Unconventional Automation: Ansible for FedRAMP
Ansible today is more powerful than it has ever been. Over the past few years it has taken the IT automation world by storm. For sure there are other automation technologies that are ‘better’ or more ‘performant’ within certain niches. But as a general-purpose, one-size-fits-most automation solution, Ansible is the dominant technology.
One area where Ansible is underrated is in the world of compliance. Many controls within the various regulatory and compliance bodies such as HIPAA, PCI, SOC2, FedRAMP, and others demand certain ‘things’ to be true in a technical sense. These technical controls can be mostly or entirely resolved by Ansible depending on the nuances of a particular environment.
I’m going to teach you how to figure out where Ansible can fit when it comes to satisfying controls within FedRAMP. This is the first part of a two-part series. The second part, to be released at AnsibleFest, will provide more concrete technical examples as well as some extra resources to leverage on your compliance automation journey.
What is FedRAMP?
For the uninitiated, FedRAMP is a compliance standard that applies to cloud service providers (CSPs), think *aaS, that wish to solicit business from Federal agencies. To give an example, suppose you make a really spectacular To-Do list application that is provided as a SaaS. Now imagine that you want the fine folks at NASA to be able to use your application…all you have to do is get through a FedRAMP audit. Keep in mind, FedRAMP is probably the most challenging (and expensive) compliance standard to adhere to with over 400 unique controls and a multi-step process to make sure all of your ducks are in a row. If you really want to learn more about FedRAMP you can do so on the official website.
How does Ansible Fit?
Before we get into a detailed example, let’s talk about how to identify places where Ansible can fit into your solution for a given control. The entire list of controls for what is called a ‘Moderate’ system can be found in the FedRAMP System Security Plan Template (direct link to DOCX). For many controls there are keywords that are very strong indicators that Ansible will be able to help, in part or in whole, to satisfy the control. For example, words like ‘automatically’ or ‘configuration’ are strong indicators that Ansible would be a good fit. Let’s take a look at the literal text of one control.
CM-2, Enhancement 2 (link)
BASELINE CONFIGURATION | AUTOMATION SUPPORT FOR ACCURACY / CURRENCY
The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.
Supplemental Guidance: Automated mechanisms that help organizations maintain consistent baseline configurations for information systems include, for example, hardware and software inventory tools, configuration management tools, and network management tools. Such tools can be deployed and/or allocated as common controls, at the information system level, or at the operating system or component level (e.g., on workstations, servers, notebook computers, network components, or mobile devices). Tools can be used, for example, to track version numbers on operating system applications, types of software installed, and current patch levels. This control enhancement can be satisfied by the implementation of CM-8 (2) for organizations that choose to combine information system component inventory and baseline configuration activities.
Related to: CM-7, RA-5
For those already well grounded in Ansible-land, the text is a given. The control is, in layman’s terms, mandating that the baseline for information systems (operating systems, network devices, laptops, etc.) are applied and maintained in an automatic fashion. Further distilling this into Ansible terms, by having Ansible content (playbooks, roles, vars) that strictly define the baseline configuration for all of the information systems that are to be audited, you have effectively satisfied this control (sans documentation).
The best part is that since Ansible can effectively also be the tool that tracks and manages your inventory, you are already in the running to at least partially satisfy control CM-8 (2) which deals with system inventory management.
This isn’t magic, it’s simply mapping what the text of the compliance body says with the capabilities that are already available to you via Ansible. This is a topic that can and will go deeper. If you are fortunate enough to be attending AnsibleFest this year (in Austin), I’ll be presenting on this very topic and going quite a bit deeper. If you’re unable to attend, no worries, the second part to this blog post will be made available after AnsibleFest along with a video of my presentation.