Back to blog

Implementing Cilium for Compliance Use Cases: ControlPlane + Isovalent Whitepaper

Jeremy Colvin
Jeremy Colvin
Published: Updated: Cilium
Implementing Cilium for Compliance Use Cases: ControlPlane + Isovalent Whitepaper

Get the White Paper

See how Cilium, eBPF, and Tetragon address common Access Control, Audit, and Incident Response compliance controls.

Read White Paper

Isovalent and ControlPlane have partnered to create the “Mastering Cilium for Kubernetes Compliance” white paper applying the full Cilium platform (Cilium, Hubble, and Tetragon) to modern compliance challenges. This technical guide serves as a walkthrough for security and platform teams to modernize their compliance implementations through Cilium. 

Cilium stands out as a CNCF-graduated project and the first graduated CNI plugin, with eBPF for modernized networking, security, and observability. Learn to trace processes with Kubernetes identity awareness and implement fine-grained control in dynamic environments.

Addressing Kubernetes Security Complexities

The Full Cilium Platform for Compliance
Cilium, Hubble, and Tetragon make up the Cilium platform, bringing out the best of eBPF in the network layer and at runtime. 

Framework-Agnostic Compliance Solutions for Kubernetes
While rooted in NIST 800 controls, the white paper expands its relevance to a broad array of compliance frameworks, detailing how Cilium’s technological advancements map to compliance requirements across Access Control, Auditing and Accountability, and Incident Response.

Access control with Cilium & Tetragon

With full Kubernetes awareness, Cilium applies identity aware label-based policies to manage access, embodying the principles of least privilege and zero-trust security within dynamic Kubernetes environments. This approach restricts communication to necessary endpoints, reducing the overall attack surface and enforcing compliance rules.

Cilium integrates with Kubernetes identities to ensure that only authenticated and authorized entities can access resources. This native identity- awareness gives Cilium a distinct advantage as it can restrict access to specific services based on the source workload’s identity.

Cilium is able to control and audit where information can travel within a system and between systems, and restrict Kubernetes workloads to communicate with only the endpoints, binaries, open files and capabilities they need and nothing more.

The whitepaper prepares teams to answer compliance questions and prove attestation across frameworks: 

  • Are you using standardized roles that enforce least- privilege principles?
  • How can you show that your workload has only the required network access?
  • How easy is it to craft a new network policy that adheres to a least- privilege principle?
  • Can you show that running containers are using minimal tooling/permissions?

Auditing and Accountability with Cilium & Tetragon

The platform provides detailed logging and event tracing capabilities. Tetragon further extends these capabilities by offering visibility into runtime behaviors and system calls, facilitating the enforcement of runtime security policies and supporting potential work around anomaly detection or streamlined compliance reporting.

The whitepaper prepares teams to answer compliance questions and prove attestation across frameworks: 

  • What event data are we collecting?
  • Are we able to dig deeper and follow linked chains of events?
  • How can we send alerts and warnings based on specific events and cluster state?
  • How can we visualise cluster events and generate reports?
  • How can we protect audit information at the platform and application levels?
  • How can I audit if an attacker was leveraging a specific attack vector?
    • Network communication to suspicious IP address or using un- common protocol
    • Execution of malicious binaries
    • Accessing sensitive container files
    • Leveraging container permissions

This deep visibility into runtime processes enables clear historical analysis and incident response through ancestry process mapping, as seen in the image above. Imagine your SOC team identifies a suspicious connection at 6pm. Which workload did it originate from? From which namespace in your sprawling Kubernetes deployment? Which exact binary was executed and at what time? What was the destination address for these processes? With Tetragon, the full picture is easy to see and react to.

Incident Response with Cilium & Tetragon

Incident handling is required for all levels of security control baseline as defined by NIST. These technical controls are among the most common vulnerabilities and misconfigurations within production Kubernetes environments, including inadequate network segmentation and a lack of centralized policy enforcement.

Highlighting the importance of swift and informed incident handling, Cilium’s seamless integration with SIEM and observability tools such as Splunk, ELK, or Grafana enables rapid detection, analysis, and response to security incidents. This integrated approach leverages network and application-level data for thorough investigations and effective threat mitigation.

Networking logs and metrics provided by Cilium are supplemented by the runtime and system data from Tetragon, covering use cases such as file access, file integrity monitoring, syscall activity logs, privilege and capability escalation alerting.

Download the Cilium Compliance Whitepaper!

Read the collaboration with Isovalent + ControlPlane, applying the Cilium platform to any compliance framework.

Download the whitepaper

Get Started

Achieving compliance is a constant challenge of implementation and attestation. Modern demands are around tools and approaches that match the complexity of cloud-native technologies. The Cilium platform offers a powerful set of tools for security and platform teams to enforce compliance, improve security posture, and manage dynamic environments with confidence.

The “Mastering Cilium for Kubernetes Compliance” whitepaper is an invaluable resource, providing deep insights into leveraging Cilium for a wide range of compliance frameworks. Whether you’re a security professional, platform engineer, or part of a compliance team, this guide arms you with the knowledge and tools needed to navigate the compliance landscape successfully.

Explore the related resources below to continue your learning journey or try the hands-on security labs.

Jeremy Colvin
AuthorJeremy ColvinSenior Technical Marketing Engineer


Mastering Cilium for Kubernetes Compliance

Read the Cilium white paper from Isovalent and ControlPlane, solving NIST and other compliance frameworks in cloud-native environments.  The executive summary below maps out the scope and importance of this white paper for technical audiences and leadership teams. This guide is framed around the NIST 800 controls as a way to dive into specific feature-to-control relationships, and is written to be applicable and foundational across any compliance framework. Download now and get a deep, technical understanding of the future of cloud-native compliance, regardless of which compliance framework you are looking to solve!

How to enable host-based Kubernetes visibility

Correlate process-to-network data. Learn how Tetragon’s lightweight eBPF sensor captures K8s telemetry down to the binary, tying process to network data with no application changes. Decode DNS, TLS, HTTP, UDP, TCP , and more while matching to process ancestry information, all with Kubernetes identity-aware metadata (labels, pod names, etc). Read the solution brief and get under the hood with Tetragon.

Discovery: SecOps Engineer

In this short hands-on discovery lab designed for SecOps Engineers, you will learn, in 15 minutes, several Cilium and Tetragon security features, including: Network Observability Network Policies Transparent Encryption Mutual Authentication Runtime Security Visibility and Enforcement with Tetragon and more!

Industry insights you won’t delete. Delivered to your inbox weekly.