Enterprise Security Controls
Meet Corporate and Regulatory Requirements
Using open-source Project Calico, you can implement these segmentation rules. Project Calico ships with most managed public-cloud and on-premises Kubernetes distributions and is the de facto implementation of Kubernetes Network Policy.
While you can implement these rules with open-source Project Calico alone, there are limitations:
- Any user with permission to edit policy objects can inadvertently override or change your security controls. How do you detect when that happens?
- When asked for proof that security controls are, and have been, enforced, how do you generate a report? If the policies were changed or removed for a few hours last Saturday, how would you know?
With Calico Enterprise, you can:
- Implement security controls in a higher-precedence policy tier that cannot be changed or overridden by other users
- Alert on changes to your security controls
- Generate audit reports that demonstrate compliance now and historically
Ace Your Next Security Audit
Compliance reports prove that your controls are being enforced at a point in time, and that they have been enforced continuously over a historical period.
Project Calico is an implementation of Kubernetes Network Policy, the network segmentation model native to Kubernetes. Using Calico policies, you segment your cluster and define which pods may talk to which other pods, as declarative policy-as-code.
Calico Enterprise adds the concept of policy tiers. Tiers define the order in which network policies are evaluated: higher-precedence tiers see the traffic first. The highest tier is where you define and implement your security controls, and a policy there can allow or deny traffic outright, or explicitly pass it down to the next tier.
Policy tiers can be federated across multiple clusters with Calico Enterprise Multi-Cluster Management, so a single definition of security controls applies to every cluster.
Traffic that complies with the security controls is passed down and evaluated by the lower tiers, where application teams keep their own policies; a lower-tier policy cannot undo a decision already made in a higher tier.
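The following is an added example of the two-tier layout just described, written for this page rather than taken from the Calico project or product documentation. It assumes a tier named `security`, a pod label `pci=true` marking regulated workloads, a namespace `payments` with `app=api` and `app=frontend` pods, and an internal address range of `10.0.0.0/8`; all of these names and values are illustrative. The `Tier` kind and the `tier` field on a policy require Calico Enterprise; the `NetworkPolicy` at the end is a plain Kubernetes object that application teams can manage themselves.

```yaml
# Added example, not code from the page or the Calico project.
# Assumed names: tier "security", label pci=true, namespace "payments",
# internal range 10.0.0.0/8.

# 1. A high-precedence tier. Tiers are evaluated from the lowest "order"
#    value upward, so order 100 runs before the built-in "default" tier.
apiVersion: projectcalico.org/v3
kind: Tier
metadata:
  name: security
spec:
  order: 100
---
# 2. The corporate control: no ingress to PCI-labelled pods from outside
#    the internal range. This lives in the "security" tier, so it is
#    evaluated before any namespace-level NetworkPolicy.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  # Policy names in a non-default tier are prefixed with the tier name.
  name: security.deny-external-ingress-to-pci
spec:
  tier: security
  order: 10
  selector: pci == "true"
  types:
    - Ingress
  ingress:
    # Deny traffic whose source is NOT within the assumed internal range.
    - action: Deny
      source:
        notNets:
          - 10.0.0.0/8
    # Everything that complied with the control is handed to the next tier.
    # Without this Pass, traffic not matched by any rule would be dropped at
    # the end of the tier, because a policy in this tier selects the pod.
    - action: Pass
---
# 3. The application team's own rule, in the default tier. It decides which
#    internal callers may reach the API, but it can never re-admit traffic
#    the security tier has already denied.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow-from-frontend
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8443
```

Two points worth checking when you deploy a layout like this: the final `Pass` rule in the security-tier policy is what lets compliant traffic reach the application team's policies, so removing it changes the control from "deny external" to "deny everything" for the selected pods; and the separation only holds if write access to the `security` tier is restricted to the security team, so review the RBAC bindings for the tier alongside the policy itself.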
Monitoring and Alerting
How would you know if someone changed your security policies? Calico Enterprise monitors and logs every change to a policy and retains its version history.
When a policy that implements your security controls changes, Calico Enterprise alerts you. The change history shows exactly what changed, which is the first step in a forensic investigation of what happened and how.
When the security team asks to see the corporate security controls you implemented, showing them YAML files is unlikely to work.
Calico Enterprise comes with a web GUI that visually describes the security controls in place in an easy to understand policy view.
The next thing the security team will ask is which workloads are covered by the security controls and which are not. Calico Enterprise compliance reports list every workload that is in scope and out of scope of your policy.
The security team will then need evidence that the controls are operating as expected. Calico Enterprise reports on every connection evaluated by the policy and whether it was allowed or denied.
Finally, the security team will need assurance that the policies have not been tampered with: for example, that a policy was not changed for two hours last Saturday, leaving the controls bypassed. Calico Enterprise tracks all changes to policies and keeps a version history of those changes.
With all this in place, you should be able to ace your next security audit.
Interested in trying Calico Enterprise to implement, enforce, and report on your enterprise security controls?
Sign up for our free trial – we’ll even provide sample workloads to test with.