As cloud environment evolve, efficient and effective workload security has been at the top of the list. At Cisco, we have integrated the Isovalent platform into our infrastructure to ensure our cloud workloads are protected without compromising on performance.
Table of Contents
Why Isovalent?
The Isovalent platform is based on the eBPF (extended Berkeley Packet Filter) technology that offers a very modern approach to securing cloud-native environments. Where traditional security solutions usually fail to keep up with the dynamic and scalable nature of containers, Isovalent’s zero-trust networking and lightweight, highly efficient network observability and security tools, all come tailor-made for Kubernetes environments.
Isovalent embeds security at the kernel level to provide identity-based security, network segmentation, and traffic visibility without the overhead that’s usually associated with legacy solutions. That means Cisco can better protect our workloads and scale with seamless network policy enforcement in our growing cloud infrastructure.
Achieving compliance
Regulatory compliance is one of the most critical aspects of our operation here at Cisco, even more so in high-security-demanding industries. Isovalent has been very instrumental in helping us achieve FedRAMP compliance by providing encryption and being fully FIPS-compliant. This ensures that all data in transit is encrypted, securing sensitive information at every layer.
Beyond encryption, Isovalent provides a platform with deep observability into network flows, which allows us to monitor, track, and enforce policies with a high degree of granularity. With the ability to audit traffic and detect anomalies, we ensure full compliancy with the strictest industry standards while maintaining complete control over our cloud environment.
Isovalent Enterprise for Cilium provides robust support for critical FedRAMP controls, making it a secure choice for federal customers. Two of the most significant controls that Cilium offers are:
1.SC-8(1) — Transmission confidentiality and integrity
- The Cilium agent leverages advanced Linux kernel technologies such as eBPF, IPsec, and the Linux Kernel Crypto API Cryptographic Module.
- Cilium functions similarly to a Service Mesh component by providing network security, observability, and policy enforcement capabilities, as outlined in the DoD’s Kubernetes reference design. This design enables secure and efficient communication between services within the Kubernetes environment.
- Unlike traditional Service Mesh solutions that rely on a sidecar model, Cilium’s eBPF integration allows it to interact directly with the Linux kernel’s TCP/IP layer.
- Cilium installs eBPF and XDP (eXpress Data Path) programs on each Kubernetes node, enabling seamless communication between pods on the same node via the loopback interface. This approach minimizes overhead, allowing for efficient packet processing that reduces latency and CPU usage, thereby improving performance and security.
2. SC-13 — Cryptographic protection
- Cilium utilizes the IPsec suite for transparent data-in-transit encryption, covering multiple protocols such as HTTP, TCP, UDP, and Multicast.
- Supports FIPS compliance, meeting FedRAMP High requirements in environments like Amazon GovCloud.
- Uses the FIPS-compliant AES-GCM encryption algorithm with key lengths of 128 to 256 bits.
- Leverages the NIST CMVP (Cryptographic Module Validation Program) for the applicable Linux distribution, such as Amazon Linux 2 Kernel Crypto API Cryptographic Module CMVP#4593.
With such capabilities, Isovalent Enterprise for Cilium enables federal agencies to secure their Kubernetes-based workloads under strict FedRAMP standards, further guaranteeing data confidentiality and integrity.
Conclusion
Integrating the Isovalent platform into Cisco’s cloud infrastructure has elevated our security capabilities to maintain compliance, protect our workloads, and scale with confidence. Its advanced, eBPF-based security solution has proved to be a must for safeguarding all our cloud-native operations while tending to the never-ending stream of industry regulations such as FedRAMP. With Isovalent, we’ve achieved the perfect balance between robust security and operational efficiency.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Security Social Channels
Instagram
Facebook
Twitter
LinkedIn
Share:
Leave a Reply