Most businesses are subject to corporate and/or regulatory compliance requirements. From an operational perspective, this may involve isolation of workloads containing sensitive data, or restricting who is allowed to access specific resources. There may also be requirements to implement access control frameworks such as security zones (e.g. trusted, untrusted, and DMZ). Even more advanced controls are sometimes needed, like building a moat around PCI-DSS workloads, or logging all HIPAA data transactions.
Auditors need proof that you are enforcing these controls, but capturing the information required to show proof can be challenging, especially in a dynamic, distributed Kubernetes environment where workloads are ephemeral. Auditors will want to know:
Calico continuously monitors your Kubernetes environment for compliance and retains a daily history of your compliance status. Calico also includes predefined compliance report formats, as well as a resource for creating customized reports.
Automates and simplifies compliance monitoring, enforcement, and audit by tracking all policy changes and retaining a daily history of your compliance status.
Enables you to easily access audit reports showing the network security rules in place, in order to demonstrate proof of compliance for your security team and auditors.
Helps DevSecOps teams maintain the security posture needed to meet compliance requirements mandated by legislation or your own internal security team, helping you to get to production faster.
Several regulatory standards impose data protection and compliance requirements on organizations and specify the use of encryption, including PCI DSS, SOX, HIPAA, and GDPR. Encrypting traffic with a standard approach like TLS requires issuing, distributing, and rotating certificates, which adds complexity and operational overhead for IT organizations that are already overburdened. Calico avoids that complexity by using WireGuard to implement data-in-transit encryption. WireGuard runs as a module inside the Linux kernel and provides better performance and lower CPU utilization than IPsec and OpenVPN tunneling protocols; each node generates its own key pair, so there is no certificate authority to operate. Independent benchmark tests of Kubernetes CNIs have shown Calico with encryption enabled to be 6x faster than any other solution in the market. And with Calico, you maintain visibility into all traffic in your Kubernetes clusters even when encryption is deployed. Note that the WireGuard tunnels are established between nodes, so they protect pod traffic crossing the network between hosts; traffic between two pods on the same node never leaves the host and is not tunneled, and the node kernel must have WireGuard support available.
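As an added example (not configuration taken from this page), this is how WireGuard encryption is switched on cluster-wide through the FelixConfiguration resource, together with a check that each node has published a WireGuard public key. The resource name `default` is Calico's cluster-wide Felix configuration; the node name `worker-1` is an assumed placeholder for one of your nodes.

```yaml
# Enable WireGuard data-in-transit encryption for all nodes.
# Apply with: calicoctl apply -f felix-wireguard.yaml
# (or: kubectl apply -f ... when using the Calico API server)
apiVersion: projectcalico.org/v3
kind: FelixConfiguration
metadata:
  name: default          # cluster-wide Felix settings
spec:
  wireguardEnabled: true # IPv4 pod traffic between nodes is encrypted
  # wireguardEnabledV6: true   # uncomment for dual-stack / IPv6 clusters

# Verification (run on the control plane, replace worker-1 with a real node):
#   calicoctl get node worker-1 -o yaml
# Once Felix has brought up the tunnel, the node status carries the key that
# peers use to encrypt traffic to it, e.g.
#   status:
#     wireguardPublicKey: <base64 key>
# A node that lacks kernel WireGuard support will stay without a key, and
# traffic to it continues in the clear, so audit every node, not just one.
```

Because the toggle is a single field on one resource, an auditor can be shown the live object with `calicoctl get felixconfiguration default -o yaml` rather than a certificate inventory, and a `wireguardPublicKey` on every node is the evidence that the setting took effect.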
Calico introduces the concept of policy tiers. Policy tiers define the order in which security policies are evaluated: each tier carries an order value, and tiers with lower order values are evaluated first, so the highest-priority tier sees the traffic before any other. That top tier is where you define and implement your security controls. If the traffic complies with those controls, a Pass rule hands it down to the lower tiers, where application teams write their own finer-grained policies that cannot override the controls above them.
Policy tiers can federate across multiple clusters using unified control, enabling a single definition of security controls that can be applied to all clusters.
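The following is an added example of a security-controls tier, not policy text from this page. It isolates workloads labeled as PCI in-scope from every other workload endpoint and passes compliant traffic down to the lower tiers. The tier name `security`, the label `compliance`, and the order values are assumptions chosen for the illustration; the `Pass` action and the `tier.policy-name` naming convention are Calico's own.

```yaml
# Tier evaluated before any application tier (lower order = higher priority).
apiVersion: projectcalico.org/v3
kind: Tier
metadata:
  name: security
spec:
  order: 100
---
# Policies inside a tier are named <tier>.<name> and select the tier explicitly.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: security.pci-isolation
spec:
  tier: security
  order: 10                        # order within the tier
  selector: compliance == 'pci'    # applies to PCI in-scope workloads
  types:
    - Ingress
    - Egress
  ingress:
    # Deny connections coming from any workload endpoint that is not PCI in-scope.
    - action: Deny
      source:
        selector: compliance != 'pci'
    # Everything else (PCI-to-PCI traffic) is compliant with the control:
    # hand it to the next tier instead of allowing it outright, so that
    # application-level policies still get to evaluate it.
    - action: Pass
  egress:
    - action: Deny
      destination:
        selector: compliance != 'pci'
    - action: Pass
```

Two points matter for an audit. First, a policy in a lower tier can never allow what this tier denies, because the Deny rules are matched before the lower tier is consulted; the security team's control therefore holds regardless of what application teams write. Second, `selector` matches only workload and host endpoints known to Calico, so traffic from sources outside the cluster that are not represented as endpoints is not caught by the Deny rules above and falls through to Pass; covering such sources requires additional rules (for example on network sets or CIDRs) that this example does not include.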
How would you know if someone changed your security policies? Calico monitors and logs all changes to policies, including the version history.
When a policy that implements your security controls changes, you are alerted to the change. The change history shows exactly what changed and is the first step in security forensics: it provides a record of what happened and how.
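Independent of Calico's own change tracking, the Kubernetes API server can be made to record every write to Calico policy resources in its audit log, which gives an auditor a second, tamper-evident source for the same history. The audit policy below is an added example, not configuration from this page or from the Calico project; it assumes the API server is started with audit logging enabled (`--audit-policy-file` and `--audit-log-path`) and lists the resource groups Calico uses, `projectcalico.org` for the Calico API server and `crd.projectcalico.org` for the CRD-backed resources.

```yaml
# Kubernetes API server audit policy: full request and response bodies for
# every create/update/patch/delete of Calico tiers and policies, metadata-only
# for everything else. Rules are evaluated top to bottom; the first match wins.
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  - level: RequestResponse          # keeps the full policy object before/after
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: "projectcalico.org"
        resources:
          - tiers
          - globalnetworkpolicies
          - networkpolicies
          - globalnetworksets
          - networksets
      - group: "crd.projectcalico.org"
        resources:
          - tiers
          - globalnetworkpolicies
          - networkpolicies
          - globalnetworksets
          - networksets
  - level: Metadata                 # who/what/when for all other requests
    omitStages: ["RequestReceived"]

# Reviewing the trail (assumed log path; adjust to your --audit-log-path):
#   grep -E '"resource":"(tiers|globalnetworkpolicies|networkpolicies)"' \
#        /var/log/kubernetes/audit.log | jq '{ts:.requestReceivedTimestamp,
#        user:.user.username, verb:.verb, name:.objectRef.name}'
```

Each entry carries the authenticated user, the verb, and the object name, so a policy that was changed and changed back can be tied to an identity and a time window even if the live object now looks untouched.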
When the security team asks to see the corporate security controls you implemented, showing them YAML files is not going to work. Calico includes a web-based GUI that visually describes the security controls in place in an easy-to-understand policy view.
The next thing the security team will want to know is which workloads are covered by the security controls and which ones are not. Compliance reports show all workloads that are in scope and out of scope for your policies.
Finally, the security team will need to ensure that the policies have not been tampered with.
For example, a policy may have been changed and then reverted two hours later, leaving a window during which the controls could be violated even though the current policy looks correct. Calico tracks all changes to policies and maintains a version history of those changes, so that window is visible after the fact. With all of this in place, you should be able to ace your next security audit!