Zero Trust Security
Zero Trust Security is a strong security model that assumes that networked entities should not be trusted by default, and that your application or infrastructure has been compromised and is currently hosting some form of malware.
Kubernetes is particularly vulnerable to the spread of malware because of the open nature of cluster networking; by default, any pod can connect to any other pod, even across namespaces. It’s very difficult to detect malware or its spread within a Kubernetes cluster without implementing a security model like Zero Trust.
Calico Enterprise and Calico Cloud enable a Zero Trust environment built on three core capabilities.
Data-in-Transit Encryption
As the Kubernetes footprint expands, we’ve seen demand for an even greater in-depth approach to protecting sensitive data that falls under regulatory compliance mandates. Encrypting data makes it unreadable to anyone except the legitimate keyholder, thus protecting the data should a breach occur. Several regulatory standards impose data protection and compliance requirements on organizations and specify the use of encryption, including SOX, HIPAA, GDPR, and PCI. Encrypting traffic using a standard approach like TLS, for example, requires SSL certificates and results in more complexity and operational overhead for IT organizations that are already overburdened.
Calico Enterprise and Calico Cloud avoid unnecessary complexity by using WireGuard to implement data-in-transit encryption. WireGuard runs as a module inside the Linux kernel and provides better performance and lower CPU utilization than the IPsec and OpenVPN tunneling protocols. Independent benchmark tests of Kubernetes CNIs have shown that Calico with encryption enabled is 6x faster than any other solution in the market. And with Calico Enterprise and Calico Cloud, you maintain visibility into all traffic in your Kubernetes clusters even when encryption is deployed.
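As an added illustration of the setting that switches this on (example configuration written for this page, not taken from the page or from Calico's own documentation), WireGuard encryption in Calico is enabled through the cluster-wide FelixConfiguration resource; the `wireguardEnabled` field is a real Calico field, and the resource name `default` is the one Felix reads for cluster-wide settings. The resource is the same in open-source Calico and in Calico Enterprise/Cloud, which is an assumption stated here rather than a fact from the page.

```yaml
# Added example (not from the page): turn on Calico's node-to-node WireGuard
# encryption. "default" is the FelixConfiguration Felix consults cluster-wide.
apiVersion: projectcalico.org/v3
kind: FelixConfiguration
metadata:
  name: default
spec:
  # Before: omitted or false -> pod-to-pod traffic crosses the node network in clear text.
  # After: true -> Felix builds a WireGuard tunnel between every pair of nodes
  # whose kernel provides the WireGuard module (mainline Linux 5.6 and later,
  # or the out-of-tree module on older kernels).
  wireguardEnabled: true
```

Apply it with `calicoctl apply -f` (or `kubectl apply -f` when the Calico API server is installed). Two checks a practitioner should make afterwards: first, that every node actually has WireGuard kernel support, because a node without it simply does not get a tunnel and traffic to and from that node is left unencrypted; second, that the encryption is observable, for example with `wg show` on a node, which lists the tunnel interface and its peers, so the "encryption is on" claim can be verified rather than assumed.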
Least Privilege Access Controls
The principle of least privilege requires that a process, user, or application be able to access only the information and resources necessary for its legitimate purpose. All other access is denied. Calico Enterprise and Calico Cloud implement Least Privilege Access Controls by denying all network traffic by default and allowing only those connections that have been explicitly authorized. This applies to traffic between microservices as well as to ingress into and egress out of the cluster.
Least Privilege Access Controls protect your application throughout the entire infrastructure stack. You can define which cluster resources can be connected to as well as define which application API paths and web methods are authorized using a single policy per microservice.
If a microservice attempts to connect to another service or location that was not authorized, it will raise an alert for further investigation and remediation.
For currently running microservices, you can quickly authorize connections using the Policy Recommendation Engine. To add or remove authorized connections, it’s as simple as deploying the policy with your microservice using Self-Service Policy Changes.
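The default-deny-plus-explicit-allow model described in this section, as an added worked example (written for this page; it is not configuration from the page or from Tigera). It uses open-source Calico policy resources, which Calico Enterprise and Calico Cloud also accept in their default tier (an assumption stated here). The namespace `shop`, the labels `app: frontend` and `app: backend`, and the backend port 8080 are invented for the example; the `k8s-app: kube-dns` pod label and the `kubernetes.io/metadata.name` namespace label are the standard Kubernetes ones.

```yaml
# Added example (not from the page): cluster-wide default deny, with the two
# explicit allows a real workload needs to keep functioning.
#
# 1. Deny everything by default. Calico evaluates policies in ascending
#    "order", so the high order value makes this the last rule consulted.
#    Calico's own namespaces are excluded so the cluster keeps working.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: default-deny
spec:
  order: 1000
  selector: projectcalico.org/namespace not in {"kube-system", "calico-system", "tigera-operator"}
  types:
  - Ingress
  - Egress
---
# 2. Every pod may resolve DNS through CoreDNS. Without this allow, pods in a
#    default-deny cluster fail at name resolution, which is the most common
#    reason a new default-deny rollout appears to "break everything".
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: allow-dns-egress
spec:
  order: 200
  selector: all()
  types:
  - Egress
  egress:
  - action: Allow
    protocol: UDP
    destination:
      namespaceSelector: kubernetes.io/metadata.name == "kube-system"
      selector: k8s-app == "kube-dns"
      ports: [53]
---
# 3. The single authorized path: frontend -> backend on TCP 8080 only.
#    Anything else the backend receives, and anything the frontend tries
#    to reach that is not listed, falls through to the default deny.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
  namespace: shop
spec:
  order: 100
  selector: app == "backend"
  types:
  - Ingress
  ingress:
  - action: Allow
    protocol: TCP
    source:
      selector: app == "frontend"
    destination:
      ports: [8080]
```

The design choice worth noting is the ordering: allows carry lower `order` values than the deny, so a connection is permitted only when an explicit rule matches first, and every other connection attempt, including one made by a compromised frontend pod toward a service it was never authorized to reach, is dropped at the deny rule and shows up as a denied flow that can be alerted on.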
Defense in Depth
The underlying premise of Zero Trust is that networked resources should not be trusted by default and that you have to assume that some layer of your infrastructure or application has been compromised at any given point in time. Calico Enterprise and Calico Cloud mitigate that threat with a Defense-in-Depth approach to security.
For every connection request, Calico Enterprise and Calico Cloud evaluate whether the connection has been authorized at the host, the pod, and then again at the container levels. If any layer of your infrastructure has been compromised, Calico Enterprise and Calico Cloud will still block unauthorized connections and alert you.