Enterprises now rely on IT automation to manage security across increasingly complex infrastructure, applications, and hybrid cloud environments. When adopting an automation strategy, many organizations start with no-cost, community-based automation solutions.
These solutions can be useful in specific situations, but they often lack the support and security capabilities needed in an enterprise environment. This can become a costly deficiency when dealing with vulnerabilities across teams and domains.
Ansible® is at the heart of many organizations' efforts to implement automation at scale. It uses open source software development via an engaged community—upstream Ansible is composed of more than 20 disparate community projects, which are often tied together using a GUI and API wrapper called AWX.
Open source communities are a foundation of modern IT operations and application development, but not all versions of open source software are equally suited for enterprises with security concerns. This becomes clear when comparing the multiple release versions of community Ansible to the security-focused Red Hat® Ansible Automation Platform.
No environment is perfectly secure, but it’s more important than ever for automation tools to be designed with enterprise security in mind. Software supply chain attacks—which can cause both financial and reputational damage—are becoming more frequent:
- In the past 3 years, the average annual number of software supply chain attacks has gone up 742% [1].
- 45% of organizations will experience supply chain attacks by 2025 [2].
- Compromises of software supply chains account for 1 in 5 data breaches [3].
- Ransom payments for attacks are increasing 71% year-over-year [4].
With these vulnerabilities in mind, an unmanaged open source tool with only community support can be problematic. Open source repositories can be hosted virtually anywhere, which leads to a lack of uniformity that makes it difficult to track changes and increases the potential for lost updates.
Community projects may have some safeguards, but these protections can vary dramatically and be unevenly applied, leaving some projects more vulnerable than others. However, this does not mean that all projects using open source components are inappropriate for enterprise use—they simply need to be packaged and tested to meet more exacting standards.
While community projects such as AWX are not designed for organizations that prioritize security, Ansible Automation Platform is security-hardened with support, performance testing, bug fixes, and other standardized practices that contribute to a more consistent and less vulnerable enterprise environment.
As a community-supported upstream project, AWX lacks many things most enterprises expect from a business-critical automation tool. AWX does not include service-level agreement (SLA) guarantees on security vulnerabilities, certified content with independent software vendor (ISV) compatibility, or supported upgrade migrations between versions.
Ansible Automation Platform includes:
- 24x7 support for any packaged component with enhanced troubleshooting and root cause analysis via Red Hat.
- Self-service access to a wealth of accumulated knowledge in the Red Hat Customer Portal.
- Prioritization for bug fixes and features from the Red Hat Ansible Engineering team.
New versions of AWX are tested by community members, but there is no guarantee that community-based testing will ensure the compatibility and performance needed for enterprise environments. As Red Hat’s teams develop new versions of Ansible Automation Platform, they perform continuous, vigorous testing and log performance improvements throughout the process—reliably building new capabilities for enterprises' evolving needs.
Ansible Automation Platform includes:
- Nightly QA and integration testing.
- Regular penetration testing of the product to prevent new security vulnerabilities from being exploited.
- Stress testing of automation controller and automation mesh for scale-out execution of Ansible Playbooks and other content.
Container Health Index and security grading
Ansible Automation Platform publishes supported execution environments with a security grading called the Container Health Index (CHI). This means that container images are certified, maintained, and supported by Red Hat. No similar service is available with community AWX.
- If an execution environment lands anywhere other than an “A” security grade, the SLA is 5 business days to get it back up to the “A” grade. This does not apply for execution environments in AWX.
Secure Development Lifecycle practices
Secure Development Lifecycle (SDL) is a codified set of best practices that are standardized into specific phases of product development at Red Hat. Ansible Automation Platform follows SDL in development. Because of their decentralized nature, AWX and the disparate Ansible sub-projects do not.
The goal of SDL practices and standards is to:
- Reduce the number of vulnerabilities in released software.
- Mitigate the potential impact of undetected or unaddressed vulnerabilities.
- Address the root causes of vulnerabilities to prevent future recurrences.
Bugs in Ansible Automation Platform are tracked in a central database and a development team works to fix them on a daily basis. Bug resolution is prioritized according to direct user feedback.
- Customers have access to Red Hat-identified bug fixes via access.redhat.com.
- Customers can either open a case in the customer portal, or for more urgent bug fixes, can contact their local support center via phone.
In community Ansible, on the other hand, bugs are not centrally tracked, and they are prioritized by the community as a whole. It can also be difficult for users to transition between versions of community Ansible due to how bug fixes differ across those versions.
Ansible Automation Platform comes with the consistent personalized attention that enterprises need to quickly deal with bugs and limit their possible consequences for business operations.
Ansible Automation Platform includes Event-Driven Ansible, which can automate a variety of tasks—including software updates and remediation—through a standardized and audited process. Event-Driven Ansible can help you:
- Minimize human errors that are often caused by high-volume, repetitive tasks and add vulnerabilities to the supply chain.
- Automate security responses to address vulnerabilities rapidly, before they become urgent issues.
Red Hat Ansible Automation Platform provides a consistent enterprise framework for you to build and operate IT automation at scale, while prioritizing security every step of the way. It allows your teams to automate security and compliance across your enterprise, and use certified automation content to respond to threats in a coordinated way—with around-the-clock support from Red Hat.
Red Hat’s open development model connects the engineers behind Ansible Automation Platform to more than a dozen open source Ansible projects in the community. As members work together to identify and elevate the best ideas, Red Hat supports them by contributing to the code and creating products from upstream projects.
Ansible Automation Platform simplifies packaging and distribution while providing tested and trusted interoperability between all the components. Combined with an 18-month support life cycle, Ansible Automation Platform minimizes the uncertainty and security vulnerabilities that come with using upstream open source tools.
Additionally, Ansible Automation Platform can serve as an integration point for security solutions by using content from certified partners like CyberArk, IBM, and Palo Alto Networks, allowing you to automate the management and integration of a wide range of external security technologies.