
Top 5 Runtime Security Risks for Financial Services (And How to Solve Them on Kubernetes)

Jeremy Colvin


In the financial sector, the stakes couldn’t be higher. High-frequency trading platforms, payment systems, and customer-facing apps process enormous amounts of sensitive data.

Financial services teams operate at this intersection of high-stakes security and rapid innovation. With cyber threats constantly evolving and regulations becoming more stringent, runtime security is no longer an afterthought—it’s a core part of business continuity. 

The nature of financial services infrastructure spans on-prem data centers, private clouds, and dynamic multi-cloud environments, adding complexity to the security equation. Then add in strict regulations like PCI-DSS and the upcoming DORA regulations, and it’s clear why runtime security is a non-negotiable priority for any financial CISO.

So, what are the top runtime security pain points for financial services? And how can Tetragon and Cilium help you not only address these challenges, but turn them into competitive advantages?

Isovalent offers a full stack for container and multicloud networking, which includes CNI, an ingress controller, and service mesh, as well as Hubble and Tetragon for runtime security and observability.

— Andrew Green, Analyst, GigaOm


Is Your Security Strategy Audit-Ready?

For serious breaches of the data protection principles, we have the power to issue fines of up to £17.5 million or 4% of your annual worldwide turnover, whichever is higher.

ICO, UK

Financial services comply with strict regulations—PCI-DSS, GDPR, CCPA, NIST, PSD2, DORA, and more—that mandate real-time auditing, airtight security controls, and detailed logs.

Implementing compliance in a dynamic, containerized environment is daunting, especially when handling sensitive payment data and personal information. A lack of transparency can result in costly fines and loss of customer trust.

For financial services, the need for compliance extends beyond simple box-checking. In an industry where a breach could mean millions in fines and damage to customer relationships, ensuring every process is compliant and auditable—down to file modifications and process executions—is critical. Real-time monitoring and policy enforcement across both legacy and modern containerized infrastructure is a must.

Audit-Ready Compliance with Real-Time Visibility

Security and platform teams need the flexibility to see and act on any process or file interaction. Tetragon, the flexible Kubernetes-aware observability and runtime enforcement tool, shines when it comes to real-time policy enforcement and audit-ready process tracing using lightweight eBPF programs.

Tetragon enforces strict access policies with Kubernetes identity awareness, so every event carries the context of which pod, namespace, label, or identity performed which action. For file monitoring, Tetragon’s in-kernel policies offer a stronger guarantee that only authorized processes can access or modify critical files. This granular control aligns with compliance frameworks, giving your security team the clear audit trail they need without slowing down operations.
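An added example of the kind of in-kernel file policy described above (it is not code from the original post): a Tetragon TracingPolicy that attaches only to pods with an assumed `app: payment-api` label, records every write-permission check under an assumed `/etc/payment/` directory, and kills any process other than an assumed `/usr/local/bin/key-rotate` binary that attempts such a write. Reads are left untouched so the audit trail stays complete without breaking the workload.

```yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicyNamespaced
metadata:
  name: payment-config-write-guard
  namespace: payments                  # assumed namespace
spec:
  # Kubernetes identity awareness: the hook is attached only to pods
  # carrying this (assumed) label, not to every process on the node.
  podSelector:
    matchLabels:
      app: payment-api
  kprobes:
  - call: "security_file_permission"   # LSM hook hit on every file read/write check
    syscall: false
    args:
    - index: 0
      type: "file"                     # struct file *, resolved to a path in the event
    - index: 1
      type: "int"                      # access mask: 0x04 = MAY_READ, 0x02 = MAY_WRITE
    selectors:
    - matchArgs:
      - index: 0
        operator: "Prefix"
        values:
        - "/etc/payment/"              # assumed directory holding keys and config
      - index: 1
        operator: "Equal"
        values:
        - "2"                          # MAY_WRITE only; reads are still allowed
      matchBinaries:
      - operator: "NotIn"
        values:
        - "/usr/local/bin/key-rotate"  # assumed sole authorized writer
      matchActions:
      - action: Sigkill                # unauthorized writer is killed; the event is still emitted
```

Apply it with `kubectl apply -f` and watch the resulting events with `tetra getevents -o compact`; each event carries the pod, namespace, binary, and path, which is the audit record compliance reviewers ask for.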

At the heart of your platform, the network, Cilium’s eBPF-based observability offers unparalleled insight into L3/L4 and L7 network traffic across Kubernetes clusters. Get a deep view into all network communications—so if there’s an attempt to violate compliance, like an unauthorized data transfer across borders, you’ll know about it in real time. Cilium’s network visibility and control are the foundation for auditing data privacy regulations in complex, multi-cloud environments.

Explore deeper in the following PCI-DSS case study with Schuberg Philis, or download the blueprint for Kubernetes compliance.

We needed a very quick networking solution that would form the backbone of our entire multi-cloud architecture. We chose Cilium as it supports Network Policies at Layer 3/4/7 and is cloud agnostic and easy to deploy anywhere.

Adelina Simion, Technology Evangelist – FORM3

Achieving PCI-DSS Compliance With Isovalent, Cilium, and Zero Trust

With the help of Isovalent and Cilium, Schuberg Philis were able to migrate successfully (from on-prem to cloud infrastructure) and maintain a strong focus on PCI-DSS, zero-trust, and multi-tenancy.

Read the PCI-DSS compliance case study

Mastering Cilium for Kubernetes Compliance

The Cilium + Tetragon white paper from Isovalent and ControlPlane, solving NIST-800 and other compliance frameworks in cloud-native environments.

Download the Cilium compliance white paper

Can You Tie Together Network and Process Activity?

Visibility is everything. In multi-cloud and hybrid environments, it’s easy for blind spots to develop—whether at the network, process, or file system level.

Financial services often operate in highly fragmented infrastructures, making it difficult to monitor everything in real time. Missing even one unauthorized process or misconfiguration could open the door to a breach.

The ability to track and monitor who accessed what, when, and where is the foundation for good security practices. Real-time, end-to-end observability is the building block for security and platform teams to truly control their infrastructure.

In a world where fractions of a second become increasingly important, you need monitoring that’s both comprehensive and resource efficient.

Deep Visibility into Network and System Activity

Cilium’s network observability goes beyond traditional packet monitoring. It provides a full view of application-level traffic, enabling you to see exactly how microservices, containers, and Kubernetes pods communicate. By tracing the most prevalent application protocols, you get actionable insights into network behavior, helping you detect anomalies that might signal a bottleneck, breach, or misconfiguration.

Do you know who accessed the API endpoint of a given service? Cilium has the answer. IP addresses are no longer the golden data point; instead, identity-aware insights are critical for maintaining unified security and smooth zero-trust operations across a multi-cloud environment.

Cilium removes bottlenecks, improves traffic throughput, and ultimately improves end user experience, regardless of whether that user is an external customer logging into a fintech platform or an internal developer building the future of FinOps. 

Tetragon provides deep system-level visibility, capturing critical events like process executions, file accesses, and network traffic. eBPF programs extract telemetry from within the Linux kernel, tying metadata from Kubernetes (pod, namespace, cluster, labels, etc.) to kernel information (UID, username, etc.).

With Tetragon, you can map out entire process execution trees, providing clear answers to questions like “Who accessed this sensitive file and why?” or “What binary launched this network connection, and what processes did it execute before?”

Tetragon works on any Linux machine, so teams use it to look across different types of environments (multi-cloud, on-prem) and workloads (containers, VMs, bare metal, etc.). This builds a consistent and repeatable level of deep visibility into your infrastructure.

Cilium and Isovalent helped our team to build a scalable Kubernetes platform which meets our demanding requirements to run mission-critical banking software in production!

— Thomas Gosteli, Linux Systems Specialist

How to guide for host-based Kubernetes visibility

Learn how Tetragon’s lightweight eBPF sensor captures K8s telemetry down to the binary, tying process to network data with no application changes.

Read more about host based visibility

How to Protect Data Across Hybrid Cloud Environments?

Today’s infrastructures are spread across on-prem, private clouds, and multiple public cloud providers. This fragmented approach introduces complexity, especially when it comes to maintaining consistent security policies, visibility, and control. Applying end-to-end security and data sovereignty across hybrid and multi-cloud environments is a challenge financial organizations are always preparing for.

Financial institutions have to guarantee data sovereignty, even when operating in diverse environments. Compliance frameworks require strict controls over where data is processed and stored and over who can access what. Maintaining these controls consistently across multiple infrastructures, whether private or public, is a monumental task.

Unified Security & Resilience Across Every Cloud, Every Cluster

Apply security policies consistently across your hybrid or multi-cloud environment. Security policies can be applied across Kubernetes namespaces, clusters, or even entire Linux infrastructures, with end-to-end coverage. This eliminates the risk of the same policy working in one cloud environment but failing in another. This uniform policy layer also brings additional resilience to your applications, with less overhead to get the right policies built, tested, and deployed.

Cilium’s identity-based security policies bring consistent network security and resilience across environments. By encrypting and securing network traffic across different infrastructures, Cilium minimizes the risk of data breaches as information moves between environments. This streamlines compliance management, simplifies security audits, and accelerates the deployment of new workloads, all while ensuring critical financial data remains secure.
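An added example of an identity-based Cilium policy of the kind described above (not code from the original post); all workload labels, namespaces, ports and paths are assumed. It pins a payment API to one calling identity and two HTTP routes, allows DNS only to kube-dns, and allows egress only to an in-cluster database, so any other flow, including one leaving the cluster, is dropped and shows up in Hubble as a policy verdict.

```yaml
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: payment-api-lockdown
  namespace: payments                  # assumed namespace
spec:
  endpointSelector:
    matchLabels:
      app: payment-api                 # assumed workload label
  ingress:
  # Only the checkout identity (matched on labels, not IP) may call the API,
  # and only these routes; every other request is dropped at L7.
  - fromEndpoints:
    - matchLabels:
        app: checkout
        io.kubernetes.pod.namespace: checkout
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      rules:
        http:
        - method: "GET"
          path: "/api/v1/accounts/.*"
        - method: "POST"
          path: "/api/v1/transfers"
  egress:
  # DNS to kube-dns only, with every queried name visible in Hubble.
  - toEndpoints:
    - matchLabels:
        k8s:io.kubernetes.pod.namespace: kube-system
        k8s:k8s-app: kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: ANY
      rules:
        dns:
        - matchPattern: "*"
  # The ledger database stays in-cluster; with no rule for "world",
  # any attempt to send data outside the cluster is denied by default.
  - toEndpoints:
    - matchLabels:
        app: ledger-db                 # assumed database label
    toPorts:
    - ports:
      - port: "5432"
        protocol: TCP
```

Because the policy selects the endpoint with both an ingress and an egress section, Cilium switches that endpoint to default-deny in both directions; `hubble observe --verdict DROPPED` then lists exactly the flows that violated it.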

Isovalent’s Cilium Enterprise has an extensive feature set, ranking high on a variety of key criteria, including secure traffic and segmentation, observability, troubleshooting and diagnostics, declarative and intent-based networking (IBN), and service-to-service connectivity.

— Andrew Green, Analyst, GigaOm

Isovalent Named Leader In GigaOm Radar Report For Cloud Networking

Isovalent is an outperformer and leader, having expanded its initial container networking scope to multi- and hybrid- cloud use cases.

Read the full GigaOm Cloud Networking Report

How to Detect Threats and Build Real-Time Responses?

System Intrusion has overtaken Miscellaneous Errors and Basic Web Application Attacks as the primary threat in Financial and Insurance this year, indicating a shift toward more complex attacks.

Verizon, 2024 DBIR Report

With sensitive data constantly moving around, it’s easy to understand why advanced persistent threats, zero-day exploits, and lateral movement attacks are just some of the evolving risks financial institutions face. Threat detection in a containerized environment is complex—malicious actors can move laterally, escalate privileges, and go undetected without the right visibility into runtime processes.

In this context, it’s also important to mention the undercurrent of reputational risk that comes with a breach. A breach isn’t just a temporary setback; it can lead to regulatory penalties and erode customer trust. Teams need the tools to detect and neutralize threats in real time, before they inflict real harm.

Uncover Hidden Threats with Full-Stack Observability

Tetragon detects suspicious behaviors at the kernel level, blocking unauthorized actions like privilege escalations or unauthorized process executions in real time. For instance, if there’s an unauthorized attempt to use kubectl exec to access a Kubernetes pod, Tetragon can block the action instantly, preventing system compromise. The ability to reliably enforce security policies in the Linux kernel at runtime, based on detected threats, enables a faster response to emerging security risks.

When a new zero-day appears, speed of detection and risk reduction are paramount. Tetragon allows teams to quickly write and deploy eBPF policies that protect against emerging CVEs. When the XZ Utils CVE was discovered, Isovalent helped customers write and deploy policies in a matter of hours, not days.

The best part? eBPF programs are dynamic, so no downtime or restart is needed to cover your entire Linux environment!

Cilium monitors socket-level events and enforces identity-aware network policies based on workload identities. Truly take control of your network flows with transparent encryption, while detecting lateral movement and other network-based attacks.

eBPF & Tetragon: Tools for detecting the XZ Utils CVE-2024-3094 Exploit

Leveraging eBPF gives security teams a near-zero-overhead framework for detecting vulnerable versions of XZ Utils from within the kernel, with policies built and deployed in minutes.

See the XZ Utils policy

Where Does Security (Performance) Become a Catalyst for the Business?

Ultimately, performance is king in financial services. Whether it’s processing high-frequency trades or managing large-scale payment platforms, low-latency operations are essential. Any lag, slowdown, or inefficiency in your security measures could directly impact your bottom line.

The last thing you want is for security tooling to slow down these mission-critical applications. Balancing robust security with operational efficiency is no easy feat.

Security Built For Mission-Critical Systems

Tetragon’s eBPF programs are extremely performant compared to similar security and observability tools that over-rely on kernel modules or user-space application logic. Tetragon consumes less than 2% CPU overhead, making it an ideal solution for resource-intensive, real-time applications.

Cilium’s eBPF-powered networking provides security without slowing down network performance. Its lightweight, identity-based network policies are enforced at the kernel level, ensuring that even high-throughput, low-latency applications, like those found in financial services, remain fast, responsive, and secure. Built for enterprise scale, Cilium allows you to scale security seamlessly across large, distributed environments, bringing improvements to day-to-day operations.


Tracing every process at <2% overhead!

Dive into Tetragon's low performance overhead for core use cases: tracking process executions, high-volume file monitoring, and network TCP_CRR.

Read more about Tetragon benchmarks

Top 20 Cilium Use Cases

Cilium is a powerful solution for networking, observability, and security. Thanks to its flexibility and extensive feature set, it is used across a wide range of use cases by security, platform, and ops teams.

Explore the top 20 Cilium use cases

Learn More

Security and platform teams face a unique set of runtime security challenges, where compliance, performance, and innovation must coexist. Cilium and Tetragon offer scalable, efficient solutions to these challenges in Kubernetes and beyond.

By delivering deep visibility, real-time threat detection, and efficient policy enforcement, the Isovalent platform keeps your infrastructure secure, compliant, and competitive in an increasingly regulated world.

Interested in meeting with the creators of eBPF, Cilium, and Tetragon? Reach out to us directly to see the platform in action or message us on Slack.

Now available, download the new solution brief “How to Build a Secure Financial Services Platform”, including a case study on PostFinance.
