 Hello and welcome to all my DevSecOps Internet friends out there. It is time for yet another episode of DevSecOps is the way. This is episode 10 in remediation month, November is remediation month and today, we're going to talk Ansible security automation. I've got two great guests, two Red Hatters that I'll let introduce themselves here momentarily. First, if I can find my slides here, I wanted to talk about what the series is all about. Here is DevSecOps is the way. We have a monthly security series where we produce a bunch of content, podcasts, these live streaming shows, you see blogs, and each month this year was a different security category. You can see in March we started with vulnerability analysis, talked about compliance in April, all the way through November's remediation, and December concludes this year's series with platform security. If you've missed any of the shows or want to look back on the content, you can find it. We've got it all posted on our YouTube and Twitch channels, and when the blogs are out there as well. Let's see. This categorization might look familiar to some of you. If not for others, this is part of a framework. This might be a little tough to see, but what we've done at Red Hat is built a DevSecOps framework that helps to categorize security methods, security functions within a DevOps pipeline, and this helps to start discussions around, well, what should I be thinking about if I move over to DevOps in terms of security? Where does security fit? Then we could take our partners, our great ecosystem security partners, and map them along these different integration points to see where they fit and to see where Red Hat fits to provide a starting point for a joint solution. It's been very helpful for a lot of our joint customers. We've got nine categories that you see here, and then there's 34 different security functions underneath these. 
That's not to say you have to implement every single function at every single integration point. It's more of a guide to say, this is what's out there to help you make a decision. Now, this is streaming on Twitch and Red Hat OpenShift. If you have any questions, feel free to chat us. I see there's already a question. Where are the docs of the DevSecOps framework? I'll shoot a link here out in the chat to show you where to get started. We have a guide, an e-book as well that will guide you along. Please feel free to chat and we'll try to answer those questions along the way I'll be moderating that chat. Let's see. Anything else before I get started? I don't think so. Let me stop sharing here and we can introduce our guests. The one thing I did mention is, yes, we are talking about Ansible. I know this is an OpenShift channel, but if you remember looking at that framework I just showed up, we did have Ansible listed there as a product within the DevSecOps framework. We wanted to bring Emily Bach into the conversation. She's an Ansible product manager. Emily, why don't you introduce yourself to the audience? Absolutely. Thanks, Dave. Yeah. As mentioned, I'm a product manager with Ansible. My main focuses are partner enablement and certified collections, so I'm sure I'll find a way to steer things that way just because that's who I am. But yeah, like you mentioned, Ansible is really a part of everything and has a lot of great synergies with OpenShift, so I'm excited to talk about it a little bit more. Yeah. Thanks for being here and Emily's from Raleigh. She's telling me it's just getting into the perfect weather season with Autumn, with the leaves changing. Yeah. Finally, not well-turning, but it's not late enough to be cold yet, so perfect time of year. By the way, I just noticed something behind you. You've got a little guitar back there. Are you a guitar player? Yeah. 
I play a few. Jack of all trades, master of none, so I've got guitar, bass, flute, ukulele a bit, so do a little bit of everything. That's awesome. Cool. And then we've got some of our audience members. They mentioned they were from Raleigh as well, so it's good stuff. Oh, my neighbors. Yeah. So we've also got another Red Hatter here, my partner in crime with Security ISVs. Ferris, why don't you introduce yourself? Hey, thank you, Dave, and good afternoon, everybody, and thank you for joining us today in our live show. Just like Dave said, I'm his partner in crime. I manage the global alliances in the security segment here at Red Hat, so I have a few of our close ecosystem partners that we collaborate very closely with to have success at our customers' side. And some of them integrate with Ansible, and they embrace the automation, and they love the security automation story. So here that hopefully we can help Dave and Emily and answer some questions, and maybe post a few questions for them, too. Nice. So what partners do we work with, Ferris? Oh, our tier one strategic partners include CyberArk, Palo Alto, Synopsys, Sysdig, Aqua, and Tigera. And they basically have, like you showed, they work in various aspects of the DevOps and the CI/CD pipeline, and they provide a special value to the customer once they deploy their containers in OpenShift. And of course, we have the other side of the equation with the automation that they integrate with Ansible, and they provide a lot of value in the automation, especially in the area of secret management and PAM security, like you would see with CyberArk. And we have, like you said, we have a lot of collection of information, a lot of assets, and in fact, we have just finished one solution brief that we did with CyberArk about Ansible and the automation that I would recommend everybody to take a look at it, and we'll include a link to it here. 
But we also have a full website, actually, dedicated to what we do with CyberArk and how they're certified in Ansible and so on. Awesome. And you can tell Ferris has got the Southern charm. He's in one of my favorite places, which is the, you know, central place to make bourbon. So, in Kentucky, right Ferris? I'm in Kentucky, the horse racing and all great drinks. We're actually gonna celebrate Thanksgiving next week, and I said to everybody the other day, that's the only place that serves Turkey in a bottle. So that's one of my favorite Turkey in the bottles and somebody said, it's never dry until you finish it. But that's why it doesn't take all day to prepare either. It's absolutely quick. Well, cool. I'm posting a couple of docs here and I'll continue to post some more. Somebody asked where the DevSecOps framework material is. That first link is all about the framework and explaining it. It's entitled, How to Deploy a Comprehensive DevSecOps Framework. We also just published an ebook, which has a lot of good information on some of the partners that Ferris mentioned and the work we do with them. Nice. Yeah. So, Emily, let's start with you. You know, this is an OpenShift channel so some folks might not know what Ansible is. Why don't you give us an overview of Ansible? Absolutely, yeah. So if you're not familiar with Ansible at all, it is at its core, no pun intended, automation and it's specifically enterprise IT automation. So it really acts as a common language between all the tools and apps, everything that makes up your ecosystem as an organization. So to borrow from the Star Wars theme, I'm a big analogy person. So I like to think of it kind of like the Millennium Falcon. If your organization is the ship, you know, you've got your shields, you've got your weapon system to shoot down outside threats, you've got your cargo space to hide your saved princesses and all of your data. 
And in that situation Ansible would really be like your control console, the thing that brings them all together so that when you jump to hyperspace, you don't have to do all the little fiddly bits to make it work, you just push the lever and you go. If you're a little less Star Wars inclined, it's kind of like a phone call. You know, originally you would call an actual operator and they would manually connect you to the person you wanted to talk to, which is no longer necessary thanks to automation. It just kind of works in the background and you don't have to face the horrifying prospect of talking to a stranger. So that's really what Ansible is at its core, more geared towards enterprise IT, but it's getting rid of all those little fiddly bits that are better left to computers. Awesome. Hey Emily, speaking of Ansible, so is there a new version coming out? There is indeed very soon. Ansible Automation Platform 2, I believe, is what we're calling it, should be coming in early December. So that's got a bunch of great new stuff landing with it. There's a bunch of webinars and stuff going on now and that were in AnsibleFest, but kind of the highlights are going from kind of a more monolithic structure to more of a modular setup, making it more flexible. So we've got automation mesh coming and execution environments, all kinds of fun stuff. But I won't talk too much about it here because there's a bunch of stuff out there. Yeah, I was going to say it's coming up relatively soon on December 2nd, so. Yeah, we're pretty excited about it. Yeah, it's a big deal. Yeah, been a lot of work, but I think it'll be well received. You mentioned Star Wars, so I'm totally distracted. Of course, I've got Grogu here, but I had the best thing I can come up with is some Jawas here in this sticker. Obviously, I'm a Star Wars nerd as well. Love that analogy. So if we think about remediation in this month, how can Ansible help with remediation? Yeah, for sure. 
So remediation, your system found something that could be a problem or you're trying to address something and you want to fix it. Kind of the main areas that Ansible has been the most useful in for people that we've seen is investigation enrichment. So it can pull together all of your logs from all your different tools in your security operation center. So it's in one central place. It can also help with threat hunting. So it can, sorry. So it helps you detect threats by filtering out noise by putting everything in one spot. You can also set it to really look for specific things in terms of what a threat can look like to you. Mostly for remediation though, the benefits that we see are, you can really quickly add to accept or reject lists various IPs that you see. You can also isolate suspicious workloads for further investigations. Those are kind of the big things that we see often with security in Ansible, but since it is a really flexible platform, it's really meant for creativity. So we have a lot of stuff out of the box, but really the sky is the limit if you're willing to put the work in. Yeah, I can imagine all sorts of things you could do if a threat is monitored or alerted on, shut down firewalls, ports, send tickets, everything from that, alert certain people. So it seems like, yeah, it's sort of the eye of the beholder, it's very open to whatever you wanna do in terms of remediating things. Exactly, kind of going back to the Star Wars metaphor, if you've got your command console in front of you, it's where you can see kind of the things that it really looks for to tell you about a threat. It also, you can set up playbooks to restart systems if they crash. You can create backups to keep things running. Like there's really a lot that you can do. One thing I do wanna stress is it is not a security operation center in and of itself. It's really meant to streamline what you have already. 
Like I'm sure you've seen some of the stats around, the average security team can only see something like 5% of the actual logs that come through and Ansible really helps cut out that noise so that they can see the things that are actually threats and then in many cases, automated response to it as well. Yeah, we had a question that Rashid says, anything you can do to prevent the threat, I think it means threat, the threat with Ansible. So are there things you can do to prevent threats? Assuming the same, yeah, absolutely. Remediation is really just a piece of what Ansible can do. It's also really good for provisioning and managing policies and stuff around firewalls, also around certifications and accreditation. So any kind of secrets you have or passwords or user management, you can do a lot of work around there to make sure that they're being rotated in a safe manner to keep some of those vulnerabilities from coming up. It also can help your firewall be more effective by putting a lot of those best practices in place without a person doing it all of the time. And that's just a couple off the top of my head, but yes, there's a lot of things you can do for threat prevention with Ansible as well. Yeah, you mentioned secrets management. I think Ferris, that's what CyberArk is doing with their Ansible stuff, correct? Yeah, exactly, and that's a great point. So CyberArk puts in this secret management where if you have an Ansible, building your infrastructure, so to speak, after whatever event, whether it's a cyberattack or whether something happened in your infrastructure rather than going in and manually after you build it, after you have Ansible build everything for you, you go in and manually change secrets into all your applications and all your infrastructure. 
Basically, CyberArk kind of goes in, integrates with Ansible and then rotates all the secrets for you, puts all the secrets in, you wouldn't have to worry about a thing, kind of like cuts your time from however many hours based on your infrastructure to just seconds basically that goes with Ansible. And that link that we posted has a lot of information about that and how this would work. And again, CyberArk has certified in Ansible and they have spoken at AnsibleFest, which was a very good talk that they had and they showed that reference architecture in it as well. So I'll be sure to put the AnsibleFest talk as well. Yeah, and we've done joint workshops with CyberArk with the Ansible, we've done some OpenShift CyberArk workshops as well but they also have one for Ansible that I've known they've done as well. So if anybody's interested in getting their hands dirty, we've got a repeatable workshop to have you try it out. And I think you've done some work with them recently, right Emily? On certification? A bit, yeah. So we just finished a partner webinar series that they were a part of as well. So they talked all about a success story they've seen in the security space. So I think they go into that use case in more detail there. But yeah, they've been great to work with. Well, good. Jumping back to sort of Ansible generically, how if I'm a programmer or even if I'm not a programmer, how experienced do I need to be able to start using Ansible? Yeah, that's a great question. Really it caters to pretty much all kind of experience levels. So you can get all the way into the weeds. We've got a huge community in the open source space that works on Ansible as well. It's got a lot of really experienced experts that do really cool things with edge cases and use cases and stuff. 
But with our still relatively new content collections and the way that Ansible is set up with using primarily YAML for most of its playbooks and modules, it's really easy and readable for people joining the first time. So it makes it really easy to understand kind of what you're looking at and what it will do. So you can kind of get started right out of the box, but also sky's the limit. The more you do, the more experience you get, the more creativity you, yeah. I love that it stands for yet another markup language, a sucker for self-explanatory acronym. But point being kind of anywhere in the spectrum, if you're just starting out, it's really easy to pick up. That's one of the strengths there. But the more you do, the more you can do. Yeah, my personal experience, I've, you know, a year ago I didn't know any Ansible, but I picked it up relatively easy. There's so many examples out there. I've developed a couple of workshops for Red Hat, one of them being CyberArk on OpenShift and the backbone of that automation to deploy CyberArk on top of OpenShift and we're working on a same sort of repeatable workshop with Ansible is Ansible. It's a playbook that runs and deploys things on Kubernetes or deploys things in Tower. So yeah, very, very simple. A lot of good examples out there. Yeah, I was gonna say, I think we have like a combined use case where we use OpenShift and RHACM and Ansible and I think CyberArk as well, kind of managing all those secrets together. So there's a lot of overlap there. The whole benefit of automation really is best when it's invisible. You set it up and then it just works. Very cool. I'm posting Ferris wanted to post the Ansible channel for everything Ansible. What are folks gonna find in there? Except Ansible. Ansible, Ansible, Ansible. So they're gonna find the roadmap. This is the Ansible channel actually and you can subscribe to it and then you will see everything that happens newly that's been introduced with Ansible. 
It talks about the roadmap. It actually has a recording for the roadmap for the 2.1 that you'll be able to see there and learn more about and you can learn about the certification that some of our partners would do and how they can do it and then how customers would be able to utilize all the new things right off the bat. Now, as some of you know, we are currently in the 1.2 and this is a 2.1 release. So it's a big deal. Has a lot of great new things that are very, very usable that has been done over research of a couple of years now and some of it would apply to edge computing. So this is really all that information you find it in this channel. I'm seeing in chat, it looks like that's only, it's a Red Hat internal link. What was the internal link? I don't know if that specific one is also external but I know that there's also a YouTube channel. There's ansible.com has a whole mess of documentation and courses and everything you could desire. This is a live show, so there you go. There you go, that's why people like the live show just could go on and let me go. And our audience is not, is just, is other people in Red Hatters? Yeah, we'll share the external one and also folks were asking this, where's the partner seminar I can watch? So either Emily or Ferris, if you would mind getting that external link as well. And- Yeah, Jeff, Ferris, do you have that one on hand? Yep, I'll use that. Well, as soon as you get to it, have the Ansible channel. I know I have it somewhere but it's lost in my forest of tabs. Cool, yeah, we do have an IBMer on here who's related to us but can't get into the internal Red Hat stuff. So yeah, we'll get the external link for you pretty soon. There is, we've talked a little bit about use cases, right Emily, was that the main use cases or were there others around Ansible? Yeah, those were the main security ones. I know most people that would be familiar with Ansible already probably think of us in like the infrastructure space. 
So we've got all those security ones as well. We also have stuff in the network space. So there's a lot of like compliance enforcement, security orchestration, vulnerability remediation stuff along those lines. And we're also going pretty heavy into cloud stuff as well. So there's a lot of provisioning and configuration management and stuff there as well. But like I've said before, you know, it's automation. So sky's the limit, but those are where a lot of like our prepackaged kind of best for beginner collections and content are. Cool, yeah, thanks Ferris. Posted the YouTube Ansible channel which has that information that was in the internal link. I just posted the Ansible use cases which we talked about. So the three main ones, investment enrichment, investigation enrichment, threat hunting and incident response. There's a couple of good videos actually. I really enjoyed those videos. And then you can see how Ansible can work with different tools, firewalls, intrusion detection, SIEMs, PAMs, EPPs. So that gives you a good understanding. And then you should be able to find a workshop in here somewhere if you're interested as well. Cool, there is another use case that I'm not too familiar with around OpenShift and RHACM. At a high level Emily, could you give us a little bit of understanding what that use case is? Yeah, for sure. I think there was a link published around there. I can see if I can track that down. I found a video. I stumbled across it a couple of weeks ago. That was pretty cool. But really kind of what goes on there. Since I'm Ansible, my understanding of OpenShift and RHACM helps you manage multiple clusters at scale across hybrid cloud environments, et cetera. But at its core, that's the focus there. And what Ansible helps with the most in that kind of use case is bridging that communication gap between the traditional kind of ecosystem that you have and the cloud native experience so that they're all speaking the same language. 
I think is really the basis of the most common ones we see there. I'm sure there's more, but off the top of my head, that's the one I'm most familiar with. Yeah, me too. And of course, who would have Kubernetes and legacy software? Nobody has that one. Everybody has one or the other, right? Hybrid cloud, no hybrid cloud. Well, good, yeah. And I think that was announced recently, relatively recent, which I think about six months ago, it's relative. Everything's kind of a blur in the pandemic times, but it's a relatively new offering. And obviously we'd love to hear feedback if folks are using that or if they're interested. Well, cool. Let's talk about partners for a little bit and Ansible and certifying, how would a partner become a partner of Ansible if they wanted to? Yeah, and I am very biased, but I recommend it. So it typically is the same process as becoming a partner for any other Red Hat product. You start with connect.redhat.com. There will be a fairly basic legal agreement, just making sure that you support any content that you contribute, very normal open source kind of stuff. Once that happens, once you're a certified partner in the connect space, then you can email ansiblepartners at redhat.com. We'll help you get set up the rest of the way. For the most part, it's a pretty simple process once you're certified in the Red Hat area for creating certified collections, which are the ones that show up in Ansible Hub. So for Ansible subscribers and customers of Red Hat, you create your content like always. Often it will be on Galaxy, the upstream open source version as well. You run it through my team, partner engineering. We run some basic tests, very similar to what we do in the community. And once it passes, it's uploaded to Hub and any of our joint customers can use them. All right, so what are some of the partners that you've worked with recently? Yeah, I know we've mentioned CyberArk. 
They've been one of the first partners that actually went through the whole process for real. So they've been around a long time. We've also got collections with Splunk, Syncope, Check Point, got a few Cisco ones in the security space as well. I think those are the big ones so far, but I think you can see a list of all of them on Red Hat as well. Or if you're in Hub, you can check out the collection sites. Cool. So Andy said you had one with Cisco security as well. There's a few collections from Cisco. Some of them are in the upstream area. We're working on getting those certified as well. I think we primarily have collections with them more in the networking space, but security is in the mix as well. Oh, cool, awesome. I'm gonna put you on the spot here, Emily, I didn't prep you for this question. If somebody's done with an Ansible collection, how long does it typically take to get that certified with Red Hat? I have graphs, I won't show them to you, but typically once your collection is done and ready, the testing process is pretty simple. So as long as you're responding to emails, typically it's a week or two, kind of at the outside, but if you don't do your part, it will take much longer. But typically it's a fairly quick process. And some of that is because of the way we changed collections, I think a year or two ago, it used to be you had to wait for a major version of Ansible in order to change anything, any of your content. We've separated that out, so now they're in Hub and they're their own thing, so you can upgrade, update, iterate your collections anytime, completely independent of our release schedule. Oh, yeah. So, well, that's a good question. So we can go as fast as you can with the minimum of a week, right? And the certification, and then once you are certified, what do you get out of the certification you get? What do we feature you in our website like we do with OpenShift and things like that? Yeah, absolutely. 
Co-marketing is one of the best benefits that you get through the partner program. If you have certified collections with us, you have access to all of our Ansible community, all of our Ansible subscribers, see all of your collections. Also, like any of our Red Hat certifications, you get Red Hat support. So any issues that arise with any of your collections, they go through Red Hat support first. So you can be sure that the only issues you get are ones that you actually need to pay attention to. Nice. And you also, if you're a user of those certified collections, you're guaranteed Red Hat support as well. So that's kind of the biggest benefit, like with anything Red Hat, it's your, you got your support, your stability, because things are more vetted and tested and have, you know, a little bit more scrutiny on them. And especially for the bigger enterprise businesses, where it's more difficult to move quickly, it does tend to lag a bit behind the upstream community, a lot like Fedora versus RHEL. So you have more time, more support. And the third thing that I forgot that I listed, more stability. Well, that was the second one. I got there. It's done. Yeah, so that's good. You know, I love the fact that they can display, like CyberArk, they display the certification badge. So then all of these things, they, by transmission, they go into the customer's mind, but they see that it's a certified, they see we work with our partners and you get this peace of mind that would give the customer, the partner and Red Hat feeling. Exactly. Yes. It must be win, win, win for everyone. Three wins. Cool. That's some good chatter going on. One thing, Ferris posted the AnsibleFest session that we had with CyberArk. Actually, you know, Dave, I think that you get the chat. So if you don't mind posting it by proxy, because you- I did. I'll put it in there. Okay. I believe I did, yep. It's right there. And then some good chatting between Rashid and Carlos. 
Rashid mentioned Ansible has really made OpenShift deployment easy, but it's a little harder to get right on the first run. So have you seen a lot of customers use Ansible for OpenShift deployments? I don't know offhand how many. I do think especially with that feedback, it does make it easier, especially if you're going to do anything in kind of a repeated way. Like with all things automation, it's a little bit of that upfront work for a lot of saved time over, you know, the long term. Yeah. Yeah, and Carlos was mentioning, you know, uses Ansible to configure host VMs. He prefers GitOps though to do, to open, to install things on clusters, which GitOps does very good job of it and has its own use cases, because it can, as Carlos mentioned, know about cluster config drift. But he also says that uses, let me show this, for see how you can run Ansible protect on pipelines. Which is cool. Cool. Any other questions from the group? Feel free to add it to the chat. If not, I think we've had a pretty good discussion here. Is there anything else, Emily, that you wanted to mention about Ansible or discussion? Nothing too big. Just like if you're not a partner and you're looking to be, feel free to reach out. We're always happy to get more. And look for more stuff coming with Ansible Platform 2. Awesome. You'll definitely do that. Ferris, any closing thoughts from you? I think that was pretty good. I really liked the fact how some of the interaction with the group would put an Ansible to deploy OpenShift. Great idea. I actually, I haven't thought of that one, and but I think it would be a great thing because you could put in development and deployment. You can just repeatable actions. I think we covered a lot of things with the certification. The certification is really good. We know where to start, Emily. And with AnsibleFest, looking at the CyberArk integration, this is what I would recommend for you as a customer, as a user to start with. 
If you're looking at secret management, I know that cybersecurity is in everyone's mind these days, especially with the executive order. If you're looking for a zero trust strategy, you know it all starts with identity management and so on, CyberArk is big in identity management but secrets is a pivotal factor in doing that strategy. So it'd be great idea to take a look at it. So, but I think all in all, we had a great discussion. Just you know who we are. So if you have any questions after the show, please don't hesitate to reach. We'd love to help you, whether you're a customer or partner or even employee with Red Hat or IBM. Awesome. And one thing I do want to plug for my solution architecture team. Anybody's curious, the shirt I'm wearing, it's called Davie Street Enterprises. This is a fictitious company that my team has blogged about. And I'm sure there's definitely a couple of blogs in there about Ansible and about how this company called Davie Street Enterprises has transformed their business using Red Hat technologies. So it's pretty entertaining. There's a lot of neat characters in there. My favorite is Zachary Tureaud. That he's the security guy. He's, Tureaud is actually Mr. T's actual name. Anybody cares. But it's a good, it's a good several, let's say about half a dozen or so blogs and we're about to round it out here this at the end of the year. Yep. I'm a reader of the blogs, Dave. Can I get a T-shirt? Yes, I'll try to get you one. I never have too many T-shirts. That's why it's always good. And with that, I just want to post again the, see if I could post this. Oh yeah, there it is. The schedule here. This was the framework, but the DevSecOps is the way monthly series. We've got another one coming in December around platform security. So that's all gonna be about OpenShift security and things like Linux security, SELinux, seccomp, really cool stuff. So look forward to that. 
We've got all this stuff posted from all the content we've done in the past. Check out catalog.redhat.com podcast for our podcasts, live streaming shows. And then I put the Ansible use case security automation. I posted that in the chat as well. But if you want to read more about DevSecOps at Red Hat, there's a lot of material. Just go to red.ht/DevSecOps to learn more. So with that, I want to thank Ferris and Emily for joining me today on DevSecOps is the way. Really appreciate the conversation. It was great. And I will say goodbye to everybody. Have a great day. Thank you. Thank you, Emily. Have a great day. You too.