Securing Ansible Automation Environments with CyberArk

November 26, 2019 Chris Smith

Ansible Automation

Automation Is Transforming IT Departments
Automated processes are transforming IT functions – even IT departments – by replacing manual tasks once handled by IT administrators with self-service tools and automated processes. For some organizations, automation tools are becoming the new system administrators, while, at the same time, helping IT professionals expand their reach across the organization.

What Is the Red Hat Ansible Automation Platform?

Red Hats Ansible Automation Platform incorporates Red Hat Ansible Engine, Red Hat Ansible Tower and SaaS-based capabilities for secure content management and analytics around automation deployments. The Platform is used by companies around the world including many CyberArk customers.

Red Hat Ansible Automation Platform provides enterprises with orchestration, configuration management and governance capabilities at scale, helping them to accelerate DevOps and digital transformation initiatives. For example, Red Hat Ansible Automation Platform enables organizations to rapidly provision cloud and on-premises infrastructure, deploy and update applications and meet other critical IT needs.

Automation Can Expand the Attack Surface
To perform and automate all of these functions, Red Hat Ansible Automation requires a high level of privileged access – in the form of powerful credentials or secrets – to access and manage IT resources and other services. As a typical Ansible Playbook can hold privileged credentials for many different IT resources, operating environments and tools, from a security perspective Ansible is often considered a Tier Zero (or mission-critical) asset.

Because of this, Ansible and other automation tools are attractive targets for cyber attacks. Threat actors can seek to compromise the credentials used by automation tools, just as they would for other Tier Zero assets such as Jenkins or root. If compromised, the attacker could gain access to many other IT resources and processes.

Frequently, human error or the absence of a robust security process results in inadvertent security vulnerabilities. And when poorly secured processes are automated, those vulnerabilities can scale exponentially and unnecessarily expose the enterprise to serious risk.

How Should Automation Environments Be Secured?

First, the secrets and privileged credentials used by automation solutions need to be secured. This starts by removing any hard-coded credentials from playbooks and any other places they’re located and rotating and managing credentials based on policy.  In some cases, monitoring activity to see how sensitive or powerful credentials are being used and applying just-in-time access and least privilege principles can help strengthen protections.

Second, the security footprint of the admin console – including human and programmatic access to the console – can be enhanced by taking a layered approach to access and credentialing. This involves rotating and managing credentials used by humans based on policy and roles, monitoring as needed and applying least privilege with just-in-time access as needed.

Securing development and automation environments can become increasingly difficult as organizations start to use a variety of platforms beyond Ansible (e.g., Jenkins, Red Hat OpenShift, Kubernetes, Puppet, AWS, Azure and others) with duplicate secrets management processes for each platform. This can create “security islands” that each require separate maintenance, management and auditing.

Ansible Automation leverages CyberArk to secure and manage the credentials that automation environments use to actually automate IT deployments.

 Enhancing Ansible Security with CyberArk Integrations

CyberArk offers several integrations with Red Hat Ansible Automation to provide organizations with simplified, automated secrets management, including integrations with both The CyberArk Application Access Manage Central Credential Provider and Dynamic Access Provider, as well as CyberArk Conjur Open Source.  Very briefly these integrations include:

  • Red Hat Ansible Tower Secrets Management System. This integration provides Ansible Tower users with an easy-to-use menu option to select CyberArk to centrally secure, manage, audit and rotate the secrets used by Ansible Tower (v3.5.1 and higher) to access IT and other resources —while enabling just-in-time secrets retrieval. See documentation here.
  • Onboarding Secrets Created in Play. This integration leverages the CyberArk Privileged Access Security Solution to randomize secrets created mid-play and onboard secrets into the Vault before the end of play.
  • Built-In Lookup Plugins for Ansible Engine (AAM Lookup and DAP/Conjur Lookup). Available in Ansible Engine v2.5 and above, the plug-ins retrieve secrets “just-in-time” from Dynamic Access Provider or Conjur Open Source.
  • Protecting the Ansible Console. This integration uses the Secure Web Application Connectors Framework to enable CyberArk to provide enhanced protection for the Red Hat Ansible Tower Website account.

There is also an integration that enables CyberArk DNA to detect unprotected credentials in Ansible Playbooks. CyberArk also has an integration with the Ansible security automation that enables Ansible Automation to automate CyberArk and other security functions. Learn more about these and other Ansible integrations on the CyberArk Marketplace or by joining the CyberArk open source community, CyberArk Commons. And, for a deep dive on Ansible Automation secrets management with Conjur Open Source, read “Managing Secrets in Red Hat Automation Playbooks.”

Learn More: Dec. 11 Webinar and Dec. 4 Workshop

Additionally, we have two live events scheduled in December. Both events are ideal for:

  • Ansible Automation developers who want to find ways to better secure their Ansible Playbooks by utilizing their organization’s existing CyberArk infrastructure.
  • Cybersecurity professionals who want to better secure their organization’s Ansible environment by giving automation developers more secure access to privileged credentials managed by CyberArk.

Don’t miss our December 11 webinar, “Securing Ansible Automation Environments with CyberArk.”  This webinar explores common use cases and best practices for securing Ansible Automation environments and includes practical tips for getting started and improving security by enhancing Ansible’s native capabilities without slowing down automated processes. Register Here.

We’ve teamed up with Red Hat for a hands-on Ansible Workshop, “Securing Ansible Automation Environments.” This workshop highlights practical guidance for using CyberArk to help secure Ansible Playbooks and environments. The December 4 half-day workshop will be held in Chicago.

Attendees will participate in hands-on exercises and interact with security and automation peers to share challenges and successes. Request registration for the workshop or learn more by contacting [email protected]. Space is limited, so get in touch today!


Previous Article
RPA: Citizen Developers – at the Corner of Speed and Value
RPA: Citizen Developers – at the Corner of Speed and Value

Gartner’s definition:  “A citizen developer is a user who creates new business applications for consumption...

Next Article
Self-Sovereign Identity: A Distant Dream or an Immediate Possibility?
Self-Sovereign Identity: A Distant Dream or an Immediate Possibility?

To help solve the identity problem, enter Self-Sovereign Identity (SSID), which enables users to own, contr...