Security#

As cloud-native architectures become the standard, the complexity of securing dynamic and distributed systems grows. Enter Cilium, leveraging eBPF to offer a comprehensive security suite designed to address the unique challenges of Kubernetes security, from network layer protections to runtime enforcement and forensic capabilities.

Maintaining a secure network is vital for preventing unauthorized access, protecting sensitive data, and ensuring the resilience of production applications. Meanwhile, runtime security is essential for safeguarding the execution of container workloads, making sure that they run in a controlled and secure environment. Cilium tackles these challenges head-on, offering cloud-native solutions that bolster network security through features like advanced micro-segmentation and robust threat detection, while also ensuring runtime security by providing real-time monitoring and threat prevention, all of which is crucial for achieving a secure and reliable Kubernetes environment.


Explore the SecOps journey on the map!#

Network Security#

Cilium implements robust network security: IPsec and WireGuard encryption for data in transit, granular control through L3/L4/L7 network policies, DNS-aware and mutual-authentication rules, and traffic visibility.

Network Policies
Beyond traditional IP-based policies, Cilium enforces network policy at Layers 3, 4, and 7, so ingress and egress traffic can be controlled by application behavior rather than by address alone. Policies can also match DNS names and require mutual authentication between endpoints, giving Kubernetes deployments finer-grained security without sacrificing flexibility.
Identity-aware Micro-Segmentation
By leveraging eBPF, Cilium provides fine-grained micro-segmentation, isolating workloads at the pod level based on their identity rather than their IP address. This segmentation is critical for enforcing least-privilege access within Kubernetes clusters: it significantly reduces the attack surface while giving platform teams flexible security monitoring and enforcement.
Network Encryption
Cilium simplifies Kubernetes security with IPsec and WireGuard encryption for pod-to-pod and node-to-node communication, so all traffic remains protected in transit without application changes or additional proxies. This strengthens the overall security posture of your Kubernetes environment and offers an efficient way to implement, and demonstrate compliance with, the encryption-in-transit controls of regulatory standards such as HIPAA, SOC2, and NIST.
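As an added example (not taken from the Cilium documentation or project), the following CiliumNetworkPolicy combines the capabilities listed above in one policy: identity-based L3 selection, an L4 port restriction, an L7 HTTP rule, mutual authentication, and DNS-aware egress. The namespace, labels, port numbers and hostname are assumed values chosen for illustration.

```yaml
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: checkout-policy        # assumed name
  namespace: shop              # assumed namespace
spec:
  # L3: select the workload by label (identity), not by IP address
  endpointSelector:
    matchLabels:
      app: checkout
  ingress:
  # Only pods carrying the app=gateway identity may connect
  - fromEndpoints:
    - matchLabels:
        app: gateway
    # Mutual authentication: the peer identity must be cryptographically verified
    authentication:
      mode: "required"
    # L4: only TCP/8080; L7: only HTTP GET requests under /api/
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      rules:
        http:
        - method: "GET"
          path: "/api/.*"
  egress:
  # Allow DNS lookups to kube-dns and have Cilium inspect them;
  # this is what lets the toFQDNs rule below be enforced
  - toEndpoints:
    - matchLabels:
        "k8s:io.kubernetes.pod.namespace": kube-system
        "k8s:k8s-app": kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: ANY
      rules:
        dns:
        - matchPattern: "*"
  # DNS-aware egress: HTTPS only to this (assumed) hostname
  - toFQDNs:
    - matchName: "payments.example.com"
    toPorts:
    - ports:
      - port: "443"
        protocol: TCP
```

Because this policy selects the checkout pods with both ingress and egress sections, every other connection to or from those pods is denied by default once it is applied.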

Network Security Resources#

Cilium User Story: How Capital One used eBPF and Cilium to build a secure, maintainable PaaS

Runtime Security#

Tetragon provides eBPF-based security observability and runtime enforcement. Filter directly in the kernel for low CPU and memory utilization, parse L7 events (HTTP, TLS, DNS, and more), and enable robust forensic analysis to identify and address security incidents effectively.

Execution Monitoring
Tetragon's eBPF sensor provides in-depth execution monitoring, coupled with Kubernetes context awareness. This allows for the observation of the entire lifecycle of processes down to the binary, enabling early real-time detection of malicious activity. Go a step further and correlate runtime executions with network traffic to understand what binaries launch the observed egress/ingress traffic across your environment.
Runtime Enforcement
Runtime security is not just about monitoring: Tetragon can actively enforce security policies and block malicious processes in real time. Because policies are implemented in the kernel through eBPF, enforcement is reliable and high-performance, without the overhead typical of other security tools.
File Integrity Monitoring (FIM)
Tetragon extends Cilium's runtime security capabilities by monitoring file access and modification, a crucial component of runtime security. Real-time visibility into file system changes helps detect and respond to unauthorized modifications that may indicate a breach.

Runtime Security Resources#