Updated on: September 19, 2024
In a recent interview with SafetyDetectives, Phil DiCorpo, Senior Director of Product Management at Tigera, shared insights into his journey within the cybersecurity space and his role at Tigera. With a background in software development and a passion for startup innovation, DiCorpo has helped drive Tigera’s mission to provide robust container and Kubernetes security solutions. The discussion touched on Tigera’s unique approach, the challenges developers and security teams face in securing cloud-native environments, and how the adoption of AI and Kubernetes are reshaping the industry’s future.
Phil is responsible for Calico Enterprise and Calico Cloud. With a background in engineering and a strong understanding of core technologies, He is known for his ability to bridge the gap between customer needs and product development. Nearly half of Fortune 100 companies use products he has helped define and build. Phil holds a BS in Electrical and Computer Engineering from Washington University in St. Louis.
Could you share details about your background in cybersecurity and what motivated you to join Tigera?
Absolutely. I began my career as a software developer, then transitioned into the cybersecurity industry. My first cybersecurity-focused role was at an early stage startup called Vontu. Vontu was a pioneer in the data loss prevention market. At the time, this was such a fundamental shift for security teams, and it was interesting to witness how it grew, evolving into such an important aspect of how organizations operate worldwide. This role helped launch my career in cybersecurity and ignited my passion for working at startups and building new innovations that solve complex challenges.
I joined Tigera in 2019 as the Director of Product Management. As the provider of the industry’s only container security platform with built-in network security, I was impressed with how the company works to streamline the complexities faced by DevOps and security professionals. As adoption of containers and Kubernetes has grown in mid-market organizations and enterprises alike, providing robust container security and networking solutions has become essential. Tigera is uniquely positioned to help organizations achieve the utmost network visibility and security posture across these environments.
Can you explain what Tigera does and what makes it unique compared to other networking and container/Kubernetes security companies?
Tigera provides secure networking and comprehensive protection for containers and Kubernetes. Tigera is the creator and maintainer of Calico Open Source, the most widely used container networking and security solution.
Unlike other container security platforms, Tigera’s Calico Cloud interconnects security risks using network insights to help prioritize, remediate, and mitigate risks. Calico Cloud is the industry’s only container security platform with built-in network security to prevent, detect, and mitigate security breaches.
The foundational container security features available in Calico Cloud include:
- Workload Security posture management – Users can scan images and registries and configure the admissions controller to block deployment of the vulnerable images. They can harden their Kubernetes cluster configuration using CIS benchmark results and also improve the security posture of their workloads with data-in-transit encryption, microsegmentation, egress access controls, and integration with network and cloud firewalls.
- Runtime workload protection – Protect workloads from known attackers with capabilities such as workload-based IDS/IPS, workload-centric WAF, DDoS protection and malware detection.
- Runtime threat detection – Out-of-the-box eBPF based detectors to detect container and network-based attacks based on container and network activity.
- Observability and incident response – Users can use the Dynamic Service and Threat Graph and Security Events Dashboard to monitor vulnerabilities and get alerted when attacked as well as deploy risk mitigation controls to reduce the risk.
Calico is used by leading companies, including Discover, Chipotle, NBCUniversal, HanseMerkur, Box, Siemens Healthineers, Playtech, Royal Bank of Canada, and Bell Canada.
What core challenges are developers and security teams facing today, and how is Tigera helping companies overcome these hurdles?
Many organizations are modernizing their virtualization environments and adopting Kubernetes as a comprehensive orchestrator for managing workloads for their applications both on-premises and in the public cloud. Modern virtualization platforms must support different types of workloads, such as virtual machines (VMs), containers, and bare metals with Kubernetes for both on-premises and public cloud deployments. New cloud-native environments have rendered current segmentation approaches and solutions obsolete. Traditionally, enterprises segment their virtualized environments by creating distinct virtual networks and security zones based on function, for example, production; development; and testing environments. The architecture and design of current network segmentation solutions like NSX are ill-equipped to handle the dynamic, constantly-changing nature of Kubernetes environments and a flat, open network approach. Kubernetes workloads are highly dynamic; pods are created and destroyed frequently. Traditional network segmentation solutions cannot keep up with the rapid changes in network configurations and policies, as they are optimized for more static VM environments.
Tigera’s Calico platform is designed to support a diverse range of workloads, including VMs, containers, and bare metals, to provide organizations with a robust and high-performance network policy engine to perform segmentation across both on-premises and cloud deployments. Calico provides dynamic segmentation capabilities based on workload metadata such as namespace and labels, which ensures that new workloads are segmented automatically upon initial deployment. Calico works to help organizations simplify their segmentation process utilizing declarative, user-friendly policy language, and an intuitive policy user interface.
In addition, the complexities associated with the adoption of a service mesh and maintaining secure communications in complex microservices environments are also causing a significant strain on DevOps teams and Site Reliability Engineers (SREs): teams who already operate with very limited resources.
There is a considerable amount of time and capital required for the configuration, operation and maintenance of a traditional service mesh. With Tigera’s differentiated approach, Calico provides the capabilities to address the security and observability challenges organizations face without the conventional overheads of a standalone service mesh solution. Calico provides organizations with a unified dashboard to address the three primary service mesh use cases— security, observability, and control. With Calico, users can easily achieve full-stack observability and security, deploy highly performant encryption, and tightly integrate with existing security infrastructure such as firewalls.
How can organizations uphold container and Kubernetes security best practices in the age of Artificial Intelligence? Are there any considerations when it comes to networking?
Artificial intelligence (AI), particularly generative AI (GenAI), is one of the most significant technical innovations of our time. By 2026, Gartner anticipates that more than 80% of enterprises will have deployed generative AI-enabled applications. Many organizations are deploying GenAI workloads in Kubernetes given their operational advantages. However, to avoid data exfiltration, these applications require stringent security guardrails. There are several security controls that enterprises can implement to reduce the security risks of these applications. Security controls include:
- Establishing security controls at the ingress and egress level to ensure that data leaving and entering GenAI applications is properly regulated.
- Enforcing a robust level of multi-tenancy and segregation between GenAI applications and their broader infrastructure to limit damage in the event of initial exfiltration.
- Scanning for vulnerabilities at the build and runtime phases to continuously track and monitor for risks and misconfigurations.
- Adopting a least privilege approach and enabling communications only when necessary.
From the networking side, many organizations are currently experiencing troubleshooting issues when deploying GenAI applications. Enterprises are running GenAI applications on multiple Graphics Processing Units (GPUs), often resulting in the presence of thousands of GPUs to train their GenAI models. With the significant costs associated with GPUs, when downtime occurs and applications are inactive, the ability to quickly troubleshoot and establish root cause is essential to avoiding expensive downtime. Network latency is one of the most significant challenges with GenAI applications and it is crucial that organizations implement controls that can rapidly determine the root cause of such latency. This most often requires the use of purpose-built solutions that can visualize what is happening across the network and accurately pinpoint where issues exist.
What are your predictions for the market’s evolution over the next few years, and what are the future plans for Tigera?
The size of the container and Kubernetes security market will continue to grow exponentially over the next several years, especially as containers and Kubernetes adoption continues to accelerate. While organizations increasingly deploy containers and Kubernetes as part of digital transformation and application modernization initiatives, few have implemented security controls for these complex environments that go beyond the minimal level of security mandated by compliance requirements. As security gaps within containers and Kubernetes can manifest into significant data exfiltration attacks or ransomware incidents, more and more organizations will realize the importance of adopting purpose-built solutions to improve the security posture and resilience of such crucial modern environments.
At Tigera, we are continually enhancing Calico to streamline and enhance container and Kubernetes security. This year, we extended the runtime threat defense capabilities of Calico Cloud and Calico Enterprise, providing users with comprehensive monitoring, analysis and visibility into potential threats to enable quick remediation. We also added new features for Calico Cloud, aimed at proactively bolstering the security posture of containerized applications. We have several other significant updates on our product roadmap over the next several months that we are excited to unveil to the wider market.