Zero Trust Network Security

The strongest security framework for your microservices


Zero Trust Network Security is a strong security posture that assumes that something in your application or infrastructure has been compromised and is currently hosting some form of malware.

Kubernetes is particularly vulnerable to the spread of malware due to the open nature of cluster networking; by default, any pod can connect to any other pod, even across namespaces. It is very difficult to detect malware or its spread within a Kubernetes cluster without implementing a strong security framework like Zero Trust.

Calico Enterprise enables a Zero Trust Network built on four core capabilities.

Workload Identity

Dual-factor auth for every microservice


Least Privilege Access Controls

Limit access to necessary resources


Defense in Depth

Enforce security at multiple layers of your stack


Encrypt Data-in-transit

Prevent the theft of data transmitted between microservices



Workload Identity

Calico Enterprise authenticates every microservice using strong multi-factor authentication built on a combination of X.509 certificates, network identity, and other metadata.

When a microservice successfully authenticates, Calico Enterprise only then allows access to the network, and only to those network destinations the microservice is authorized to connect to.

Least Privilege Access Controls

The principle of least privilege is to allow only the access that is needed and block everything else. Calico Enterprise implements Least Privilege Access Controls by denying all network traffic by default and allowing only the connections that have been explicitly authorized. This applies to traffic between microservices as well as to ingress and egress traffic outside the cluster.

Calico Enterprise Least Privilege Access Controls protect your application throughout the entire infrastructure stack. Using a single policy per microservice, you can define which network locations it may connect to, as well as which application API paths and HTTP methods are authorized.

If a microservice attempts to connect to another service or location that was not authorized, Calico Enterprise will raise an alert for further investigation and remediation.

For currently running microservices, you can quickly authorize connections using the Calico Enterprise Policy Recommendation Engine. To add or remove authorized connections, it’s as simple as deploying the policy with your microservice using Self-Service Policy Changes.

Defense in Depth

The underlying premise of Zero Trust is that you have to assume that some layer of the infrastructure or application has been compromised at any given point in time. Defense in depth is how Calico Enterprise mitigates that risk.

For every connection request, Calico Enterprise evaluates whether the connection has been authorized at the host, the pod, and then again at the container. If any layer of your infrastructure has been compromised, Calico Enterprise will still block unauthorized connections and alert you.

Encrypt Data-in-transit

Calico Enterprise encrypts your microservice traffic, preventing the theft of data transmitted between your microservices. Malware on your network will no longer be able to capture and filter your packets.

Calico Enterprise can use mTLS encryption between all pods or IPsec encryption on the wire to protect your traffic.
