By 2025, Gartner estimates that over 95% of new digital workloads will be deployed on cloud-native platforms, up from 30% in 2021. This momentum of these workloads and solutions presents a significant opportunity for companies that can meet the challenges of the burgeoning industry.
As digitalization continues pushing applications and services to the cloud, many companies discover that traditional security, compliance, and observability approaches do not transfer directly to cloud-native architectures. This is the primary takeaway from Tigera’s recent The State of Cloud-Native Security report. As 75% of companies surveyed are focusing on cloud-native application development, it is imperative that leaders understand the differences, challenges, and opportunities of cloud-native environments to ensure they reap the efficiency, flexibility, and speed that these architectures offer.
The flexibility container workloads provide makes the traditional ‘castle and moat’ approach to security obsolete. Cloud-native architectures do not have a single vulnerable entry point but many potential attack vectors because of the increased attack surface. Sixty-seven percent of companies named security as the top challenge regarding the speed of deployment cycles. Further, 69% of companies identified container-level firewall capabilities, such as intrusion detection and prevention, web application firewall, protection from “Denial of Service” Continue reading
We’ve just released Calico v3.25! This milestone release includes a number of eBPF dataplane improvements designed to deliver an even faster upgrade experience, smaller memory footprint, and shorter eBPF networking object load time speed.
But before we get into the details of these changes, let’s welcome and thank our new community problem-solvers who got their first contribution requests merged into our beloved project.
Documentation is the most essential part of any project since that is the go-to place for everyone to get a better idea about the capabilities or deployment of that project. So let’s start by giving a big shout-out to @cavcrosby, @Congrool, @chenbojian, and @gopihc for their attention to detail and fixing issues in the project documentation.
Shoutout to @OrvilleQ and @masap for extending the exclusion list of interfaces to make the automatic interface selection of Calico even faster.
Shoutout to @gregwhorley, @dlipovetsky, @nickperry, and @tamcore for their updates to `tigera-operator` that will make the installation and maintenance experience of Calico even better.
Shoutout to @ramanujadasu for enhancing the logic behind the unicast IP address hashing.
Shoutout to @chrisjohnson00 and @vitaliy-leschenko for enhancing the Calico windows installer and adding Continue reading
Cloud computing and the use of cloud native architectures enable unparalleled performance, flexibility, and velocity. The speed of innovation has driven significant advancements across industries, but as digitalization continues pushing applications and services to the cloud, bad actors’ intrusion techniques have also become more sophisticated. The burgeoning threat landscape is top of mind for enterprise and midmarket business and security leaders, and should lead their decision-making—from the right solutions to implement, to the right partners to engage.
Economic conditions tightening and macroeconomic forces will continue introducing challenges in the coming year, but businesses that sustainably provide value to their customers and make security a foundational aspect of their organization will thrive.
Here are some trends I anticipate for 2023:
While the last few years were dominated by early adopters who thrive in the technical playgrounds of emerging technologies, 2023 will see the ‘early majority’ of mainstream users begin adopting cloud-native architectures as the market reaches an inflection point. This inflection is driven by the accelerating accessibility and usability of the tools and technologies available, as the early majority prioritizes platforms that work easily over those with advanced functions that they likely won’t use.
The rise of fintech has pushed traditional financial institutions to provide online-based services and launch fintech applications. But these services must be secure and meet certain regulatory requirements, such as the Payment Card Industry Data Security Standard (PCI DSS), the General Data Protection Regulation (GDPR), or SOC 2.
When our customer, Mulligan Funding, needed to launch a new fintech SaaS platform, they had to ensure that all communication to and from the application would be secure and SOC 2 compliant, since the platform would handle sensitive personal and financial data. To achieve this, Mulligan Funding decided to standardize on Microsoft Azure Kubernetes Service (AKS) and chose Calico Cloud for its security and compliance needs.
Mulligan Funding faced two major challenges when it came to achieving SOC 2 compliance:
Read the case study to learn:
Read Continue reading
Containers are a great way to package applications, with minimal libraries required. It guarantees that you will have the same deployment experience, regardless of where the containers are deployed. Container orchestration software pushes this further by preparing the necessary foundation to create containers at scale.
Linux and Windows support containerized applications and can participate in a container orchestration solution. There is an incredible number of guides and how-to articles on Linux containers and container orchestration, but these resources get scarce when it comes to Windows, which can discourage companies from running Windows workloads.
This blog post will examine how to set up a Windows-based Kubernetes environment to run Windows workloads and secure them using Calico Open Source. By the end of this post, you will see how simple it is to apply your current Kubernetes skills and knowledge to rule a hybrid environment.
A container is similar to a lightweight packaging technique. Each container packages an application in an isolated environment that shares its kernel with the underlying host, making it bound by the limits of the host operating system. These days, everyone is familiar with Linux containers, a popular way to run Linux-based binary files in an Continue reading
Microservices are loosely coupled software that provides flexibility and scalability to a cloud environment. However, securing this open architecture from vulnerabilities and malicious actors can be challenging without a service mesh.
This blog post will demonstrate how you can create an Istio and Calico integration to establish a service mesh that will manipulate HTTP traffic in the application layer. This Istio-Calico integration provides a unified way to write security policies interacting with applications and implement restrictions without disturbing the entire system.
A service mesh is a software layer that sits between the microservices that form your workload. After deploying and enabling a service mesh system for your workloads, an injector will add a sidecar container to each. These sidecars then collect and manipulate information via the rules you provide, allowing you to secure your cluster on an application level without requiring any change inside your software.
Without a service mesh, to ensure communication integrity and confidentiality between workloads, you must modify each to embed encryption methods. On top of that, gathering insight into the events that are happening in the application layer will require modifying the workload application itself, which all requires a good amount of Continue reading
Tigera provides the industry’s only active Cloud-Native Application Security Platform (CNAPP) for containers and Kubernetes. Available as a fully managed SaaS (Calico Cloud) or a self-managed service (Calico Enterprise), the platform prevents, detects, troubleshoots, and automatically mitigates exposure risks of security issues in build, deploy, and runtime stages across multi-cluster, multi-cloud, and hybrid deployments.
We are very excited to unveil Calico Enterprise 3.15 and its new capabilities that will further reduce your applications’ attack surface and improve threat detection capabilities. Read this blog to learn about some of the biggest highlights of this latest release.
US federal agencies require that any software they use be compliant with the Federal Information Processing Standard (140-2), also known as FIPS 140-2. FIPS 140-2 specifies security requirements that are satisfied by a cryptographic module of applications and environments. With the release of Calico Enterprise 3.15, you can now configure Calico Enterprise to run in a FIPS 140-2 level 1 compliant mode to pass compliance requirements when serving US federal regulatory agencies.
When installing Calico Enterprise, you now have the option to install the platform in FIPS-compliant mode. This will ensure that the Calico components that are Continue reading
There’s no better way to learn something than to get hands-on. Tigera is excited to present its brand new (and completely free!) self-paced workshops for containers and Kubernetes. Each workshop comes with your own provisioned sample application (Hipstershop) and Calico Cloud lab environment for a limited time.
The first self-paced workshop we’ve launched is on compliance for containers and Kubernetes. Let’s take a closer look at why you should enroll in our compliance workshop and what you’ll gain.
From the Payment Card Industry Data Security Standard (PCI DSS) to the Health Insurance Portability and Accountability Act (HIPAA) to the General Data Protection Regulation (GDPR), most industries must meet certain compliance requirements when it comes to handling personal data. This could mean implementing resource access control, isolating workloads with sensitive data, or enforcing more advanced security controls such as logging all customer confidential data transactions. No matter what sort of controls you need to implement, the compliance auditor will require proof of compliance, such as what security controls are currently in place, whether control changes can be detected, and if compliance can be verified on demand. The ephemeral nature of Kubernetes can make it Continue reading
Tigera is delighted to present the annual CalicoCon + Cloud-Native Security Summit on December 7th, 2022, 9:45 a.m. – 4:00 p.m. PT. This is your chance to network with top cloud-native platform, security, DevOps, and site reliability engineer (SRE) teams, and explore real-world use cases with major players in the cloud-native industry.
Live, free, and fully virtual, the Summit gathers industry experts to explore the best practices for securing, observing, and troubleshooting cloud-native applications through real-world stories.
The Summit is curated for security, DevOps, SRE, and platform architect teams in the cloud-native world.
From panels to workshops to fireside chats, the Summit offers a variety of interactive sessions. Here’s a quick peek at some of our speakers and sessions:
Kubernetes has come of age with more organizations adopting a microservices architecture at scale. But scale brings a whole slew of new challenges, especially with Kubernetes, which is designed to operate as a single cluster. However, the usage of Kubernetes, especially at leading-edge organizations operating at scale, has crossed the single-cluster threshold. Organizations are building and deploying services across multiple clusters for high availability, disaster recovery, application isolation, compliance, latency concerns, staged migration, and multi-tenancy reasons.
Regardless of the reasons to deploy multiple clusters, platform and application teams must address networking, security, and observability issues related to microservices deployed across multi-clusters, sometimes spanning hybrid and multi-cloud environments.
Calico, the most widely adopted container networking and security solution (according to a recently published container adoption report by Datadog), provides an operationally simple solution to solve the networking, security, and observability challenges of running multi-cluster Kubernetes environments.
In simple terms, creating a multi-cluster Kubernetes environment requires stitching multiple Kubernetes clusters together to provide a common set of services. To create a single logical environment spanning multiple clusters, the key requirements are:
As innovations in the world of application development and data computation grow every year, the “attack surface” of these technologies grows as well. The attack surface has to be understood from two sides—from the attacker’s side and from the organization being attacked. For the attacker, they benefit from the entry point into a system, either through the ever-growing perimeter of public-facing applications or the people managing these applications, because the probability of finding a weakness to enter from these entry points is higher. For the organization, managing the attack surface requires investing in more security tools and personnel. This can cascade into bigger security issues, which is why addressing the attack surface is essential.
The MITRE adversarial tactics, techniques, and common knowledge (ATT&CK) framework can help us understand how this large attack surface can be exploited by an adversary and how they strategize an attack. In this two-part blog, I will cover the new ATT&CK matrix for containers and how Calico provides mitigation solutions for each tactic in the matrix. In this blog, we will explore the first four tactics, which mostly deal with reconnaissance. In the second part, we will discuss the techniques and mitigation strategies once an attacker Continue reading
Container environments are highly dynamic and require continuous monitoring, observability, and security. Since container security is a continuous practice, it should be fully integrated into the entire development and deployment cycle. Implementing security as an integral part of this cycle allows you to mitigate risk and reduce the number of vulnerabilities across the dynamic and complex attack surface containers present.
Let’s take a look at three best practices for ensuring containers remain secure during build, deployment, and runtime.
Securing containers during the build and deployment stages is all about vulnerability management. It’s important to continuously scan for vulnerabilities and misconfigurations in software before deployment, and block deployments that fail to meet security requirements. Assess container and registry image vulnerabilities by scanning first- and third-party images for vulnerabilities and misconfigurations, and using a tool that scans multiple registries to identify vulnerabilities from databases such as NVD. You also need to continuously monitor images, workloads, and infrastructure against common configuration security standards (e.g. CIS Benchmarks). This enables you to meet internal and external compliance standards, and also quickly detect and remediate misconfigurations in your environment, thereby eliminating potential attack vectors.
Containerized workloads require a Continue reading
Cloud-native applications offer a lot of flexibility and scalability, but to leverage these advantages, we must create and deploy a suitable environment that will enable cloud-native applications to work their magic.
Managed services, self-managed services, and bare metal are three primary categories of Kubernetes deployment in a cloud environment. Our focus in this article will be on Amazon Web Service’s (AWS) managed Kubernetes service, Elastic Kubernetes Service (EKS), and capabilities that Calico Open Source adds to the EKS platform.
A managed cluster is a quick and easy way to deploy an enterprise-grade Kubernetes cluster. In a managed cluster, mundane operations such as provisioning new nodes, upgrading the OS/Kubernetes, and scaling resources are transferred to the cloud provider, which allows you to expand your application with ease.
EKS is a managed service by AWS that offers a fault-tolerant Kubernetes control plane endpoint and automates worker node maintenance and deployment process.
Most popular managed services, such as EKS, come with an official CNI that offers networking and other features for your cluster. While these CNIs are highly integrated with the underlying system, they can introduce some limitations. To remedy these limitations and unlock the Continue reading
Architecturally speaking, cloud-native applications are broken down into smaller components that are highly dynamic, distributed, and ephemeral. Because each of these components is communicating with other components inside or outside the cluster, this architecture introduces new attack vectors that are difficult to protect against using a traditional perimeter-based approach. A prudent way to secure cloud-native applications is to find a way to reduce the number of attack vectors, and this is where the principles of zero trust come into play.
With today’s multi-cloud and hybrid-cloud environments, networks are no longer restricted to a clear perimeter with clearly defined borders to defend—and cyber criminals are taking advantage of this fact by tricking users and systems into providing unauthorized access. While a lot of zero trust is focused on limiting access from users and devices, organizations are now also recognizing that in the world of distributed cloud-native applications, workloads themselves are communicating with each other and the same principles of zero trust need to be extended to cloud-native applications.
Because traditional security methods such as network firewalls rely on fixed network addresses, they are insufficient to protect dynamic, distributed, and ephemeral cloud-native workloads, which do not have fixed network addresses. They simply Continue reading
Companies are increasingly adopting managed Kubernetes services, such as Microsoft Azure Kubernetes Service (AKS), to build container-based applications. Leveraging a managed Kubernetes service is a quick and easy way to deploy an enterprise-grade Kubernetes cluster, offload mundane operations such as provisioning new nodes, upgrading the OS/Kubernetes, and scaling resources according to business needs.
AKS also provides a fault-tolerant Kubernetes control plane endpoint and automates the worker node maintenance and deployment process. With regards to networking within the cluster, AKS provides an integrated CNI to address basic Kubernetes networking requirements, such as configuring network interfaces and providing connectivity between pods. However, the basic container networking in Microsoft AKS comes with a limited set of IP addresses. As businesses grow, so does application usage. Having a limited set of IPs can cause scale, availability, and manageability challenges for Microsoft AKS users.
In this blog post, I will discuss IP address exhaustion on Microsoft AKS and how Calico can solve this issue. I will also explore how Calico can address scalability challenges and provide resources that can quickstart your journey in using Calico to solve IP address exhaustion on AKS.
Earlier this year, Microsoft AKS introduced the ability to bring Continue reading
Tigera is back at KubeCon + CloudNativeCon NA 2022! We’re excited to be back in person and meet new and familiar faces—and we have a lot of exciting Calico updates to share with you.
KubeCon + CloudNativeCon is action-packed as usual, kicking off the week with co-located events. We will be onsite at two co-located events: eBPF Day and Cloud Native SecurityCon. At the main event, KubeCon + CloudNativeCon, we will have a booth that you can visit for cool swag and deep dives with our experts. We will also be teaming up with AWS to bring you a fun party that you won’t want to miss!
Interested in attending? Curious about the party? Want to win some prizes? Read this blog post to find out what we have in store for KubeCon + CloudNativeCon NA 2022.
eBPF Day is a vendor-neutral conference that explores the transformational technology that is eBPF, and its impact on the future of cloud native. This event is co-located with KubeCon + CloudNativeCon.
As a speaker at the event, our resident eBPF expert, Tomas Hruby, will demonstrate how to inspect and troubleshoot the eBPF mode of Calico Open Source during Continue reading
Productive, scalable, and cost-effective, cloud infrastructure empowers innovation and faster deliverables. It’s a no-brainer why organizations are migrating to the cloud and containerizing their applications. As businesses scale their cloud infrastructure, they cannot be bottlenecked by security concerns. One way to release these bottlenecks and free up resources is by using automation.
What if you could automate the deployment and integration of your container security services with your cluster’s environment?
In a joint blog post with AWS Marketplace, AWS Sr. Cloud Application Architect, Deepak Sihag, joins Tigera’s Technical Marketing Engineer, Joseph Yostos, to walk you through the process of activating, deploying, and configuring Calico Cloud in your AWS Control Tower environment. And of course, how to automate the process of connecting Calico Cloud to your EKS cluster.
Aside from showing you how you can fully leverage the preconfigured resources of AWS Control Tower, the solution walkthrough also highlights:
As the Continue reading
A couple of weeks ago, TIgera engineers released the new version of Calico, as part of a community effort to drive cloud security and networking even further. But before I begin diving into the details of this new release, I want to first spotlight a few of our community members who have merged their contributions to Calico Open Source for the first time.
Shout out to @agaffney for adding configurable labels and annotations to the tigera-operator deployment in Helm charts.
Shout out to @backjo for improving the Calico Windows installation script and adding support for IMDSv2 in AWS EC2 data retrieval.
Shout out to @EugenMayer for pointing out an improvement for the calicoctl binary in a Helm chart installation and @lou-lan for making it happen.
Shout out to @joskuijpers for informing the community about the outdated ipset package in the calico-node ARM64 image and @ScOut3R for updating it.
Shout out to @juanfresia for contributing changes to enable Calico to run without programming the route table, useful when integrating with other routing mechanisms.
Shout out to @muff1nman, who added Wireguard traffic to the Calico failsafe ports, allowing us to confidently apply network security policies without worrying about accidentally cutting off Continue reading
As enterprises adopt containers, microservices, and Kubernetes for cloud-native applications, vulnerability management is crucial to improve the security posture of containerized workloads throughout build, deploy, and runtime. Securing your build artifacts and deployment pipeline, especially when it comes to images, is extremely important. By following best practices for image building and scanning throughout the application development and deployment process, you can help ensure the security of the containers and workloads in your environment.
Let’s look at some of the nuances of choosing a base image, hardening your container image, and container image scanning, including tips on choosing an appropriate scanning solution and tackling privacy concerns.
It’s important to choose a base image that reduces the attack surface of your container. I recommend using a distroless or scratch image because they contain only the application and its runtime dependencies. Both types of images improve your security posture by reducing the attack surface and exposure to vulnerabilities.
If for some reason you can’t use a distroless or scratch image, choose a minimal distro. Modern immutable Linux distributions, such as Bottlerocket and Flatcar Container Linux, can be used as base images for containers, as can minimal versions Continue reading
Summer is almost over but we are bringing the heat back with the official release of Tigera’s new container security features. With this official launch, Calico leads the industry by offering a complete line of solutions across every stage of a cloud-native application CI/CD pipeline. From a new and improved approach to scanning container images for vulnerabilities to strengthening runtime security with improved performance, we’ve significantly improved and enhanced our Image Assurance and Runtime Threat Defense features for this exciting new phase of our Calico Cloud offering. Let’s take a look at the new container security features of this release.
Scanning container images for vulnerabilities is a critical first step in stopping malicious software from being deployed. As business demands grow, development teams are pushed to churn out updates and new features faster. As a result, DevOps teams require assistance to help them quickly identify vulnerabilities in the registries where the container images are pulled from. Calico Cloud is now offering a CLI-based scanner for on-demand scanning, where customers can locally scan for vulnerabilities in their build stage. A lightweight downloadable binary is all it takes to perform these scans and integrate the process into Continue reading