
MindPoint Group Blog

05 Nov 2019

It’s past time we modernized security hardening procedures


Security baseline automation of STIG and CIS controls with Ansible is improving resource management and compliance

With an ever-growing workload to accommodate, IT is deploying cloud services and automation to help keep pace with its line-of-business demands. A factory-like mentality towards IT infrastructure operations has allowed businesses to improve upon their SLAs while increasing the quality of service delivery.


Many security practices haven’t yet benefited from modern IT automation practices. Most enterprises continue hardening systems with manual processes fraught with human error and inefficiencies. So why did security get left behind by the automation revolution? Like autonomous driving technology, IT security automation is still in its infancy. Up until recently, it was more conceptual than operational.

Here’s how it typically works. Security teams dictate a policy based on third-party security guidance (FISMA, NIST, DISA, CIS, PCI, HIPAA; the list goes on). After the policy is approved, Security hands it off to IT operations teams, who are left to execute it in whatever manner they can. While many IT ops teams automate aspects of vulnerability detection and triage, few will attempt to automate the application of security controls through end-to-end automation or CI/CD. To be fair, if applied without tact, automating system security configurations can do more harm than good by disrupting production environments and failing to secure systems to the standards they were meant to meet. So instead of trying to automate, teams often play it “safe” with manual steps once a system has been deployed.

The time and money businesses are spending on security hardening indicates that a more cost-effective and capable solution is needed for applying and maintaining security controls. However, current market solutions fail to provide sufficient value and ease of access.

For instance:

  • Cloud Service Providers provide a golden image with security settings already in place. Yes, the image is secure and compliant, but it rarely remains so over the course of its lifecycle. The second an app is installed or the system updated, it’s likely no longer compliant. Of course, this is one of the reasons audits are so painful!
  • Managed Service Providers are capable of delivering secured infrastructure to a client, but many are costly and require the client to relinquish control of their own systems. This relationship sets up a communication divide between client and MSP that many have found to be inefficient, and the market is proving this out with many ending their MSP contracts and taking back control.
  • The do-it-yourself option requires scanning tools to evaluate vulnerabilities within the estate. You’ll then need to write remediation scripts or manually correct vulnerabilities. This is a risky option depending on your exposure, and an expensive cost center to maintain.

Businesses with an effective systems security strategy deploy continuous monitoring and remediation toolchains to keep their systems compliant. MindPoint Group’s cybersecurity experts are helping to democratize a pivotal piece of security strategy through a certified content offering that automates hundreds of third-party controls. We’ve used our expertise in cybersecurity to automate the application of popular security baselines such as CIS and STIG to infrastructure, operating systems, and applications. The following features are included as part of our annual subscription:

  • Comprehensive and customizable security baseline automation written in Ansible – the most popular and fastest-growing configuration management tool in the world.
  • Testing strategies that can be integrated into any workflow for validation and scoring.
  • Quality assurance, ongoing maintenance, and an SLA to ensure we provide automation that works and keeps up with changes.

Want to learn more? Check out this quick demo on security baseline automation and reach out with any questions.

Additional resources:

 Lockdown Enterprise 

Why Ansible is an awesome execution engine for security controls



28 Sep 2018

Unconventional Automation: Ansible for FedRAMP


Ansible today is more powerful than it has ever been. Over the past few years it has taken the IT automation world by storm. For sure there are other automation technologies that are ‘better’ or more ‘performant’ within certain niches. But as a general-purpose, one-size-fits-most automation solution, Ansible is the dominant technology.

One area where Ansible is underrated is in the world of compliance. Many controls within the various regulatory and compliance bodies such as HIPAA, PCI, SOC2, FedRAMP, and others demand certain ‘things’ to be true in a technical sense. These technical controls can be mostly or entirely resolved by Ansible depending on the nuances of a particular environment.

I’m going to teach you how to figure out where Ansible can fit when it comes to satisfying controls within FedRAMP. This is the first part of a two-part series. The second part, to be released at AnsibleFest, will provide more concrete technical examples as well as some extra resources to leverage on your compliance automation journey.

What is FedRAMP?

For the uninitiated, FedRAMP is a compliance standard that applies to cloud service providers (CSPs), think *aaS, that wish to solicit business from Federal agencies. To give an example, suppose you make a really spectacular To-Do list application that is provided as a SaaS. Now imagine that you want the fine folks at NASA to be able to use your application…all you have to do is get through a FedRAMP audit. Keep in mind, FedRAMP is probably the most challenging (and expensive) compliance standard to adhere to with over 400 unique controls and a multi-step process to make sure all of your ducks are in a row. If you really want to learn more about FedRAMP you can do so on the official website.

How does Ansible Fit?

Before we get into a detailed example, let’s talk about how to identify places where Ansible can fit into your solution for a given control. The entire list of controls for what is called a ‘Moderate’ system can be found in the FedRAMP System Security Plan Template. For many controls there are keywords that are very strong indicators that Ansible will be able to help, in part or in whole, to satisfy the control. For example, words like ‘automatically’ or ‘configuration’ are strong indicators that Ansible would be a good fit. Let’s take a look at the literal text of one control.

CM-2, Enhancement 2

BASELINE CONFIGURATION | AUTOMATION SUPPORT FOR ACCURACY / CURRENCY

The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.

Supplemental Guidance: Automated mechanisms that help organizations maintain consistent baseline configurations for information systems include, for example, hardware and software inventory tools, configuration management tools, and network management tools. Such tools can be deployed and/or allocated as common controls, at the information system level, or at the operating system or component level (e.g., on workstations, servers, notebook computers, network components, or mobile devices). Tools can be used, for example, to track version numbers on operating system applications, types of software installed, and current patch levels. This control enhancement can be satisfied by the implementation of CM-8 (2) for organizations that choose to combine information system component inventory and baseline configuration activities.

Related to: CM-7, RA-5

For those already well grounded in Ansible-land, the text is a given. The control is, in layman’s terms, mandating that the baseline for information systems (operating systems, network devices, laptops, etc.) is applied and maintained in an automatic fashion. Further distilling this into Ansible terms, by having Ansible content (playbooks, roles, vars) that strictly defines the baseline configuration for all of the information systems that are to be audited, you have effectively satisfied this control (sans documentation).

The best part is that since Ansible can effectively also be the tool that tracks and manages your inventory, you are already in the running to at least partially satisfy control CM-8 (2) which deals with system inventory management.
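
One way the baseline described above could be expressed as Ansible content, shown here as an added example that is not the author's playbook. The package names, sshd values and the `reports/` directory (which must already exist beside the playbook) are assumptions for a RHEL-family host. The same play enforces the baseline, reports drift when run with `--check --diff`, and records the installed software versions that the supplemental guidance and CM-8 (2) refer to.

```yaml
# baseline.yml: added example. Package names, sshd values and the
# reports/ path are assumptions for a RHEL-family host.
# Enforce:      ansible-playbook -i inventory baseline.yml
# Detect drift: ansible-playbook -i inventory baseline.yml --check --diff
- name: Maintain the documented baseline configuration (CM-2 (2))
  hosts: all
  become: true
  vars:
    # The baseline is data kept in version control next to the play.
    baseline_packages: [aide, audit]
    baseline_sshd:
      PermitRootLogin: "no"
      PasswordAuthentication: "no"
    report_dir: "{{ playbook_dir }}/reports"   # must exist on the control node
  tasks:
    - name: Baseline packages are installed
      ansible.builtin.package:
        name: "{{ baseline_packages }}"
        state: present

    - name: sshd settings match the baseline
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?\s*{{ item.key }}\s'
        line: "{{ item.key }} {{ item.value }}"
        validate: /usr/sbin/sshd -t -f %s   # refuse a config sshd cannot parse
      loop: "{{ baseline_sshd | dict2items }}"
      notify: Restart sshd

    # Version numbers and installed software, per the supplemental
    # guidance; also the raw material for a CM-8 (2) inventory.
    - name: Collect installed packages and versions
      ansible.builtin.package_facts:

    - name: Record them on the control node, even in --check runs
      ansible.builtin.copy:
        content: "{{ ansible_facts.packages | to_nice_json }}"
        dest: "{{ report_dir }}/{{ inventory_hostname }}-packages.json"
        mode: "0600"
      delegate_to: localhost
      become: false
      check_mode: false

  handlers:
    - name: Restart sshd
      ansible.builtin.service:
        name: sshd
        state: restarted
```

In a scheduled `--check --diff` run, any task reported as changed is a host that has drifted from the baseline.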

This isn’t magic, it’s simply mapping what the text of the compliance body says with the capabilities that are already available to you via Ansible. This is a topic that can and will go deeper. If you are fortunate enough to be attending AnsibleFest this year (in Austin), I’ll be presenting on this very topic and going quite a bit deeper. If you’re unable to attend, no worries, the second part to this blog post will be made available after AnsibleFest along with a video of my presentation.


Click this link to learn more about Jonathan’s presentation at AnsibleFest.


26 Sep 2018

VMware Provisioning and Automation with Ansible


All, in just a week I am going to be at AnsibleFest in Austin, TX to give a talk and see what others are doing. As part of Fest this year, Ansible wants people to share their automation stories. I wanted to give a quick look at mine as a way of introducing the VMware Provisioning and Automation with Ansible talk I will be co-presenting with Abhijeet Kasurde.

About 6 years ago I was working on a project for the Federal government in which we were providing security for the largest cloud migration at the time. The team had to migrate an entire datacenter (more than 100 applications) to AWS in the span of about 13 weeks. Ansible was still pretty early in its development at the time, but was mature enough that some of the application developers on the team started using it to automate and orchestrate the work being done to build environments in AWS, deploy services, and migrate data.

As the lead for the security team, I was learning what AWS was, and figuring out how to apply traditional government security requirements to cloud systems and services. I was getting a crash course in what “cloud native” meant, and was getting familiar with new toolsets as well. The value of Ansible was apparent almost from the moment I was introduced to it. From a security perspective it meant being able to enforce configuration management and avoid wild west style system administration. From an operational perspective, it meant being able to do things faster and more reliably.

Fast forward to my next role, which was leading the transformation of a government Tier 2 Security Operations Center (SOC). The environment was drastically different. There was nothing deployed to the cloud, nor would there be in the near future. But the ability to deploy and manage tools reliably and quickly, make tools already in operation more reliable and resilient, and to enable users who are on the front lines in a constant battle with Advanced Persistent Threats (APTs) made bringing that same automation power to bear just as relevant, if not more so.

So, with the backdrop of several years of getting to know and being a casual user of Ansible in a cloud-only environment, now I had to be the one leading the implementation in an environment where:

  • We were 100% deployed on-prem;
  • We used VMware as our virtualization platform; and
  • We were building new tooling completely from scratch.

We had a lot of great success in doing this, and Ansible was the catalyst that allowed us to overhaul several enterprise security systems in a short time, to demonstrate measurable improvements in both performance and reliability, and to bring transparency to what we built and how we built it. There are a couple things from this effort that have led to the talk I’ll be co-presenting.

  1. Using and managing a VMware farm/environment can get expensive. We obviously had some base licensing we needed just to get our farm going, but there are a lot of add-ons like Operations Manager and vRealize Automation that many folks consider “must-haves.” If you are constrained by budget or just want to get the most out of your investment in Ansible, how much is possible?
  2. With any environment, cloud or on-prem virtualization farm, you will have machine templates. Guess what? Now you have to take care of them. The most common thing I have seen is that there are a lot of VM templates in vSphere (one for RHEL6 base, one for RHEL7 base, one for RHEL7 w/ MySQL, and so on). Being a responsible admin or just one who gets audited regularly, you are going to have to dedicate a bunch of time to maintaining those templates. Once a month, you have to boot up a VM from each one, patch it, and then regenerate a new template. This can quickly become many hours of work every month. How can we use Ansible to optimize this process?
  3. In a cloud environment we never had to care about basic stuff like storage size, the amount of RAM, cores of CPU, etc. when we provisioned new machines. We just picked the right sized AMI off a menu, and at any time we could expand disks magically. In a VMware environment this can be somewhere between that cloud magic and having physical hardware that needs significant downtime to reconfigure. How can you make your platform more closely resemble the cloud by building Ansible playbooks that give you the hooks you need?
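
The monthly template refresh from item 2 (boot a VM from the template, patch it, regenerate the template), sketched as an added example that is not the author's playbook or material from the talk. It assumes the `community.vmware` collection, VMware Tools in the guest, SSH access to the build VM, and `vcenter_*` and `build_tag` variables supplied by the operator; all names are placeholders.

```yaml
# refresh_template.yml: added example; every name and variable here is an
# assumption. Run: ansible-playbook refresh_template.yml -e build_tag=<tag>
- name: Clone a build VM from the current template
  hosts: localhost
  gather_facts: false
  vars: &names
    old_template: rhel7-base
    new_template: "rhel7-base-{{ build_tag }}"   # old template kept for rollback
  module_defaults: &vmware
    community.vmware.vmware_guest:
      hostname: "{{ vcenter_hostname }}"
      username: "{{ vcenter_username }}"
      password: "{{ vcenter_password }}"   # keep in Ansible Vault
      datacenter: "{{ vcenter_datacenter }}"
  tasks:
    - name: Deploy from the old template and wait for an address
      community.vmware.vmware_guest:
        name: "{{ new_template }}"
        template: "{{ old_template }}"
        folder: "{{ vcenter_folder }}"
        cluster: "{{ vcenter_cluster }}"
        state: poweredon
        wait_for_ip_address: true
      register: build

    - name: Make the build VM the target of the next play
      ansible.builtin.add_host:
        name: "{{ build.instance.ipv4 }}"
        groups: template_build

- name: Patch the build VM
  hosts: template_build
  become: true
  tasks:
    - name: Apply all available updates
      ansible.builtin.package:
        name: "*"
        state: latest

- name: Turn the patched VM into the new template
  hosts: localhost
  gather_facts: false
  vars: *names
  module_defaults: *vmware
  tasks:
    - name: Shut the guest down cleanly and wait for power-off
      community.vmware.vmware_guest:
        name: "{{ new_template }}"
        state: shutdownguest
        state_change_timeout: 300

    - name: Mark the powered-off VM as a template
      community.vmware.vmware_guest:
        name: "{{ new_template }}"
        is_template: true
```

Looping the three plays over a list of template names covers a whole template library in one run.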

In any case, on that project I learned a lot about using Ansible with VMware. Throughout that time I felt like most of the “cool technology” glory goes to those working in the cloud. However, having spent most of my career working for the Federal government, I know that there are still a lot of VMware-centric shops out there, and based on my experience transforming an enterprise SOC, I hope to be able to share that there are still major benefits to bringing new tooling and concepts to these “legacy” virtualization environments.

Innovation is still possible, even in our “traditional ways” of doing things.

I hope to see plenty of people out there. If any of you are Ansible-ers who work in a VMware environment I hope to see you at my talk.


Click this link to learn more about Matt’s presentation at AnsibleFest.
