Container Security When You Cannot Trust the Network
Threats can come from the underlying network, from compromised infrastructure and workloads, and from internal and external attackers.
Tigera’s Zero Trust Security model does not trust services, the network, users, or any other resource in your environment. Tigera authenticates workloads via multiple sources of identity and then protects your application at multiple points of enforcement within the infrastructure.
Tigera’s Zero Trust Security model is a layered defense that augments your existing network. Minimal or no changes are required to your existing network architecture.
Cross-Cloud Compatible Container Firewall
Modern applications often connect between the data center and multiple cloud providers. When some components are running inside the data center and others with a cloud provider, a coarse-grained perimeter-based security approach is not sufficient to protect applications.
Tigera’s Zero Trust Security model supports hosts and VMs in the data center and multiple orchestrators, and it is cloud-provider agnostic. This abstraction enables uniform security policies that are portable across any environment in which you decide to run your workloads.
Encryption can be enabled for all traffic within and across environments. Traffic is encrypted at the application layer using mutual Transport Layer Security (mTLS) at the edge of the application and using IPsec between hosts at the infrastructure layer. Both layers of encryption are transparent to the application and require no code or configuration changes.
Container Network Security for Microservice Architectures
Modern application architectures have evolved from monoliths to microservices that are assembled and connected with API calls. What was once a simple and trusted procedural call within the application is now a web request traversing multiple segments of your network. These API requests can be intercepted or tampered with and significantly expand your attack surface if internal traffic is left trusted.
Tigera’s Zero Trust Security model authenticates the identity of each request based on multiple sources, including the L3 network identity and X.509 certificate-based cryptographic identity.
Tigera’s declarative, intent-based security policies can combine multiple criteria, including network attributes, application-layer attributes, and workload metadata.
These network security policies are enforced at multiple points including the host, container, and edge of the app. This approach provides Defense in Depth, protecting applications from compromised infrastructure.
Dynamic Runtime Security for Containers
Microservices are typically ephemeral workloads that run as needed, at the capacity needed, for a short duration. These dynamic applications generate massive churn on your network and enforcing runtime security for containers is not possible without rethinking the approach.
Tigera’s container security policies enable granular rules that are enforced dynamically at runtime based on authenticated workload identity and metadata. This approach enables your organization to deploy containers securely on modern infrastructure without compromising on your security or compliance controls.
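As an added example (constructed for this page, not Tigera’s own configuration), the following manifests show what label-based, identity-driven policy looks like in practice: a Kubernetes-native default deny for a namespace, followed by Calico policies that allow only the frontend workloads to reach the API workloads. The namespace name `shop`, the labels `app=frontend` and `app=api`, and port 8443 are assumptions; the rules reference workload labels rather than pod IPs, which is what lets them keep applying as pods are replaced.

```yaml
# Constructed example: label-based east-west policy for an assumed "shop" namespace.
---
# 1. Kubernetes-native default deny for every pod in the namespace (ingress and
#    egress). Anything not explicitly allowed by a later policy is dropped.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: shop
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
# 2. Calico NetworkPolicy: only pods labelled app=frontend may reach the
#    app=api pods, and only on TCP/8443. No IP addresses appear in the rule.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-api
  namespace: shop
spec:
  selector: app == 'api'
  types:
  - Ingress
  ingress:
  - action: Allow
    protocol: TCP
    source:
      selector: app == 'frontend'
    destination:
      ports:
      - 8443
---
# 3. Egress for the frontend: cluster DNS plus the API, nothing else.
#    The default deny above also blocks DNS, so it must be re-allowed explicitly.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: frontend-egress
  namespace: shop
spec:
  selector: app == 'frontend'
  types:
  - Egress
  egress:
  - action: Allow
    protocol: UDP
    destination:
      selector: k8s-app == 'kube-dns'
      namespaceSelector: kubernetes.io/metadata.name == 'kube-system'
      ports:
      - 53
  - action: Allow
    protocol: TCP
    destination:
      selector: app == 'api'
      ports:
      - 8443
```

A useful check after applying these is to exec into a pod that carries neither label and confirm it can reach neither the API pods nor cluster DNS: with the default deny in place, every allowed flow has to be traceable to a rule that names a workload identity.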
Multilayer Security Policy
Enterprise Calico Policy provides a unified and intuitive policy model aligned with Kubernetes’ native and established NetworkPolicy.
The solution provides a single location for multi-layer enforcement of network and web application security policies. Multi-layer enforcement increases operational efficiency by reducing the need to write and manage separate policies for each layer. In addition, Enterprise Calico Policy provides tiering and web application visibility capabilities beyond Open Source Calico Policy. Tiering enables enterprise teams to work on policy concurrently. Web application security insight helps meet security and compliance requirements.
The intuitive graphical interface also enables easy implementation, management, and troubleshooting of both application and network policy. Audit logs of the unified policy provide insight into authorized and unauthorized changes.
North-South Access Controls
DNS Policies enable fine-grained access controls between individual Kubernetes pods and third-party APIs, SaaS platforms, and resources outside the cluster – on-prem and in the cloud.
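As an added example (constructed for this page, not Tigera’s own configuration) of combining tiering with a DNS policy, the manifests below create a `security` tier that is evaluated before the default tier and put a single egress policy in it: the assumed `app=payments` workloads may reach one named external API over HTTPS, in-cluster traffic is passed down to the namespace policies, and all other egress is logged and denied. The tier name, label, and the domain `api.payment-provider.example` are placeholders.

```yaml
# Constructed example: a tiered north-south egress policy keyed on a DNS name.
---
apiVersion: projectcalico.org/v3
kind: Tier
metadata:
  name: security
spec:
  order: 100          # lower order = evaluated before the default tier
---
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: security.payments-egress   # policies in a tier carry the tier name as prefix
spec:
  tier: security
  order: 10
  selector: app == 'payments'
  types:
  - Egress
  egress:
  # DNS policy is built from observed DNS answers, so the workload must be
  # allowed to reach the cluster DNS service or the domain rule never matches.
  - action: Allow
    protocol: UDP
    destination:
      selector: k8s-app == 'kube-dns'
      namespaceSelector: kubernetes.io/metadata.name == 'kube-system'
      ports:
      - 53
  # HTTPS only to the named external API; the addresses behind the name are
  # learned from DNS responses, so no IP list has to be maintained here.
  - action: Allow
    protocol: TCP
    destination:
      domains:
      - api.payment-provider.example   # placeholder domain
      ports:
      - 443
  # In-cluster destinations are handed down to the namespace policies in the
  # default tier rather than decided here.
  - action: Pass
    destination:
      selector: all()
  # Everything else leaving the cluster is logged, then denied.
  - action: Log
  - action: Deny
```

Because the tier is evaluated first, a namespace-level `Allow` in the default tier cannot reopen egress that this policy denies; only traffic that reaches the `Pass` rule is subject to the lower tier. That ordering is what lets a security team own the outbound controls while application teams manage their own namespace policies concurrently.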