Tigera today announced the addition of a scanning engine to its Calico Cloud service that will continuously assess images for vulnerabilities and misconfigurations in addition to managing interactions among microservices running on Kubernetes clusters.
Amit Gupta, vice president of business development and product management for Tigera, says the scanning engine employs machine learning algorithms to identify and remediate both known and unknown threats. In effect, Calico Cloud is now also a cloud-native application protection platform (CNAPP).
CNAPP describes a range of cloud platforms that aggregate security services and make them easier to consume. Calico Cloud is a software-as-a-service (SaaS) platform based on the open source Calico network virtualization project. It automatically deploys Calico—along with additional capabilities developed by Tigera—that can, for example, both monitor a Kubernetes environment and enforce security policies that limit communication between specific microservices on a Kubernetes cluster. A dynamic service and threat graph provides live visualizations of communication between services, namespaces and workloads to enable faster troubleshooting by highlighting security gaps, vulnerabilities and performance issues.
Calico also includes an admission controller to automatically block deployment of Kubernetes pods that contain high-severity vulnerabilities. It also continuously monitors images, workloads and Kubernetes infrastructure and compares them against common configuration security standards to provide detailed assessments. Those reports can then be integrated into a continuous integration/continuous delivery (CI/CD) pipeline to further adoption of DevSecOps workflows, says Gupta.
Other capabilities include built-in probes that collect workload activity data across, for example, network traffic, file system, processes, system calls and binaries. The threat defense engine compares data from these probes in near-real-time against known malicious attacks. Machine learning algorithms then create a behavioral baseline of the workload that is additionally informed by a curated ruleset Tigera created based on historical attacks.
Finally, Calico Cloud offers workload-level intrusion detection and prevention, deep packet inspection (DPI), distributed denial-of-service (DDoS) attack prevention and application-level protection with a web application firewall (WAF) that can be integrated with security information and event management (SIEM) platforms.
Collectively, those capabilities make it possible for IT organizations to leverage a platform infused with machine learning algorithms to create a zero-trust environment that can span a fleet of Kubernetes clusters, says Gupta. As modern IT environments based on cloud-native technologies become more complex, Gupta noted machine learning algorithms and other forms of artificial intelligence (AI) are becoming increasingly necessary to achieve that zero-trust goal. Those algorithms don’t replace the need for IT professionals as much as they augment the small cadre of IT professionals who have the expertise required to manage and secure a Kubernetes environment.
It’s not clear yet whether developers, IT operations teams or cybersecurity professionals are assuming primary responsibility for securing cloud-native environments. It’s increasingly becoming a team endeavor as responsibility for application security continues to shift toward application developers. The challenge, of course, is finding a way to achieve that goal that doesn’t adversely impact the rate at which cloud-native applications are being built and deployed.