Security is Hard. Why Not Automate It?

December 6, 2016 by Sam Doran


Security automation doesn't get a lot of time in the spotlight, but it's something that deserves more thought and attention. The almost constant stream of headlines about the latest data breach or large scale hack make these seem like inevitable events that can't be prevented. Nothing could be further from the truth.

In reality, most data breaches are easily prevented by applying basic security standards and fixing known vulnerabilities in a timely manner. Covering the basics frees information security teams to monitor, detect, and stop more advanced attacks. Hardened systems also make life difficult for attackers, which is always a good thing.

But where does Ansible fit into all this? Ansible is great for configuration management, continuous integration and delivery, orchestration, application deployment and even infrastructure provision. But “I solved a security problem with Ansible” might not be what you’re accustomed to hearing at the water cooler from your average information security or operations person.

To understand how Ansible fits into the security picture, it’s worth stepping back a little to understand exactly what information security is.

Information security is a multifaceted problem

Keeping information secure isn’t easy. We all know what needs to be done, but the task of configuring systems and applications to make life more difficult for attackers is daunting.

Information security is a multifaceted and complex problem that involves people, processes, technology, and economics.

It’s a people problem because we're all imperfect humans and we consistently ship software with bugs. Those bugs are discovered by clever attackers who leverage them for illicit gain. More technology being released at a breakneck pace means more vulnerabilities ripe for exploitation.

The development processes and economic forces in place today for creating and shipping software flood the market with vulnerable devices no one is incentivized to fix (I’m looking at you, IoT). It isn't feasible to spend tens of thousands of dollars and months of development time testing a $50 disposable device.

With all these factors at play, no wonder it’s difficult to solve today’s complex security challenges.

Ansible can help

First the not so good news: Ansible isn’t a magic unicorn. It can’t fix a broken process or a business culture not interested in securing its own products. What Ansible does bring to the table is a combination of qualities that make it an excellent tool for security automation, qualities that make it easier to enforce standards and to adapt to and meet internal and external security guidelines:

  • Agentless
  • SSH/WinRM
  • Desired State (no unnecessary changes)
  • Extensible and Modular
  • Push-Based Architecture
  • Easy Targeting Based on Facts

These qualities in and of themselves are nothing revolutionary. But the combination in a single tool is a potent ally in the fight to secure your critical systems against attack.

Another reason to love Ansible for security – it’s like extending an olive branch across IT departments

Whether you’re in development or operations, perhaps you’re already using Ansible — it’s a great tool that plays nice with others (no need for Ansible to be the only tool in your tool belt). But as with any organization, there’s tension between those responsible for the overall security of the organization and those writing software (Developers) and keeping systems running (Operations). Each team simply has a different job to do, each one just as important as the other.

What makes Ansible unique is that it’s a tool that can be used and loved by developers, operations, and security teams alike.

Consider this scenario: Developers and Operations are using Ansible to provision and manage their infrastructure. The security team interjects with a list of security vulnerabilities that need to be fixed in that infrastructure. It’s a familiar situation that causes delays and gripes. What if, instead, the security team said “We’ve found these problems in your environment, and we’ve written a Playbook that you can use to fix them. Take a look, let us know what you think, and try running it on your systems.”

Suddenly, everyone is talking the same language thanks to a tool that’s trusted by all. Instead of piling more work on already over-burdened teams, the Information Security team can build bridges with a proactive, Playbook-based fix.
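The kind of remediation Playbook the scenario above describes, written here as an added example that is not from the original post or from the Ansible project itself. It ties together three of the qualities listed earlier: desired state (each task declares the end result and makes no change when the host already complies), targeting based on facts (the service name and package task key off the OS family), and a verification step so the security team can see the result rather than trust the run. The inventory group `webservers`, the playbook filename and the specific sshd settings are assumptions chosen for illustration; the modules, fact names and `validate` pattern are standard Ansible.

```yaml
# Added example (not the post's own code): remediate weak SSH daemon settings
# that a security team might hand to Operations as a Playbook.
# The group name, settings list and filename are assumptions for illustration.
---
- name: Remediate weak SSH daemon settings reported by the security team
  hosts: webservers            # assumed inventory group
  become: true
  gather_facts: true           # facts drive the OS-specific choices below

  vars:
    # Desired state: each option is declared once. lineinfile only edits the
    # file when the line is missing or different, so re-running is safe and
    # --check mode reports exactly which hosts would change.
    sshd_settings:
      - { key: PermitRootLogin, value: "no" }
      - { key: PasswordAuthentication, value: "no" }
      - { key: X11Forwarding, value: "no" }
    # Targeting based on facts: Debian-family hosts call the service "ssh".
    sshd_service: "{{ 'ssh' if ansible_facts['os_family'] == 'Debian' else 'sshd' }}"

  tasks:
    - name: Ensure the OpenSSH server package is current on supported families
      ansible.builtin.package:
        name: openssh-server
        state: latest
      when: ansible_facts['os_family'] in ['RedHat', 'Debian']

    - name: Enforce sshd_config options
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        # Match the directive whether it is set or commented out, then replace it.
        regexp: '^\s*#?\s*{{ item.key }}\s+'
        line: "{{ item.key }} {{ item.value }}"
        # Refuse to write a file that sshd itself would not load.
        validate: /usr/sbin/sshd -t -f %s
      loop: "{{ sshd_settings }}"
      notify: Restart sshd

    - name: Read the effective sshd configuration from the file on disk
      ansible.builtin.command: sshd -T
      register: sshd_effective
      changed_when: false      # read-only; never report this as a change
      check_mode: false        # still run during --check so the report is useful

    - name: Fail loudly if password logins are still allowed
      ansible.builtin.assert:
        that:
          - "'passwordauthentication no' in sshd_effective.stdout"
        fail_msg: "Password authentication still enabled on {{ inventory_hostname }}"

  handlers:
    - name: Restart sshd
      ansible.builtin.service:
        name: "{{ sshd_service }}"
        state: restarted
```

Operations can preview the change with `ansible-playbook -i inventory harden_ssh.yml --check --diff` before applying it; because every task is idempotent, the second real run reports no changes, which is the desired-state property that makes a Playbook a reviewable, repeatable fix rather than a one-off script. During a `--check` run the final `assert` will still fail on hosts that have not yet been remediated, which is the report the security team wants to see.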

Through security automation, Ansible bridges a fundamental gap in how organizations approach information security and can help all teams work together towards achieving meaningful improvements in the security posture of their organization.

Just some of the security use cases Ansible can be applied to include:

  • Security Technical Implementation Guides (STIG)
  • Payment Card Industry Data Security Standard (PCI DSS)
  • Network device hardening
  • Remediation
  • Internal standards
  • System tracking with Ansible Tower
  • Incident response

Ready for more?

Watch my session from AnsibleFest Brooklyn 2016 below to learn more about how you can automate each of these security tasks using the agentless, push-based power of Ansible. (You can skip to the 16:25 mark to dive straight into the examples.)



Sam Doran

Sam Doran is a Senior Software Engineer, Ansible, working on Red Hat Ansible Engine. He served in the US Air Force as an aircraft mechanic and is a proud alumnus of the Virginia Tech Corps of Cadets. He worked for the US Government as well as private industry in jobs ranging from professional photography and graphic design to Site Reliability Engineering, Network Engineering, and Information Security. He has used Ansible since 2013 to automate security monitoring infrastructure, cloud provisioning, and application installation and configuration, and has helped Fortune 500 companies implement large scale deployments of Red Hat Ansible Tower. Sam loves automating anything and everything using Ansible.
