Summary: Tigera, the creator of Calico Enterprise and Calico Cloud, has added active cloud-native application security to Calico Cloud that protects applications all the way from build to deploy and runtime. We invited Utpal Bhatt, Chief Marketing Officer at Tigera, to learn more about Calico Cloud, a cloud-native application protection platform (CNAPP), and how it is helping organizations cope with the complexity of cloud-native applications.
“The traditional security tools that were developed for monolithic applications where you could contain the surface either to a single machine or a cluster of machines and you could draw a perimeter around the surface of the application, do not apply for cloud-native applications. Hence, it requires security and DevSecOps teams to rethink how they’re going to secure these next generation of cloud-native applications,” said Bhatt. “We’re very excited to announce active cloud-native application protection with Calico Cloud which protects applications all the way from build to deploy and runtime.”
Highlights of the show:
- Tigera announces active cloud-native application security that goes beyond detecting threats to limit exposure and mitigate risks in real time.
- Why it’s about time organizations start taking cloud-native security seriously.
About Utpal Bhatt: As Chief Marketing Officer for Tigera, Utpal is responsible for overall marketing strategy and execution. Utpal brings 20+ years of Marketing and Product Management leadership experience at high-growth start-ups and large companies.
About Tigera: Tigera empowers organizations to secure, observe, and troubleshoot containers, Kubernetes, and cloud. Its commercial products include Calico Enterprise, a self-managed security and observability platform, and Calico Cloud, a Kubernetes-native cloud service that extends the declarative nature of Kubernetes. Its open-source offering, Calico Open Source, is the most widely adopted container networking and security solution.
Here is the full unedited transcript of the show:
- Swapnil Bhartiya: Hi, this is your host Swapnil Bhartiya and welcome to TFiR: Let’s Talk. And today, we have with us once again from Tigera, Utpal Bhatt, chief marketing officer at Tigera. Utpal, it’s great to have you on the show.
Utpal Bhatt: Thanks for having me on the show Swapnil. Great to be here.
- Swapnil Bhartiya: Yeah, I mean, it’s a new year. It’s almost February, so I want to get some, what’s new with Calico Cloud. So just give us a quick update.
Utpal Bhatt: We’re very excited to announce active cloud native application protection with Calico Cloud. Calico Cloud protects applications all the way from build to deploy and run time. And this notion of active security is central to what we are releasing here, where it will not only protect applications, but actively remediate risks from exposure and be happy to talk more about that.
- Swapnil Bhartiya: If we just kind of scale back and just focus on the problem area, when we are talking about protection, what kind of risks are there?
Utpal Bhatt: If you look at a cloud native application, it fundamentally has a different kind of footprint and hence the different sets of challenges. So for example, the cloud native application itself is broken into these smaller components and these components which are microservices, they’re sometimes ephemeral. They’re very distributed. They’re dynamic. They oftentimes live for less than five minutes. And now that increases the attack surface of your application because each and every microservice can potentially be talking to an external actor. So your attack surface, fundamentally is very large. The second problem with these applications is, as I mentioned, they’re distributed. So oftentimes you’re running these applications in multi-cloud environments. You could be running them in a hybrid environment.
And so securing these applications is a very arduous task. Not only just security, but compliance is extremely difficult with these types of applications as well. So that’s fundamentally what we are looking at when it comes to cloud native applications. The traditional security tools that were developed for your monolithic applications where you could contain the surface either to a single machine or a cluster of machines and you could draw a perimeter around the surface of the application. That paradigm does not apply for cloud native applications. And hence it requires security and DevSecOps teams to rethink how they’re going to secure these next generation of cloud native applications.
- Swapnil Bhartiya: I just want to quickly talk about when we do look at cloud native, apps are ephemeral, they come and go, but we also see in cloud native applications are becoming more and more stateful, not only data, but also applications as well. So how does that create a different challenge versus traditional IT, which is also stateful?
Utpal Bhatt: Yeah, I mean, when cloud native applications can also be stateful and in terms of the securing a stateful application versus a stateless application, the challenges are similar. In fact, in a stateful application, when you have, oftentimes you have to continue maintaining the state. It’s a lot of that information is either stored within the application itself and the application kind of reads back and so on. So I don’t think the security necessarily changes with the type of the application.
- Swapnil Bhartiya: Now, I want to just go a bit deeper into the cloud native application protection platform. Can you talk about how it works or some of the core components there?
Utpal Bhatt: If you think about the whole landscape of cloud native applications and especially security or cloud native application security platforms, there all the emphasis really has been on doing one thing and one thing really well, which is, how do I detect the threats and vulnerabilities in these applications? And so all the innovation you see is happening in the best engine to detect vulnerabilities to identify threats both at deploy time or at build time, deploy time and at run time.
But if you think about, that is only part of the problem, because, I mean, part of the solution, for example, let’s say you’re finding lots and lots of vulnerabilities in your application. At the end of the day, you have a limited set of security resources who can fix those. So what happens is if you just focus on finding more threats and more vulnerabilities, but don’t help your security teams figure out the prioritization, which ones to fix first? If you don’t help them with remediation of the exposure, how do I know there are some vulnerabilities in my application? I just found out yesterday. How do I mitigate the risk from exposure?
If you don’t help the teams with that, then what you’re doing is you’re creating a security gap. Because there is research out there from IBM and from [NTT] that says, “On an average, if you have a critical vulnerability, it’s going to take you 271 days to address that vulnerability.” The cost of fixing a vulnerability is really high as well. So on one hand, organizations are adopting more cloud native architectures, they’re adopting open source technology. So the source of vulnerabilities and threats is increasing, but your security team, the size of the team stays the same, that’s creating the gap. So what we believe you need is an active cloud protection platform, which not only detects vulnerabilities and threats, but it actively reduces the attack surface. So you’re limiting how many different ways you can get attacked with zero trust principles.
And then, also, actively remediates any risks from exposure. A case in point, Log4j vulnerability. When the Log4j vulnerability was, everyone found out that, “Hey, this is a vulnerability that anybody using that piece of software is exposed to,” and everybody on there and there was such a wide footprint of that, of Log4j and what organizations were scrambling while they were scrambling to fix that vulnerability, they were completely exposed to attacks. Now with active protection that we are offering with Calico Cloud, you can apply policies, that’ll create a security moat around those exposed pods. And so you are no longer, those pods are no longer reachable by outside actors. Even though the pod itself has a vulnerability, that vulnerability risk has been contained because you are drawing a security moat around that part. And that is an example of active security in action.
- Swapnil Bhartiya: Thanks for also explaining the active part there, which was going to be my next question. But can you also talk a bit about how are you leveraging machine learning and AI for CNAPP?
Utpal Bhatt: Yeah. That’s a great question. So we think about, there are two ways you can detect threats or anomalies, one obvious way is that there are lots of databases of vulnerabilities and threats, and you can consume these threat feeds and you can compare the signature of whatever traffic you’re seeing or whatever anomaly you’re seeing and you can compare that signature with known threat and if there’s a match, you can say, “Oh yes, that’s, you know that there is a problem.” It’s similar to your antivirus software, malware software that just kind of does a comparison and looks at what’s out there. So that’s one way of detecting what we call detecting known threats, but then equally important is to detect zero day threats or unknown threats. What if you are the first one to see the threat and we believe there are only two types of threats, there are ones that you know about, and then there are ones that, they’re in your system which you don’t know about them, but the assumption is they’re already there.
So how do you detect those? And that’s where we use machine learning to identify anomalous behavior. We look at network information and we collect all this data to create a baseline behavior model of your application. And so now we have that baseline behavior and we continually monitor that application using the same data elements that we are collecting and we compare your new state with the baseline state. And if we see a huge variance, somethings … Let’s say you’re, all of a sudden your network traffic has gone up by 20 times and maybe some streaming service or some bot has taken over that IP address and their VPC in some service through your pod, right?
So that’s an example of using machine learning to identify that, “Hey, this new behavior doesn’t match up with your normal behavior.” And hence there is a potential of a zero day threat. We can alert, we can push an alert to a SIEM. And the great thing about this active security component is that we automatically recommend a policy and we’ll say, “Looks like there may be a compromise here while you debug, what is the issue, you can draw a security moat around it so that nobody can access it. So you have some time and during that time, you can do some more forensics work.”
- Swapnil Bhartiya: Since it’s a platform, can you also talk about where do you run it?
Utpal Bhatt: Yeah. So Calico Cloud is a fully managed service. Let’s say pay as you go software as a service for cloud native application security. We have Calico Cloud running in the public cloud. We can run it in the public cloud of your choice, so you can run it on AWS, Google, or Azure, depending on any preference, we can run it in the… If you have any sovereign data requirements, we can run it there as well. And the data plane, which is where your application’s running, the service will connect to that data plane, but the service itself runs in the cloud.
- Swapnil Bhartiya: Is there any timeliness to this announcement? Because we are hearing a lot about cloud security discussion has started a few years back, but now we are also seeing a lot of attacks and also even at the federal government level, there was a meeting early this year here in the D.C. last year, they talked about executive order for SBOMs and stuff like that. So do you also see from cultural side of things that there is more awareness about it, because realizing, as you also listen, realizing that there is a problem is more important than solution because in most cases, solutions are there, but you never knew that you needed one. So talk about the timeliness of this release now.
Utpal Bhatt: That’s a great question. See what increasingly the industry is realizing that this is going to be a continuous war in terms of, waging a war against the vulnerabilities and threats and malicious actors. It’s not going to go away. It’s not going to get easier. And people are, companies are realizing that security teams are getting overrun right now, because just the sheer volume of these types of incidents. And hence it is really important given the scale of applications that we are deploying, given the distributed nature, the ephemeral nature of these applications, the industry’s realizing that we have to resort to machine learning. We have to resort to active remediation from exposure. And I think these types of components are extremely important.
And the industry is realizing that the manual processes of yesterday, the way individually looking at CVEs and the threats and fixing them one at a time and only then deploying it, that’s not going to work in today’s environment where deployments happen automatically when deployments happen every five minutes, when pods are on for five minutes, we just have to rethink this whole manner in which we secure applications. And that’s why this is timely from that standpoint that it takes these learnings and applies it for these cloud native applications.
- Swapnil Bhartiya: Everybody wants security, right? There’s nobody who would say, “Hey, we don’t,” but there’s a big difference in preaching, wanting versus actually practicing while we do hear a lot about DevOps, DevSecOps, and SREs and everything else. But how much are you seeing that these things are actually in practice? Because what happens is that sometimes with these kind of offering, you have to kind of make it easy also. Because cloud native is already very, very complicated and you are adding one more knob in a very complicated submarine of Kubernetes already. So talk about how are you folks helping with the cultural shift as well?
Utpal Bhatt: Yeah. So what we are doing, we, Calico Cloud itself is a great example of how we are helping organizations cope with the complexity of these applications, right? So in many organizations that have embraced cloud native architectures, you only have one or two people and they kind of combine the roles of DevOps and security. We have this DevSecOps role and they have lots and lots of things to worry about. So what we have done with Calico Cloud, again, with it’s a super easy process with a single click, you can get started. We have things like policy recommender that automatically recommend policies that’ll help reduce the attack surface. We are bringing that principle of zero trust into your application so that your application, the way to help individuals is to make sure that they can contain the application attack surface, and then using policy recommendations and applying those policies, helping remediate the risks from exposure. These are different ways we are making the life of DevOps and DevSecOps easier. Because they don’t necessarily have to get into the weeds and we are securing these applications for them.
- Swapnil Bhartiya: Utpal, thank you so much for taking time out today and of course, talk about this platform. But also, share those insights about, especially actively addressing those challenges that are there. Thanks for those insights and as usual, I would love to have you back on the show. Thank you.
Utpal Bhatt: Thanks for having me on the show Swapnil. It’s always a pleasure.