CNCF: Supporting a Strong, Secure OSS Cloud Native Ecosystem 

For many organizations, open source software (OSS) has become a must-have tool in their digital transformation toolboxes—what’s more, it’s fundamentally transforming the way software is developed. A 2020 Red Hat study shows that 95% of IT leaders believe open source is strategically important, while 77% believe enterprise OSS will continue to grow.  

So what, exactly, are enterprises using open source for? The same study reveals security is the number one use for enterprise OSS today (52%)—followed closely by cloud management tools (51%). This makes sense, since cloud-native environments bring key changes to the cyber risk landscape. As many recent headlines show, failing to properly secure, manage and configure cloud resources can lead to a data breach or failed audit and force the team to halt the delivery of new features in order to catch up on technical debt.  

Open Source Is the Answer for Many Cloud-Native Security Challenges—But What’s the Best Tool For You? 

For many obvious reasons, traditional security tools and processes don’t translate well in the dynamic, automated world of cloud-native applications. The use of microservices, containers and serverless technologies requires constant fluidity, as applications morph and move from on-premise to the cloud to another cloud, and then back again. Securing all of these fast-moving pieces is a serious challenge. Increasingly, cloud-native, open source tools are the answer. With the proper tools in place, applications can be deployed securely and automatically to any cloud provider.  

Security leaders recognize the need for a fresh approach to security and many vendors and developers have answered the call, flooding the market with new cloud-native tools that tackle various facets of risk. So how do you find the right open source tools that have been verified by a credible community? 

CyberArk Joins the Cloud Native Computing Foundation 

That’s where the Cloud Native Computing Foundation (CNCF) comes in. The CNCF exists to promote cloud-native computing and foster standardization of tools and best practices for effective use of cloud-native infrastructure. It’s the home of many popular open-source projects, like Kubernetes, Prometheus and Envoy, and supports projects for thousands of contributors and companies around the world.  

The CNCF plays a critical role in ensuring technologies are readily available to the development community and free of partisan influence—driving industry collaboration and rapid development of projects. 

Our team here at CyberArk has long relied on the CNCF, tapping into innovative open source projects, connecting with amazing developers, discussing top-of-mind security and identity challenges and much more. In fact, the CNCF has played a major role in our own open source security projects, CyberArk Conjur, Secretless Broker, and CyberArk Summon, which help cloud-native applications implement secure access to credentials and other application and service secrets.

CyberArk joined the CNCF to support the growth and health of cloud-native, open-source software for everyone.   

Widely recognized as the PAM market leader, we have the skills and platform-agnostic technologies needed to influence the growth of open source cloud-native software. By working alongside fellow CNCF members and organizations around the world, we can ensure that security and identity are front and center of the conversation—and firmly embedded into future tools.

We know that security is a team game and we’re excited to join the CNCF in tackling key cloud challenges to help organizations realize the full promise of the cloud.  

You can read more about CyberArk and the CNCF in this article. If you’re interested in learning more about our own open source contributions, read on!

CyberArk’s Open Source Projects: At-A-Glance 

Secrets—including API keys, usernames, passwords, access control, etc.—grant access to applications, tools, critical infrastructure and other sensitive data. An area of concern that touches all aspects of cloud-native computing is the security, policies and auditing of these secrets in dynamically changing and complex environments. Our open source projects CyberArk Conjur, Secretless Broker and Summon were designed to make secrets management simple.

  • Conjur manages secrets needed for cloud and DevOps operations. You can use the open source interface to securely authenticate, control and audit non-human access across tools, applications, containers and cloud environments.  Using granular role-based access control (RBAC), Conjur authenticates the application, performs an authorization check against the security policy and then securely distributes the secret. It has native integrations with most leading DevOps tools. For more details, see the full Git repository of the project.  
  • Secretless Broker helps developers build safer applications faster by eliminating the need to handle secrets within application code.  This simplifies the process for applications to securely connect to databases, web applications, and other supported services in a transparent way.
  • Summon helps developers access secrets stored in a variety of providers, such as AWS S3, AWS Secrets Manager and Gopass, to name just a few (you can also implement a custom provider interface if needed!).

Complex cloud environments may span multiple cloud providers. Summon’s ability to access secrets from the various providers keeps security implementations consistent while easing the developer load. Visit this Git repository to find examples, releases, source code and documentation. 

Conjur, Secretless Broker, and Summon can be used seamlessly in a variety of cloud-native scenarios—across CI/CD pipelines, for container security configuration and for managing secrets in elastic and auto-scaling environments. A recent webinar hosted by the CNCF demonstrated how these tools can make developers’ lives easier while improving security; you can watch it here to learn more. Check out CyberArk Commons, the open source community for developers and engineers, to dig deeper into these tools.