Tigera Tightens Cloud Native Container Security
Tigera claims you can catnap about your container security with its new cloud native application protection platform (CNAPP) for its Calico Cloud. If the name sounds familiar, there’s a reason. Gartner defined CNAPP as an emerging category of security programs. Its point is to secure cloud native applications from development to production. Tigera is far from the only company working on this approach. What Tigera brings to this clowder of napping cats is zero trust.
According to Gartner, “There is synergy in combining Cloud Workload Protection Platform (CWPP) and Cloud Security Posture Management (CSPM) capabilities, and multiple vendors are pursuing this strategy. The combination will create a new category of Cloud Native Application Protection (CNAPs) that scan workloads and configurations in development and protect workloads and configurations at runtime.” Specifically, CNAPPs bundle up multiple security functions such as container scanning; Infrastructure as Code (IaC) scanning; and cloud runtime workload protection.
Can’t Trust Anything
To this Tigera’s zero trust drops the traditional security concept of your systems having a “perimeter” and replaces it with the idea that you can’t trust anyone or anything. So, instead, authentication is handled on a per request basis. Every action is either authorized or restricted, and the default is everything is restricted. This drastically reduces your cloud native program’s attack surface.
To this basic concept, Tigera has added machine learning (ML) to combat runtime security risks from known and zero-day threats. This enables continuous compliance, prioritizing and mitigating the risks from vulnerabilities and attacks through security policy changes.
This all works in concert with Tigera’s Calico Cloud. Besides providing network services to OpenStack and Kubernetes, Calico has already added network security protections in a software-as-a-service (SaaS) model.
Here’s what Tigera is now offering with its pairing of CNAPP and Calico Cloud.
Build-Time Security with Image Assurance:
Calico Cloud introduces a new scanning engine to continuously assess images for vulnerabilities and misconfigurations. It also provides a real-time view of the images running in Kubernetes clusters and their potential risks.
Active security during the build and deploy time with an admission controller, which can automatically block the deployment of pods that contain high-severity vulnerabilities.
Improves Configuration Management for Images, Workloads, and Kubernetes:
Calico Cloud continuously monitors images, workloads, and Kubernetes infrastructure against common configuration security standards using CIS Benchmarks and provides a detailed assessment report. Application and infrastructure owners can integrate these reports into their CI/CD pipeline or incident response workflows for active mitigation.
Zero-Trust Principles to Cloud Native Applications:
Calico Cloud uses the principle of zero-trust to reduce the attack surface by enabling zero-trust workload access controls, identity-aware microsegmentation, and integration with firewalls and security information and event management (SIEM) tools.
Calico Cloud adds known and zero-day runtime threat defense
Comprehensive Runtime Threat Defense for Containerized Workloads:
Calico Cloud has built-in probes that collect workload activity data across network traffic, file systems, processes, syscalls, binaries, and more. The threat defense engine compares data from these probes, in near real-time, with known malicious attacks. It uses machine learning to create a behavioral baseline of the workload, and Tigera’s own curated ruleset based on historical attacks, to provide a comprehensive threat defense solution against zero-day threats. It also offers workload-level intrusion detection and prevention, deep packet inspection (DPI), distributed denial-of-service (DDoS) attack prevention and application-level protection with a web application firewall (WAF).
Improves Observability with Dynamic Service and Threat Graph:
Calico Cloud’s Dynamic Service and Threat Graph provides live visualization of communication between services, namespaces, and workloads enabling faster troubleshooting. Security gaps and vulnerabilities are shown along with performance issues and communication breakdown between microservices. It’s easy to drill down into the visualization to perform troubleshooting and significantly reduce the time and steps it takes to pinpoint and troubleshoot container or connectivity issues.
Integrated Security Policy Engine Mitigates Risks from Exposure:
Calico Cloud is built on Calico Open Source, the industry’s most widely used technology for container networking and security. With its integrated policy engine, Calico mitigates the risk from exposure by deploying corrective security policies as code that can alert, pause, quarantine, or terminate pods.
Combination of Measures
“Never before has this level of security been offered through the full lifecycle of building, deploying, and running cloud native applications,” claimed Ratan Tipirneni, Tigera president and CEO. “It’s not about just finding the most vulnerabilities; it’s about reducing the broad attack surface with zero trust and actively mitigating risks with the combination of preventive measures, combining behavioral baselining and known threats knowledge to detect anomalous activity at runtime and the ability to mitigate risks in real-time.”
Does it offer the right kind of security for your cloud native setup? Only you can decide that but at a quick glance, it certainly looks worth checking out.