Raise the Bar -  Workload protection on OpenShift

This is a guest post by Amir Kaushansky, VP product at ARMO. 

ARMO's unique security approach combined with Openshift enterprise standard results in a total hybrid secured solution. ARMO is an additional security layer for your Kubernetes workloads.  It integrates with your CI/CD pipeline, maps the workload, and creates a strong identity: workload DNA. Based on this DNA, it provides: 

• Malware prevention, including in-memory protection and zero-day attacks prevention. 
• Micro-Segmentation, which is defined by an easy-to-use policy and enables cross-location (e.g. on-premises to the cloud) secure connectivity.
• Data protection,  including encryption key management. 

ARMO is certified on OpenShift 4.x and supports Universal Base Image (UBI), you can find it in the RedHat market place.

Once ARMO is installed, on your OpenShift cluster you can use the ‘cacli’ tool to define policy and manage the agent, or you can do it from the SaaS management web user interface. 

Once ARMO’s agent has signed your workload, you can define a network and/or encryption policy and create a highly resilient environment.
The below illustrates how it is done:  in case an attacker penetrates your environment (by exploiting a weak link, exploiting an operating system component or an insider), the attacker can not do any damage as data is totally encrypted and even if it is leaked, it is useless due to the encryption, communication between your workloads is encrypted using mutual TLS - which mean that the attacker cannot eavesdrop to the communication nor to establish any communication with the other signed workloads.