Implementing Cilium for Compliance Use Cases: ControlPlane + Isovalent White Paper
See how Cilium, eBPF, and Tetragon address common Access Control, Audit, and Incident Response compliance controls.
Isovalent and ControlPlane have partnered to create the “Mastering Cilium for Kubernetes Compliance” white paper, which applies the full Cilium platform (Cilium, Hubble, and Tetragon) to modern compliance challenges. This technical guide walks security and platform teams through modernizing their compliance implementations with Cilium.
Cilium stands out as a CNCF-graduated project, and the first graduated CNI plugin, using eBPF for modernized networking, security, and observability. Learn to trace processes with Kubernetes identity awareness and implement fine-grained control in dynamic environments.
Addressing Kubernetes security complexities
The Full Cilium Platform for Compliance
Cilium, Hubble, and Tetragon make up the Cilium platform, bringing out the best of eBPF in the network layer and at runtime.
Framework-agnostic compliance solutions for Kubernetes
While rooted in NIST 800 controls, the white paper expands its relevance to a broad array of compliance frameworks, detailing how Cilium’s technological advancements map to compliance requirements across Access Control, Auditing and Accountability, and Incident Response.
Access control with Cilium & Tetragon
With full Kubernetes awareness, Cilium applies identity-aware, label-based policies to manage access, embodying the principles of least privilege and zero-trust security within dynamic Kubernetes environments. This approach restricts communication to the endpoints a workload actually needs, reducing the overall attack surface and enforcing compliance rules.
Cilium integrates with Kubernetes identities to ensure that only authenticated and authorized entities can access resources. This native identity-awareness gives Cilium a distinct advantage: it can restrict access to specific services based on the source workload’s identity rather than its IP address.
Cilium can control and audit where information travels within a system and between systems, and, together with Tetragon, restrict Kubernetes workloads to only the endpoints, binaries, open files and capabilities they need and nothing more.
The whitepaper prepares teams to answer compliance questions and prove attestation across frameworks:
- Are you using standardized roles that enforce least-privilege principles?
- How can you show that your workload has only the required network access?
- How easy is it to craft a new network policy that adheres to a least-privilege principle?
- Can you show that running containers are using minimal tooling/permissions?
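As an added illustration (not code from the white paper or the Cilium project), the following CiliumNetworkPolicy answers the "only the required network access" question for a hypothetical `checkout` workload in namespace `shop`: it may be reached only by `frontend`, and may only talk to `payments` and cluster DNS. All labels, namespaces and ports are assumed.

```yaml
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: checkout-least-privilege   # assumed name
  namespace: shop                  # assumed namespace
spec:
  # Identity-based selection: the policy follows the label, not the pod IP.
  endpointSelector:
    matchLabels:
      app: checkout
  # Once an endpoint is selected by an ingress rule, any ingress not listed
  # here is dropped (default deny). The same applies to egress below.
  ingress:
    - fromEndpoints:
        - matchLabels:
            app: frontend
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
  egress:
    # The only application dependency this workload needs.
    - toEndpoints:
        - matchLabels:
            app: payments
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
    # DNS to kube-dns, with L7 DNS visibility so Hubble records every lookup.
    - toEndpoints:
        - matchLabels:
            io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP
          rules:
            dns:
              - matchPattern: "*"
```

Verifying the posture afterwards is a matter of `hubble observe --namespace shop --verdict DROPPED`, which lists every flow the policy rejected along with the source and destination identities.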
Auditing and Accountability with Cilium & Tetragon
The platform provides detailed logging and event tracing capabilities. Tetragon extends these by offering visibility into runtime behaviour and system calls, enabling enforcement of runtime security policies and supporting work on anomaly detection and streamlined compliance reporting.
The whitepaper prepares teams to answer compliance questions and prove attestation across frameworks:
- What event data are we collecting?
- Are we able to dig deeper and follow linked chains of events?
- How can we send alerts and warnings based on specific events and cluster state?
- How can we visualise cluster events and generate reports?
- How can we protect audit information at the platform and application levels?
- How can I audit whether an attacker was leveraging a specific attack vector?
  - Network communication to a suspicious IP address or using an uncommon protocol
  - Execution of malicious binaries
  - Accessing sensitive container files
  - Leveraging container permissions
This deep visibility into runtime processes enables clear historical analysis and incident response through process ancestry mapping, as seen in the image above. Imagine your SOC team identifies a suspicious connection at 6pm. Which workload did it originate from? From which namespace in your sprawling Kubernetes deployment? Which exact binary was executed, and at what time? What was the destination address? With Tetragon, the full picture is easy to see and react to.
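As an added example (not the paper's or the Tetragon project's own policy), a Tetragon TracingPolicy that produces an event whenever any process in the cluster opens a credential file for access, so the "accessing sensitive container files" question above can be answered from Tetragon's process_kprobe events, which carry the pod, namespace, binary and parent ancestry. The monitored paths are constructed placeholders.

```yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy          # cluster-wide; TracingPolicyNamespaced scopes it to one namespace
metadata:
  name: sensitive-file-access   # assumed name
spec:
  kprobes:
    # security_file_permission runs on every read/write permission check,
    # so it sees access through any syscall, not only open(2).
    - call: "security_file_permission"
      syscall: false
      return: true
      args:
        - index: 0
          type: "file"   # struct file *, from which Tetragon resolves the path
        - index: 1
          type: "int"    # access mask (MAY_READ = 0x04, MAY_WRITE = 0x02)
      returnArg:
        index: 0
        type: "int"
      returnArgAction: "Post"   # emit the event with the kernel's verdict attached
      selectors:
        - matchArgs:
            - index: 0
              operator: "Prefix"
              values:          # constructed examples of files worth auditing
                - "/etc/shadow"
                - "/run/secrets/"
                - "/var/run/secrets/kubernetes.io/serviceaccount/"
          # Observability only: no matchActions, so nothing is blocked.
          # Adding "matchActions: [{action: Sigkill}]" would turn the same
          # selector into an enforcement rule once the baseline is known.
```

Each resulting event names the binary, its arguments, the pod and namespace, and the parent process, which is the ancestry chain the SOC walkthrough above relies on.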
Incident response with Cilium & Tetragon
Incident handling is required at every security control baseline level defined by NIST. Weaknesses in these technical controls, including inadequate network segmentation and a lack of centralized policy enforcement, are among the most common vulnerabilities and misconfigurations in production Kubernetes environments.
Swift and informed incident handling depends on data: Cilium’s integration with SIEM and observability tools such as Splunk, ELK, or Grafana enables rapid detection, analysis, and response to security incidents. This integrated approach combines network- and application-level data for thorough investigations and effective threat mitigation.
Networking logs and metrics from Cilium are supplemented by runtime and system data from Tetragon, covering use cases such as file access, file integrity monitoring, syscall activity logs, and alerting on privilege and capability escalation.
Get started
Achieving compliance is a constant challenge of implementation and attestation, and it demands tools and approaches that match the complexity of cloud-native technologies. The Cilium platform offers a powerful set of tools for security and platform teams to enforce compliance, improve security posture, and manage dynamic environments with confidence.
The “Mastering Cilium for Kubernetes Compliance” whitepaper is an invaluable resource, providing deep insights into leveraging Cilium for a wide range of compliance frameworks. Whether you’re a security professional, platform engineer, or part of a compliance team, this guide arms you with the knowledge and tools needed to navigate the compliance landscape successfully.