Enterprise Security Controls

Many applications have compliance requirements such as workload isolation, ensuring dev cannot talk to prod, and implementing network zones (e.g. microservices in the DMZ can communicate with the public internet but not directly with your backend databases).

Using open-source Project Calico, you can implement these segmentation rules. Project Calico is embedded in nearly every managed public cloud and on-premises distribution of Kubernetes and is the de-facto implementation of Kubernetes Network Policy.


While you can implement these rules using open-source Project Calico, there are a few limitations:

  • Other users can inadvertently override or change your security controls. How do you detect when that happens?
  • When asked for proof that security controls are and have been enforced, how do you generate a report for that? If the policies were changed or removed for a few hours last Saturday, how would you know that?

With Calico Enterprise, you can

  • Implement security controls in a higher-precedence policy tier that cannot be changed or overridden by other users
  • Alert on changes to your security controls
  • Generate audit reports that demonstrate compliance now and historically


As the Kubernetes footprint expands, we’ve seen demand for an even more in-depth approach to protecting sensitive data that falls under regulatory compliance mandates. Encrypting data makes it unreadable to anyone except the legitimate keyholder, thus protecting the data should a breach occur. Several regulatory standards impose data protection and compliance requirements on organizations and specify the use of encryption, including SOX, HIPAA, GDPR, and PCI. Encrypting traffic with a standard approach such as TLS, for example, requires managing SSL certificates and adds complexity and operational overhead for IT organizations that are already overburdened.

Calico Enterprise avoids unnecessary complexity by using WireGuard to implement data-in-transit encryption. WireGuard runs as a module inside the Linux kernel and provides better performance and lower CPU utilization than the IPsec and OpenVPN tunneling protocols. Independent benchmark tests of Kubernetes CNIs have shown that Calico with encryption enabled is 6x faster than any other solution in the market. And with Calico Enterprise, you’ll maintain visibility into all traffic in your Kubernetes clusters even when encryption is deployed.

Tiered Policies

Project Calico is an implementation of Kubernetes Network Policy, the network segmentation methodology native to Kubernetes. Using Calico Policies, you can segment your cluster and define which pods can talk to other pods, using declarative policy as code.

Calico Enterprise introduces the concept of Policy Tiers. Policy Tiers define the order in which network security policies are evaluated. Higher tiers evaluate traffic first. This is where you define and implement your security controls.

Policy tiers can federate across multiple clusters using Calico Enterprise Multi-Cluster Management, enabling a single definition of security controls that are applied to all clusters.

If the traffic complies with the security controls, it is then evaluated by the lower tiers.
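As an added example (not taken from this page or from the Calico project's own documentation), the two network-zone controls described at the top of the page, placed in a tier that is evaluated before the default tier so that team-level policies cannot override them. The tier name `security` and the `env`/`zone` labels are assumptions for illustration.

```yaml
# Tier evaluated before the default tier (lower order value = earlier).
apiVersion: projectcalico.org/v3
kind: Tier
metadata:
  name: security
spec:
  order: 100
---
# Policies inside a tier are named "<tier>.<name>".
# Control 1: nothing in a dev namespace may reach a prod namespace.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: security.block-dev-to-prod
spec:
  tier: security
  order: 10
  namespaceSelector: env == "prod"   # every workload in a prod namespace
  types:
    - Ingress
  ingress:
    - action: Deny
      source:
        namespaceSelector: env == "dev"
    # Traffic that complies with the control is handed to the next tier.
    # Without this rule, selected traffic matching no rule is dropped
    # at the end of the tier.
    - action: Pass
---
# Control 2: DMZ workloads may talk to the internet but never directly
# to the database zone.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: security.dmz-no-direct-db
spec:
  tier: security
  order: 20
  selector: zone == "dmz"
  types:
    - Egress
  egress:
    - action: Deny
      destination:
        selector: zone == "database"
    - action: Pass
```

Application teams then write their own allow rules in the default tier; those rules are only reached for traffic that the `security` tier has already passed.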

Monitoring and Alerting

How would you know if someone changed your security policies? Calico Enterprise monitors and logs all changes to policies with their version history.

When a policy that implements your security controls changes, Calico Enterprise will alert you of the change. The change history shows exactly what changed and is the first step towards security forensics to identify what happened and how.

Compliance Reporting

When the security team asks to see the corporate security controls you implemented, showing them YAML files is unlikely to work.

Calico Enterprise comes with a web GUI that visually describes the security controls in place in an easy-to-understand policy view.

The next thing the security team will ask for is which workloads are covered by the security controls and which are not. Calico Enterprise Compliance Reports show which workloads are in scope of your policy and which are not.

The security team will then need to see evidence that the security controls are operating as expected. Calico Enterprise reports on all connections evaluated by the policy and whether those connections were allowed or denied.

Finally, the security team will need to ensure that the policies haven’t been tampered with; for example, that a policy was not changed for 2 hours last Saturday in a way that allowed the controls to be violated. Calico Enterprise tracks all changes to policies and maintains a version history of those changes.

With all this in place, you should be able to ace your next security audit.

Interested in trying Calico Enterprise to implement, enforce, and report on your enterprise security controls?

Try Calico Enterprise or contact us if you have some questions – we’d love to hear from you!