How security and compliance automation can help achieve a more secure hybrid cloud

In hybrid cloud environments, where workloads are deployed in physical hosts, virtual machines and containers across on-premise and cloud environments, security becomes more and more complex. As a part of the AnsibleFest Virtual Experience, Lucy Kerner, a Red Hat security strategist and evangelist, and Justin Lacey, a Red Hat solution architect, led the breakout session “Implementing a secure hybrid cloud using security and compliance automation.” The session highlighted a combination of Red Hat technologies that can help simplify and improve security and compliance in a hybrid cloud environment at scale using automation. Missed out on this session? We’re recapping some key points here. 

Start with a consistent enterprise automation strategy

Automation can help reduce human errors and can improve speed and consistency in your auditing tasks. It can make time-consuming, manual tasks repeatable by allowing for reusable workflows for consistent results. Some examples include full stack automated patching with automated workflows and automated scanning and remediation against both vulnerabilities and security compliance. 

Automation can help integrate security requirements into processes, application, and infrastructure from the start (from development to production). It’s Important to have a consistent automation strategy across teams in your organization--one that can interconnect infrastructure operations, application development, and security operations. 

In an ideal world, an enterprise would have a common automation language, which should be open and simple--easy to write, maintain, understand, document and adopt by the existing organization and new hires alike. A common automation language across the full stack and across teams allows for everything as code (meaning infrastructure as code, security as code, compliance as code), which enables repeatability, shareability, and auditability of processes. 

How can Ansible help?

Ansible is an automation language that is modular and easy to learn--allowing it to be easily adopted as the common automation language across the entire organization to bring that repeatability, shareability, and auditability. Its ability to adapt and integrate with the enormous number of security solutions on the market and integrate with many other components in the IT stack makes Ansible a versatile solution. You can view our partners, such as our cloud partners, under the Automation Hub. Our partners provide certified modules and build out Ansible Collections--roles, modules, and plugins--to help solve your needs.

Some of the ways Ansible can help include:

1. Issue detection - By creating your custom detection method and taking advantage of the modular nature of Ansible, you can replicate the known detection method over the entire environment to help you understand what’s happening across your hybrid cloud environment. You can also use Red Hat Insights to both detect and resolve issues in a Red Hat environment.

2. Issue resolution - Lacey refers to this as “implementing change without disruption.” Ansible can encapsulate, distribute via multiple connection methods, and record changes to help you duplicate your steps for auditability. You can, then, use a secure delivery method to define workflow processes and integrate changes.

3. Operational knowledge - Gather facts on hosts, create custom facts based on need, and store variables.

4. Cost savings to implement - Ansible can help reduce costs by allowing you to break down steps and reuse them.

From automating application programming interface (API) calls and chaining everything together for both continuous integration and automated builds of custom images, to full stack automated patching and automatically deploying tools, Ansible can be used to improve security and compliance in your enterprise’s infrastructure, application, and security operations.

Improving security and compliance in infrastructure operations

Approach your infrastructure automation journey in phases and define goals for each phase. Many enterprises start by implementing tasks that are performed repetitively. According to Kerner, when you start your automation journey by automating the security and compliance for infrastructure operations, you’re taking “baby steps” toward DevSecOps comprehensively. These baby steps allow you to work iteratively to deploy automation and deliver results. This is a different approach compared to the monolithic approach for patch automation with one playbook to do it all.

Check out this AnsibleFest breakout session recording for a series of demos on how to implement infrastructure security and compliance automation using Red Hat technologies. One of the demos in this session guides you through automated audit scans and automated controlled remediations for both vulnerabilities and compliance to both regulatory and custom security standards. 

In order to help with automating security compliance to both regulatory and custom security standards, Red Hat ships OpenSCAP with a variety of Red Hat products like Red Hat Enterprise Linux (RHEL) and Red Hat Satellite. OpenSCAP is a National Institute of Standards and Technology (NIST)-validated tool designed to perform configuration and vulnerability scans on systems, validate security compliance against both industry standard and custom security profiles, and generate audit reports based on these scans. You can also perform remediations using the native tooling in OpenSCAP, or using the Ansible remediation roles that Red Hat provides in Ansible Galaxy for compliance to regulatory security standards (such as PCI-DSS). For any custom security profiles that you create, you can automatically create Ansible remediation playbooks directly from scan results.

Improving security and compliance in application development

With automation in place in your application pipeline, you can build a “software factory” to create your applications at scale in a more secure way, in a dynamic infrastructure. An automated application pipeline, with security gates in place, can lead to more life cycle control of all components in the stack. When components are automatically patched and updated, you can be assured your software supply chain produces trusted software components for deployment. 

Improving security and compliance in security operations

So what happens once an application enters production? It’s often being protected by security operations centers and response and remediation teams. You can use Ansible to integrate across various security tools used by enterprises and automate the remediation and responses done by security operations. Ansible stitches together different tools already used in those activities to help with a more efficient and streamlined way to identify and automatically respond to security events. Some examples include:

1. Investigation enrichment - Enabling programmatic access to log configurations.

2. Threat hunting - Automating alerts, correlation searches, and signature manipulation.

3. Incident response - Creating new security policies to create allowlists, denylists, or quarantine a machine.

Summary

Automation can help streamline daily operations and integrate security in processes from the start. Breaches (especially cloud security breaches) usually start with misconfigurations and inadequate change control. Implementing a unified automation strategy across your organization can help you reduce the risk of misconfigurations and human errors. Automation increases consistency, repeatability, and verifiability of infrastructure operations, application development, and security operations. A consistent automation strategy across the organization is also key to successful DevSecOps. 

Start with baby steps in your automation journey. You can work with your Red Hat team to try the Security and Compliance hands-on lab exercises or use a Red Hat Consulting Discovery Session to plan your path forward. 

If you missed the AnsibleFest Virtual Experience, this breakout session and other event content is still available on demand. Registration is still free, and the content will be available until next October.