Apurva Shah
Published in GRAD4 Engineering
2 min read · Nov 9, 2020


Ansible Fest — takeaways

I attended Ansible Fest 2020, enjoyed it, and learned a lot!

While reading post-mortems of data breach incidents, like the recent incident reported by the FBI and CISA in which hackers operating for China had penetrated US government systems, or the ICC Pro (smart irrigation app) users running the default configuration without a password, I always questioned why they were still using default configurations/passwords, why credentials were not changed in time, why systems were not patched, and so on. I was finally able to get a satisfactory answer, one I could imagine and relate to real-world scenarios, in the Ansible session “Case study: Defending a defense company with Ansible Automation” by Jeff Vealey.

As the size of a company increases, everything scales up, from the number of networking devices and tools to the size of the team. At some point security becomes overwhelming, for instance maintaining the secure configuration of networking devices or dealing with data scattered across multiple security tools. Managing all of this manually becomes cumbersome. At this point, automation makes life easier: automation scripts do most of the management work securely, minimizing human error and the delay in defending against an attack.

The automation can include Ansible Tower, a centralized UI for managing IT infrastructure, along with CyberArk tools. Since Ansible playbooks contain credentials to automate most of the crucial processes, like managing cloud components (for example, creating or modifying an instance/DB in AWS), they are a hotspot for attackers. Hence we need to reduce the threat area. This can be done by using tools provided by CyberArk that help us store our secrets securely and provide automation services for password rotation, auditing, etc. To know more, check out this blog. A typical interaction would be: Ansible Tower requests the credentials through the CyberArk Credential Provider, which in turn verifies the credibility of Ansible Tower; if the verification succeeds, the credentials are served to Ansible Tower and are ready to be used. Finally, CyberArk also provides “Automated Credential Management” for password rotation without the need for human intervention.
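A first step toward moving playbook credentials into a vault is finding where they are written in plain text. The audit below is an added example, not code from the session or from this post; the list of secret-looking key names and the variable `tower_injected_api_token` are assumptions, and the playbook is constructed sample input.

```python
import re

# Keys whose names suggest a secret (assumed list; extend for your environment).
SECRET_KEY = re.compile(
    r"^\s*(?:-\s*)?(?P<key>[\w.-]*(?:password|passwd|secret|token|api_key)[\w.-]*)"
    r"\s*:\s*(?P<value>.*)$",
    re.IGNORECASE,
)

def classify(value):
    """Classify the value of a secret-looking key."""
    value = re.sub(r"\s+#.*$", "", value).strip()   # drop trailing comment
    if not value or value in ("|", ">"):
        return "empty"        # nested mapping or block scalar follows
    if value.startswith("!vault"):
        return "vault"        # Ansible Vault inline-encrypted value
    if "{{" in value:
        return "templated"    # resolved at run time (lookup or injected variable)
    return "literal"          # plain-text secret stored in the playbook

def find_hardcoded_secrets(playbook_text):
    """Return (line_number, key) for every secret-looking key with a literal value."""
    findings = []
    for lineno, line in enumerate(playbook_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        match = SECRET_KEY.match(line)
        if match and classify(match.group("value")) == "literal":
            findings.append((lineno, match.group("key")))
    return findings

# Constructed sample playbook: two literal secrets, one templated, one vaulted.
SAMPLE_PLAYBOOK = """\
- hosts: localhost
  vars:
    db_password: "Sup3rS3cret!"
    api_token: "{{ tower_injected_api_token }}"
    vault_secret: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      6162636465666768
  tasks:
    - name: Rotate the database password
      ansible.builtin.debug:
        msg: "connecting"
    - name: Create instance
      amazon.aws.ec2_instance:
        secret_key: constructed-not-a-real-key
"""

if __name__ == "__main__":
    for lineno, key in find_hardcoded_secrets(SAMPLE_PLAYBOOK):
        print(f"line {lineno}: '{key}' holds a literal value; move it to the vault")
```

Each finding is a candidate for replacement with a value served at run time by the credential provider, so the playbook itself no longer carries the secret.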

For me, as a newbie to Ansible, the fest talks unwrapped the potential of Ansible automation, showing why security is difficult and how automation can help increase security in the real world.

Thank you, Jeff Vealey!
