The Challenge
At the beginning of the COVID-19 pandemic in Quebec, Akinox was engaged with the government in setting up pandemic monitoring and vaccination passports. In addition, the government enlisted Akinox to help improve communications between professionals in the healthcare system in Quebec. This triggered sharp growth in the number of employees at Akinox and in the size of the product suite that needs to be built and maintained. Infrastructure needs grew accordingly, and Kubernetes became the company's infrastructure of choice due to its scalability and portability.
The Problem
The low security score assigned by the cloud provider prompted the goal of improving it, especially since Akinox’s work with government agencies leads to very strict security requirements. Since most of the development is done on Kubernetes, a Kubernetes-specific solution was required to really impact security. In addition, the cloud provider's security solution, while providing a lot of insight, is based on only one framework (MITRE ATT&CK) with only about 60 controls. Akinox was interested in using additional frameworks, namely the NSA-CISA Kubernetes Hardening guidelines.
The combination of adhering to security requirements, supporting a growing number of teams and suite of products, and achieving other internal goals became very time-consuming. Hence, the team at Akinox sought out a tool that monitors changes in compliance and vulnerabilities being introduced or fixed, along with the RBAC visualizer, which helps keep track of things quickly and easily.
The Solution
Akinox chose ARMO Platform, which is based on Kubescape, a leading open-source Kubernetes security tool. The objective was to obtain deep Kubernetes-specific findings, with a high signal-to-noise ratio. Starting with the Kubescape CLI was easy, but the need to go deep into the findings led to the adoption of ARMO Platform, which provides easy-to-use dashboards and drilldowns in a GUI. In the process they found that a single pane of glass is useful to both security and DevOps.
ARMO Platform was compared to other cloud provider security solutions as well as other tools on the market. It was found to have the most comprehensive set of security controls, providing more coverage than two different tools combined. Using ARMO Platform has helped improve the security score calculated by the cloud provider.
Akinox has shifted its process from deploying YAML files to creating a deployment Helm chart, which was built securely with the help of ARMO. Consequently, the team is now delivering secure deployments by default.
The Kubescape operator reduces noise by only providing information about the containers running on the cluster, and not others in the environment. Visibility throughout the software development life-cycle helps identify changes or drift. The assisted remediation offered by ARMO saves time and effort. In addition, the RBAC visualizer is proving particularly helpful in getting into the details of user access in the clusters.
ARMO is used weekly by DevOps and is instrumental in continuing to shift security left to developers. Currently, the platform is used to prioritize work and to create building blocks for platform engineering. The team at Akinox is pleased with ARMO, as it has reduced the time and effort required to harden the environment, freeing up more time to do strategic work.