mitigation

Calico Cloud’s robust and highly performant security policy engine can alert, pause, quarantine, or terminate infected pods within milliseconds in multi-cloud and hybrid environments.

The Security Policy Recommender scans your environment and recommends policies for robust security.

KEY FEATURES INCLUDE

  • Security Policy Recommender
  • Security policies to alert, pause, quarantine, and terminate infected pods

Observability and Troubleshooting

Distributed applications are very difficult to troubleshoot. Calico addresses this problem by generating a Dynamic Service and Threat Graph, as well as providing a built-in, UI-driven troubleshooting tool that enables easy monitoring and troubleshooting for microservices.

The Dynamic Service and Threat Graph provides a rich set of information with Kubernetes context, including across which namespaces workloads are communicating, detailed DNS information, detailed logs for every flow in your cluster, and how security policies are being evaluated.

Dynamic Packet Capture is a self-service, on-demand tool for capturing and evaluating traffic for a specific pod or collection of pods based on secure user access. It allows you to monitor how microservices are behaving and interacting with each other at runtime.

KEY FEATURES INCLUDE

  • Dynamic Service and Threat Graph
  • Performance hotspots
  • Dynamic Packet Capture

Unified Controls

Calico Cloud provides a single pane of glass to ensure consistent application of security controls across both containers and VMs in heterogeneous environments. Unified controls reduce the complexity for DevOps teams running the clusters by supporting self-service security and CI/CD integration. Using “Security as code,” Calico Cloud fully automates the cluster-wide, end-to-end policy deployment process including any necessary security changes. Built on Calico Open Source, the most widely adopted networking and security solution for containers and Kubernetes, Calico Cloud also supports third-party CNIs including EKS VPC, Azure CNI, and GKE to expand your choice of public cloud providers.

KEY FEATURES INCLUDE

  • Unified controls for security and observability across multi-cloud and hybrid environments

Shift-Left Security with Policy Tiers and Automation

Developers, DevOps teams, and SREs want to follow a simple workflow and generate security policies with minimal effort in their code. Calico Cloud allows them to create their own security policies within their tiers and customize permissions based on organizational structure.

Calico ensures that policies in the left-most tiers take precedence over those in tiers to their right. Tiers are a Kubernetes object, so you can control who can view or modify policies in specific tiers. Every change to tiers and policies is recorded, enabling you or auditors to go back in time for review or troubleshooting purposes.
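As an added illustration of the two mechanisms described on this page (DNS-based egress controls to an external service such as Amazon RDS, and policy tiers), the manifest below is example code written for this page, not Tigera’s own documentation or product code. It uses the projectcalico.org/v3 API; the tier name `security`, the namespace `payments`, the selector `app == 'api'`, the RDS hostname pattern and the PostgreSQL port are assumptions for the example.

```yaml
# Tier with a low order value: evaluated before tiers with higher order
# values (the "left-most" position on the policy board). Tier name is a
# hypothetical choice for this example.
apiVersion: projectcalico.org/v3
kind: Tier
metadata:
  name: security
spec:
  order: 100
---
# Policy placed inside that tier. Policies in a tier are named <tier>.<name>.
# Namespace, pod selector, hostname pattern and port are assumptions.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: security.api-egress-to-rds
  namespace: payments
spec:
  tier: security
  order: 10
  selector: app == 'api'
  types:
  - Egress
  egress:
  # A DNS policy only works if the pod can still resolve names, so allow
  # lookups to the cluster DNS service before anything else.
  - action: Allow
    protocol: UDP
    destination:
      namespaceSelector: projectcalico.org/name == 'kube-system'
      selector: k8s-app == 'kube-dns'
      ports:
      - 53
  # Allow the database connection by domain rather than by IP address;
  # Calico learns the resolved addresses from the pod's own DNS responses,
  # so the policy keeps working when the RDS endpoint's IPs change.
  - action: Allow
    protocol: TCP
    destination:
      domains:
      - '*.rds.amazonaws.com'
      ports:
      - 5432
  # Deny all other egress from the selected pods. Stated explicitly here for
  # readability; endpoints selected by a policy in a tier are denied at the
  # end of that tier anyway if no policy rule matches.
  - action: Deny
```

Two points worth checking when applying a policy like this: the DNS allow rule is easy to forget and its absence shows up as name-resolution timeouts rather than as a visible policy denial, and the final Deny short-circuits evaluation, so no policy in a later (right-hand) tier will be consulted for egress from these pods.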

KEY FEATURES INCLUDE

  • Policy automation

How It Works

See active build, deploy and runtime security in action for any distribution across public cloud providers.

Resources

  • Webinar
  • QuickStart Package
  • Calico Cloud Datasheet

Latest Content

  • BYOCNI: Introducing Calico CNI for Azure AKS, by Dhiraj Sehgal on Jun 30, 2022. Cloud-native applications running on Kubernetes rely on container network plugins to establish workload communication. While Azure Kubernetes Service (AKS) provides several supported networking options (kubenet and Azure CNI) that address...
  • State of Cloud-native Security 2022 Market Report: Key Implications for Organizations, by Neeraj Shahdadpuri on Jun 27, 2022. Our first ‘State of Cloud-Native Security market’ report compiled survey results from more than 300 security and IT professionals worldwide, and explored organizations’ needs and challenges when it comes to...
  • Hands-on workshop: Implementing security controls on containerized workloads and Kubernetes, by Neeraj Shahdadpuri on May 6, 2022. Attend this in-depth, hands-on workshop with a Calico expert to design and implement container security and zero-trust workload security for your containerized workloads running in self-managed Kubernetes on Amazon AWS,...