Tigera Integrates Calico Cloud for Amazon EKS with AWS Control Tower
Tigera has integrated its Calico Cloud networking and security platform with the governance management framework that Amazon Web Services (AWS) makes available to IT teams that have multiple accounts that need to be administered.
Dhiraj Sehgal, director of product marketing for Tigera, says the goal is to make it simpler for those IT teams to use the AWS Control Tower service to provision Calico Cloud alongside other services running on the Amazon Elastic Kubernetes Service (EKS).
As part of that effort, Tigera is also adding an egress gateway capability that gives IT teams control over how access to specific namespaces in EKS is granted to external services.
Sehgal says all the security and network policies an organization defines using AWS Control Tower will now automatically populate in Calico Cloud, an open source software-as-a-service (SaaS) platform based on Calico that enables IT teams to monitor and secure network services across Kubernetes clusters. The goal is to reduce the friction IT teams might otherwise experience when employing an AWS Control Tower service that is already widely used to govern cloud services, notes Sehgal.
Once installed, IT teams can enforce security policies that limit which microservices running on a Kubernetes cluster can communicate with one another. In the event of a security breach, Calico Cloud will also prevent malware from moving laterally across an IT environment by limiting the communication between microservices and enforcing microsegmentation policies across the network.
Calico Cloud also encrypts data in transit, provides intrusion detection capabilities and employs machine learning algorithms to both detect anomalies and generate policy recommendations that can be easily applied. Monitoring capabilities, meanwhile, are enabled via Project Calico’s Dynamic Service Graph that observes both microservices behavior and interactions at runtime to automatically identify performance hotspots. Using an automated packet capture function, software engineers can drill down and identify the source of a problem at the application, process and socket levels.
Interest in microsegmentation, and observability in general, is rising in part because IT teams are being required to embrace a zero-trust approach to securing IT environments. The challenge IT teams face is that the number of individuals with experience securing Kubernetes environments is far smaller than the number of IT professionals with Kubernetes management experience at all. Tigera is betting that a SaaS platform that makes it simpler to enforce security policies will appeal to organizations that often rely on a small team of IT professionals to manage all aspects of a Kubernetes environment.
Regardless of the approach, it’s now only a matter of time before more cyberattacks are aimed specifically at Kubernetes clusters as they are deployed more widely in production environments. The challenge, of course, is that cybercriminals have a lot more time to study Kubernetes vulnerabilities and exploit them than internal IT teams typically have to determine how to remediate them. As such, the ability to apply and enforce security policies across fleets of Kubernetes clusters is critical.