Container use continues to grow, and Kubernetes is the most widely adopted container orchestration system, managing nearly half of all container deployments. Nearly every enterprise on the planet is at some stage in their Kubernetes journey. Kubernetes’ greatest value in the enterprise is achieved when it becomes an integrated component within the existing IT environment. Successful integration of Kubernetes and container services within the enterprise depends heavily on access to external resources such as databases, cloud services, third-party application programming interfaces (APIs), and other applications. All this egress activity must be controlled for security and compliance reasons.
The Challenge: Kubernetes Requires a Different Approach to Access Control
Traditional IP-based access control doesn’t work in Kubernetes, where workloads are ephemeral, typically stateless, and use short-term IP addresses. Kubernetes workloads make heavy use of the network and generate a lot of east/west traffic. Firewalls don’t have the context required to understand Kubernetes traffic (namespace, pod, labels, container id, etc.). If you are deploying a conventional firewall within your Kubernetes architecture, you will lose all visibility into this traffic. This makes it impossible to troubleshoot networking issues, perform forensic analysis, or report on security controls for compliance.
While the Tigera Calico Enterprise security management interface provides customized control within the Kubernetes environment, using Calico Enterprise security in isolation from existing enterprise network security leaves organizations with disparate policy-enforcement approaches that introduce unwanted complexity. Maintaining two separate network security systems also hinders visibility into routing and connectivity within and between Kubernetes clusters. This complicates the process of troubleshooting issues that span Kubernetes and external environments.
Visibility into Kubernetes Infrastructure is Essential
Lack of visibility also has compliance implications. Like any on-premises or cloud-based networked services, Kubernetes production containers must address both organizational and regulatory security requirements. If compliance teams can’t trace the history of incidents across the entire infrastructure, they can’t adequately satisfy their audit requirements.
To enable the successful transition of Kubernetes pilot projects to enterprise-wide application rollouts, companies must be able to extend their existing enterprise security architecture into the Kubernetes environment. In response, Fortinet and Tigera jointly developed a suite of Calico Enterprise solutions for the Fortinet Security Fabric that deliver both north-south and east-west visibility, as well as compliance enablement and advanced threat-intelligence capabilities for Kubernetes clusters. Fortinet customers can extend their network security architecture to their Kubernetes environments to protect their Kubernetes-based infrastructure.
The Tigera and Fortinet joint solution supports all cloud-based and on-premises Kubernetes environments. With this architecture, Calico Enterprise will map security policies from FortiManager into each Kubernetes cluster in the cloud or on-premises. The joint solution enables Fortinet customers to enforce network security policies for traffic into and out of the Kubernetes cluster (North/South traffic) as well as traffic between pods within the cluster (East/West traffic).
Learn more in the Fortinet and Tigera webinar on June 17: Extending Your FortiGate Next-Gen Firewall to Kubernetes.
Key Fortinet and Tigera Integrations
Fortinet and Tigera have jointly developed four integrations that help ensure consistent visibility, control, security, and compliance:
3. FortiGuard Threat Feed integration enriches the Calico Enterprise threat database with global real-time threat intelligence from FortiGuard Labs. Calico Enterprise users gain broader protection from malicious traffic at the source in the Kubernetes cluster. For FortiGuard subscribers, this integration ensures that the most robust protection will cover their Kubernetes environment as well, at no additional cost.
How Do These Integrations Benefit Fortinet and Tigera Customers?
Fortinet Dynamic Cloud Security solutions integrated with Tigera Calico Enterprise bring Kubernetes deployments into the Fortinet Security Fabric. Organizations migrating to Kubernetes architectures maintain their security posture and ensure the successful adoption of the Kubernetes platform throughout the enterprise. This results in a collaborative security culture that ensures that security success is jointly owned by Platform, Security, Compliance, Networking and DevOps teams.
On an operational level, integration between Fortinet and Tigera technologies provides the comprehensive insight needed to speed up troubleshooting and reduce mean time to resolution. These integrated technologies also reduce operational complexity, which lowers staff and training costs and minimizes configuration errors that can add significant attack risk to the organization. Security architects can also show proof of the reduced risk in a timely fashion to comply with corporate and regulatory data protection rules.
To learn more, please join Fortinet and Tigera for our June 17 webinar: Extending Your FortiGate Next-Gen Firewall to Kubernetes.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2023 Fortinet, Inc. All Rights Reserved.