25 January 2022

Cyber Ark Security and Ansible Automation

 


CyberArk offers enhanced end-to-end security for critical assets


As an established leader in privileged access management and identity security capabilities, CyberArk helps the world’s leading organizations secure their most critical digital assets. CyberArk partnered to build Red Hat certified integrations, which offer joint customers end-to-end security for Red Hat OpenShift Container Platform and Red Hat Ansible Automation Platform. This unique offering allows Red Hat and CyberArk to increase revenue and grow their accounts through more efficient and secure business solutions. 

Benefits

  • Increased revenue year over year
  • Opened access to customer’s wider IT organization to build new relationships
  • Enhanced security for users by automating credentials management

Protecting critical digital assets worldwide

For more than a decade, the world’s leading organizations have trusted CyberArk to help them secure their most critical digital assets. Today, the growing software security company protects more than 6,600 global businesses—including most of the Fortune 500—and a majority of Fortune banks and insurance, pharmaceutical, energy, and manufacturing companies rely on CyberArk.


With its U.S. headquarters in Massachusetts and main office in Illinois, CyberArk offers customers solutions focused on privileged access management (PAM), identity security and DevSecOps. More than 2,000 staff members, located in offices around the globe, help security leaders get ahead of cyber threats, specifically cyberattacks against an organization’s most critical assets. “Typically the most privileged users inside an organization have access to the most sensitive information,” said John Walsh, Senior Product Marketing Manager at CyberArk. But the lines between the trusted insider, third-party vendor, and outsiders have started to blur and even disappear as sophisticated supply chain attacks like SolarWinds materialize. “It’s zero-trust—you really can’t tell who the outsiders and the insiders are anymore.”

CyberArk is helping customers move their critical strategies forward more securely. Work from home dynamics and demand for efficiency have motivated companies to accelerate their digital transformations and cloud migration plans. And, with that, customers have a heightened sense of urgency around CyberArk’s PAM and identity solutions. 

Offering customers end-to-end security for Ansible and OpenShift

A Red Hat partner since 2016, CyberArk is in the top four strategic security partners, and one of the highest revenue generating in the Global Partner Alliances (GPA) program, specifically in the security segment. GPA helps Red Hat partners build, expand, and sell software applications. As a result of the continued collaboration between the two organizations, CyberArk was recently awarded the Collaboration Technology Independent Software Vendor (ISV) Partner Of The Year, announced at Red Hat Summit 2021.

The partnership is not localized to a specific region—it covers North America, Europe, the Middle East and Africa, and Asia Pacific and Japan, across a range of sectors. Red Hat elevated CyberArk to Globally Managed Partner in 2018. “We have a dedicated Red Hat resource,” said Joanne Wu, VP of Business Development at CyberArk. “When Red Hat runs campaigns or events, or goes to market, we are often, if not always, one of the top partners approached for these invitation-only strategic initiatives.”

The partnership offers Red Hat customers enhanced security for Red Hat OpenShift and Red Hat Ansible Automation Platform. “Just like any good partnership, we complement and support each other as Red Hat is a market leader in container management and automation,” said Walsh, “while CyberArk is a market leader in privileged access management and identity security. Together, we not only help each other, but we also offer a better solution to our customers.” 

Red Hat and CyberArk collaborate on rich content such as whitepapers, a hands-on workshop that shows how the technologies integrate, and videos to increase customer skill levels.


Integrating leading solutions

Red Hat and CyberArk work together on Red Hat certified integrations to offer a solution that secures secrets and credentials in Red Hat Ansible Automation Platform and within the DevOps environments of Red Hat OpenShift. Red Hat OpenShift is an enterprise-ready Kubernetes container platform with full-stack automated operations to manage hybrid cloud, multicloud, and edge deployments. “CyberArk secures application secrets and the access they provide for Red Hat technologies, rotating them, auditing, and authenticating access according to best practices,” said Walsh.

CyberArk’s Conjur provides a comprehensive, centralized solution for securing credentials and secrets for applications, containers, and continuous integration and continuous delivery (CI/CD) tools across native cloud and DevOps environments. CyberArk Conjur integrates with Red Hat OpenShift to provide ways to simplify and strengthen security by safeguarding the credentials used by applications running in OpenShift containers.


CyberArk and Red Hat provide more than 10 integrations to enhance security and protect automation environments for Red Hat OpenShift and Red Hat Ansible Automation Platform. CyberArk makes these available as certified integrations on its marketplace, empowering DevOps and security teams to automatically secure and manage the credentials and secrets used by IT resources and CI/CD tools. 

These integrations simplify how operations teams write and use playbooks to more securely access credentials. Credentials are centrally managed and secured by CyberArk. Secrets used by Ansible Playbooks are automatically secured and rotated by CyberArk based on the organization’s policy.

Building a strong alliance: Red Hat and CyberArk increase revenue through partnership

Increased revenue year over year

Red Hat and CyberArk increase revenue for each other through their partnership, with revenue growing year over year. “CyberArk influences a Red Hat deal being closed and, vice versa, Red Hat helps CyberArk to find opportunities and close deals,” said Wu. “Both companies benefit from the value proposition. It’s a true win-win.” 

By mutually developing their pipeline over the years, both Red Hat and CyberArk have witnessed exponential growth in the number of accounts where they jointly present their value proposition.


Opened access to the wider organization

Red Hat helps CyberArk gain access to the DevOps team, and CyberArk helps Red Hat gain access to security teams. “CyberArk is mostly speaking to the security teams, all the way up to the CSO [Chief Security Officer],” said Wu. “Red Hat has given us visibility to the infrastructure side of the house.”

Most importantly, the partnership with Red Hat helps CyberArk build relationships with DevOps teams using Ansible Automation Platform for their CI/CD pipeline, and looking for security solutions. CyberArk is then able to include security solutions with those DevOps projects. “Red Hat has helped CyberArk reach the IT organization,” said Walsh. “Red Hat enables CyberArk to provide our security solutions and Red Hat integrations as a stronger solution, to raise awareness, and to expand our market reach.”

Stayed aware of the latest developments

CyberArk’s close relationship with Red Hat means it is always fully informed about how Red Hat technologies are evolving, and, with that, it can ensure its security solutions are always fully aligned with new Red Hat features and products. “Having visibility into the Red Hat Ansible Automation Platform roadmap means we can stay ahead while developing our integrations,” said Wu.

When Red Hat released Ansible security automation, CyberArk was one of the first ISVs to develop an integration. And when Ansible Automation Platform first included collections, CyberArk quickly packaged its collection to ensure it was available on Ansible Automation Hub.


Enhanced security for users

The partnership ensures customers get a more efficient and hardened implementation, whether with Red Hat OpenShift or Red Hat Ansible Automation Platform. 

Joint customers can find CyberArk’s Red Hat Certified integrations on the Red Hat Ecosystem Catalog and Ansible Automation Hub. CyberArk also has native integration with Ansible Automation Platform, built in at the product level.

The integrations are not only free but also jointly supported by both Red Hat and CyberArk. Customers do not need to invest any development resources because the integrations do not require any code.

Expanding on successes with Red Hat

Looking to the future, CyberArk is planning to build on its already strong partnership with Red Hat. “We’ve had a tremendous co-selling effort in the U.S. and EMEA [Europe, Middle East, and Africa], and I’d like to see that expand even more so to APJ [Asia Pacific and Japan] and South America,” said Wu. “And we’re also planning to get closer and increase reach in the public sector.” 

The security solutions company is also eager to expand its Red Hat Ansible Automation Platform integrations. CyberArk will soon be the first partner to develop a reference architecture with Ansible Automation Platform.

CyberArk is a leader in PAM and identity security. Red Hat is a leader in DevOps and hybrid cloud technology. Their strong alliance offers significant benefits and value for customers. “It’s really rewarding to see this win-win partnership between Red Hat and CyberArk that truly benefits both companies—and their customers,” said Wu. 


The Inside Playbook

Automating Security with CyberArk and Red Hat Ansible Automation Platform

Proper privilege management is crucial with automation. Automation has the power to perform multiple functions across many different systems. When automation is deployed enterprise-wide, across sometimes siloed teams and functions, enterprise credential management can simplify adoption of automation — even complex authentication processes can be integrated into the setup seamlessly, while adding additional security in managing and handling those credentials.

Depending on how they are defined, Ansible Playbooks can require access to credentials and secrets that have wide access to organizational systems. These are necessary for systems and IT resources to accomplish their automation tasks, but they’re also a very attractive target for bad actors. In particular, they are tempting targets for advanced persistent threat (APT) intruders. Gaining access to these credentials could give the attacker the keys to the entire organization.


Most breaches involve stolen credentials, and APT intruders prefer to leverage privileged accounts like administrators, service accounts with domain privileges, and even local admin or privileged user accounts.

You’re probably familiar with the traditional attack flow: compromise an environment, escalate privilege, move laterally, continue to escalate, then own and exfiltrate. It works, but it also requires a lot of work and a lot of time. According to the Mandiant Report, median dwell time for an exploit, while well down from over 400 days in 2011, remained over 50 days in 2019. However, if you can steal privileged passwords or the API keys to a cloud environment, the next step is complete compromise. Put yourself into an attacker’s shoes: what would be more efficient?

While Ansible Tower, one of the components of Red Hat Ansible Automation Platform, introduced built-in credentials and secret management capabilities, some may have the need for tighter integration with the enterprise management strategy. CyberArk works with Ansible Automation Platform, automating privileged access management (PAM), which involves the policies, processes and tools that monitor and protect privileged users and credentials.


Why Privileged Access Management Matters

Technologies like cloud infrastructure, virtualization and containerization are being adopted by organizations and their development teams alongside DevOps practices that make the need for security practices based on identity and access management critical. Identity and access management isn't just about employees; it includes managing secrets and access granted to applications and infrastructure resources as well.

A PAM solution ideally handles the following key tasks for your organization:

  • Continuously scan an environment to detect privileged accounts and credentials.
  • Add accounts to a pending list to validate privileges.
  • Perform automated discovery of privileged accounts and credentials.
  • Provide protected control points to prevent credential exposure and isolate critical assets.
  • Record privileged sessions for audit and forensic purposes.
  • View privileged activity by going directly to specified activities and even keystrokes.
  • Detect anomalous behavior aiming to bypass or circumvent privileged controls, and alert SOC and IT admins to such anomalies.
  • Suspend or terminate privileged sessions automatically based on risk score and activity type.
  • Initiate automatic credential rotation based on risk in the case of compromise or theft.

The common theme in the preceding functions is automation. There’s a reason for that: Automation is not just a “nice to have” feature. It’s absolutely essential to PAM. Large organizations may have thousands of resources that need privileged access, and tens of thousands of employees who may need various levels of privilege to get their work done. Even smaller organizations need to monitor and scale privileged access as they grow. Automated PAM solutions handle the trivial aspects of identity and access management so your team can focus on business goals and critical threats. 


Automation is what you use to:

  • Onboard and discover powerful secrets, where you auto-discover secrets, put them in a designated vault and trigger rotation, just to be on the safe side.
  • Apply compliance standards, such as auto-disabling certain network interfaces. 
  • Harden devices via OS- and network-level controls — like blocking SSH connections as root.
  • Track and maintain configurations.

And, of course, automation becomes indispensable in the remediation and response (R&R) stage. When you’re under attack, the absolute worst-case scenario is having to undertake manual R&R. We’ve seen many times — as you probably have — that it puts security and operations teams at odds with each other, and makes both of these look at development as a source of continuous trouble. 

Security can, and should, exist as code. Integrating Ansible with CyberArk implements security-as-code, which allows security, operations and developers to work in sync as your “first responder” group, giving them the time and peace of mind to meaningfully respond to the threat — and likely to find a way to prevent it from recurring.

Automatically Respond to Threats

For most teams, keeping a constant watch on every detail of privileged access is unsustainable and hard to scale. The default reaction is often to simply lock down access, making growth and development difficult. PAM automation can make responding to threats much more scalable. Your team can focus on setting identity and access parameters, and let automated tools apply those rules to daily access needs. 

For example, Ansible Automation Platform, working with CyberArk Response Manager (CARM), can respond to threats automatically by managing users, security policies and credentials based on preconfigured parameters. CARM is part of the CyberArk PAM Collection, developed as part of the Ansible security automation initiative. 

At a high level, the CARM algorithm works like this:

1. An event is detected. For example:
  • A user leaves the company
  • User credentials get compromised
  • An email address gets compromised
2. An automated workflow is triggered
3. A credential is retrieved to authenticate to CyberArk
4. The relevant module is invoked:
  • cyberark_user
  • cyberark_policy
  • cyberark_account
  • cyberark_credential
5. A remediation is performed through the module

Depending on the specifics of the detected threat and the CyberArk platform configuration, the security action might be to, for example:

  • Reset a user’s credentials or disable the user so that the user must reset their password.
  • Enhance or relax a security policy or workflow.
  • Trigger a credential rotation, in which a vaulted credential is rotated.

As your environment goes about its daily business of deploying, testing and updating payloads, as well as processing and maintaining data, security operators can use Ansible to automatically call CARM to perform the security actions, and then CARM also performs them automatically.


Automating threat responses that previously required human intervention now serves as the basis for proactive defense in depth.

Credential retrieval is the first step in many scenarios using Ansible and CARM. This step is performed by the cyberark_credential module of the cyberark.pas Collection. The module can receive credentials from the Central Credential Provider. That way, we can obviate the need to hard code the credential in the environment:

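- name: credential retrieval basic
  cyberark_credential:
    api_base_url: "http://10.10.0.1"   # target URL of the Central Credential Provider
    app_id: "TestID"                   # application ID authorized to retrieve the credential
    query: "Safe=test;UserName=admin"  # identifies the object being queried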

As can be seen in this example, a target URL needs to be provided in addition to the application ID authorized for retrieving the credential. 

The central parameter is the query: it contains the details of the object actually being queried, in this case the “UserName” and “Safe”. The query parameters depend on the use case, and possible values are “Folder”, “Object”, “Address”, “Database” and “PolicyID”. 

If you are more familiar with the CyberArk API, here is the actual URI request that is created out of these parameter values:

{api_base_url}/AIMWebService/api/Accounts?AppId={app_id}&Query={query}

The return value of the module contains — among other information — the actual credentials, and can be reused in further automation steps.

A more production-level approach is to also encrypt the communication to the API over HTTPS, with certificate validation enabled and a client certificate and key presented to the API:

- name: credential retrieval advanced
  cyberark_credential:
    api_base_url: "https://components.cyberark.local"  # HTTPS endpoint
    validate_certs: yes                                # verify the server certificate
    client_cert: /etc/pki/ca-trust/source/client.pem   # client certificate presented to the API
    client_key: /etc/pki/ca-trust/source/priv-key.pem  # private key for the client certificate
    app_id: "TestID"
    query: "Safe=test;UserName=admin"
    connection_timeout: 60
    query_format: Exact
    fail_request_on_password_change: True
    reason: "requesting credential for Ansible deployment"

Now, let’s look at an example where the detected “bad” event requires rotation of account credentials. With the help of the cyberark_account module, we can change the credentials of the compromised account. The module supports account object creation, deletion and modification using the PAS Web Services SDK.

    - name: Rotate credential via reconcile and provide new password
      cyberark_account:
        # Locate the account by address and username
        identified_by: "address,username"
        safe: "Domain_Admins"
        address: "prod.cyberark.local"
        username: "admin"
        platform_id: WinDomain
        platform_account_properties:
            LogonDomain: "PROD"
        secret_management:
            # Sample value; supply it from a vaulted variable rather than a literal
            new_secret: "Ama123ah12@#!Xaamdjbdkl@#112"
            management_action: "reconcile"
            automatic_management_enabled: true
        state: present
        # Session obtained earlier from the cyberark_authentication module
        cyberark_session: "{{ cyberark_session }}"

In this example, we changed the password for the user “admin”. Note that the authentication is handled via the cyberark_session value, which is usually obtained from the cyberark_authentication module.
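The three playbook tasks above can be reviewed mechanically before they run. The following is an added example, not code from the original article or from the cyberark.pas Collection: a small pre-flight check over tasks transcribed as Python dicts, which also builds the request URI in the shape given earlier. The function names are hypothetical, the allowed query keys are the seven named on this page, percent-encoding of the URI values is this example's assumption, and `no_log` is the standard Ansible task keyword.

```python
from urllib.parse import quote, urlsplit

# Query keys named on this page for the cyberark_credential "query" parameter.
ALLOWED_QUERY_KEYS = {"Safe", "UserName", "Folder", "Object",
                      "Address", "Database", "PolicyID"}
SECRET_MODULES = ("cyberark_credential", "cyberark_account")


def parse_query(query):
    """Split 'Safe=test;UserName=admin' into a list of (key, value) pairs."""
    pairs = []
    for part in query.split(";"):
        if not part.strip():
            continue
        key, sep, value = part.partition("=")
        if not sep or not key.strip() or not value:
            raise ValueError(f"malformed query element: {part!r}")
        pairs.append((key.strip(), value))
    return pairs


def build_request_uri(api_base_url, app_id, query):
    """Build the URI in the page's shape; percent-encoding is an assumption."""
    return (f"{api_base_url.rstrip('/')}/AIMWebService/api/Accounts"
            f"?AppId={quote(app_id, safe='')}&Query={quote(query, safe='')}")


def _is_false(value):
    return value is False or str(value).strip().lower() in {"no", "false", "0"}


def lint_task(task):
    """Return review findings for one task dict (empty list means clean)."""
    module = next((m for m in SECRET_MODULES if m in task), None)
    if module is None:
        return []
    args, findings = task[module], []
    if _is_false(task.get("no_log", False)):
        findings.append("no_log not set: secret values can reach task output")
    if module == "cyberark_credential":
        if urlsplit(args.get("api_base_url", "")).scheme != "https":
            findings.append("api_base_url is not https")
        if "validate_certs" in args and _is_false(args["validate_certs"]):
            findings.append("validate_certs disabled")
        try:
            for key, _ in parse_query(args.get("query", "")):
                if key not in ALLOWED_QUERY_KEYS:
                    findings.append(f"unknown query key: {key}")
        except ValueError as exc:
            findings.append(str(exc))
    else:  # cyberark_account
        secret = args.get("secret_management", {}).get("new_secret")
        if secret is not None and "{{" not in str(secret):
            findings.append("new_secret is a literal in the playbook")
    return findings


def lint_playbook(tasks):
    return {task["name"]: lint_task(task) for task in tasks}


# Constructed input: the page's tasks as dicts. The literal password is replaced
# by a placeholder, and no_log on the second task is this example's addition.
SAMPLE_TASKS = [
    {"name": "credential retrieval basic",
     "cyberark_credential": {"api_base_url": "http://10.10.0.1", "app_id": "TestID",
                             "query": "Safe=test;UserName=admin"}},
    {"name": "credential retrieval advanced (no_log added)", "no_log": True,
     "cyberark_credential": {"api_base_url": "https://components.cyberark.local",
                             "validate_certs": "yes", "app_id": "TestID",
                             "query": "Safe=test;UserName=admin"}},
    {"name": "Rotate credential via reconcile and provide new password",
     "cyberark_account": {"safe": "Domain_Admins", "username": "admin",
                          "secret_management": {"new_secret": "<constructed-literal>",
                                                "management_action": "reconcile"},
                          "cyberark_session": "{{ cyberark_session }}"}},
    {"name": "constructed: typo in query key", "no_log": True,
     "cyberark_credential": {"api_base_url": "https://components.cyberark.local",
                             "app_id": "TestID", "query": "Saef=test;UserName=admin"}},
]

if __name__ == "__main__":
    for name, findings in lint_playbook(SAMPLE_TASKS).items():
        print(f"{name}: {findings or 'ok'}")
```
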


More Information:

https://www.redhat.com/en/resources/cyberark-partner-case-study

https://www.redhat.com/en/technologies/management/ansible

https://www.redhat.com/en/technologies/cloud-computing/openshift/container-platform

https://www.redhat.com/en/technologies/management/ansible/automation-execution-environments

https://www.redhat.com/en/technologies/management/ansible/features

