Security

For businesses at the forefront of cybersecurity and those for whom security is integral to their operations, the rise of cloud native applications presents immense opportunities and accompanying challenges. The dynamism of cloud native architectures, from microservices to containerization and distributed computing, demands a paradigm shift in securing these environments.

Traditional security approaches struggle to adapt to the ephemeral and dynamic nature of cloud native applications.

Cilium delivers robust cloud native security with features like transparent encryption, mutual authentication, security observability, advanced network polices, egress gateway, and runtime enforcement. Leveraging eBPF, Cilium offers efficient observability across the entire application stack, integrates seamlessly with SIEM systems, and ensures compliance with standards like FIPS, FedRAMP, and SOC. Cilium aligns security practices with the realities of building, maintaining, and scaling cloud native applications.

ebeedex security bee
The overall conclusion is that Cilium is a well-secured project. The audit found no critical vulnerabilities and found a lot of positives about the security of Cilium. This included both the code displaying positive security awareness as well as the maintainers having thorough understanding about the security posture of Cilium.
Adam Korczynski & David Korczynski — Security Researchers, Ada Logics

The Cilium project has undergone security and fuzzing audits by a reputable third-party company, Ada Logics, and the CNCF has commissioned the resulting reports.

Read The Blog Post

Secure Modern Applications with Cilium's Advanced Network Policies. Scale Policies with Identities, Not IPs

Modern distributed applications rely on containers to facilitate agility in deploying new versions of their application and to scale out on demand. Typical firewalls secure workloads by filtering source IP addresses and ports, but in Kubernetes and other cloud native platforms, IP addresses are ephemeral. Traditional firewalls are not cloud native aware and can't be programmed on the fly as applications scale out or new versions are deployed. Updating the firewall constantly to adapt to the constant changes becomes impossible at scale.

Cilium features network policies that operate at layers 3, 4, and 7, providing more flexibility in managing ingress and egress traffic. By leveraging eBPF, Cilium can insert security rules based on service/pods/container identity rather than an IP address for identification as in the traditional systems. Cilium makes applying security policies in a dynamic container environment scalable by decoupling security from IP addressing, providing stronger security isolation, and adding the following functionality to the Kubernetes cluster.

l3 - l7 policy illustration

Tetragon: eBPF-based Security Observability and Runtime Enforcement

tetragon image logo

Tetragon is a flexible Kubernetes-aware security observability and runtime enforcement tool that applies policy and filtering directly with eBPF, allowing for reduced observation overhead, tracking of any process, and real-time enforcement of policies.

  • Monitor Process Execution

    Observe the complete lifecycle of every process on your machine with Kubernetes context awareness

  • Runtime Security Policies

    Translate high level policies for file monitoring, network observability, container security, and more into low overhead eBPF programs

  • Real Time Enforcement

    Synchronous monitoring, filtering, and enforcement completely in the kernel with eBPF

Bolster Security, Streamline Infrastructure, Reduce Complexity Without Sacrificing Performance Using Cilium's Mutual Authentication

Organizations are increasingly looking to bolster their security posture in cloud native environments. Cilium's sidecar-free service mesh uses mutual authentication to optimize security and performance, ensuring that services authenticate each other's identities before communication occurs.

Cilium features network policies that operate at layers 3, 4, and 7, providing more flexibility in managing ingress and egress traffic. By leveraging eBPF, Cilium can insert security rules based on service/pods/container identity rather than an IP address for identification as in the traditional systems. Cilium makes applying security policies in a dynamic container environment scalable by decoupling security from IP addressing, providing stronger security isolation, and adding security functionality directly to the Kubernetes cluster.

Cilium's mutual TLS illustration

Better Understand Security Breaches and Recover Quickly with Cilium’s Forensics Capabilities

Critical workloads that run in a Kubernetes environment require cloud native-aware tooling to perform efficient incident investigations and monitor key compliance requirements. Cilium's forensic capabilities enable SecOps teams and App owners to conduct security analysis with a native understanding of cloud native identities. Cilium provides a deep understanding of network flows from L3/L4 up to L7 and runtime visibility from OS to code executions in the pod.

tetragon runtime enforcement illustration

Ease Integration with Traditional Firewall Systems Using Cilium's Static Egress Gateway

With Cilium's Static Egress Gateway, cloud native workloads can be presented from stable IP addresses, easing integration with traditional firewall systems. This approach ensures that firewall requirements remain consistent even as workloads scale, fostering a bridge between cloud native and conventional environments.

Cilium egress gateway illustration

Featured Talks

The Next Log4jshell? Preparing for CVEs with eBPF!

See how Tetragon can give full network and process-level visibility to detect and prevent Log4jshell and your next CVE

Tutorial: Getting Familiar with Security Observability Using eBPF &Cilium Tetragon

Better understand types of data and activity that should be monitored to prevent malicious events, and the ability to detect a container escape.

Mutual Authentication with Cilium

Cilium's Mutual Authentication provides authentication, confidentiality, and integrity for service-to-service communications.

Who's Using Cilium in The Security Industry?

  • Migrating to Cilium for Better Networking, Visibility and Security

    In the beginning, it was hard for our developers to write network policies because we were in our early Kubernetes adoption phase. Everyone had to learn a lot of stuff in Kubernetes and then also had to learn how to write network policies. Cilium helped reduce the mental overhead and helped speed up our development process so that we can bring new features to customers faster.

    Jan Jansen, Platform Engineer, G DATA

    Read The Case Study

Cilium's Security Focused Use Cases

Transparent Encryption

Elevate compliance and lower risk with Cilium transparent encryption. With just one switch, no application changes, service meshes, or additional proxies

Learn more

Network Policy

Maintain identity based policies effectively at scale with Cilium’s advanced network polices.

Learn more

Runtime Enforcement

Prevent unauthorized access to your traffic at runtime to stop attacks on the OS level, preventing malicious actions.

Learn more

Community

Join our Slack channelContribute on GitHubFollow us on TwitterWatch Echo Livestream