Calico Enterprise
Zero Trust Network Security and Continuous Compliance for Kubernetes Platforms
Calico Enterprise Secures
Modern and Legacy Workloads
Calico Enterprise enables a workload to workload Zero Trust model that protects modern business applications and extends through the rest of the legacy applications to provide a stronger security posture across the enterprise. It enforces security around each workload; whether running on a Container, VM or Host. No traffic is trusted, and all traffic is verified via service-to-service authentication that is executed via encrypted channels.
Calico Enterprise integrates with your existing environment, tools, and SOC. It applies security policy that provides anomaly detection and traffic visibility that help detect and fight threats. It automates audit reports that enable proof to auditors seeking evidence to assure your compliance controls are established and working.
Encrypt Data in Motion
A critical compliance requirement is to encrypt all data in motion.
Calico Enterprise can encrypt traffic within and between clusters using the built-in certificate manager, or integrate with your existing certificate management solution.
Flow Logs with Workload Metadata
Most organizations are using an existing system to capture flow logs. Calico Enterprise integrates with existing security operations center (SOC) threat analytic and log aggregation systems.
Workload identity is appended to 5-tuple flow logs to provide accurate data for dynamic and ephemeral workloads like containers.
Calico Enterprise flow logs are configured at the policy level or the node level. Log data generated can be configured and include all connections, accepted connections, denied connections, or traffic based on any security policy.
For Kubernetes environments like Amazon EKS, bi-directional flow logs are generated for all pods as well as host connections and include workload identity as well as pod and host labels.
Fine Grained Access Controls
to Resources Outside Your Cluster
Your Kubernetes pods may need to communicate with resources outside of the cluster such as databases, third-party APIs, or cloud services. Firewalls and cloud-native security groups cannot limit access to a single pod, the best you can do is allow all pods access to the external resource.
Calico Enterprise enables fine-grained policy control within and outside of the cluster. You can define policies that limit a single pod or collection of pods access to any external resource.
Integration with Your SIEM for Security Incidents
Calico Enterprise provides network visibility and monitors the network for potentially malicious traffic.
Calico Enterprise integrates with most security incident and event management (SIEM) solutions and can send alerts with details of the suspicious traffic.
Network Flow and Audit Logs simplify troubleshooting and provide the data required for PCI, HIPAA, GDPR, and internal compliance frameworks.
Calico Enterprise Enables Key Security Capabilities
Extend Firewalls to Kubernetes
Enterprise Security teams rely on firewalls to keep the bad guys out and prevent them from traversing the network. Firewall policies are based on IP addresses, don’t understand Kubernetes labels, and cannot track or enforce dynamic pod traffic. Tigera extends firewalls, enabling your security team to continue to use the process and tools they use today to secure your Kubernetes clusters.
Extend Firewalls to Kubernetes
Enterprise Security teams rely on firewalls to keep the bad guys out and prevent them from traversing the network. Firewall policies are based on IP addresses, don’t understand Kubernetes labels, and cannot track or enforce dynamic pod traffic. Tigera extends firewalls, enabling your security team to continue to use the process and tools they use today to secure your Kubernetes clusters.
Zero-Trust Network Security
With 40% or more of all breaches originating from within the network, you must always have to assume that something has been compromised. Applications running on Kubernetes make heavy use of the network for service to service communication. However, most clusters have been left wide open and are vulnerable to attack. A zero trust approach is the most secure way to lock down your Kubernetes platform.
Zero-Trust Network Security
With 40% or more of all breaches originating from within the network, you must always have to assume that something has been compromised. Applications running on Kubernetes make heavy use of the network for service to service communication. However, most clusters have been left wide open and are vulnerable to attack. A zero trust approach is the most secure way to lock down your Kubernetes platform.
Visibility and Threat Detection
Applications running on Kubernetes have dynamic IP addresses. Firewalls and traditional flow logs are not effective for detecting & preventing indicators of compromise because they lack visibility and context such as namespace, pod, container id, and labels.
Visibility and Threat Detection
Applications running on Kubernetes have dynamic IP addresses. Firewalls and traditional flow logs are not effective for detecting & preventing indicators of compromise because they lack visibility and context such as namespace, pod, container id, and labels.
Continuous Compliance
Kubernetes is dynamic and constantly changing. Moments after a compliance audit is completed the environment will have changed again. A continuous compliance solution is the only way to prove that your security controls have been implemented properly now and historically.
Continuous Compliance
Kubernetes is dynamic and constantly changing. Moments after a compliance audit is completed the environment will have changed again. A continuous compliance solution is the only way to prove that your security controls have been implemented properly now and historically.
Ready to get started?
Seeing is believing! Get a free demo of Calico Enterprise.
Calico Enterprise Trial is Coming Soon
Very soon, you’ll be able to try Calico Enterprise. Be the first to know when the trial version is released. Sign up to be notified and we’ll email you when it’s live.