ROX-30600 (Red Hat Advanced Cluster Security)

Dynamic Discovery via Runtime of Cryptographic Usage (support PQC)

      PQC

      This capability complements the static view from RHTAP by providing evidence of how cryptography is actually being used in practice.

      Red Hat Advanced Cluster Security (ACS) provides a much more granular, real-time, and enforcement-oriented approach that is purpose-built for Kubernetes environments. It focuses on securing the containerized workloads themselves. As such, ACS gives OpenShift customers a granular, real-time view, showing, for example, that a specific pod is the one actively establishing a TLS 1.1 connection to an external service. The focus with ACS is to go beyond simple detection at the infrastructure level and enable active enforcement:

      • Network Segmentation and Visualization: The ACS "Network Graph" provides a live, visual map of all network traffic between pods, namespaces, and external services. This is the first step in identifying all communication flows, making it immediately obvious if a workload is talking to an unexpected or insecure endpoint.
      • Runtime Policy Enforcement: This is ACS's key strength. By creating standard default policies that define acceptable network behavior and enforcing them at runtime, customers can:
        • Detect insecure protocols: a policy that alerts on, or even blocks, deployments that attempt to communicate over known cleartext ports or connect to external services without using TLS.
        • Address weak cipher suites: define a cryptographic "benchmark" for ACS to audit workloads against, mandating the use of PQ cryptography. A deployment configured with a weak TLS profile would be flagged as a policy violation.
      • Behavioral Baselining and Threat Detection: ACS can automatically baseline normal network activity for a deployment. If a pod suddenly initiates a connection using an unusual or insecure protocol, ACS can flag this as anomalous activity, indicative of a potential threat.
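      The three policy types above (cleartext/non-TLS detection, a cryptographic benchmark audit, and baseline-based anomaly detection) can be illustrated as detection logic run over observed flows. The following is an added example, not ACS code and not the ACS policy engine: the flow records, the baseline, the cleartext port list and the post-quantum key-exchange group names (X25519MLKEM768, SecP256r1MLKEM768) are constructed or assumed for illustration.

```python
# Added illustration (not ACS code): evaluate the three runtime-policy types
# from the ticket over constructed network-flow observations.
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumption: well-known cleartext service ports a policy would treat as insecure.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http"}
MIN_TLS_VERSION = (1, 2)
# Assumed cryptographic "benchmark": hybrid post-quantum TLS key-exchange
# groups that a PQ-mandating policy could require.
PQ_KEX_GROUPS = {"X25519MLKEM768", "SecP256r1MLKEM768"}


@dataclass(frozen=True)
class Flow:
    deployment: str
    namespace: str
    dst: str                      # peer pod, service, or external host
    dst_port: int
    external: bool                # True if dst is outside the cluster
    tls_version: Optional[Tuple[int, int]] = None  # None: no TLS observed
    kex_group: Optional[str] = None                 # negotiated key-exchange group


@dataclass(frozen=True)
class Violation:
    policy: str
    deployment: str
    detail: str
    severity: str
    enforce: bool = False         # True: policy configured to block, not just alert


def check_insecure_protocol(flow: Flow) -> Optional[Violation]:
    """Cleartext ports, or external connections made without TLS."""
    if flow.dst_port in CLEARTEXT_PORTS:
        proto = CLEARTEXT_PORTS[flow.dst_port]
        return Violation("insecure-protocol", flow.deployment,
                         f"{proto} to {flow.dst}:{flow.dst_port}", "high", enforce=True)
    if flow.external and flow.tls_version is None:
        return Violation("insecure-protocol", flow.deployment,
                         f"external {flow.dst}:{flow.dst_port} without TLS", "high")
    return None


def check_crypto_benchmark(flow: Flow) -> Optional[Violation]:
    """Audit the negotiated TLS parameters against the PQ benchmark."""
    if flow.tls_version is None:
        return None  # no TLS at all is the insecure-protocol check's job
    if flow.tls_version < MIN_TLS_VERSION:
        ver = "TLS %d.%d" % flow.tls_version
        return Violation("weak-crypto", flow.deployment,
                         f"{ver} to {flow.dst}:{flow.dst_port}", "high")
    if flow.kex_group not in PQ_KEX_GROUPS:
        return Violation("weak-crypto", flow.deployment,
                         f"non-PQ key exchange {flow.kex_group} to {flow.dst}:{flow.dst_port}",
                         "medium")
    return None


def check_baseline(flow: Flow, baseline) -> Optional[Violation]:
    """Flag flows not present in the learned (deployment, dst, port) baseline."""
    key = (flow.deployment, flow.dst, flow.dst_port)
    if key not in baseline:
        return Violation("anomalous-flow", flow.deployment,
                         f"new peer {flow.dst}:{flow.dst_port}", "medium")
    return None


def evaluate(flows, baseline):
    """Run every check over every flow; a flow may raise several violations."""
    violations = []
    for flow in flows:
        for check in (check_insecure_protocol, check_crypto_benchmark):
            v = check(flow)
            if v:
                violations.append(v)
        v = check_baseline(flow, baseline)
        if v:
            violations.append(v)
    return violations


def summarize(violations):
    """Count violations per policy, e.g. for a dashboard or alert roll-up."""
    counts = {}
    for v in violations:
        counts[v.policy] = counts.get(v.policy, 0) + 1
    return counts


# Constructed sample observations (not real traffic).
SAMPLE_FLOWS = [
    Flow("payments", "prod", "api.partner.example", 443, True, (1, 3), "X25519MLKEM768"),
    Flow("payments", "prod", "legacy-bank.example", 443, True, (1, 1), "X25519"),
    Flow("reports", "prod", "metrics-db.prod.svc", 80, False),
    Flow("reports", "prod", "203.0.113.10", 8443, True, (1, 3), "X25519"),
]
# Constructed baseline, as if learned from earlier observation of these deployments.
BASELINE = {
    ("payments", "api.partner.example", 443),
    ("payments", "legacy-bank.example", 443),
    ("reports", "metrics-db.prod.svc", 80),
}

if __name__ == "__main__":
    for v in evaluate(SAMPLE_FLOWS, BASELINE):
        action = "BLOCK" if v.enforce else "ALERT"
        print(f"[{action}] {v.policy} ({v.severity}) {v.deployment}: {v.detail}")
```

      On the constructed input, the payments deployment's TLS 1.1 connection is flagged as weak crypto, the reports deployment's port-80 flow hits the enforcing cleartext rule, and its connection to a previously unseen external host raises both a non-PQ benchmark finding and a baseline anomaly. Separating the checks keeps each policy independently tunable, which mirrors the distinction the ticket draws between alerting and blocking.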

      Network observation provides invaluable context, but it too has limitations. It is most effective at ingress points and for well-known protocols. It may not be able to see inside application-specific encrypted tunnels or identify which specific process on a host initiated a given connection. For the highest level of fidelity, a more direct method of auditing is needed.

      Assignee: Unassigned
      Reporter: Maria Simon Marcos (rh-ee-masimonm)