Zero Trust is a security model that grants no trust to networked entities by default and assumes that your application or infrastructure has already been compromised and may be hosting some form of malware. Zero Trust policies rely on real-time visibility into workloads, and succeed only if organizations can continuously monitor and validate that a requested connection has the right privileges and attributes. One-time validation won't suffice, because threats and connection attributes change over time. Zero Trust ensures that every access request is continuously vetted before a connection to any of your enterprise or cloud assets is allowed.
Kubernetes is particularly exposed to the lateral spread of malware because of the open nature of cluster networking: with no network policy in place, any pod can connect to any other pod, even across namespaces. Without a security model like Zero Trust it is very difficult to detect malware, or its spread, within a Kubernetes cluster. Calico enables a Zero Trust environment built on three core capabilities: encryption, least privilege access controls, and defense-in-depth.
Encryption: enables compliance with corporate and regulatory data protection requirements that specify the use of encryption, including SOX, HIPAA, GDPR, and PCI.
Least privilege access controls: deny all network traffic by default, allowing only the connections that have been authorized.
Defense-in-depth: helps shift-left teams maintain the security posture needed to meet compliance requirements mandated by legislation or your own internal security team, helping you get to production faster.
Several regulatory standards impose data protection and compliance requirements on organizations and specify the use of encryption, including PCI, SOX, HIPAA, and GDPR. Encrypting traffic with an application-level approach such as TLS requires issuing, distributing, and rotating certificates for every workload, which adds complexity and operational overhead for IT organizations that are already overburdened.
Calico avoids that complexity by using WireGuard to encrypt data in transit between nodes. WireGuard runs as a module inside the Linux kernel (mainline since Linux 5.6; older kernels need a backported module) and provides better performance and lower CPU utilization than IPsec and OpenVPN tunneling. Independent benchmark tests of Kubernetes CNIs have shown Calico with encryption enabled to be 6x faster than any other solution on the market. Because policy is enforced and flows are logged on the node before traffic enters the WireGuard tunnel, you maintain visibility into all traffic in your Kubernetes clusters even when encryption is enabled.
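As an added example (not code from this page or from the Calico project), this is the Calico resource that switches on WireGuard encryption for every node in the cluster. Encryption is controlled by the `wireguardEnabled` field of the default FelixConfiguration; the file name in the comment is an assumption.

```yaml
# Added example: enable Calico's node-to-node WireGuard encryption cluster-wide.
# Assumes the nodes run a kernel with WireGuard support (5.6+ or a backported module).
# Apply with:  calicoctl apply -f wireguard.yaml
# or, if the resource already exists:
#   calicoctl patch felixconfiguration default --type='merge' -p '{"spec":{"wireguardEnabled":true}}'
apiVersion: projectcalico.org/v3
kind: FelixConfiguration
metadata:
  name: default
spec:
  wireguardEnabled: true
```

To confirm it is working, run `wg show` on a node: Calico creates a `wireguard.cali` interface with one peer per other node. Network policy is still enforced on the pod's veth before traffic is routed into that interface, which is why flow logs remain complete with encryption on.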
The principle of least privilege requires that a process, user, or application can access only the information and resources necessary for its legitimate purpose. All other access is denied. Calico implements least privilege access controls by denying all network traffic by default and allowing only those connections that have been authorized. This applies to traffic between microservices as well as to ingress and egress outside the cluster.
Least privilege access controls protect your application throughout the entire infrastructure stack. In a single policy per microservice you can define which cluster resources it may connect to, and which application API paths and HTTP methods are authorized. If a microservice attempts to connect to a service or location that was not authorized, the attempt is denied and logged, raising an alert for further investigation and remediation.
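The following is an added example of the default-deny, allow-only-what-is-authorized stance described above, written against Calico's `projectcalico.org/v3` policy API; it is not code from this page or from the Calico project. The namespace `shop`, the labels `app=frontend`, `app=orders` and `app=orders-db`, and the ports 8080 and 5432 are assumptions chosen for illustration.

```yaml
# Added example: least privilege network policy with Calico.
#
# 1. Cluster-wide default deny. A policy with no `order` is evaluated after every
#    ordered policy, so the explicit Allow rules below take precedence. System
#    namespaces are excluded so the CNI and control plane keep working.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: default-deny
spec:
  selector: projectcalico.org/namespace not in {"kube-system", "calico-system", "calico-apiserver"}
  types:
  - Ingress
  - Egress
---
# 2. Every workload needs DNS. Allow it once, cluster-wide, so per-service
#    policies only have to list application traffic.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: allow-dns-egress
spec:
  order: 100
  selector: all()
  egress:
  - action: Allow
    protocol: UDP
    destination:
      namespaceSelector: projectcalico.org/name == "kube-system"
      selector: k8s-app == "kube-dns"
      ports: [53]
  types:
  - Egress
---
# 3. One policy for the assumed "orders" microservice: only the frontend may call
#    it, only on TCP/8080 and (with application layer policy enabled) only on the
#    /api/orders paths; the only outbound connection it may open is to its database.
#    Anything else falls through to default-deny and shows up as a denied flow.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: orders
  namespace: shop
spec:
  order: 200
  selector: app == "orders"
  ingress:
  - action: Allow
    protocol: TCP
    source:
      selector: app == "frontend"
    destination:
      ports: [8080]
    # Layer 7 match; enforced only where Calico's application layer policy is enabled.
    http:
      methods: ["GET", "POST"]
      paths:
      - prefix: "/api/orders"
  egress:
  - action: Allow
    protocol: TCP
    destination:
      selector: app == "orders-db"
      ports: [5432]
  types:
  - Ingress
  - Egress
```

Apply the three documents in this order with `calicoctl apply -f`. Before rolling the default-deny policy into a production cluster, check the denied flows it would produce in a staging cluster first; any flow that appears there and is legitimate needs its own Allow rule, which is exactly the per-service authorization the text describes.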
For microservices that are already running, you can quickly authorize their existing connections with the Policy Recommendation Engine, which derives policy from the flows it observes. Adding or removing authorized connections is then as simple as deploying the updated policy alongside your microservice through self-service policy changes.
How would you know if someone changed your security policies? Calico monitors and logs every change to a policy, keeping its version history. When a policy that implements your security controls changes, you are alerted to the change. The change history shows exactly what changed and is the first step in security forensics: a record identifying what happened and how.