Enterprise Security Controls
At some point in your Kubernetes journey, you’ll want to extend your existing enterprise security controls to your Kubernetes environment. Many applications have compliance requirements such as workload isolation, ensuring developers cannot access production, and the implementation of security zones (trusted, untrusted, DMZ). For example, microservices in the DMZ can communicate with the public Internet but not directly with your backend databases.
Using Calico Enterprise or Calico Cloud, you can implement these security controls and deploy others.
- Implement security controls at a higher precedent policy tier that can’t be changed or overridden by other users
- Alert on any changes to your security controls
- Generate audit reports that prove compliance
Calico Enterprise and Calico Cloud avoid unnecessary complexity by using WireGuard to implement data-in-transit encryption. WireGuard runs as a module inside the Linux kernel and provides better performance and lower CPU utilization than the IPsec and OpenVPN tunneling protocols. Independent benchmark tests of Kubernetes CNIs have shown that Calico with encryption enabled is 6x faster than any other solution in the market. And with Calico Enterprise and Calico Cloud, you maintain visibility into all traffic in your Kubernetes clusters even when encryption is deployed.
Calico Enterprise and Calico Cloud introduce the concept of Policy Tiers. Policy Tiers define the order in which security policies are evaluated. Higher tiers evaluate traffic first. This is where you define and implement your security controls.
Policy tiers can federate across multiple clusters using Unified Control, enabling a single definition of security controls that can be applied to all clusters.
Traffic that complies with the security controls in the higher tier is then evaluated by the lower tiers.
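The tiering described above, as an added example (not taken from the page or from the Calico project): a high-precedence tier holding the DMZ and developer-isolation controls, with each policy ending in a Pass so that compliant traffic falls through to the lower tiers where application teams write their own policies. Tier name, label keys and values, and the private address ranges are assumptions; restricting who may edit policies in this tier is done separately with Kubernetes RBAC and is not shown.

```yaml
# Added example: a high-precedence tier that holds the corporate controls.
# Tier and label names are assumed, not taken from the page.
apiVersion: projectcalico.org/v3
kind: Tier
metadata:
  name: security-controls
spec:
  order: 100          # lower order = evaluated earlier; the default tier is evaluated last
---
# DMZ workloads (label zone=dmz) may reach the public Internet but never the
# backend databases (label zone=database). Anything else falls through (Pass)
# to lower tiers; without the Pass, the tier's implicit deny would apply.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: security-controls.dmz-egress   # policy names are prefixed with their tier
spec:
  tier: security-controls
  order: 10
  selector: zone == 'dmz'
  types:
  - Egress
  egress:
  - action: Deny
    destination:
      selector: zone == 'database'
  - action: Allow
    destination:
      notNets:                          # assumed private ranges; anything else is "Internet"
      - 10.0.0.0/8
      - 172.16.0.0/12
      - 192.168.0.0/16
  - action: Pass
---
# Developer isolation: traffic from namespaces labelled env=dev into namespaces
# labelled env=production is denied here, regardless of what lower tiers allow.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: security-controls.block-dev-to-prod
spec:
  tier: security-controls
  order: 20
  namespaceSelector: env == 'production'
  types:
  - Ingress
  ingress:
  - action: Deny
    source:
      namespaceSelector: env == 'dev'
  - action: Pass
```

Apply with `kubectl apply -f` (or `calicoctl apply -f`) against a cluster running Calico Enterprise; the Deny rules are what the connection reports described later on the page will show as denied.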
Monitoring and Alerting
When a policy that implements your security controls changes, you are alerted to the change. The change history shows exactly what changed and is the first step in security forensics: a record identifying what happened and how.
When the security team asks to see the corporate security controls you implemented, showing them YAML files is not going to work.
Calico Enterprise and Calico Cloud include a web-based GUI that visually describes the security controls in place in an easy-to-understand policy view.
The next thing the security team will want to know is which workloads are covered by the security controls and which are not. Compliance Reports show all workloads that are in-scope and out-of-scope for your policy.
The security team will also need to see evidence that the security controls are functioning as expected. Calico Enterprise and Calico Cloud report on all connections evaluated by a given policy and whether those connections were allowed or denied.
Finally, the security team will need to ensure that the policies haven't been tampered with, for example that a policy wasn't changed for two hours last Saturday, allowing the controls to be violated. Calico Enterprise and Calico Cloud track all changes to policies and maintain a version history of those changes.
With all of this in place, you should be able to ace your next security audit!