How we differentiate ARMO Platform from Open Source Kubescape

Jan 11, 2023

Oshrat Nir
Developer Advocate

Updated on: June 11th, 2023

In August 2021 we launched Kubescape with a mission to make Kubernetes security open source, simple, and available for everyone, even non-security engineers. Since then we have been working on adding new capabilities to Kubescape, while building a strong community around it. The recent acceptance of Kubescape by the CNCF, as a sandbox project, is another important milestone for ARMO’s open-source journey with Kubescape. 

In order to continue to support Kubescape and lead a vibrant community, we will be offering a suite of paid products and services. The first of these is ARMO Platform. This is an enterprise-grade product that is based on Kubescape. It extends its functionality to support mature or maturing organizations with enterprise requirements.

In this blog post, we will be discussing some of those features and how we decide what goes into ARMO Platform.

ARMO Powered by Kubescape

Before we dive into the differences, let’s talk about the relationship. Users of ARMO Platform will see that under the logo we add Powered by Kubescape. What does this mean?

While a user of Kubescape can be oblivious to ARMO Platform, the opposite is not true. In order to unlock the full value of ARMO Platform, users should install the Kubescape operator on their clusters. This allows ARMO Platform to surface findings from within the cluster, providing users with cluster-specific insights that easily drive the improvement of their security posture.

Furthermore, Kubescape offers pre-integration into development tools and CI/CD pipelines, which ARMO Platform utilizes as well. This enables seamless security checks throughout the software development lifecycle and ensures that security is prioritized and addressed early on.

ARMO Platform Differences

DevSecOps Dashboard: Enterprises have many stakeholders when it comes to security. ARMO Platform provides a single pane of glass for the different security and DevOps stakeholders. It gives each stakeholder the information they need and the action they need to take, within the required context, and creates a common language between them.

Enterprise Support: True to our open source mission, our engineers share their expertise on the open source project via GitHub Issues and our community Slack channels (find us at the CNCF Slack workspace #kubescape and #kubescape-dev). That said, enterprise users need more. That’s why, included with ARMO Platform, we offer different levels of support with escalation options, a response SLA, and a dedicated account manager.

Premium Plugins: Since nobody works alone, ARMO Platform offers a set of plug-ins for collaboration tools. Collaboration tools enable enterprises to apply more context to workflows. The currently available plug-ins are Slack and Jira. We have expansion plans, so watch this space.

Multi-user and Multi-tenancy: Collaboration capabilities are further enhanced by providing multiple users access to the same accounts. Providing the same information to different organizational roles creates a single context and a common language for different security stakeholders in the organization. This includes roles that aren’t typically or eagerly security aware, like DevOps. Support for multi-tenancy allows separate departments in the enterprise to use the same instance of ARMO Platform without increasing the noise from issues not related to them.

Authentication & Security: In enterprises, access control for existing users and reducing friction associated with managing new and previous users are some of the biggest challenges in adopting a tool, which is why providing single-sign-on (SSO) capabilities is imperative. To solve this, ARMO Platform enables third-party authentication SSO using SAML or OIDC. This allows you to associate your account with all e-mails coming from an authorized domain name. User access and permission management are coming soon.

Data retention: Enterprises are often subject to regulation and compliance policies that require data to be retained for specified periods of time (e.g. for forensic analysis). ARMO Platform will retain your data for a configurable period of time. Data retention enables ARMO Platform users to review the history of security posture and easily identify configuration drifts.

RBAC visualizer: Keeping track of the Kubernetes access permissions of the different actors gets very hard when you have many clusters, especially large and complex clusters with many roles and role bindings. Kubescape provides utilities to analyze your RBAC permissions. ARMO Platform offers a unique interactive RBAC visualizer for this data. Users can drill down per role and per verb and easily find over-privileged users, inactive accounts and more.

How We Decide Which Features Go into Enterprise?

Our goal is to create a great enterprise product without undermining open-source Kubescape. In choosing the features to develop for ARMO Platform, we follow a rigorous internal review process. 

Our objective is to continue to enhance Kubescape together with the community, as an end-to-end CI/CD and Kubernetes security platform, ultimately providing the best set of Kubernetes security capabilities. As such, we default to providing core security and compliance capabilities in Kubescape. For ARMO Platform we select capabilities that are uniquely valuable to enterprise requirements. As we continue to grow and evolve open-source Kubescape and our line of supported paid products, the ability to make these decisions is crucial to our success and the success of our community.
