How we differentiate ARMO Platform from Open Source Kubescape

First update: June 11th, 2023 / Second update: June 16th, 2024

In August 2021 we launched Kubescape with a mission to make Kubernetes security open source, simple, and available for everyone, even non-security engineers. Since then we have been working on adding new capabilities to Kubescape, while building a strong community around it. The acceptance of Kubescape by the CNCF, as a sandbox project, was an important milestone for ARMO’s open-source journey with Kubescape. 

In order to continue to support Kubescape and lead a vibrant community, we will be offering a suite of paid products and services. The first of these is ARMO Platform. This is an enterprise-grade product that is based on Kubescape. It extends its functionality to support mature or maturing organizations with enterprise requirements.

In this blog post, we will be discussing some of those features and how we decide what goes into ARMO Platform.

ARMO Powered by Kubescape

Before we dive into the differences, let’s talk about the relationship. Users of ARMO Platform will see that under the logo we add Powered by Kubescape. What does this mean?

While a user of Kubescape can be oblivious to ARMO Platform the opposite is not true. In order to unlock the full value of ARMO Platform, users should install the Kubescape operator on their clusters. This allows ARMO Platform to surface findings from within the cluster. Thus, providing users with cluster-specific insights that easily drive the improvement of their security posture.

Furthermore, Kubescape offers pre-integration into development tools and CI/CD pipelines, which ARMO Platform utilizes as well. This enables seamless security checks throughout the software development lifecycle and ensures that security is prioritized and addressed early on.

ARMO Platform Differences

DevSecOps Dashboard: Enterprises have many stakeholders when it comes to security. ARMO Platform provides a single pane of glass for the different security and DevOps stakeholders. Providing each stakeholder with the information they need, the action they need to make, within the required context, and creating a common language between them.

Enterprise Support: True to our open source mission, our engineers share their expertise on the open source project via GitHub Issues and our community Slack channels (find us at the CNCF Slack workspace #kubescape and #kubescape-dev). That said, enterprise users need more. That’s why, included with ARMO Platform, we offer different levels of support with escalation options, a response SLA, and a dedicated account manager.

Premium Plugins: Since nobody works alone, ARMO Platform offers a set of plug-ins for collaboration tools. Collaboration tools enable enterprises to apply more context to workflows. Currently available plug-ins are: Slack, Microsoft Teams and Jira. We have expansion plans, so watch this space. 

Multi-user and Multi-tenancy: Collaboration capabilities are further enhanced by providing multiple users access to the same accounts. Providing the same information to different organizational roles, creates a single context and a common language for different security stakeholders in the organization. This includes roles that aren’t typically or eagerly security aware, like DevOps. Support for multi-tenancy allows separate departments in the enterprise to use the same instance of ARMO Platform without increasing the noise from issues not related to them.

Authentication & Security: In enterprises, access control for existing users and reducing friction associated with managing new and previous users are some of the biggest challenges in adopting a tool. Which is why providing single-sign-on (SSO) capabilities is imperative. To solve this, ARMO Platform enables third-party authentication SSO using SAML or OIDC. This allows you to associate your account with all e-mails coming from an authorized domain name. User access and permission management are coming soon.

Data retention: Enterprises are often subject to regulation and compliance policies that require data to be retained for specified periods of time (e.g. for forensic analysis). ARMO Platform will retain your data for a configurable period of time. Data retention enables ARMO Platform users to review the history of security posture and easily identify configuration drifts.

Attack paths and Security issues: Security work is demanding and security efficiency is a neccessity. To this end ARMO Platform seeks to bubble up the most important security issues that need to be attended to. Furthermore, when put in the context of an Attack Path, ARMO Platform understand exactly how to block an attck vector.

Smart Remediation: Uptime is a key performance indicator for many enterprises. This may be a cause of friction between security and operations. At times, configurations that adhere to well-known security bechmarks may cause applications to not function as expected or at all. Smart remediation solves this by bringing runtime information into this decision, enabling ARMO Platform users, to safely harden configurations.

RBAC visualizer: Keeping track of Kubernetes access permissions of the different actors that have permissions gets very hard when you have many clusters. Especially when you have large and complex clusters with many roles and role bindings. Kubescape provides utilities to analyze your RBAC permissions. ARMO Platform offers a unique interactive RBAC visualizer for this data. Users can drill down per role and per verb and easily find over-privileged users, inactive accounts and more.

Kubernetes Security Features	Open-Source (Kubescape)	Enterprise (ARMO Platform)
CI/CD Compliance and misconfiguration scanning	✅	✅
Cluster Compliance and misconfiguration scanning	✅	✅
CI/CD Container Vulnerability scanning	✅	✅
Cluster Container Vulnerability scanning	✅	✅
Runtime Data collection in CRDs (Lib usage, Network, Syscalls, File usage)	✅	✅
DevSecOps Dashboard		✅
Multi-cluster, Multi-user view and management		✅
Vulnerabilities Prioritization & Advanced Remediation (tailored for your specific context)		✅
Data retention – History and trends		✅
Smart Remediation (tailored based on analyzing run-time behavior)		✅
Attack Paths and remediation options		✅
RBAC Insights		✅
Network Policy visualization		✅
Integrations (Slack, Teams, Jira)		✅
Premium support		✅

How We Decide Which Features Go into Enterprise?

Our goal is to create a great enterprise product without undermining open-source Kubescape. In choosing the features to develop for ARMO Platform, we follow a rigorous internal review process. 

Our objective is to continue to enhance Kubescape together with the community, as an end-to-end CI/CD and Kubernetes security platform. Ultimately providing the best set of Kubernetes security capabilities from left to right. As such, we default to providing core security and compliance capabilities in Kubescape. For ARMO Platform we select capabilities that are uniquely valuable to enterprise requirements. As we continue to grow and evolve open-source Kubescape and our line of supported paid products. The ability to make these decisions is crucial to our success and the success of our community.