Our modern world is built on vast interconnected systems of network devices. Within an organization, networks keep everyone and everything connected and up and running. To maintain a strong cybersecurity posture, network infrastructure must reflect the well-known CIA “triad” of confidentiality, integrity and availability. Each configuration within the network is comprised of multiple pieces of equipment, each secured by credentials and secrets, and must remain confidential with access granted only to authorized personnel. To maintain integrity, each configuration must also be consistent and compliant within various frameworks and standards. And to meet availability standards, each device must be continuously updated to keep things running smoothly and securely.
Maintaining this security triad is paramount for government agencies and their partners as they hold both sensitive data and the keys to critical infrastructure. Yet their IT security teams face challenges in scaling security across these increasingly complex, interconnected global networks. Manually managing tens of thousands of networking devices often requires several full-time staff members and hundreds (perhaps thousands) of hours spent backing up the system and maintaining configuration standards alone. As IT shops work hard to do more with less, while facing pressure to speed processes and maximize efficiency, automation is now the name of the game and a strategic component of digital transformation. While the notion of automating a huge network may seem intimidating at first, it doesn’t have to be that way.
This is a story of how a leading defense contractor took a lean, mean, automated approach to managing their machines — by diving head-first into The Matrix.
Into The Matrix: Automation Unlocks a New Dimension
In the pop culture classic film “The Matrix,” starring Keanu Reeves, the character Neo was presented with a tough choice: keep your old life and maintain status quo by choosing to take a blue pill or discover a whole new world and limitless possibilities by taking the red pill.
Once Neo chooses to take the red pill, the world of The Matrix opens up to him. Not only does he learn that everything about life as he knew it was a lie, he also learns how to manipulate the world around him to make things easier and more efficient. For example, he is able to bypass decades of martial arts training just by “plugging in,” mastering kung fu in a matter of seconds. This “automatically” acquired skill becomes valuable later on in the movie when he faces the antagonist Agent Smith in the final life-or-death showdown.
Sure, this comparison isn’t perfect – after all, we’re talking about automating systems and machines, not learning kung fu. But when presented with the option of putting thousands of hours into manual configuration or automating the network, the choice is clear: automation can make all the difference when facing metaphorical “Agent Smiths,” from rogue attackers to relentless nation states.
How a Defense Contractor Mastered the Matrix with the CyberArk Ansible Tower Integration
For this government defense contractor, automation was crucial to conquering the gargantuan task of securely configuring and maintaining thousands of routers, switches and other networking devices across its network. For this organization, Red Hat’s Ansible Platform was a natural choice, providing a simple, device-agnostic way to automatically configure their network stack, simplify authentication processes, and continuously test and correct network configuration issues.
But to make this automation “magic” happen across so many different functions and systems, tools like Red Hat Ansible require highly privileged access in the form of identities, credentials and secrets. This far-reaching access makes these tools very powerful – and also very attractive targets for cyber attackers, who, just like many organizations today, are focused on working smarter not harder. If they can gain access to privileged credentials that open direct doors to sensitive assets and data, they can save a lot of time and effort.
Understanding these risks, the defense contractor brought together a powerful trio of Red Hat Ansible Tower, CyberArk Application Access Manager and Cisco Identity Services Engine (ISE) to protect and programmatically rotate privileged credentials and secrets, meet compliance requirements, accelerate its strategic automation push, and ultimately, tame the Matrix.
Here’s how it works.
- Using secrets and privileged credentials, Ansible Tower accesses and interacts with Cisco ISE to log on to each networking device and perform automated duties, such as backup configuration, network configuration maintenance and more.
- Instead of storing these secrets in Ansible Tower itself – which creates another potential attack vector and operationally reduces overhead with secrets management – the CyberArk Ansible Tower integration directs all credential requests to CyberArk Application Access Manager.
- All Cisco ISE secrets and credentials are centrally stored, monitored, rotated daily (based on the contractor’s specific policies and requirements) and audited by the CyberArk Core Privileged Access Security solution. When a credential is needed, Ansible Tower retrieves it via a query, enabling secure access to Cisco ISE.
- Ansible playbooks can rapidly and seamlessly access and use the credential, brokering access and enabling the automated process.
- And to make it even easier, integrations between Ansible and CyberArk, and with Cisco and CyberArk, are available in the CyberArk Marketplace.
With this integrated and centralized secrets management approach, the organization can stay in compliance, easily audit all access throughout various Ansible nodes and rapidly rotate device passwords based on policy or an incident – all without changing workflows, breaking automation or adding operational complexity or overhead.
Today, the defense organization can automatically patch, reconfigure and update more than 80,000 networking devices in less than two hours. By eliminating these manual processes, the IT security and network operations teams has saved hundreds of thousands of work hours and can now dedicate significantly more time to business-critical tasks that move the organization forward.
Working together, CyberArk, Ansible Tower and Cisco ISE have automated the network – and this defense contractor client has tamed its own Matrix, much like Neo did.
To hear the full story, tune in to our recent AnsibleFest 2020 talk (free registration required). To learn how CyberArk combined with Red Hat can help your organization securely automate processes and unleash operational efficiencies, check out these resources:
- Red Hat and CyberArk Resource Center: cyberark.com/redhat
- Webinar: How to Secure Ansible Automation Environments with CyberArk Secrets Management
- Interactive Demo: Ansible Tutorial
- Blog Post: Managing Secrets in Red Hat Ansible Automation Playbooks – A Detailed Ansible Secrets Management Tutorial With Conjur Open Source
- Blog Post: A Look Back at AnsibleFest 2019: Spotlight on Ansible Tower Integration
- DevOps Resource Center: https://www.cyberark.com/solutions/digital-transformation/devops-security/