Zero Trust Network Security

The most advanced network security available for dynamic Kubernetes workloads

Assume Something Has Been Compromised

Zero Trust assumes that at all times, something in your network has been compromised.

Threats can exist within the network, compromised infrastructure, and your workloads.

Tigera’s Zero Trust Security is a layered defense that does not trust infrastructure, the network, users, or workloads by default.

Workload Identity

Every Kubernetes Pod authenticates itself with Calico Enterprise using multiple sources of identity, similar to multi-factor authentication.

When a pod has established trust through authentication, it is authorized to connect to other workloads through the use of standard Kubernetes Network Policy.

If a pod cannot authenticate itself, it will not have any connectivity within your cluster.

Implement Least-Privilege Security

Tigera uses a combination of policy tiering and whitelisting to achieve a least-privilege security model.

Policy tiering enables security rules to be defined using Kubernetes Network Policies that cannot be overridden by any other policy. This allows security guardrails to be set up while still democratizing policy deployment.

By default, all pod-to-pod connections are denied. A network policy must be deployed with each workload to enable connectivity.

Calico Enterprise can automatically generate Kubernetes Network Policies for your DevOps team by observing and auditing the ingress and egress connections to any given Pod. This enables your DevOps team to generate and deploy policies without having to write them from scratch.

Enforce Security at Multiple Layers of the Infrastructure

Security at the Pod is not enough. The host itself may be compromised. Calico Enterprise evaluates traffic and enforces security policies at the host and the Pod.

This gives you a defense-in-depth security posture for your Kubernetes cluster.

Automatically Encrypt Pod-to-Pod Traffic

It is good practice to encrypt traffic between your workloads to prevent your data from being sniffed in transit. It is also a baseline requirement for most regulatory and corporate compliance frameworks.

Calico Enterprise can automatically encrypt some or all pod-to-pod traffic. Developers need not change any code within their containers; the traffic is encrypted at the edge of the source pod and decrypted at the destination pod.
