Several members of the CyberArk team recently returned from AnsibleFest 2019, a four-day conference focused on Ansible, Red Hat’s open source automation management platform. Brandon Traffanstadt, Global Director for Solutions Engineering, and DevOps Security Guru Joe Garcia attended the conference in Atlanta. At AnsibleFest, they delivered presentations on integrations with Ansible’s new security automation platform, highlighting a number of CyberArk integrations with Ansible solutions. There was a lot of interest in the new integration that provides Ansible Tower users with an easy to use menu option to select CyberArk to secure, manage and rotate the secrets used by Ansible Tower.
Right after the event I was able to catch up with Brandon and Joe to ask each of them how the conference went…
What did you present on at AnsibleFest?
BT: The area my talk focused on was CyberArk’s integration with Ansible Security Automation.
The integration between CyberArk’s secure platform and Ansible Security Automation allows organizations to programmatically respond to environmental changes as well as input from other security solutions. For instance, if something out of the ordinary happens – like Joe clicking on a malicious funny cat video– it could trigger a company’s email security system to flag him as being a compromised user.
Once Ansible receives this information, it could then take proactive action to disable this user or require a password change, even going as far to change the security policy by requiring additional authentication or approval to use any privileged accounts that he had access to within CyberArk. The Ansible Security Automation with CyberArk helps automate incident response around an organization’s most privileged assets.
JG: What I spoke about in my talk is that, in the most recent version of Ansible Tower – version 3.5.1 – Ansible introduced the idea of a secrets management system. What that essentially means is that Ansible Tower has a credential store where it will encrypt at-rest secrets that you need in order to log in to the remote host, the private key that’s needed to log in, things like that.
People need secrets in order to log in and then configure a remote resource. Ansible always had a built-in way to do it, but this created a security island. When you don’t centralize all that management and auditing, it becomes a lot harder to maintain. That’s where our secrets management integration comes in. Instead of having the secrets stored in Ansible Tower itself, it redirects any attempts to get credentials from Ansible Tower to our backend, through the CyberArk Privileged Access Security Solution.
The integration creates secret look-ups in Ansible Tower with the relevant information that’s needed in order to make the connections back to the CyberArk solution. Then you can start to create machine credentials, Amazon Web Services credentials and different types of cloud credentials. Instead of having the information in Ansible Tower, the integration will grab those credentials just-in-time from CyberArk. Then it will provide that securely into the playbook and connect to the machine securely. This allows you to start getting that centralized management rotation.
You’re staying within compliance now. You’re not changing things or breaking automation. At the same time, we get to audit all the access throughout the different nodes in Ansible. People are really starting to like the fact that they don’t have to manage secrets separately in Ansible Tower anymore. They have CyberArk to go to as a central source.
What kind of reaction did you get?
JG: Compared to past events, I’d say one of the biggest changes was the interest and enthusiasm around security and automation.
This year for my talk I had a packed room with more than a hundred people all interested in learning about how to deal with security at inception using Ansible with CyberArk and secrets management. The conversations I had with attendees afterwards really reinforced the impact we can have on how companies approach security.
BT: The single biggest piece of feedback I received from the conversations we had at the booth and outside the booth was that folks at AnsibleFest are interested in learning more about secrets management and CyberArk’s approach. There’s a lot of thirst for education happening in the market right now. It’s an exciting time to be in this space.
For example, automation developers were really interested in hearing about CyberArk’s integration with Ansible Tower. One of the problems people were having is that secrets rotation, a requirement that is being mandated in many cases by their security teams, is manual in Ansible Tower. This makes it hard to make sure that the credentials are getting rotated when and how they should be. If you’re not using Tower, this means that you’d potentially have to go out and update playbooks, scripts and other artifacts after every rotation cycle, which is pretty much a terrible way to spend a few afternoons.
IT managers were really surprised at how much easier credential rotation was with CyberArk handling it. Attendees working for companies that already leverage CyberArk for Privileged Access Management were also very interested to hear about the integrations with Ansible that are already part of the core solution—from using Ansible to deploy elements of the platform to leveraging the CyberArk collection within Galaxy to automate tasks — like secrets onboarding – within CyberArk.
It’s a really exciting time. There’s so much more follow-up we can do after hearing, “Oh man, I would really love to learn more.”
If you weren’t able to make it to Atlanta this year for Brandon and Joe’s talks, stay tuned as we are scheduling a follow up webinar to help security teams enable their automation focused developers and IT staff leverage CyberArk to secure their Ansible environments. You can also discuss the Ansible integrations in the new CyberArk Commons discussion forum and access the CyberArk /Ansible integrations in the CyberArk Marketplace and on www.conjur.org. If you’re in Chicago, we’re planning a half day workshop with Ansible later this year. Contact [email protected] for additional information.