The cloud has accelerated the scalability and availability of infrastructure in incredible ways, and as operators it’s often our goal (or perhaps our burden!) to get the best out of these environments. Cloud providers make deploying Kubernetes clusters easier than ever with services such as EKS (Amazon Elastic Kubernetes Service) and AKS (Azure Kubernetes Service), where the Kubernetes control plane is managed and scaled by the hyperscaler. As these environments scale, so does our need for control and consistency, both essential to maintaining performance and security at enterprise levels.
This post walks you through why organizations choose the Isovalent platform as the unified data plane across their cloud-native security, networking, and observability. We address common cloud pain points: out-of-the-box visibility, the cost of collecting, storing, and acting on events, and building consistency across multi-cloud environments.
With this shift in how underlying infrastructure is managed, the complexity of managing network security, visibility, and observability at a granular level has only intensified as workloads scale. For security and platform engineering teams, the challenge lies in seeing past surface-level metrics, detecting threats at the process layer, and securing traffic without a heavy performance or operational cost.
Below, we look at how Isovalent Enterprise’s runtime security, powered by Tetragon and built on eBPF, delivers the depth of observability and control essential for complex, dynamic cloud environments. We explore unique capabilities for process-to-network correlation, protocol decoding, and lightweight data capture of security events—helping you control the security and visibility gaps in cloud-native deployments.
New: Isovalent + AWS solution brief!
High-performance observability with minimal overhead. Whether tracking recycled IPs or scaling ENI-backed Kubernetes clusters, Tetragon optimizes resource usage without sacrificing visibility.
Get the AWS brief
New: Isovalent + Azure solution brief!
Unlock deep visibility into your Azure environments. Decode network protocols like DNS, TCP, UDP, HTTP, and TLS while mapping them to process-level data.
Get the Azure AKS brief
What are the security and visibility challenges of cloud workloads?
Traditional cloud visibility tools struggle to capture and correlate the right granular activity in Kubernetes environments, particularly when it comes to understanding deep context down to the binary behind each event.
Dynamic scaling and ephemeral IPs
Hyperscalers make it easy to scale (hence the name…) containers and VMs up or down, but this dynamism leads to frequent IP changes and short-lived instances. In traditional environments, IPs are static and serve as a reliable identifier; in the cloud, they’re constantly changing, creating blind spots in traditional monitoring solutions.
For instance, in a payment processing application, a container handling sensitive data may release its IP when scaling down, only for that same IP to be reassigned to an unrelated service moments later. This recycling disrupts threat detection and auditing, since a flow log that records only addresses and ports can no longer say which process or container was responsible for a given network event.
Tetragon addresses this by shifting focus from IP addresses to process-level tracking tied to identity metadata about the workload (pod name, labels, cluster, etc.), meaning that each network event is tied directly to the originating container and process, regardless of IP reassignment. This deeper layer of visibility enables security teams to reliably trace activity even in highly dynamic environments, enhancing both security and compliance.
High costs of traditional monitoring
Cloud users often rely on multiple monitoring tools, each with high ingestion and storage fees. These solutions can be complex to manage and quickly escalate in cost when you attempt to capture the level of detail that security observability requires.
Capturing and storing packet-level data for every transaction in a high-volume environment can result in astronomical costs, especially with complex applications running hundreds of services. Imagine a financial institution where every transaction detail is monitored for compliance: the ingestion and storage costs of traditional monitoring tools can quickly exceed budgets. With Tetragon, data capture occurs selectively at the kernel level using eBPF, pushing the filtering logic to the point of collection and emitting only the events you need.
Lack of process-level visibility
Legacy monitoring tools focus mainly on network flows or application events, overlooking process-level insights. This gap means that if a specific process makes an unexpected network call, traditional tools lack the context to trace the origin or intent behind that action.
In a cloud environment with numerous microservices, understanding which process within a container initiates a suspicious connection can be critical for threat detection and response.
For example, if a rogue process starts communicating with an external IP, traditional tools might flag the network activity but won’t have the metadata to identify which container or process initiated it. Tetragon provides process-to-network correlation, connecting the suspicious connection directly to the specific process (and its binary, arguments, and pod) involved. This level of visibility helps security teams trace suspicious behavior to its source immediately, reducing investigation time and providing essential context for rapid threat containment.
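To make the correlation concrete, here is an added example (not Tetragon’s own code, and not from the original post) that reads a handful of Tetragon-style JSON events and attributes each tcp_connect to the binary and pod that issued it, then contrasts that with what an IP-only flow log could say about the same window. The event lines are constructed to approximate the shape of Tetragon’s JSON export (process_exec, process_exit, and a process_kprobe on tcp_connect with a sock argument); the pods, binaries, addresses, the 10.0.0.0/8 internal range, and the per-binary egress allowlist are all invented for the illustration. It also serves the recycled-IP scenario above: both connections share source IP 10.0.1.7, but exec_id, Tetragon’s per-execution key, keeps them apart.

```python
"""Tie Tetragon-style network events back to the process and pod that produced them.

Added example, not Tetragon's own code. The event lines below are constructed to
approximate the JSON that `tetra getevents -o json` emits; the pods, binaries and
IPs are invented. exec_id is Tetragon's unique per-execution key.
"""
import ipaddress
import json
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: one JSON event per line. Note that both pods use source IP 10.0.1.7.
SAMPLE_EVENTS = r"""
{"process_exec":{"process":{"exec_id":"c1","pid":1001,"binary":"/usr/bin/curl","arguments":"https://203.0.113.10/","pod":{"namespace":"payments","name":"checkout-7d9f","container":{"name":"checkout"}}}}}
{"process_kprobe":{"process":{"exec_id":"c1","pid":1001,"binary":"/usr/bin/curl","pod":{"namespace":"payments","name":"checkout-7d9f","container":{"name":"checkout"}}},"function_name":"tcp_connect","args":[{"sock_arg":{"family":"AF_INET","protocol":"IPPROTO_TCP","saddr":"10.0.1.7","daddr":"203.0.113.10","sport":41234,"dport":443}}]}}
{"process_exit":{"process":{"exec_id":"c1","pid":1001,"binary":"/usr/bin/curl"}}}
{"process_exec":{"process":{"exec_id":"c2","pid":2002,"binary":"/app/inventory-server","arguments":"--listen :8080","pod":{"namespace":"inventory","name":"inventory-5c8b","container":{"name":"server"}}}}}
{"process_kprobe":{"process":{"exec_id":"c2","pid":2002,"binary":"/app/inventory-server","pod":{"namespace":"inventory","name":"inventory-5c8b","container":{"name":"server"}}},"function_name":"tcp_connect","args":[{"sock_arg":{"family":"AF_INET","protocol":"IPPROTO_TCP","saddr":"10.0.1.7","daddr":"10.0.5.20","sport":51000,"dport":5432}}]}}
"""

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed cluster/VPC range for this example

# Assumed egress expectations: which destination ports each binary is allowed to open.
ALLOWED_EGRESS = {"/app/inventory-server": {5432}}


@dataclass(frozen=True)
class Connection:
    exec_id: str
    binary: str
    arguments: str
    pod: str      # "namespace/name", or "host" for a process outside Kubernetes
    saddr: str
    daddr: str
    dport: int


def parse_events(text):
    """One JSON object per line, as the exporter writes them."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def pod_key(proc):
    pod = proc.get("pod")
    return f"{pod['namespace']}/{pod['name']}" if pod else "host"


def correlate(events):
    """Join each tcp_connect event to the exec record of the process that issued it."""
    execs = {}
    conns = []
    for ev in events:
        if "process_exec" in ev:
            proc = ev["process_exec"]["process"]
            execs[proc["exec_id"]] = proc
        elif "process_kprobe" in ev and ev["process_kprobe"]["function_name"] == "tcp_connect":
            kp = ev["process_kprobe"]
            # Tetragon repeats process metadata on every event; the exec table adds the
            # exec-time command line and still works if an exporter trims the kprobe event.
            proc = execs.get(kp["process"]["exec_id"], kp["process"])
            sock = kp["args"][0]["sock_arg"]
            conns.append(Connection(proc["exec_id"], proc["binary"], proc.get("arguments", ""),
                                    pod_key(proc), sock["saddr"], sock["daddr"], sock["dport"]))
    return conns


def attribute_by_ip(conns):
    """What an IP-only flow log can tell you: every workload that used a source IP in the window."""
    owners = defaultdict(set)
    for c in conns:
        owners[c.saddr].add(c.pod)
    return {ip: sorted(pods) for ip, pods in owners.items()}


def unexpected_egress(conns, allowed=ALLOWED_EGRESS, internal=INTERNAL):
    """Flag connections from a binary to a port it has no allowance for, or to an
    address outside the internal range."""
    return [c for c in conns
            if c.dport not in allowed.get(c.binary, set())
            or ipaddress.ip_address(c.daddr) not in internal]


if __name__ == "__main__":
    conns = correlate(parse_events(SAMPLE_EVENTS))
    print("By source IP alone:", attribute_by_ip(conns))
    for c in unexpected_egress(conns):
        print(f"ALERT {c.pod} {c.binary} {c.arguments} (exec_id={c.exec_id}) -> {c.daddr}:{c.dport}")
```

Run against the sample, the IP view reports that 10.0.1.7 belonged to two different pods during the window, which is exactly the ambiguity the post describes, while the process view flags the curl execution in the payments pod and leaves the inventory server’s database connection alone.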
It is like mythbusters: the myth is that app teams can function independently in a Kubernetes world. The truth is that there needs to be an increased collaboration between both the application and the networking teams to run reliable, secure, and scalable apps in a multi-cloud environment. Myth, busted.
— Guru Ramamoorthy, Global Head of Infrastructure & Network Services at S&P Global
How-to guide for host-based Kubernetes visibility
Learn how Tetragon’s lightweight eBPF sensor captures K8s telemetry down to the binary, tying process to network data with no application changes.
Read more about host-based visibility
Why secure cloud workloads with Tetragon?
Isovalent Enterprise fills these gaps by leveraging eBPF, the high-performance kernel technology that captures, correlates, and filters data at the OS layer with minimal impact on application performance.
By tapping into the kernel, Tetragon provides real-time visibility, dynamic policy enforcement, and process-to-network context at low overhead. This allows teams to secure, observe, and control workloads in multi-cloud environments seamlessly, whether they’re containerized or traditional VMs.
In-kernel visibility and real-time process-to-network correlation
Tetragon’s eBPF-based technology lets security teams track network connections and link them directly to the processes that triggered them. This in-kernel visibility is crucial in dynamic environments, where containers and workloads are constantly changing. Unlike traditional tools that struggle to match this metadata, Tetragon delivers clear, real-time insight, enabling security teams to quickly identify and block suspicious activities.
For example, if a container attempts an unauthorized network connection, Tetragon knows the binary that launched the process, so a policy can restrict network activity conditionally on the binary that initiated it.
Dynamic policy application without downtime
One of the biggest challenges in cloud-native environments is keeping up with constantly evolving workloads and applying security policies without interrupting services. Tetragon solves this with dynamic policy application: new security policies can be enforced across workloads, clusters, and environments without any downtime. Whether you’re dealing with Kubernetes workloads or traditional VMs, Tetragon loads policies into the kernel in real time without restarting the target workload, giving you flexibility and control across hybrid and multi-cloud setups.
This zero-downtime policy enforcement is perfect for fast-moving cloud environments where security needs to be agile, always-on, and scalable. Imagine a new CVE is disclosed; you need to close the risk gap but can’t afford to bring down any of your backend. With Tetragon, a mitigating policy can be written and pushed out to hundreds of thousands of containers in a matter of minutes (and yes, this is a standard use case we see with customers to help mitigate risk while keeping production running). These policies are updated without any system downtime, protecting your backend while keeping your frontend up and running. One practical caveat: a mis-scoped enforcement action is applied just as instantly, so roll a new policy out in an observe-only form first, confirm the events it matches are the ones you intended, and only then enable the enforcing action.
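As an added example of the kind of policy described in the two passages above (the binary-conditional network restriction and the no-downtime rollout), here is a Tetragon TracingPolicy that terminates curl or wget in pods labelled app=checkout whenever they open a TCP connection outside 10.0.0.0/8. This is not from the original post or from the Tetragon project; the policy name, the binary list, the label, and the internal range are assumptions for the illustration.

```yaml
# Added example, not Tetragon's own policy. Binary paths, the label selector and the
# 10.0.0.0/8 range are assumptions; adjust them to your environment.
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "kill-downloader-egress-outside-cluster"
spec:
  # Scope the probe to one workload so the kernel hook only evaluates its processes.
  podSelector:
    matchLabels:
      app: checkout
  kprobes:
  - call: "tcp_connect"
    syscall: false
    args:
    - index: 0
      type: "sock"          # lets selectors match on source/destination address and port
    selectors:
    - matchBinaries:
      - operator: "In"
        values:
        - "/usr/bin/curl"
        - "/usr/bin/wget"
      matchArgs:
      - index: 0
        operator: "NotDAddr"  # any destination that is not inside the internal range
        values:
        - "10.0.0.0/8"
      matchActions:
      - action: Sigkill       # remove this line first to observe matches without enforcing
```

Apply it with `kubectl apply -f` like any other custom resource; the Tetragon agent attaches the probe and the selectors to the kernel on each node without restarting the pods it covers. Deleting the resource detaches it the same way. Roll it out without the `matchActions` block first, watch the resulting process_kprobe events with `tetra getevents`, and add the Sigkill action once the matched binaries and destinations are the ones you expect.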
Cost-effective, low-overhead observability
Traditional monitoring tools can create major overhead by capturing large volumes of events and pushing all of them to a user-space agent without any logic to decide whether they are security-significant, draining resources and ballooning costs because the security logic sits far from the point of collection.
Tetragon’s eBPF-based approach reduces this utilization problem by pushing policy logic as close to the point of collection as possible, offering extremely low-overhead observability. Tetragon observes the relevant kernel activity in place, but only emits the events that a policy marks as security-significant, drastically reducing cloud storage and monitoring costs. For teams operating in hyperscaled cloud environments, this means paying less for monitoring and gaining more actionable insights.
Below, see the low-overhead benchmark (less than 2% in most use cases) for Tetragon’s eBPF sensor. The benchmark highlights Tetragon’s ability to observe (Baseline + Tetragon) and log (with JSON export) extremely high volumes of process event data, with over 1.5M events observed while building the Linux kernel.
Unified visibility across Kubernetes and non-Kubernetes workloads
Whether your workloads run in Kubernetes, traditional VMs, or across a hybrid cloud environment, Tetragon gives you unified visibility. It consolidates security and observability data across different workloads, giving you a consistent view of your entire environment. With Tetragon, cloud-native security doesn’t just apply to containers—it extends to all Linux-based workloads, regardless of where they run.
With eBPF-driven insight and control, you can see everything happening across your environment in real time, helping you spot potential threats before they escalate or implement fleet-wide zero trust principles.
Advanced protocol decoding for deep visibility
Tetragon doesn’t stop at basic network visibility. It goes a step further by decoding protocols beyond the packet header, from the transport layer (TCP and UDP) up to application protocols such as DNS, HTTP, and TLS. This allows you to detect specific threats, such as unauthorized access attempts or suspicious traffic patterns, directly from the protocol layer. Tetragon then links these events back to specific containers or processes, providing the full context for security teams to respond quickly and effectively.
For example, Tetragon can alert on abnormal HTTP requests, show which container made them, and connect that to the process event, giving you a complete incident audit trail to act on.
Isovalent Enterprise for Tetragon: Deeper Host Network Observability with eBPF
We’ll walk you through example use cases such as bandwidth, latency, and DNS monitoring, from the host, from the pod, and also from the binaries running inside of the containers!
See the Tetragon network health dashboards
What use cases are driving outcomes on cloud providers?
These advantages from eBPF and Tetragon lead naturally to key use cases that improve daily operations and harden our infrastructure.
Faster incident response and threat detection
In the case of a security incident, Tetragon’s process-to-network correlation allows you to identify the exact container or process behind a suspicious network connection. Rather than relying on network flow data alone, which may only provide IP addresses and ports, Tetragon gives you full visibility into the processes involved. This is a game-changer for incident response, enabling teams to cut down on investigation time and respond faster to threats.
eBPF & Tetragon: Tools for Detecting the XZ Utils CVE-2024-3094 Exploit
See how Isovalent helped customers build and deploy policies for the XZ Utils zero-day, keeping production workloads up with the right compensating controls.
See how dynamic policy application works
Compliance and auditing
Whichever cloud provider you use, you often face strict compliance requirements that call for detailed logs of network and process activity to meet different global regulatory standards. Tetragon’s audit-ready logs make it simple to trace events back to their source. This is especially valuable in heavily regulated environments, where maintaining detailed records is an essential baseline for passing audits and demonstrating compliance.
Running PCI-DSS Certified Kubernetes Workloads in the Public Cloud
Compliance in the public cloud with Kubernetes can sound difficult and scary, but it doesn’t have to be. In this session Stephen and Marcel talk about their experiences running a PCI-DSS certified Kubernetes cluster in AWS, and share lessons learned to help you achieve the same.
Watch the KubeCon session
Multi-cloud consistency
For organizations operating in multi-cloud setups, maintaining consistent security and observability can be challenging.
Tetragon’s unified data plane ensures that visibility and control policies are standardized across AWS, Azure, and GCP, as well as Kubernetes distributions such as OpenShift, reducing complexity and eliminating the need for separate tools across different cloud providers. This helps you enforce the same security policies, monitor behavior consistently, and streamline operational efforts across clouds without context switching.
Avoiding cloud vendor lock-in with Kubernetes and Cilium – Form3
Form3 is building out a multi-cloud strategy. To avoid any cloud vendor lock-in, they chose Cilium with Kubernetes for multi-cloud deployments. See why this was the right choice to simplify daily operations and troubleshooting.
Read the Form3 case study
Practical, cost-effective security for production
Operating cloud workloads demands visibility that matches the dynamic, ephemeral nature of cloud-native infrastructure. Isovalent Enterprise, powered by Tetragon’s eBPF-based technology, provides a unified data plane that fills visibility gaps and enhances security without compromising on cost or performance.
From deep process-level insights and protocol decoding to cost-effective observability, Tetragon brings organizations the security and visibility needed to secure cloud-native infrastructure, with clarity into every process and network interaction to make your cloud backend a secure, manageable environment.
For a hands-on look at Tetragon in action, visit our Tetragon lab or see the top use cases with Isovalent Enterprise for network observability, policy enforcement, and runtime security in cloud environments.