Enterprise Security Controls

Meet Corporate and Regulatory Requirements

Many applications have compliance requirements such as workload isolation, ensuring dev cannot talk to prod, and implementing network zones (e.g. microservices in the DMZ can communicate with the public internet but not directly with your backend databases). While you can implement these rules using open-source Project Calico, there are a few limitations:

  • Other users can inadvertently override or change your security controls. How do you detect when that happens?
  • When asked for proof that security controls are and have been enforced, how do you generate a report for that? If the policies were changed or removed for a few hours last Saturday, how would you know that?

With Calico Enterprise, you can

  • Implement Security Controls at a higher precedent policy tier that cannot be changed or overridden by other users
  • Alert on changes to your security controls
  • Generate audit reports that demonstrate compliance now and historically

Tamper-Proof Your Policies

Calico Enterprise defines higher-precedent “tiers” of policies that cannot be modified or overridden.

Learn more about Tiered Policies

Alert on Non-Compliance

Any drift in your security policies can result in an alert. All policies include a full audit trail with change history.

Learn more about Monitoring and Alerting

Ace your next security audit

Compliance reports prove that your controls are being enforced (point in time). They also prove that your controls have been enforced historically.

Learn more about Compliance Reporting

Tiered Policies

Calico Enterprise introduces the concept of Policy Tiers. Policy Tiers define the order in which network security policies are evaluated. Higher tiers evaluate traffic first. This is where you define and implement your security controls.

Policy tiers can federate across multiple clusters using Calico Enterprise Multi-Cluster Management, enabling a single definition of security controls that are applied to all clusters.

If the traffic complies with the security controls then it is evaluated by the lower tiers.

Monitoring and Alerting

How would you know if someone changed your security policies? Calico Enterprise monitors and logs all changes to policies with their version history.

When a policy that implements your security controls changes, Calico Enterprise will alert you of the change. The change history shows exactly what changed and is the first step towards security forensics to identify what happened and how.

Compliance Reporting

When the security team asks to see the corporate security controls you implemented, showing them YAML files is not likely going to work.

Calico Enterprise comes with a web GUI that visually describes the security controls in place in an easy to understand policy view.

The next thing the security team will ask for is which workloads are covered by the security controls and which are not. Calico Enterprise Compliance Reports show all workloads that are in-scope and not in-scope of your policy.

The security team will then need to see evidence that the security controls are operating as expected. Calico Enterprise reports on all connections evaluated by the policy and whether those connections were allowed or denied.

Finally, the security team will need to ensure that the policies haven’t been tampered with. For example, a policy didn’t change last Saturday for 2 hours, allowing the controls to be violated. Calico Enterprise tracks all changes to policies and maintains a version history of those changes.

With all this in place, you should be able to ace your next security audit.

Interested in trying Calico Enterprise to implement, enforce, and report on your enterprise security controls?

Sign up for our free trial – we’ll even provide sample workloads to test with.

Free Trial