Elevator Pitch
The act of secrets management is one of the first steps to building a successful security program. Many organizations complete this task as a manual process, leaving it exposed to human error. Let's put humans back to work and thinking while leveraging APIs with automation to build security in at the inception of the secret.
Description
Security at Inception: Ansible Orchestration of Secrets Management
This talk centers around CyberArk as the product integrating with Red Hat Ansible to ease the burden of security and secrets management. It is easily modified to be "vendor agnostic" by replacing CyberArk-specific product(s) with generalized terms such as "Credential Provider" and "Secrets Service" or "Secrets Backend."
Problem
Humans are not perfect. We don't follow code and we're not robots. We also have a lot of things going on at once. From time to time, we need a break. Be it a mental health day or a vacation, we need to get away. An alarming number of organizations today rely on manual tasks when onboarding secrets into their secrets service of choice. This means more human interaction than necessary.
This talk aims to enlighten the audience on more automated ways, specifically using the popular orchestration application Ansible, to remove the possibility of human error or human absence from the process. The result is increased agility and reduced stress and workload, all while maintaining a high level of security.
Solution
This talk will go over real-world examples of different methods CyberArk has found over the years to solve the aforementioned problem.
- Utilization of the infamousjoeg.provisioning Ansible role to automate the onboarding of secrets as they're created. One such example: deploying a LAMP stack onto a web server requires the instantiation of a MySQL admin account. Onboarding and managing this secret immediately means the password never needs to appear in the Ansible playbook, and allows for immediate rotation of the secret so that nobody walks away with the keys to the database.
- Utilization of Ansible's built-in cyberarkpassword lookup plugin in versions >=2.5. This allows you to leave those SSH private keys and root account passwords out of your inventory files and Ansible playbooks, and instead grab them "just-in-time" (JIT) as needed to log in to remote target hosts.
- Utilization of request-based applications, such as ServiceNow, to further automate the onboarding process in tandem with Ansible orchestration.
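As an added illustration of the second point above (example code written for this page, not from the talk, CyberArk or the Ansible project), the play below pulls a target host's root credential just-in-time through the cyberarkpassword lookup, so neither the inventory nor the playbook ever holds the password. The AppID, safe and object names are constructed placeholders, and the play assumes the CyberArk Credential Provider is installed on the Ansible control node where the lookup runs; the returned keys (password, passprops.username, passwordchangeinprocess) follow the plugin's lower-cased output field names.

```yaml
# Added example: JIT retrieval of a root credential with the cyberarkpassword
# lookup (Ansible >= 2.5). Nothing secret lives in inventory or in this file.
- name: Configure web tier without a credential in inventory or playbook
  hosts: webservers
  vars:
    # Query handed to the lookup plugin. "output" selects the fields returned.
    # AppID, safe and object names below are constructed placeholders.
    cyquery:
      appid: "app_ansible"
      query: "safe=Linux_Root;folder=root;object={{ inventory_hostname }}-root"
      output: "Password,PassProps.UserName,PasswordChangeInProcess"
    # Resolved lazily on the control node the first time a task needs it;
    # the value stays in memory and is never written to disk.
    cyberark_creds: "{{ lookup('cyberarkpassword', cyquery) }}"
    ansible_user: "{{ cyberark_creds['passprops.username'] }}"
    ansible_password: "{{ cyberark_creds.password }}"
    ansible_become_password: "{{ cyberark_creds.password }}"
  tasks:
    # Guard the edge case the Secrets Service reports: an in-flight rotation
    # means the fetched value may be stale, so stop rather than lock the account.
    - name: Stop if the Secrets Service is mid-rotation for this object
      fail:
        msg: "Password change in progress for {{ inventory_hostname }}; retry later."
      when: cyberark_creds.passwordchangeinprocess | bool

    # Any task whose result could echo the credential should carry no_log: true
    # so it is kept out of task output and controller logs.
    - name: Install the LAMP packages using the just-in-time root credential
      package:
        name:
          - httpd
          - php
          - mariadb-server
        state: present
      become: true
      no_log: true
```

Once the host is configured, the same credential can be rotated by the Secrets Service immediately, since no copy of it was left behind in version control or on the control node.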
Ansible Role infamousjoeg.provisioning
https://github.com/infamousjoeg/provisioning
ansible-galaxy install infamousjoeg.provisioning
Notes
Joe Garcia, CISSP - Strategic Solutions Engineer, CyberArk
As a Strategic Solutions Engineer, Joe Garcia has a strong background in DevOps, Cloud and Security and is currently focused on helping customers implement and scale effective secrets management solutions. As CyberArk's subject-matter expert in DevOps Security, Joe Garcia shares CyberArk's vision of building a security community that is as agile as the automation it is securing in today's fast-paced environments. You can typically find him spreading that shared vision at DevOps events, conferences, webinars, podcasts, and anywhere automation is a hot topic. Prior to that, as a CyberArk customer, Joe worked at Raymond James Financial, most recently serving in their Security Operations Center (SOC) focused on Vulnerability and Monitoring, dealing with everything from data automation from the Qualys Cloud all the way down to producing comprehensive compliance metrics for the division. Joe is a CISSP, Six Sigma Yellow Belt, and a Certified AWS Technical Professional.
Social
Twitter: @Joe_Garcia | LinkedIn: /in/JoeGarciaFL | GitHub: infamousjoeg | KeyBase.io: infamousjoeg
Previous Speaking Engagements & Podcasts:
Application Security Weekly | ITPro.TV Technado Podcast | RedHat Summit 2019