Enforce Critical Security & Compliance Controls for Kubernetes Environments
Customer-facing applications are subject to critical network security and regulatory compliance requirements. Tigera Secure Cloud Edition provides security and compliance controls for Amazon EKS and other Kubernetes deployments on AWS. Tigera Secure CE enables network segmentation, encryption, visibility and traceability of network traffic, and the ability to extract the data required for IT audits, for Amazon EKS and other Kubernetes environments running on AWS.
Host to Host Encryption
A critical compliance requirement is to encrypt all data in motion.
Tigera Secure CE enables you to meet this requirement using Host to Host encryption. All traffic within and between clusters is encrypted with built-in certificate management.
Endpoint reporting provides visibility into the encryption status for all pods that have been in existence for the reporting period, enabling accurate data used to prove compliance for audit reports.
Flow Logs with Workload Metadata
Most organizations are using an existing system to capture flow logs. Tigera Secure CE integrates with existing security operations center threat analytic and log aggregation systems.
Workload identity is appended to 5-tuple flow logs to provide accurate data for dynamic and ephemeral workloads like containers.
Tigera Secure CE flow logs are configured at the policy level or the node level. The generated log data can be configured to include all connections, only accepted connections, only denied connections, or traffic matching any security policy.
For Kubernetes environments like Amazon EKS, bi-directional flow logs are generated for all pods as well as host connections and include workload identity as well as pod and host labels.
By default, flow logs are sent to a specified Amazon CloudWatch Group.
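To make concrete what appending workload identity to a 5-tuple flow record buys for ephemeral pods, the following is an added Python illustration. It is not Tigera's code and not its log format; the record layout, the pod inventory (including a pod IP that is reused by a second pod after the first one exits) and the flow records are all constructed for this example.

```python
"""Illustration of enriching 5-tuple flow records with workload identity.

Added example, not Tigera's code or log format. The record layout, the
pod inventory and the flows below are constructed for this illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PodRecord:
    namespace: str
    name: str
    service_account: str
    labels: dict
    ip: str
    start: int            # epoch seconds when the pod was assigned this IP
    end: Optional[int]    # None while the pod is still running


# Constructed inventory: 10.0.1.5 is reused by a second pod after the first exits,
# so the IP alone cannot identify the workload; identity must be resolved per timestamp.
INVENTORY = [
    PodRecord("shop", "checkout-7f9b", "checkout-sa", {"app": "checkout", "tier": "web"},
              "10.0.1.5", 1_700_000_000, 1_700_000_600),
    PodRecord("batch", "report-3a1c", "report-sa", {"app": "report", "tier": "job"},
              "10.0.1.5", 1_700_000_700, None),
    PodRecord("shop", "payments-c0de", "payments-sa", {"app": "payments", "tier": "api"},
              "10.0.2.9", 1_700_000_000, None),
]


def pod_at(ip: str, ts: int, inventory=INVENTORY) -> Optional[PodRecord]:
    """Return the pod that held `ip` at time `ts`, or None for non-pod endpoints."""
    for p in inventory:
        if p.ip == ip and p.start <= ts and (p.end is None or ts < p.end):
            return p
    return None


def identity(ip: str, ts: int) -> dict:
    """Workload identity for one endpoint; unknown addresses are reported as external."""
    p = pod_at(ip, ts)
    if p is None:
        return {"kind": "external", "address": ip}
    return {"kind": "pod", "namespace": p.namespace, "name": p.name,
            "service_account": p.service_account, "labels": dict(p.labels)}


def enrich(flow: dict) -> dict:
    """Attach source and destination workload identity to a raw 5-tuple flow."""
    out = dict(flow)
    out["src_workload"] = identity(flow["src_ip"], flow["ts"])
    out["dst_workload"] = identity(flow["dst_ip"], flow["ts"])
    return out


def filter_flows(flows, action=None):
    """Mimic the configurable log scope: all connections, only accepted, or only denied."""
    return [enrich(f) for f in flows if action is None or f["action"] == action]


def denied_by_workload(flows) -> dict:
    """Count denied flows per source workload (namespace/name, or the external address)."""
    counts = {}
    for f in filter_flows(flows, "deny"):
        src = f["src_workload"]
        key = f"{src['namespace']}/{src['name']}" if src["kind"] == "pod" else src["address"]
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed raw 5-tuple flow records as a node-level capture might emit them.
RAW_FLOWS = [
    {"ts": 1_700_000_100, "src_ip": "10.0.1.5", "dst_ip": "10.0.2.9",
     "src_port": 41000, "dst_port": 8443, "proto": "tcp", "action": "allow"},
    {"ts": 1_700_000_800, "src_ip": "10.0.1.5", "dst_ip": "10.0.2.9",
     "src_port": 41001, "dst_port": 8443, "proto": "tcp", "action": "deny"},
    {"ts": 1_700_000_850, "src_ip": "203.0.113.7", "dst_ip": "10.0.2.9",
     "src_port": 51515, "dst_port": 22, "proto": "tcp", "action": "deny"},
]

if __name__ == "__main__":
    for rec in filter_flows(RAW_FLOWS):
        print(rec)
    print(denied_by_workload(RAW_FLOWS))
```

The two flows from 10.0.1.5 resolve to different workloads (checkout, then the batch report job) because the lookup is keyed on the flow timestamp as well as the address; a report keyed on IP alone would have merged them. The same resolved identity is what lets an audit summary or a SIEM rule group denied traffic by namespace, pod or service account rather than by an address that no longer exists.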
AWS Security Groups and Kubernetes Policy Integration
Your Kubernetes pods may need to communicate with other resources in your AWS VPC, like RDS or AMIs.
AWS Security Groups are the standard approach to network security for AWS VPC resources, while Kubernetes Network Policy is the model for Kubernetes workloads.
When deploying Kubernetes on AWS, all Kubernetes pods have the same Security Groups as the host/node they are on (and vice-versa). Additionally, Kubernetes policy is not aware of non-Kubernetes workloads or security groups.
Tigera Secure CE provides you with more fine-grained policy control. All namespaces, service accounts and pods can be added to a list of Security Group IDs, enabling you to define which Security Groups are applied to which pods under an RBAC model.
This capability enables you to use Kubernetes Network Policy in conjunction with Security Groups to secure the entire application with a universal approach to security policy.
Integration with CloudWatch for Metrics and Audit Logs
Tigera Secure CE provides network visibility and compliance monitoring, and monitors the network for illegitimate traffic while identifying indicators of compromise (IoCs).
These incidents can optionally be forwarded to a security information and event management (SIEM) solution or a threat analytics platform for further analysis and enrichment by a security analyst.
Network Flow and Change Logs simplify troubleshooting and provide the data required for PCI, HIPAA, GDPR, and other compliance frameworks.
AWS Marketplace Integration
Tigera Secure CE is available through the AWS Marketplace and can be delivered under your existing commercial contract and master service agreement (MSA) if one exists between you and AWS. Order fulfillment and provisioning take only 10 minutes to complete.
See Tigera Secure CE in Action
Check out the demos of fine-grained access controls between Kubernetes pods and AWS VPC resources, and of monitoring of all network flow traffic in Kubernetes environments.