Container Security
Secure cloud-native applications based on containers and Kubernetes with build and zero-trust runtime security
Overview
Calico Cloud provides out-of-the-box build and runtime security for cloud-native applications based on containers and Kubernetes.
Calico Cloud enables DevOps teams to play an active role in securing containers, giving them the ability to scan first- and third-party images for vulnerabilities and assess image deployment options based on known risks associated with images, registries, and containers.
Calico Cloud provides zero-trust runtime security to protect containers from known and unknown threats. At runtime, Calico Cloud baselines application behavior based on processes, system calls, configurations, and known traffic patterns to detect and mitigate privilege escalations, unexpected file writes, and other compromises, such as connections to a command-and-control server. Calico Cloud’s robust workload-based IDS/IPS, DDoS protection, and deep packet inspection provide runtime protection from network-based threats.
Benefits

Robust build-time security with safeguards
Continuously assess images for vulnerabilities and automatically block deployment of images

Runtime detection of known and zero-day threats
Implement security against zero-day threats based on a behavioral baseline created with ML

Prevent deployment of vulnerable images
Continuously audit container images and automatically block the deployment of vulnerable images
Key Features

Image Assurance
Continuously scans first- and third-party images and repositories for known CVEs to reduce security risk. Provides an intuitive UI to manage container deployment based on the user’s input of severity, threat score, and CVE applicability to the workload.

Configuration Assessment
Continuously monitors image files, Kubernetes data, and control plane configuration to proactively detect violations. Provides automated remediation to mitigate high-severity risks, based on custom and pre-defined rules.

ML-Based Zero-Day Runtime Threat Defense
Detects malicious system calls, privilege escalations, rogue processes, and anomalous file system calls, in addition to changes in network behavior, and provides a one-click option to quarantine, block, and remove rogue containers from the environment. This is achieved by Calico’s industry-leading ML-based anomaly detection, which delivers lower false-positive rates and higher efficacy than other solutions.

Malware Protection
Prevent advanced malware, known exploits, and unknown attacks by proactively monitoring workloads for IoCs. Actively block, quarantine, or terminate compromised workloads, and send security alerts to the operations team.

Zero-Trust Workload Security
Reduce the attack surface significantly using the following:
- Apply zero-trust security (i.e., a deny-all-first approach) to any microservice that needs to communicate externally or with other resources within the cluster.
- Apply identity-aware microsegmentation to stop lateral movement by threat actors.
- Provide firewall protection at the container level, including WAF, IDS/IPS, and DPI.
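The deny-all-first baseline and identity-aware microsegmentation described above, as an added example that is not part of this page: three Calico policies written against the Calico v3 policy API in the standard Calico default-deny pattern (the tier prefix that Calico Cloud puts on policy names, such as default., is omitted here). The "shop" namespace and the app=frontend / app=backend labels are assumptions.

```yaml
# Policy 1: deny everything for every workload outside the Kubernetes and
# Calico system namespaces. Highest order value, so it is evaluated last.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: default-deny
spec:
  order: 1000
  selector: projectcalico.org/namespace not in {"kube-system", "calico-system"}
  types:
  - Ingress
  - Egress
---
# Policy 2: keep DNS working, or the deny-all baseline breaks service discovery.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: allow-dns-egress
spec:
  order: 10
  selector: all()
  types:
  - Egress
  egress:
  - action: Allow
    protocol: UDP
    destination:
      selector: k8s-app == "kube-dns"
      namespaceSelector: projectcalico.org/name == "kube-system"
      ports: [53]
---
# Policy 3: identity-aware microsegmentation (assumed "shop" namespace): only
# app=frontend pods reach app=backend on TCP/8080; all else hits policy 1.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
  namespace: shop
spec:
  order: 100
  selector: app == "backend"
  types:
  - Ingress
  ingress:
  - action: Allow
    protocol: TCP
    source:
      selector: app == "frontend"
    destination:
      ports: [8080]
```

Because the source selector in policy 3 carries no namespaceSelector, it matches only pods in the policy's own namespace, so a compromised pod elsewhere in the cluster cannot reach the backend and is dropped by policy 1.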
How It Works

Secure containers from build to runtime stages across multi-cloud and hybrid environments.