TRANSCRIPT
Security at Inception
Ansible Orchestration Meets Secrets Management
Joe Garcia, CISSP
DevOps Security Engineer, CyberArk
Share your automation story
1. How did you get started with Ansible?
2. How long have you been using it?
3. What's your favorite thing to do when you Ansible?
WHO IS CYBERARK?
SECRETS MANAGEMENT TODAY
Pipeline stages: Developer -> SCM -> Build -> Package Repo -> Deploy -> Test -> Stage -> Prod
Secret stores scattered along the pipeline: Jenkins Credentials, Artifactory Secrets, Ansible Tower Credentials
“ISLANDS OF SECURITY”
Each “Island of Security” requires maintenance, management, and auditing
Islands: Hiera, Databags, Tower Credentials, IAM / KMS (one per cloud account), Secrets (one store per tool)
THE PROBLEM? WE’RE HUMAN
STRESSED BUSY TIME OFF
SECRET MANAGEMENT METHODS
Pipeline stages: Developer -> SCM -> Build -> Package Repo -> Deploy -> Test -> Stage -> Prod
Centralized Secrets Management
Centralized Auditing
Centralized Dynamic Retrieval
JUST-IN-TIME SECRET RETRIEVAL FROM CYBERARK
CENTRAL CREDENTIAL PROVIDER
• Web Service
• Attribute-Based Authn
• 100+ Integrations
DYNAMIC ACCESS PROVIDER
• Containerized
• Token + Attribute-Based Authn
• Auto-Scalable with HA
Ansible Tower Secret Management System
AVAILABLE INTEGRATIONS IN TOWER v3.5.1
• CyberArk Application Identity Manager (AIM)
• CyberArk Conjur
• HashiCorp Vault Key-Value Store (KV)
• HashiCorp Vault SSH Secrets Engine
• Microsoft Azure Key Management System (KMS)
CyberArk integrations:
• CyberArk Application Identity Manager (AIM)
• CyberArk Conjur
1. Create Credential & Link to Secret Lookup
   Allows the centralized vault to rotate and manage secrets
2. Add Machine Credential to Job Template
   OR
   Reference Credential Variable in Playbook
CYBERARK APPLICATION ACCESS MANAGER (AAM)
Formerly Application Identity Manager (AIM)
Credential Type: CyberArk AIM Secret Lookup
CYBERARK CONJUR
Credential Type: CyberArk Conjur Secret Lookup
1. Create Credential & Link with Secret Lookup
   Allows the centralized vault to rotate and manage secrets
2. Add Machine Credential to Job Template
   OR
   Reference Credential Variable in Playbook
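The "Reference Credential Variable in Playbook" path, shown as an added example rather than material from the slides: a Tower custom credential type whose secret field is linked to a CyberArk AIM or Conjur Secret Lookup credential, followed by a playbook that consumes the injected variable. The credential type name, the field id `db_admin_password`, the host group and the safe/object and secret-identifier values are placeholders chosen for this example.

```yaml
# Added example (not from the slides). Three YAML documents: the two
# configuration boxes of a Tower custom credential type, then a playbook.
# Names and paths are placeholders.

# --- Custom credential type: INPUT CONFIGURATION ---
---
fields:
  - id: db_admin_password
    type: string
    label: Database Admin Password
    secret: true          # masked in the UI and encrypted at rest in Tower
required:
  - db_admin_password

# --- Custom credential type: INJECTOR CONFIGURATION ---
# Exposes the field to the play as an extra var; nothing is written to disk.
---
extra_vars:
  db_admin_password: "{{ db_admin_password }}"

# A credential of this type is created with db_admin_password linked
# (the key icon next to the field) to a "CyberArk AIM Secret Lookup" or
# "CyberArk Conjur Secret Lookup" credential, supplying the lookup's
# metadata: an object query such as Safe=Ansible_Secrets;Object=db-admin
# for AIM, or a secret identifier such as prod/db/admin_password for Conjur
# (placeholder values). Tower resolves the value at job launch, so a rotation
# in the vault needs no change in Tower or in the playbook.

# --- Playbook attached to the Job Template that carries the credential ---
---
- name: Apply the database admin password supplied by Tower
  hosts: db_servers
  tasks:
    - name: Set the admin password (value came from the vault, not the repo)
      mysql_user:
        name: admin
        host: localhost
        password: "{{ db_admin_password }}"
      no_log: true   # keep the secret out of job stdout and callback logs
```

Because the value is injected as an extra var only for the job's lifetime, the playbook in source control never carries the secret, and the same play works unchanged whether the field is linked to AIM or to Conjur.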
Onboarding Secrets Created in Play
ANSIBLE GALAXY PROVISIONING ROLE
$ ansible-galaxy install infamousjoeg.provisioning
Onboards credentials and secrets created in play into the CyberArk PAS Core Solution
Allows you to randomize secrets and use no_log
INFAMOUSJOEG.PROVISIONING EXAMPLE
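The slide's own example is a screenshot that did not survive extraction; the play below is an added illustration of the "randomize secrets and no_log" pattern, not the author's code. It creates a service account with a randomized password mid-play and hands that password to the infamousjoeg.provisioning role for onboarding. The slides do not list the role's variable names, so `onboard_username`, `onboard_password` and `onboard_address` are placeholders to be replaced with the names in the role's README; the host group and account name are also constructed.

```yaml
# Added example (not the slide's own). Role variable names are placeholders.
---
- name: Create a local service account and onboard its secret into CyberArk
  hosts: app_servers
  become: true
  vars:
    svc_user: svc_app
  tasks:
    # A lookup placed under `vars:` is re-evaluated on every reference, which
    # would hand the user module and the onboarding role two different random
    # passwords. set_fact evaluates it once and freezes the value for the run.
    - name: Generate a 32-character random password once
      set_fact:
        svc_password: "{{ lookup('password', '/dev/null length=32 chars=ascii_letters,digits') }}"
      no_log: true   # /dev/null keeps the password lookup from caching to a file

    - name: Create the account with the randomized password
      user:
        name: "{{ svc_user }}"
        password: "{{ svc_password | password_hash('sha512') }}"
        shell: /usr/sbin/nologin
      no_log: true   # hashed and plain values would otherwise appear in -v output

    # import_role is used rather than include_role so that no_log applies to
    # every task the role runs, not only to the include itself.
    - name: Onboard the new credential into the CyberArk PAS Core Solution
      import_role:
        name: infamousjoeg.provisioning
      vars:
        onboard_username: "{{ svc_user }}"          # placeholder variable name
        onboard_password: "{{ svc_password }}"      # placeholder variable name
        onboard_address: "{{ inventory_hostname }}" # placeholder variable name
      no_log: true
```

Once the role has onboarded the account, the vault becomes the system of record and can rotate the password; the random value generated here is never committed, printed, or reused by the play. Leave fact caching disabled for a play like this, since set_fact would otherwise persist the plain-text password in the cache.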
Built-In Lookup Plugins for Ansible Engine
CYBERARKPASSWORD LOOKUP PLUGIN
Available in Ansible Engine v2.5 or above
Retrieves secrets “Just-in-Time” using CyberArk Credential Provider
CONJUR_VARIABLE LOOKUP PLUGIN
Available in Ansible Engine v2.5 or above
Retrieves secrets “Just-in-Time” from CyberArk Conjur
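Both lookup plugins in one play, as an added example that is not from the slides. `cyberarkpassword` calls the CyberArk Credential Provider installed on the control node; `appid`, `query` and `output` are the plugin's documented options, while the application ID, safe and object names are placeholders. `conjur_variable` reaches Conjur using the plugin's own configuration (the CONJUR_APPLIANCE_URL, CONJUR_ACCOUNT, CONJUR_AUTHN_LOGIN and CONJUR_AUTHN_API_KEY environment variables, or /etc/conjur.conf and /etc/conjur.identity), and the variable path used here is constructed for the example.

```yaml
# Added example (not from the slides). Safe, object, app ID, Conjur variable
# path, host group and template names are placeholders.
---
- name: Retrieve secrets just-in-time from CyberArk at task run time
  hosts: webservers
  gather_facts: false

  vars:
    # Options for the cyberarkpassword lookup (Credential Provider on the
    # control node). Values are constructed for this example.
    cyquery:
      appid: "app_ansible"
      query: "safe=Ansible_Secrets;folder=root;object=db-admin"
      output: "Password"

  tasks:
    # The lookups sit in task-level vars, so they run only when this task
    # renders the template: the secrets are fetched at the moment of use and
    # are never stored as facts or written to the inventory.
    - name: Render the application config with just-in-time secrets
      template:
        src: app.conf.j2
        dest: /etc/app/app.conf
        owner: app
        group: app
        mode: "0600"
      vars:
        db_password: "{{ lookup('cyberarkpassword', cyquery).password }}"
        api_key: "{{ lookup('conjur_variable', '/prod/app/api_key') }}"
      no_log: true   # keep both secrets out of stdout, -v output and callbacks
```

Because each value is fetched from the vault on every run, rotating either secret in CyberArk or Conjur requires no change to the playbook; the control node only needs the Credential Provider (for `cyberarkpassword`) or a Conjur identity (for `conjur_variable`) with permission to read those specific objects.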
WHICH INTEGRATION TO USE AND WHEN?
Ansible Tower Secret Management System
• Ansible Tower v3.5.1 or above
• CyberArk Central Credential Provider: CyberArk AIM Secret Lookup
• CyberArk Conjur: CyberArk Conjur Secret Lookup
Onboarding Secrets Created in Play
• CyberArk PAS Core Solution
• Secret creation required mid-play
• Secret is deemed privileged & falls under compliance regulations
Built-In Lookup Plugins for Ansible Engine
• Ansible Engine v2.5 or above
• No Ansible Tower licensing, or Ansible Tower below v3.5.1
• CyberArk Credential Provider: cyberarkpassword
• CyberArk Conjur: conjur_variable
@Joe_Garcia infamousjoeg
https://cyberark.com | https://conjur.org