Many of our customers are talking about using the Venafi Ansible Collection, and some of them are already using Ansible and Venafi to automate their machine identity management. Now that the Venafi Ansible Collection is certified by Red Hat, we will see more usage, because a lot of banks and financial institutions have strict requirements for getting something certified internally. Having it already certified by Red Hat can only help them get through that process.
In many organizations the Ansible Automation Platform is the preferred solution for orchestration because it can reach every device in their network. That makes it one of the very few applications or platforms with wide-ranging network access that has been approved at a very high level, because it is so important to them. Fighting through that approval process for your other applications can be very daunting in a bureaucratic organization like a financial services group. Using Ansible lets teams tie into an automation method that already has the buy-in and, with that buy-in, the access and privileges it needs to perform the operations they want to do.
I would say the most common use case for the Venafi Ansible Collection is automating the installation of certificates on devices, possibly as part of a larger infrastructure management process. You want to treat managing your certificates the same way you manage other functions on the devices, such as passwords or patches, so that everything comes together in one regular maintenance process.
But there are many other reasons why you may want to take advantage of the Venafi Collection on Ansible. Here are the top 4 ways that Venafi and Red Hat customers will benefit from using the certified Venafi Collection.
1. Standardizing for efficiency and availability
One of the biggest benefits for security teams is standardization. If different teams are using Ansible and Venafi without the collection, they have probably all written their own API integrations their own way. Instead of a whole bunch of different methods that people have written with calls made directly to the API, they can have the exact same playbooks, provided as templates to everybody, and use them with very minimal additional configuration. It also keeps people from writing their own approaches to interacting with the APIs that might be suboptimal, which we have seen in the past. When there are updates or upgrades on the platform side, those can break any custom code that developers have written. And if the APIs change or there is an issue, security teams are stuck in troubleshooting mode.
But if you are using the Venafi Ansible Collection, that shouldn't be an issue. It’s written by Venafi. It’s maintained by Venafi. So it’s all uniform, and if there are changes, those changes are reflected in the collection as well. It just makes it easier to use and gets teams ramped up faster if they don’t have to write and manage their own thing. Plus, it’s standard: if changes are made, we update the collection and things continue working as expected. Compare that with refactoring what is fundamentally a custom integration, possibly hundreds of them across an organization, every time something changes enough that there's a better way to do it.
2. Automating certificate installation at scale
Most developers and security teams are looking for straightforward, automated installation of certificates. Many customers need to push to an extremely large number of F5 BIG-IP Local Traffic Managers (LTMs), and they are already managing all those LTM Virtual IPs (VIPs) with Ansible. So it makes perfect sense to embed the certificate operations into the same framework. Plus, it makes it super easy to scale. For example, let’s say you need to push 38,000 certificates out to 38,000 VIPs on F5. Sure, you can do it manually. But it will take a very long time.
Using Ansible and Venafi allows you to integrate the certificate request and management process at the same points that you're integrating a lot of other lifecycle processes for your application or server. So when a server is being spun up, maintained, or spun down, you can use the Venafi Collection to manage all those processes in line with everything else you're doing with the server.
3. Coordinating with existing change management processes
Many of our customers have change management processes built into Ansible, so they can already open and close their changes using Ansible playbooks. That's much easier than having somebody go in and manually open a change in ServiceNow before running automation. For example, you might run your playbook every week, and when you see that a certificate has another ten months to live, no action is required. But once you've reached a certain condition, like an impending expiration, the playbook itself takes action.
One large bank we work with wanted Ansible to be the primary source for change management, because PKI or machine identity management teams don't want to be in the business of opening and closing changes on behalf of app teams. That's ultimately the PKI team’s responsibility, but they don't want to be stuck in the middle, because it exposes them to a lot of risk.
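As an added example (not from this post or from the Venafi collection's own documentation), here is the shape of the weekly playbook described above: read the installed certificate on each host, skip hosts whose certificate outlives the renewal window, and hand only the rest to the Venafi role. The inventory group, certificate path, credentials file and the Venafi role variable names are assumptions; `community.crypto.x509_certificate_info` and its `valid_at` check are real.

```yaml
# Added example: weekly "check, then act only near expiry" playbook.
# Assumed inventory group, paths and role variables; adjust to your estate.
- name: Renew certificates that are nearing expiry
  hosts: cert_hosts                                   # assumed group name
  gather_facts: false
  vars:
    cert_path: "/etc/ssl/{{ inventory_hostname }}.pem" # assumed location
    # The playbook runs weekly, so the window must cover at least one
    # missed run plus the time renewal and installation take; 30 days
    # leaves room for several failed weekly runs before a real outage.
    renewal_window_days: 30
  tasks:
    - name: Read the certificate that is currently installed
      community.crypto.x509_certificate_info:
        path: "{{ cert_path }}"
        valid_at:
          # true when the certificate is still valid this many days out
          window_end: "+{{ renewal_window_days }}d"
      register: cert_info

    - name: No action while the certificate outlives the renewal window
      ansible.builtin.debug:
        msg: >-
          {{ inventory_hostname }}: valid until {{ cert_info.not_after }},
          nothing to do this week
      when: cert_info.valid_at.window_end

    - name: Renew through the Venafi collection only inside the window
      ansible.builtin.include_role:
        name: venafi.machine_identity.certificate
      vars:
        # Role variable names below are assumed from the collection's
        # README; confirm them against the version you have installed.
        certificate_common_name: "{{ inventory_hostname }}"
        certificate_cert_dir: "/etc/ssl"
        certificate_renew: true
        certificate_force: false
        credentials_file: "credentials.yml"           # assumed, keep in Vault
      when: not cert_info.valid_at.window_end
```

Because the renewal step is gated on `valid_at`, a weekly schedule touches only the hosts that actually need a new certificate, which is what lets the same playbook double as the change record for that week.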
4. Simplifying security policy enforcement
Granted, most app teams don't want to circumvent security policy or best practices, right? But if those rules aren't compatible with their goals or deadlines, developers will find a way to solve their problem with or without the support of the risk, governance and security people.
But if you just give them the already approved way to do things, then normally they'll follow it, as long as it meets their spec. They just want to implement it and move on with their day. Using the Venafi Collection on Ansible helps guard against developers going off and doing their own thing by providing a solution that’s easy for them, while allowing you to stay accountable and compliant.
Conclusion
These are just a few of the many advantages your organization will find when you are able to extend machine identity management into your Ansible processes. Not yet a Venafi customer? Learn more about how the Venafi Control Plane for Machine Identities can give you observability, consistency and reliability for machine identities of all types across your organization.