Zero Trust Network Security
Assume Something Has Been Compromised
Threats can exist within the network, compromised infrastructure, and your workloads.
Tigera’s Zero Trust Security is a layered defense that does not trust infrastructure, the network, users, or workloads by default.
Every Kubernetes Pod authenticates itself with Calico Enterprise using multiple sources of identity, similar to multi-factor authentication.
When a pod has established trust through authentication, it is authorized to connect to other workloads through the use of standard Kubernetes Network Policy.
If a pod cannot authenticate itself, it will not have any connectivity within your cluster.
Implement Least-Privilege Security
Tigera uses a combination of policy tiering and whitelisting to achieve a least-privilege security model.
Policy tiering enables security rules to be defined using Kubernetes Network Policies that cannot be overridden by any other policy. This lets you set up security guardrails while still allowing application teams to deploy their own policies.
By default, all pod-to-pod connections are denied. A network policy must be deployed with each workload to enable connectivity.
Calico Enterprise can automatically generate Kubernetes Network Policies for your DevOps team by observing and auditing the ingress and egress connections to any given Pod. This enables your DevOps team to generate and deploy policies without having to write them from scratch.
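The following manifests are an added example, not Tigera's own configuration, showing how the three ideas above fit together: a Calico Enterprise tier that is evaluated before namespaced policies (the guardrail), a standard Kubernetes default-deny policy, and the explicit allow that ships with a workload. The tier name `security`, the namespace `payments`, the labels `app=api` / `app=db` and the blocked metadata address are all assumptions made for the example.

```yaml
# Added example (not Tigera's own configuration). Assumes a tier named
# "security", a namespace "payments", and pod labels app=api / app=db.

# 1. A Calico Enterprise tier. Tiers are evaluated in ascending order,
#    and Kubernetes NetworkPolicies live in the built-in "default" tier,
#    so anything in this tier is decided first.
apiVersion: projectcalico.org/v3
kind: Tier
metadata:
  name: security
spec:
  order: 100
---
# 2. Guardrail policy in the security tier (name is prefixed with the
#    tier name, as Calico Enterprise requires). It denies workload egress
#    to the cloud metadata endpoint (constructed example address) and then
#    Passes every other connection down to the next tier, so application
#    teams keep control of their own policies but cannot undo the Deny.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: security.block-metadata
spec:
  tier: security
  order: 10
  selector: all()
  types:
    - Egress
  egress:
    - action: Deny
      destination:
        nets:
          - 169.254.169.254/32
    - action: Pass
---
# 3. Default deny for the payments namespace using standard Kubernetes
#    NetworkPolicy: an empty podSelector matches every pod, and listing
#    Ingress with no rules denies all inbound pod-to-pod traffic.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: payments
spec:
  podSelector: {}
  policyTypes:
    - Ingress
---
# 4. Explicit allow deployed with the workload: only app=api pods in the
#    same namespace may reach app=db on TCP 5432. Everything else stays
#    denied by policy 3.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-to-db
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: db
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: api
      ports:
        - protocol: TCP
          port: 5432
```

The default-deny here covers ingress only; if you also add `Egress` to its `policyTypes`, remember that every pod then needs an explicit egress rule for DNS (UDP/TCP 53 to the cluster DNS pods) before any name resolution works. Policy 2 demonstrates why tiers matter: a developer can write any NetworkPolicy they like in `payments`, but the metadata Deny is evaluated before their policy is ever consulted.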
Enforce Security at Multiple Layers of the Infrastructure
Security at the Pod is not enough. The host itself may be compromised. Calico Enterprise evaluates traffic and enforces security policies at the host and the Pod.
This gives you a defense-in-depth security posture for your Kubernetes cluster.
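As an added example (not Tigera's own configuration) of enforcing at the host as well as the pod, the manifests below register a node's interface as a Calico `HostEndpoint` and attach a policy that restricts SSH to the host itself. The node name `worker-1`, interface `eth0`, address `10.0.0.11` and the management range `10.1.0.0/24` are constructed values.

```yaml
# Added example (not Tigera's own configuration). Assumes a node named
# "worker-1" whose primary interface eth0 has address 10.0.0.11 and a
# management subnet of 10.1.0.0/24 (all constructed values).

# 1. Register the node interface as a HostEndpoint so that Calico applies
#    policy to the host's own traffic, not only to pod traffic. The label
#    is what host policies select on.
apiVersion: projectcalico.org/v3
kind: HostEndpoint
metadata:
  name: worker-1-eth0
  labels:
    role: worker
spec:
  node: worker-1
  interfaceName: eth0
  expectedIPs:
    - 10.0.0.11
---
# 2. Host policy in the default tier: SSH to the node is allowed only from
#    the management range and denied from everywhere else; all other host
#    ingress is left allowed so the node keeps functioning while you add
#    tighter rules. applyOnForward: false keeps this policy from touching
#    pod traffic that merely transits the host.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: worker-host-ssh
spec:
  selector: role == 'worker'
  applyOnForward: false
  types:
    - Ingress
  ingress:
    - action: Allow
      protocol: TCP
      source:
        nets:
          - 10.1.0.0/24
      destination:
        ports:
          - 22
    - action: Deny
      protocol: TCP
      destination:
        ports:
          - 22
    - action: Allow
```

Calico applies a deny-by-default stance to a HostEndpoint that has no matching policy at all, so the final `Allow` rule is deliberate: narrow it only after you have confirmed which control-plane, kubelet and monitoring ports the node must still accept.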
Automatically Encrypt Pod to Pod Traffic
It is good practice to encrypt traffic between your workloads so that your data cannot be sniffed in transit. It is also a baseline requirement of most regulatory and corporate compliance frameworks.
Calico Enterprise can automatically encrypt some or all pod-to-pod traffic. Developers need not change any code in their containers: traffic is encrypted as it leaves the pod and decrypted at the destination pod.
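The page does not name the mechanism; the added example below (not Tigera's own configuration) assumes Calico's WireGuard support, which is switched on through the cluster-wide `FelixConfiguration` resource. It assumes the standard installation where that resource is named `default` and that the node kernels ship the WireGuard module.

```yaml
# Added example (not Tigera's own configuration). Assumes the cluster-wide
# Felix configuration object is named "default", as in a standard Calico
# install, and that every node's kernel supports WireGuard.
apiVersion: projectcalico.org/v3
kind: FelixConfiguration
metadata:
  name: default
spec:
  # Encrypt pod-to-pod traffic between nodes with WireGuard. Application
  # code is untouched: each node encrypts packets as they leave and
  # decrypts them on arrival.
  wireguardEnabled: true
```

Once the setting is active, each Calico `Node` resource reports its WireGuard public key in its status (`calicoctl get node <name> -o yaml`), which is a quick way to confirm that a given node is participating before relying on the encryption for a compliance control.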