Enhancing Secrets Management in Ansible with CyberArk Application Identity Manager


TODAY'S PRESENTERS:
- Chris Smith, Global Alliance Architect, Red Hat
- Naama Schwartzblat, Application Identity Manager Senior Product Manager, CyberArk
- Kyle Benson (Moderator), DevOps Product Marketing, CyberArk

TODAY'S IT ARCHITECTURES are continually changing and must be infinitely flexible. CONFIDENTIAL

IT OPERATIONS BEARS THE BURDEN
(diagram: demands flow from the CEO, lines of business and developers down to IT operations)

EFFECTIVE MANAGEMENT & AUTOMATION MUST SPAN CLOUD, CONTAINERS AND TRADITIONAL I.T.
(diagram of the landscape IT automation has to cover:)
- Tooling and processes: traditional code development & deployment tooling, CI/CD pipelines & code repositories, service catalogs & governance, full stack monitoring, root cause analytics, capacity optimization, cloud financial management, security & compliance, ITSM & CMDB integration, cross-cloud portability & integrations
- Platforms: databases, middleware, OS config & provision, patch & remediate hosts, Kubernetes container orchestration platforms, container packaging platforms, VMs, bare metal, network and storage infrastructure, private clouds, SaaS/PaaS, AWS, Azure, Google

WHAT IS ANSIBLE AUTOMATION?
The Ansible project is an open source community sponsored by Red Hat. It's also a simple automation language that perfectly describes IT application environments in Ansible Playbooks.
Ansible Engine is a supported product built from the Ansible community project.
Ansible Tower is an enterprise framework for controlling, securing, managing and extending your Ansible automation (community or engine) with a UI and RESTful API.

The example playbook shown on the slide:

    - name: install and start apache
      hosts: all
      vars:
        http_port: 80
        max_clients: 200
      remote_user: root
      tasks:
        - name: install httpd
          yum: pkg=httpd state=latest
        - name: write the apache config file
          template: src=/srv/httpd.j2 dest=/etc/httpd.conf
        - name: start httpd
          service: name=httpd state=started

And its run, as shown on the slide:

    user@hostname:~$ ansible-playbook -i inventory playbook.yml

    PLAY [install and start apache] ***********************************

    TASK [Gathering Facts] ********************************************
    ok: [webserver.local]

    TASK [install httpd] **********************************************
    changed: [webserver.local]

    TASK [write apache config file] ***********************************
    changed: [webserver.local]

    TASK [start httpd] ************************************************
    changed: [webserver.local]

    PLAY RECAP ********************************************************
    webserver.local : ok=4 changed=3 unreachable=0 failed=0

WHY ANSIBLE?
SIMPLE
- Human readable automation
- No special coding skills needed
- Tasks executed in order
- Usable by every team
- Get productive quickly
POWERFUL
- App deployment
- Configuration management
- Workflow orchestration
- Network automation
- Orchestrate the app lifecycle
AGENTLESS
- Agentless architecture
- Uses OpenSSH & WinRM
- No agents to exploit or update
- Get started immediately
- More efficient & more secure


SHARING IS CARING
Modular approaches help teams respect each other's standards of operations.
SCM is key to spreading Ansible best practices and helping cross-train newcomers to the orchestration table.

HOW TO DETERMINE WHAT ANSIBLE CAN DO FOR YOU

PROBLEM SOLVING STARTS WITH TRIAGE, NOT TOOLS
- What am I doing?
- Who is involved?
- How does this scale or grow?
- What is the plan for ongoing management?
- Is there built-in capability in my tools, or am I creating something from scratch?

ANSIBLE + RED HAT ANSIBLE TOWER

Ansible:
- Solves the problem of automating and orchestrating
- Does not address the bigger-picture security/compliance
Red Hat Ansible Tower:
- Spotlights security considerations and provides predictability
- Role-based access control and secure credential storage
- API integrations, accountability and execution history

SECURITY CONSIDERATIONS

Ansible (command line):
- Only respects the security in place at the host user level
- No abstraction of remote host or cloud credentials from the user
- No guarantee of execution parameters or of the integrity of the playbook as designed by the team
Ansible Tower:
- Creates an isolated runtime environment to control execution of Ansible
- Abstracts security credentials and specifics (SSH keys, username+password, etc.) from the end user
- Guarantees the execution parameters, and that execution is as designed for the playbook

ORGANIZATION AND RBAC CONSIDERATIONS
- Multiple inventories may be needed: network automation may not need to have app/cache/db hosts in its inventory; multiple cloud dynamic sources will overwrite each other
- Things that just work on the CLI may need consideration in Tower: execution isolation means config files at ~/.* need to be placed for the AWX user in Tower; PRoot isolates Tower runs to the project/playbook directory (can't write to /tmp locally, etc.)
- SCM is to your advantage: playbook projects for different teams/orgs can utilize forks, branches and tags; roles don't need one monolithic repository

UTILIZE OUR PARTNERSHIPS
- CyberArk: integrate with enterprise credential management
- Splunk: get your logs out of Ansible Tower and make meaningful decisions at scale
- GitHub & Atlassian: use your existing source control tools to manage your infrastructure like code

BUT... DEVOPS PIPELINES MAY NOT BE FULLY SECURED
The CyberArk Advanced Threat Landscape 2018 Report indicated:
- 75% of organizations do not have a privileged account security strategy for DevOps
- Fewer than half report that DevOps and security teams consistently work together
- Nearly all (99%) of security pros and DevOps respondents failed to identify all places where privileged accounts or secrets exist
Confidential and Proprietary. CyberArk Software Ltd. All rights reserved.

DEVOPS EXPANDS THE SECURITY CHALLENGES
- Must protect the pipeline!
- Unwatched environment
- Massive amounts of corporate IP
- POWERFUL credentials, accessed, changed and modified by people and code constantly!

ISLANDS OF SECURITY IN ACCESS MANAGEMENT CREATE CHALLENGES
Islands of security: Jenkins, Ansible Vault, AWS IAM/KMS, Docker Secrets, Kubernetes Secrets, Microsoft Azure IAM/KMS, Artifactory Security, Google Cloud IAM/KMS, OpenShift Secrets
Native tool solutions for secrets:
- Create security islands
- Provide a specific and different solution for each tool
- Not built with security in mind: a secret repository only
- No rotation of secrets
- No audit
- Have limited integration capabilities
- No central view of privileged account security

TYPICAL CHALLENGES OF THE CI/CD TOOLS
- Unmanaged and distributed secrets and credentials
- Usually the master server needs super-user privileges to gain access to many secrets
- Security islands: duplicate secrets management for different platforms
- Lack of audit
- Lack of compliance visibility
- Lack of segregation of duty

WHY DO CUSTOMERS WANT THE INTEGRATED SOLUTION? Global Energy Company
Requirements/solution:
- Enable Ansible to check out credentials from the CyberArk Enterprise Vault via Application Identity Manager (AIM)
- Execute an automation task in Ansible using the checked-out credentials
- Limit and control the use of checked-out credentials within Ansible

APPLICATION IDENTITY MANAGER
Eliminates embedded application credentials for improved security and compliance

SECRET MANAGEMENT WITH CYBERARK CREDENTIAL PROVIDER (CP)
Key features: strong authentication, local cache, full audit, secret rotation
Authentication (how the Credential Provider identifies the calling application): IP/DNS/hostname, OS user, application path, application hash
Resiliency: agent based
(diagram: on a server, the legitimate application (OS user app1, path /var/lib/app1, hash ABCDE) receives its database credential from the local Credential Provider, which fetches it from the CyberArk Vault; an attacker's application on the same server (OS user att, path /etc/att, hash AB123) does not match the registered application identity)

INTEGRATION GOALS
1. Automatic secure credential retrieval
2. No security islands: secrets are managed centrally in the Vault
3. Enable secret rotation
4. Auditability

CYBERARK & ANSIBLE: AUTOMATIC SECURE CREDENTIAL RETRIEVAL
Whenever Ansible requires privileged credentials:
1. A standard Python lookup is executed from within the playbook.
2. The lookup utilizes the AIM CLIPasswordSDK to communicate with the Credential Provider installed on the Ansible control node, which retrieves the credentials from the Vault.
3. The credentials are stored in variables and used throughout the playbook to access assets and APIs, configure systems, install applications, etc. on the managed nodes.
(diagram: Vault <-> Credential Provider on the control node <-> Ansible playbook -> managed nodes)

CYBERARK AIM IS PART OF ANSIBLE!
- The CyberArk AIM module for Ansible has been approved by the community and is merged into the core Ansible product
- Ansible v2.4, shipped in mid-September 2017, includes the AIM integration
- It adds a CyberArk password lookup plugin that allows retrieval of credentials from the Vault
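The three retrieval steps above, written out as a playbook. This is an added example for this page, not a slide from the deck and not CyberArk's or Red Hat's own sample code. It uses the cyberarkpassword lookup that ships with Ansible 2.4 and assumes CLIPasswordSDK (the Credential Provider) is installed on the control node; the AppID ansible_webinar, the Safe/Folder/Object names, the db_servers group, the PostgreSQL account, and the assumption that the account's Address property equals the inventory host name are all illustrative and not from the deck.

```yaml
# Added example, not from the webinar deck: check a credential out of the
# CyberArk Vault through the Credential Provider on the control node and
# use it on the managed nodes. AppID, Safe/Folder/Object, host group and the
# PostgreSQL account below are assumptions.
- name: Provision a database role with a credential checked out from CyberArk
  hosts: db_servers
  gather_facts: false

  tasks:
    # Steps 1 and 2: the lookup runs on the control node and shells out to
    # CLIPasswordSDK, which asks the local Credential Provider. The CP
    # authenticates the caller by OS user, path and hash, so this play must
    # run as the OS user registered in the AppID definition (under Tower,
    # the AWX user). set_fact queries the Vault once per host instead of on
    # every reference to the variable.
    - name: Check out the application account from the Vault
      set_fact:
        db_cred: "{{ lookup('cyberarkpassword', cyquery) }}"
      vars:
        cyquery:
          appid: "ansible_webinar"                                # assumed AppID
          query: "Safe=Ansible_DB;Folder=root;Object=pg-app-user" # assumed object
          output: "Password,PassProps.UserName,PassProps.Address"
      no_log: true   # keep the returned secret out of job output and -v logs

    # The keys of the returned dict are the "output" names in lower case;
    # PassProps.* values sit under "passprops". Refuse to proceed if the
    # Vault handed back an account for another host, so a wrong Query cannot
    # push host A's credential onto host B. (Assumes the Address property is
    # kept equal to the inventory host name.)
    - name: Refuse to continue if the account does not belong to this host
      assert:
        that:
          - db_cred.password | length > 0
          - db_cred.passprops.address == (ansible_host | default(inventory_hostname))
        msg: "AIM returned an account whose Address does not match this host"
      no_log: true

    # Step 3: use the checked-out credential on the managed node. Nothing is
    # hard-coded in the playbook, so rotating the object in the Vault changes
    # what the next run receives without a playbook edit.
    - name: Create or update the application role in PostgreSQL
      postgresql_user:
        name: "{{ db_cred.passprops.username }}"
        password: "{{ db_cred.password }}"
        role_attr_flags: LOGIN
      become: true
      become_user: postgres
      no_log: true   # module arguments would otherwise be echoed in task output
```

Two checks worth running before trusting this in a pipeline: run the play once with -vvvv and confirm the password appears nowhere in the output (the no_log settings are what make that true), and confirm in the AppID definition that the allowed OS user, path and hash are set, since without them any process on the control node that can execute CLIPasswordSDK can request the same object.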

SECURE THE CONFIGURATION MANAGEMENT TOOL WITH CYBERARK
Critical steps for securing your CI/CD tools:
- Secure the master/playbook by removing hard-coded/unmanaged credentials from the jobs and retrieving them in a secure way using Application Identity Manager
- Protect the tool console by monitoring and recording any interactive access with Privileged Session Manager
- Secure the tool credentials by managing and rotating them based on policies using Central Policy Manager
- Auto-discover hidden hard-coded credentials in the tool's playbooks, roles and tasks using DNA
- Secure the managed nodes by establishing an identity during orchestration, to be used for secrets retrieval in a secure way, using Conjur
Leverage the CyberArk PAS suite to secure across the full environment.

SECURE ANSIBLE WITH CYBERARK CONJUR
- Secrets managed by CyberArk and Conjur are delivered securely to Ansible hosts
- Least privilege enforced on Ansible hosts
- Security teams enabled to bring best practices to Ansible and meet compliance requirements
- Removes the need to duplicate secrets management functionality across multiple platforms
- Audit privileged activity on Ansible hosts

DNA: INTEGRATION WITH ANSIBLE AUTOMATES DISCOVERY
Automates discovery of hidden credentials in Ansible (playbooks, roles, tasks) by using CyberArk Discovery & Audit
Customer value:
- Improves security and reduces risk for the CI/CD pipeline by automating discovery
- Gives the CISO a powerful tool to help discover and understand the risks of hidden credentials in DevOps environments
- Helps customers drive additional value from existing CyberArk solutions

KEY TAKEAWAYS & WHERE TO LEARN MORE
Key takeaways:
- Use the CyberArk Ansible plugin to secure your Ansible playbooks
- Use CyberArk DNA to identify hidden credentials in Ansible
- Check out CyberArk solutions for Ansible: https://www.ansible.com/integrations/devops-tools/cyberark
- Visit https://galaxy.ansible.com/cyberark-bizdev/
- Download the AIM lookup plugin from https://galaxy.ansible.com/cyberark-bizdev/password_lookup_plugin/
Where to start:
- CyberArk Conjur: a free and open source version of Conjur is available at conjur.org; visit us at www.cyberark.com/conjur
- Audit capabilities are available only in Conjur Enterprise
- The CyberArk Conjur Ansible role & lookup plugin are available on GitHub and Ansible Galaxy

GET STARTED Learn more about Ansible: ansible.com/it-automation Download an Ansible Tower trial: ansible.com/tower-trial

Q&A