One challenge faced by many DevOps teams is managing large enterprise environments in a secure and predictable manner. Imagine hundreds or thousands of servers and the task of making certain that each one meets a minimum security baseline. All it takes is one misconfiguration to create an unauthorized disclosure or worse – a breach.
Welcome to the world of configuration management tools. Puppet, Chef, Ansible, SaltStack and others present different paths to achieve a common goal of managing large-scale server infrastructure efficiently, with minimal input from developers and sysadmins. All four configuration management tools are designed to reduce the complexity of configuring distributed infrastructure resources, enabling speed, and ensuring reliability and compliance.
These tools, also known as orchestration tools, can be set to automatically check configurations and deploy packages and updates. With these tools you generally have a ‘master’, and that master checks in with its nodes. When you deploy an update to the master, it then sees if the nodes are missing the update and updates them all. Deploy a new server, make it a node, and the same security settings will be applied to match the master.
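The master-checks-its-nodes cycle described above, reduced to its core logic as an added illustration (this is not code from Puppet, Chef, Ansible or SaltStack): a baseline of required settings, a check mode that reports which nodes have drifted, and an idempotent remediation step. The sshd-style keys, the node names and their config contents are constructed sample data.

```python
"""Desired-state convergence, configuration-management style:
compare each node's config to a baseline, report drift, remediate."""

# Minimum security baseline the "master" wants on every node
# (constructed example: sshd_config-style "Key value" lines).
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
}

def parse_config(text):
    """Parse 'Key value' lines into a dict, skipping comments and blanks.
    First occurrence of a key wins, as sshd itself applies it."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings.setdefault(key, value.strip())
    return settings

def find_drift(text, baseline=BASELINE):
    """Check mode: (key, current, wanted) for every baseline setting that
    is missing or differs. An empty list means the node is compliant."""
    current = parse_config(text)
    return [(k, current.get(k), v) for k, v in baseline.items()
            if current.get(k) != v]

def converge(text, baseline=BASELINE):
    """Remediate: rewrite every drifting key in place, append missing keys.
    Idempotent: converging an already-compliant file returns it unchanged."""
    lines = text.splitlines()
    seen = set()
    for i, line in enumerate(lines):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        key = stripped.split(" ", 1)[0]
        if key in baseline:
            lines[i] = f"{key} {baseline[key]}"
            seen.add(key)
    lines += [f"{k} {v}" for k, v in baseline.items() if k not in seen]
    return "\n".join(lines) + "\n"

NODES = {  # constructed sample nodes: one drifted, one compliant, one fresh
    "web01": "Port 22\nPermitRootLogin yes\nPasswordAuthentication no\nX11Forwarding no\n",
    "web02": "Port 22\nPermitRootLogin no\nPasswordAuthentication no\nX11Forwarding no\n",
    "db01": "# fresh install\nPort 22\n",
}

def audit(nodes, baseline=BASELINE):
    """The master's sweep: {node: drift} for every non-compliant node."""
    return {n: d for n, c in nodes.items() if (d := find_drift(c, baseline))}
```

Running `audit(NODES)` is the safe first step (it changes nothing); applying `converge` to each reported node is the remediation the master would push out.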
It’s easy to see how this helps keep the infrastructure secure, but it is not without risk. As easily as we can configure things securely with these tools, we can (if a mistake is made) expose the entire infrastructure. Also, these tools are themselves software and are likely to have their own vulnerabilities, so keeping them up to date is critical.
As these tools now have control over our whole infrastructure, controlling who can use them and how they access them is critical. Any access to these tools needs to be treated as privileged access, which means following the same best practices for access control that you apply to any other privileged access. Make sure that the accounts and credentials with access are controlled and monitored. Distribute these powerful roles so that a single insider could not cause serious damage without notice. Each tool has specific documentation on how to configure and manage access.
Which tool is right for your organization? Each tool has different pros, cons and use cases. For example, many say Puppet and Chef are better suited to developers, while Ansible and SaltStack are preferred by sysadmins. Whether you run a mixed Linux/Windows environment or a Windows-only one also matters. These are broad generalizations, and each organization should review its needs with its IT solution Reseller to determine the best fit.
Configuration management and orchestration tools are another powerful way to strengthen your security posture, if properly used and managed.