Zero Trust Network Security

Zero Trust Network Security is a strong security posture that assumes that something in your application or infrastructure has been compromised and is currently hosting some form of malware.

Kubernetes is particularly vulnerable to the spread of malware due to the open nature of cluster networking; by default, any pod can connect to any other pod, even across namespaces. It is very difficult to detect malware or its spread within a Kubernetes cluster without implementing a strong security framework like Zero Trust.

Calico Enterprise enables a Zero Trust Network built on four core capabilities.

Workload Identity

Access Controls

Defense in Depth

Encrypt Data-in-transit


Workload Identity

Calico Enterprise authenticates every microservice using strong multi-factor authentication built on a combination of X.509 certificates, network identity, and other metadata.

When a microservice successfully authenticates, Calico Enterprise only then allows access to the network, and only to those network destinations the microservice is authorized to connect to.

Least Privilege Access Controls

The principle of least privilege is to allow only the access that is actually needed and block everything else. Calico Enterprise implements Least Privilege Access Controls by denying all network traffic by default and allowing only the connections that have been explicitly authorized. This applies to traffic between microservices as well as to ingress into and egress out of the cluster.

Calico Enterprise Least Privilege Access Controls protect your application throughout the entire infrastructure stack. Using a single policy per microservice, you can define which network locations it may connect to as well as which application API paths and web methods are authorized.

If a microservice attempts to connect to another service or location that was not authorized, Calico Enterprise will raise an alert for further investigation and remediation.

For microservices that are already running, you can quickly authorize their existing connections using the Calico Enterprise Policy Recommendation Engine. Adding or removing authorized connections is as simple as deploying the updated policy alongside your microservice using Self-Service Policy Changes.

Defense in Depth

The underlying premise of Zero Trust is that you have to assume that some layer of the infrastructure or application has been compromised at any given point in time. Defense in depth is how Calico Enterprise mitigates that risk.

For every connection request, Calico Enterprise evaluates whether the connection has been authorized at the host, the pod, and then again at the container. If any layer of your infrastructure has been compromised, Calico Enterprise will still block unauthorized connections and alert you.

Encrypt Data-in-transit

Calico Enterprise encrypts your microservice traffic, preventing the theft of data transmitted between your microservices. Malware on your network will no longer be able to capture and filter your packets.

Calico Enterprise can use mTLS encryption between all pods or IPsec encryption on the wire to protect your traffic.



Interested in trying Calico Enterprise to secure your Kubernetes network?

Try Calico Enterprise or contact us if you have some questions – we’d love to hear from you!