Enterprise Security Controls

At some point in your Kubernetes journey, you’ll want to extend your existing enterprise security controls to your Kubernetes environment. Many applications have compliance requirements such as workload isolation, ensuring developers cannot access production, and the implementation of security zones (trusted, untrusted, DMZ). For example, microservices in the DMZ can communicate with the public Internet but not directly with your backend databases.

Using Calico Enterprise or Calico Cloud, you can implement these controls and enforce them consistently across your clusters:

  • Implement security controls in a higher-precedence policy tier that other users cannot change or override (write access to the tier is governed by Kubernetes RBAC)
  • Alert on any change to your security controls
  • Generate audit reports that prove compliance




As the Kubernetes footprint expands, we’ve seen demand for an even more in-depth approach to protecting sensitive data that falls under regulatory compliance mandates. Encrypting data makes it unreadable to anyone except the legitimate key holder, so the data stays protected even if traffic is captured during a breach. Several regulatory standards impose data protection requirements on organizations and call for encryption, including SOX, HIPAA, GDPR, and PCI DSS. Encrypting traffic with a per-application approach such as TLS requires issuing, distributing, and rotating certificates for every service, which adds complexity and operational overhead for IT organizations that are already overburdened.

Calico Enterprise and Calico Cloud avoid that complexity by using WireGuard for data-in-transit encryption between nodes. WireGuard runs as a module inside the Linux kernel and delivers better throughput with lower CPU utilization than the IPsec and OpenVPN tunneling protocols. Independent benchmark tests of Kubernetes CNIs have shown Calico with encryption enabled to be 6x faster than any other solution in the market. And because Calico collects flow data at the workload interface, before traffic enters the encrypted tunnel, you keep visibility into all traffic in your Kubernetes clusters even when encryption is deployed.
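The setting that turns this on, shown here as an added example rather than text from the original page: Calico's node-to-node WireGuard encryption is enabled through the `wireguardEnabled` field of the cluster-wide `FelixConfiguration` resource named `default`. The comments note the checks a practitioner should make before relying on it; the node name `worker-1` is an assumed placeholder.

```yaml
# Added example: enable WireGuard encryption for pod traffic between nodes.
# Apply with calicoctl (or kubectl, where the projectcalico.org/v3 API is served):
#   calicoctl apply -f wireguard.yaml
#
# Preconditions to verify first (not enforced by this manifest):
#   - every node's kernel has WireGuard support (kernel 5.6+ or a distro backport);
#     a node without it keeps sending plaintext, so check each node, not just one
#   - traffic between two pods on the SAME node is not tunneled and is therefore
#     not encrypted by this setting
apiVersion: projectcalico.org/v3
kind: FelixConfiguration
metadata:
  name: default
spec:
  wireguardEnabled: true
```

After applying, confirm that each node has actually generated a key before treating the link as encrypted: `calicoctl get node worker-1 -o yaml` shows `status.wireguardPublicKey` once Felix has set up the interface; a node with no public key in its status is still exchanging plaintext. Disabling encryption later is the same patch with `wireguardEnabled: false`, so a change to this resource is itself something the change-alerting described below should watch.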

Tiered Policies

Calico Enterprise and Calico Cloud introduce the concept of Policy Tiers. A tier is an ordered group of policies, and the tiers themselves are ordered: the tier with the highest precedence (the lowest `order` value) evaluates traffic first. This is where you define and implement your security controls, so that a developer's policy in a lower tier can never override them.

Policy tiers can federate across multiple clusters using Unified Control, enabling a single definition of security controls that can be applied to all clusters.

Traffic reaches the lower tiers only if the security-control tier passes it on: a rule with the `Pass` action hands the connection to the next tier, while a tier that selects a workload and matches none of its rules denies the connection. Traffic from workloads that no policy in the tier selects skips the tier entirely.
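The DMZ example from the opening paragraph, written as a security-control tier, is an added example and not a manifest from the page or from the Calico project. The tier name `security`, the `order` values, and the pod labels `zone == "dmz"` and `zone == "backend-db"` are assumptions chosen for the illustration.

```yaml
# Added example: a high-precedence tier holding one enterprise security control.
# Apply with: calicoctl apply -f security-tier.yaml
#
# Lower "order" wins, so this tier is evaluated before the built-in "default"
# tier where application teams write their own policies.
apiVersion: projectcalico.org/v3
kind: Tier
metadata:
  name: security          # assumed tier name
spec:
  order: 100
---
# Policies in a tier are named "<tier>.<name>" and reference the tier in spec.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: security.dmz-no-direct-db
spec:
  tier: security
  order: 10
  # Applies to every pod labelled zone=dmz, in any namespace (assumed label).
  selector: zone == "dmz"
  types:
    - Egress
  egress:
    # Control: DMZ workloads may never talk directly to backend databases.
    - action: Deny
      destination:
        selector: zone == "backend-db"   # assumed label
    # Everything else (including the Internet access the DMZ is allowed) is
    # handed down to the next tier, where application policies decide.
    # Without this rule the tier would implicitly deny all other DMZ egress.
    - action: Pass
```

The trailing `Pass` rule is the detail to get right: omit it and the security tier does not merely add a control, it silently becomes the only policy that matters for DMZ pods. Conversely, an application team cannot "fix" a blocked database connection by adding an `Allow` in the `default` tier, because their policy is never consulted for traffic this tier has already denied. Pair the manifest with an RBAC rule that grants only the security team write access to the `security` tier and its policies; otherwise the precedence guarantee is only as strong as the permissions on the tier.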

Monitoring and Alerting

How would you know if someone changed your security policies? Calico Enterprise and Calico Cloud monitor and log all changes to policies, including their version history.

When a policy that implements your security controls changes, you are alerted to the change. The change history shows exactly what changed, by whom, and when, and is the first step in a forensic investigation: a record identifying what happened and how.

Compliance Reporting

When the security team asks to see the corporate security controls you implemented, showing them YAML files is not going to work.

Calico Enterprise and Calico Cloud include a web-based GUI that visually describes the security controls in place in an easy-to-understand policy view.

The next thing the security team will want to know is which workloads are covered by the security controls and which ones are not. Compliance Reports show all workloads that are in scope and out of scope for your policy.

The security team will also need to see evidence that the security controls are functioning as expected. Calico Enterprise and Calico Cloud report on all connections evaluated by a given policy and whether those connections were allowed or denied.

Finally, the security team will need to ensure that the policies haven’t been tampered with; for example, that a policy was not loosened for two hours last Saturday and then restored, allowing the controls to be violated without leaving a visible difference in the current configuration. Calico Enterprise and Calico Cloud track all changes to policies and maintain a version history of those changes.

With all of this in place, you should be able to ace your next security audit!
