AWS CISO urges companies to adopt a zero-trust security approach


Keumars Afifi-Sabet

9 Dec, 2020

Organisations should embrace the philosophy and principles of zero-trust security to keep up to date with modern demands and security threats, AWS’ chief information security officer (CISO) Steve Schmidt has urged.

Adopting the core tenets of a zero-trust philosophy, including accessibility and usability, while keeping the focus on the fundamentals of security, allows businesses to eliminate needless risks in their IT estates.

Doing so, however, isn’t as straightforward as businesses may hope, according to Schmidt. This is because the term ‘zero-trust’ can mean different things in different contexts, an ambiguity that stems from the wide range of use cases to which it applies.

“Zero-trust is, to me, a set of mechanisms that focus on providing security controls around digital access and assets while not solely depending on traditional network controls or network perimeters,” he explained, speaking at AWS re:Invent 2020. 

“In other words, we aren’t going to trust a user based only on their location within a traditional network. Instead, we want to augment network-centric models with additional techniques, which we would describe as identity-centric controls.”

An example of one such use case that he provided was human-to-application security, which is particularly relevant given the surge in people working from home in 2020. Traditionally, applications sat behind a virtual private network (VPN) front door, but these aren’t compatible with the diversity of devices that workers use to access work-related services. Applying zero-trust principles sets the objective of making the locks on applications themselves effective enough that a VPN-based front door can be eliminated altogether.

Zero-trust principles have become far more popular across the industry of late, with a number of companies quick to adopt and promote this philosophy either as part of their own strategies or in their products. 

BlackBerry, for example, announced Persona Desktop in October, a security platform that uses artificial intelligence (AI) and machine learning to detect user and entity behaviour abnormalities. Persona Desktop works at the endpoint, and eliminates the need to share data back to the cloud before the system acts, and also aims to protect against stolen credentials, insider threats, and physical compromise.

Google, too, launched a zero-trust remote access service known as BeyondCorp Remote Access earlier this year that’s designed to give remote teams access to their internal applications without the need for a VPN.

As part of Schmidt’s outline of AWS’ security strategy, he also proposed a set of questions that businesses and IT administrators should ask about their organisation’s security configuration. Elements such as where the perimeter is, and how large it is, as well as how easy it might be to monitor and audit, should be considered. 

Schmidt also, by way of example, suggested that while VPNs are fine to use for network isolation, it would be best to make the implementation dynamic and hidden from the user experience. This might lead to users not even noticing that network boundaries are being created and torn down as required.

Microsoft to offer top-secret cloud platform for classified data


Praharsha Anand

9 Dec, 2020

Microsoft has announced the launch of its newest cloud offering: Azure Government Top Secret.

The new cloud service expands Microsoft’s tactical edge portfolio for the US government, including Azure (public cloud), Azure Government, and Azure Government Secret. Microsoft has tailored Azure Government Top Secret for its US government customers that work with classified information.

“Azure Government Top Secret provides the same capabilities as the commercial version of Azure, Azure Government and Azure Government Secret to enable a continuum of compute from mission cloud to tactical edge,” said Tom Keane, corporate vice president of Azure global.

“The broad range of services will meet the demand for greater agility in the classified space, including the need to gain deeper insights from data sourced from any location as well as the need to enable the rapid expansion of remote work.”

According to reports, Microsoft is working with the US government to secure accreditation for its new cloud. In the meantime, it’s already completed the build out of the Azure Government Top Secret regions. 

This announcement comes amid ongoing court battles over the Department of Defense’s (DOD) $10 billion Joint Enterprise Defense Infrastructure (JEDI) cloud contract. The DOD awarded the whole contract to Microsoft, bypassing Amazon Web Services and spurring AWS to launch a lawsuit.

Microsoft also announced enhancements to its Azure Government Secret service, authorized and actively used by the US Department of Defense, law enforcement, and other agencies. 

According to Microsoft, Azure Government Secret will now include Azure Kubernetes Service (AKS) and Azure Container Instances. The additions aim to help application developers deploy and manage containerized applications more easily.

Intelligent security analytics services Azure Sentinel and Azure Security Center are also now available in Azure Government Secret, enabling unified security across digital estates and facilitating proactive threat management.

“The consistency between Azure (commercial), Azure Government, and Azure Government Secret is also starting to change the game as software development may happen from anywhere, while the code itself can be promoted to enclaves with higher classification levels. There it can interact with data of higher classification levels. At the end of the day, this means doing more for the mission at a lower overall cost,” said Carroll Moon, CTO of CloudFit Software.

Salesforce: Customer service teams have accelerated digital plans in 2020


Bobby Hellard

8 Dec, 2020

The pandemic has exposed a number of technology gaps in customer service, according to 88% of service professionals, as customers switched from physical to virtual locations during 2020.

This caused many customer service leaders to accelerate digital transformation strategies, according to a report from Salesforce.

The ‘State of Service’ report provides a “snapshot” of priorities, challenges and trajectories of global customer service teams. The findings are based on a survey of customer service agents, decision-makers, mobile workers, and dispatchers with over 7,000 respondents across 33 countries.

In response to the pandemic, 85% of service teams said they had changed their policies to provide more flexibility to customers with 60% adding that they had invested in new service technology. 

“Leaders are taking this time to rethink the value of experiences and reimagine engagement with customers and employees alike,” said Brian Solis, global innovation evangelist at Salesforce.

“It’s not just about technology. Sometimes technology is at its best when invisible. We’re going to see significantly more agile, innovative, and relevant organisations emerge from this crisis that provide modern and sought-after experiences that change the game for everyone.”

According to the report, 88% of service professionals said the pandemic exposed technology gaps, and 86% said the same for service channel gaps as customers flocked away from physical locations and towards digital methods of engagement.

Teams also found shortcomings that went beyond the obvious, with 87% realising that their existing policies and protocols – such as cancellation fees for events that were prohibited by public health measures – were not suited for current circumstances.

In the face of these challenges, service teams were forced to make digital transformations that will endure beyond the pandemic. 78% said they had invested in new technology because of the pandemic, with 32% suggesting they had ramped up their adoption of artificial intelligence systems.

Russian hackers are exploiting critical VMware flaws


Keumars Afifi-Sabet

8 Dec, 2020

State-backed Russian cyber criminals are actively exploiting a recently-patched vulnerability in a series of VMware products in order to access sensitive corporate data.

VMware had previously warned its customers, in late November, about a critical command injection flaw in a number of its products, including Workspace One Access and Identity Manager. Although the bug was considered severe, with a rating of 9.1 on the CVSS severity scale, a patch wasn’t available at the time and was only released on 3 December.

Hackers operating on behalf of the Russian state, however, have been actively exploiting the vulnerability to access data on targeted systems, according to an advisory issued by the US National Security Agency (NSA).

“The exploitation via command injection led to installation of a web shell and follow-on malicious activity where credentials in the form of SAML authentication assertions were generated and sent to Microsoft Active Directory Federation Services, which in turn granted the actors access to protected data,” the advisory said.

“It is critical when running products that perform authentication that the server and all the services that depend on it are properly configured for secure operation and integration. Otherwise, SAML assertions could be forged, granting access to numerous resources.”

Beyond the wider business community, the NSA has stressed the need for organisations involved in national defence and security to apply VMware’s patch as soon as possible, or implement workarounds until updates are feasible. The advisory also suggests that organisations review and harden their configurations as well as the monitoring of federated authentication providers.

Beyond Workspace One Access and Identity Manager, the products affected include Access Connector and Identity Manager Connector, with specific product versions outlined in VMware’s original security advisory.

The vulnerability, tagged CVE-2020-4006, essentially allows hackers to seize control of vulnerable machines. They would first need to be armed with network access to the administrative configurator on port 8443, as well as a valid password to the admin account.

As such, the NSA has recommended that network administrators limit the accessibility of the management interface on servers to only a small set of known systems, and block it from direct internet access. Critical portions of this activity can also be blocked by disabling the firm’s configurator service.

Zero-click ‘wormable’ RCE flaw uncovered in Microsoft Teams


Keumars Afifi-Sabet

8 Dec, 2020

Hackers were able to exploit a serious vulnerability in Microsoft Teams desktop apps to execute arbitrary code remotely and spread infection across a company network by simply sending a specially-crafted message.

The zero-click flaw, which is wormable, can be triggered by cross-site scripting (XSS) injection in Teams, with hackers able to transmit a malicious message which will execute code without user interaction.

This remote code execution (RCE) flaw was first reported to Microsoft in August, with the company fixing the bugs in October 2020. However, security researcher Oskars Vegaris, who discovered the flaw, has complained that the firm didn’t take his report as seriously as it should have, with Microsoft not even assigning the bug a CVE tag.

Microsoft considered the Teams vulnerability as ‘important’ although described its impact as ‘spoofing’ in its bug bounty programme. As for the CVE element, Microsoft doesn’t issue CVE tags on products that automatically update without user interaction.

“This report contains a new XSS vector and a novel RCE payload which are used together,” Vegaris wrote on GitHub. “It affects the chatting system within Microsoft Teams and can be used in e.g. direct messages, channels.”

In a technical breakdown of the vulnerability, the researcher highlighted how RCE can be achieved by chaining two flaws: a stored XSS in the Teams chat functionality and a cross-platform JavaScript exploit for the Teams desktop client.

The impact is seemingly alarming, with its wormable nature meaning the exploit payload can be spread across other users, channels and companies without any interaction. The execution of malicious code could also happen without any user interaction, given users need to only view the specially-crafted message. 

The consequences of infection range from complete loss of confidentiality and integrity for victims, to access to private communications, internal networks, private keys as well as personal data outside of Microsoft Teams.

Hackers can also gain access to single sign-on (SSO) tokens for other services, including Microsoft services such as Outlook or Microsoft 365. This will expose them to possible phishing attacks too, as well as keylogging with specially-crafted payloads, according to Vegaris.

IT Pro approached Microsoft for comment.

Is one cloud enough?


David Howell

The cloud now forms an integral part of every business’ IT infrastructure. Increasingly, however, the growth of the cloud market and incredible range of choice of products and platforms on offer has led to multi-cloud fatigue.

The often-haphazard deployment of cloud services from multiple vendors has also created management challenges that have been exacerbated thanks to the coronavirus pandemic. Are we now in a situation where CTOs need to take action to rationalise their cloud deployments?

The latest cloud study from IBM reveals that 64% of executives plan to migrate more mission-critical workloads to the cloud in the next two years. If not done carefully, however, this could easily lead to more cloud bloat and a consequent aggravation of management and service support issues.

While it can be tempting to just throw money and resources at the problem, this can often result in expanding existing cloud deployments or buying new services without the due diligence needed to ensure they can be integrated efficiently and securely with legacy installations. Information technology service management (ITSM), when coupled with cloud management platforms (CMPs), has, in some cases, exposed weak links in existing cloud infrastructures.

Management of large multi-cloud deployments is also difficult to do effectively. According to the State of the Cloud 2020 report from Flexera, applications are often siloed across the cloud architecture, with a third (33%) of respondents to this year’s survey using multi-cloud management tools. 

“Businesses often adopt a multi-cloud strategy to deliver specific applications or services, avoid cloud vendor lock-in, reduce costs, enable flexibility and increase scalability,” explains Paul Stapley, practice director at Logicalis. “However, multi-cloud adoption presents challenges for people and processes, as the more platforms you have, the more challenging it becomes to manage them. CTOs can face security challenges, connectivity reliability (problems), performance issues, and inconsistent service offerings, making it challenging to utilise and operate multi-cloud deployments efficiently.”

Reducing the cloud architecture’s complexity would enable a far more cost-effective, secure, and efficient cloud service to be constructed and then managed. The danger of businesses’ reaction to COVID-19, which saw a rush to implement ever more cloud services, is an unstructured and unplanned expansion with consequent weak security and lack of management oversight.

Is one cloud enough?

CTOs struggling to manage multi-cloud deployments and ‘cloud bloat’ may wonder if moving everything back to a single cloud is the way forward, but that’s not necessarily the best answer, either.

“With a clear strategy and approach for using multiple clouds, businesses can avoid the issue of ‘cloud bloat’,” Maynard Williams, MD of Accenture Technology UK tells IT Pro. “This strategy must cover both the specific use cases for cloud service provider offerings and how transactions work end to end when they may span multiple clouds. For example, a business might put all of a particular type of workload, such as analytics, onto a specific cloud platform, while ensuring that an issue can be traced across multiple stacks. It also needs to consider hybrid options and transitional states as applications migrate to the cloud.”

Reducing the footprint of a business’ cloud deployments can also deliver much tighter security. Concerns about public cloud’s safety remain high, with Cavirin reporting nine out of ten cybersecurity professionals (91%) are extremely-to-moderately concerned about public cloud security. The most prominent challenge organisations face to their security operations is visibility into infrastructure security (44%), followed by setting consistent security policies across cloud and on-premises environments, and with compliance, which tied at 42% each.

Speaking to IT Pro, Anne Hardy, CISO at Talend says: “Cloud security covers various aspects, the most important being governance, network, logical access control, data protection, security logging and monitoring, security incident response and disaster recovery. Every one of these aspects cannot be managed in the same way with AWS, Azure or GCP (Google Cloud Platform). This variation across multi-cloud deployments means a business needs a team of the right people who can understand all of these areas and the security needs of each.”

Whether and how businesses rationalise their cloud infrastructure will depend on their medium to long-term planning. As Logicalis’ Paul Stapley says, each company will react differently. “We know the correct cloud brings many benefits to the correct workloads. The reasons for both adopting and moving workloads need to be right. By no means is it a one-size-fits-all approach, or a set-in-stone process. As technology advances, and business needs change, the cloud is built to adjust accordingly to best manage those variations.”

New normal IT

Is a single cloud deployment the future of IT infrastructure? The Trinity of AWS, Google Cloud Platform (GCP), and Azure offer all businesses – no matter their size – a cloud deployment platform that can be lean and efficient. The one cloud approach seems distant at this point, however, and the propensity to use multiple cloud deployments often from different vendors shows little sign of slowing. Indeed, the pandemic has accelerated the expansion of public clouds to cope with remote mass working demands, with much of this new deployment being fragmented.

“Most enterprises will choose to work with at least one of the public cloud hyperscalers,” Accenture’s Maynard Williams explains. “And there’s good reason for this: There’s a great deal of competition in the market, so they’re investing heavily in areas like streamlining migration, adapting services for private clouds and pushing out to the edge. In addition, they are investing in a variety of industry-specific cloud solutions – for example, GE Healthcare is running its Health Cloud on Amazon AWS. A bespoke cloud deployment strategy can allow a business to get far more out of these investments than they could realistically achieve alone.”

Williams continues: “For most organisations, the optimal way forward is to select a primary hyperscaler for the majority of mission-critical workloads, and then work with one or more secondary providers dictated by the specific needs of the business. This might depend on regulations, industry, concentration of risk or specialised workloads. This enables the organisation to build core skills and experience on one platform, but take advantage of specialised solutions where it makes the most sense.”

All enterprises, large and small, understand that in the post-COVID era, flexibility will be crucial to their long-term sustainability in their marketplaces. The cloud will continue to be a foundation all businesses use to deliver the IT services they need.

Cloud bloat and the management and security issues these bring will be addressed. However, the cloud is a flexible space that can expand and contract as needed. Can one cloud serve all these requirements? It’s an unlikely scenario. But more streamlining and using fewer vendors look set to become the norm.

Cisco buys London firm IMImobile for £550m


Bobby Hellard

7 Dec, 2020

Cisco has acquired London-based cloud communications provider IMImobile for approximately $730 million (£550m). 

The acquisition, which is the largest Cisco deal in the UK for almost three years, is expected to close in the first quarter of 2021. 

The tech giant is looking to push further into automation to reach out to its customers with IMImobile software being brought in to boost its existing customer relationship management (CRM) offerings.

IMImobile sells ‘customer interactions management’ software that automates a constant connection between businesses and clients through enhanced social media, messaging and audio channels. The firm is based in London, with offices in the US, Canada, India, South Africa and the UAE. 

With IMImobile onboard, Cisco aims to expand its customer services with an end-to-end interaction system that drives faster and smarter interactions in order to orchestrate the lifecycle journey of its customers.

Cisco’s Webex Contact Center will also be able to make use of IMImobile’s artificial intelligence technology for customer journeys. 

“We are excited to join Cisco and become part of one of the world’s leading technology companies as they seek to enable great customer experiences,” said Jay Patel, IMImobile CEO.

“We believe there will be a world of dynamic, always-on connections between global businesses and their customers and the combination of our respective technologies will enable us to make every interaction matter more for our clients.”

When the deal completes in the new year, the IMImobile team will join Cisco’s contact centre business unit, led by Cisco VP and GM Omar Tawakol.

“We look forward to working with IMImobile to help create a comprehensive CXaaS solution for the market – one that gives businesses a platform to provide delightful experiences across the entire customer lifecycle journey,” said Jeetu Patel, senior vice president and GM of Cisco’s security and applications business.

How can the cloud industry adapt to a post-COVID world?


Keumars Afifi-Sabet

3 Dec, 2020

One of the unexpected silver linings to the global coronavirus crisis has been the rapid growth the cloud industry has enjoyed. The shift to remote working during the various lockdowns that have taken place over the course of 2020 was largely, if not entirely, facilitated by cloud services. This has meant that while other sectors have struggled and there has been an overall economic downturn, cloud companies have performed relatively well financially.

Although they wouldn’t want to characterise the past few months as profiting from the pandemic, the likes of Zoom and Microsoft Teams have surged in usage and revenue, with the latter surpassing 44 million users as early as March. This period has also accelerated many digital transformation projects, with engineers more than capable of carrying out projects at pace and scale, including in the traditionally lethargic public sector. This success, however, has been driven entirely by the effects of the pandemic, forcing the industry to question whether, and how, it can adapt once its services are no longer as highly sought after.

Shifting sands

While we all rejoiced at the news that a potential COVID-19 vaccine may be available for distribution before the end of the year, shares in a handful of companies dropped sharply in response, including at least a 15% reduction in the valuation of Zoom.

Whether things go back to the way they were, or cloud companies continue to play a more pivotal role than ever, is yet to be determined. For independent cloud consultant Danielle Royston, the goal of going ‘back to normality’ in 2021 is misplaced. “There’s no point wasting time and energy trying to return to the halcyon days of pre-COVID,” she says. “Let’s focus instead on some of the positive ‘disruptions’ we’ve seen this year. In all the companies I’ve been at, I’ve promoted – and in some cases fully converted to – remote working. I saw this as the inevitable direction that work and society was going, as the cloud computing tools were already there. And it makes sense: A better quality of life for employees, ease of collaboration, cutting the costs of business travel.”

This is a trend that Tom Wrenn, cloud investment expert and partner at private equity firm ECI Partners, predicts will continue well into next year, telling Cloud Pro that COVID-19 forced many companies into rapidly adopting cloud-based operations. These, driven by government-enforced lockdowns, allowed them to continue operating remotely. “Now, having done a basic shift to cloud-based systems,” he adds, “2021 will be the year of full cloud adoption, with businesses starting to optimise all its benefits; for example, data analytics and AI. If rapid investment was needed in 2020, next year businesses will want to see a return on that investment and will expect to see more from their cloud computing providers.”

Remoting-in

Although the recent transition to remote working is a trend sparked by COVID-19, the consensus is that it’s the beginning of a wider cultural shift. Former IBM boss Ginni Rometty is among the latest to suggest as much, claiming mass remote working will continue in some form as part of a broader hybrid model in future. This may involve companies keeping some physical presence while establishing the infrastructure and equipment to allow workers to work remotely as and when desired.

Cisco CTO for UK and Ireland, Chintan Patel, agrees, telling Cloud Pro that remote working gained widespread acceptance during COVID-19, even in organisations where it was unthinkable before. This means cloud and software as a service (SaaS) tools will continue to remain a crucial part of many setups, even though businesses will mostly return to a form of ‘hybrid’ model. “For remote working, cloud plays a central role; think secure cloud-based collaboration, accessing cloud-based business applications, and extending the security perimeter to thousands of devices,” he explains. “It’s important to note, though, that cloud-based consumption models are not limited to remote working only. As to those returning to the offices, we see technology can help make the workplace more secure and efficient. As and when companies prepare for a return to office, they also need to optimise their space, address worker concerns about sanitation and social distancing and plan how to communicate policies and information clearly.”

Technology will play a major part in instigating the changes needed in future, with a key role to play for many of the firms that have enjoyed success during the pandemic. While demand for software such as video conferencing platforms may not be as sky-high as it was at the beginning of the pandemic, Wrenn argues the next big step is how cloud companies can eat further into the market share enjoyed by the traditional telephone industry. “More and more businesses are using Microsoft Teams or Zoom to interact,” he explains, “when previously they would have used conference lines or even called a person directly due to it being more convenient. Cloud providers need to think about how they can make the most of this opportunity as the way in which people interact changes.”

To infinity and beyond

To some extent, we should all consider ourselves lucky the global pandemic happened when it did, given that cloud computing has only recently become as advanced as it is now. Thus, rather than ‘profiting from the pandemic’, this period has been the making of the industry. After all, “cloud storage, processing, and compute facilities are already set up, and ready to expand easily and automatically, as and when enterprises need,” according to Royston, who claims this wouldn’t have been the case ten to 15 years ago. “It would’ve been an epic failure and caused even more disruption and long-term damage to global economies. This year, white-collar workers being able to quickly adapt to working from home in their millions is part of what’s helped many sectors stay afloat. And it’s because of the investment and ongoing work of hyperscalers over the past few years that’s meant businesses can support workers in doing this.”

Connectivity, too, will continue to grow as organisations’ reliance on SaaS tools increases, Patel adds, with firms expecting more from these companies beyond provision. With cloud infrastructures becoming increasingly diverse, especially with applications adding more layers of complexity, businesses will be looking to strengthen their infrastructure. This will be achieved by gaining deeper visibility across their IT estates, ensuring workloads have continuous access to required resources and running systems that connect and protect at scale – from on-prem to hybrid cloud configurations. This is in addition to using technologies such as machine learning to give customers tools to manage their ever-growing data lakes. This is where providers can step in to guide customers on their migration journeys.

As such, the greatest challenge facing cloud providers, in light of the above, will largely be customer retention, according to Tom Wrenn. “If we take online meeting services as an example, historically businesses would have had to invest in a service, such as [Cisco] WebEx, which is often costly and comes with a lot of equipment,” he says. “Today, however, businesses are using Zoom and Teams for this and can just turn services on and off with little upfront investment. This means that customers aren’t locked into providers in a way they once were. As a result, cloud computing providers will need to over-deliver for their clients, retaining a high level of customer service as well as ensuring that service levels don’t decline as they undergo a huge period of growth.”

Google buys Actifio to bring backup and disaster recovery to Google Cloud


Rene Millman

3 Dec, 2020

Google has announced it will acquire disaster recovery firm Actifio in a bid to boost its Google Cloud business. Terms of the deal were undisclosed.

Actifio provides customers with the opportunity to protect virtual copies of data in their native format, manage these copies throughout their entire lifecycle, and use these copies for scenarios such as development and test.

The company’s technology can deal with data stored in several different environments such as SAP HANA, Oracle, Microsoft SQL Server, PostgreSQL, and MySQL, virtual machines (VMs) in VMware, Hyper-V, physical servers, and Google Compute Engine.

Google said the acquisition would “help us to better serve enterprises as they deploy and manage business-critical workloads, including in hybrid scenarios.”

The company added that it was committed to “supporting our backup and disaster recovery technology and channel partner ecosystem, providing customers with a variety of options so they can choose the solution that best fits their needs.”

“We know that customers have many options when it comes to cloud solutions, including backup and DR, and the acquisition of Actifio will help us to better serve enterprises as they deploy and manage business-critical workloads, including in hybrid scenarios,” said Brad Calder, VP of engineering at Google, in the blog post.

Ash Ashutosh, CEO at Actifio said that backup and recovery are essential to enterprise cloud adoption and, “together with Google Cloud, we are well-positioned to serve the needs of data-driven customers across industries.”

“The market for backup and DR services is large and growing, as enterprise customers focus more attention on protecting the value of their data as they accelerate their digital transformations,” said Matt Eastwood, Senior Vice President of Infrastructure Research at IDC.

“We think it is a positive move for Google Cloud to increase their focus in this area.”

How to automate your infrastructure with Ansible


Danny Bradbury

2 Dec, 2020

Hands up if you’ve ever encountered this problem: you set up an environment on a server somewhere, and along the way, you made countless web searches to solve a myriad of small problems. By the time you’re done, you’ve already forgotten most of the problems you encountered and what you did to solve them. In six months, you have to set it all up again on another server, repeating each painstaking step and relearning everything as you go.

Traditionally, sysadmins would write bash scripts to handle this stuff. Scripts are often brittle, requiring just the right environment to run in, and it takes extra code to ensure that they account for different edge cases without breaking. Scaling that up to dozens of servers is a daunting task, prone to error.

Ansible solves that problem. It’s an IT automation tool that lets you describe what you want your environment to look like using simple files. The tool then uses those files to go out and make the necessary changes. The files, known as playbooks, support programming steps such as loops and conditionals, giving you lots of control over what happens to your environment. You can reuse these playbooks over time, building up a library of different scenarios.

Ansible is a Red Hat product, and while there are paid versions with additional support and services bolted on, you can install this open-source project for free. It’s a Python-based program that runs on the box you want to administer your infrastructure from, which must be a Unix-like system (typically Linux). It can administer Linux and Windows machines (which we call hosts) without installing anything on them, making it simpler to use at scale. To accomplish this, it uses SSH certificates, or remote PowerShell execution on Windows.

We’re going to show you how to create a simple Linux, Apache, MySQL and PHP (LAMP) stack setup in Ansible.

To start with, you’ll need to install Ansible. That’s simple enough; on Ubuntu, put the PPA for Ansible in your sources file and then tell the OS to go and get it:

$ sudo apt update
$ sudo apt install software-properties-common
$ sudo apt-add-repository --yes --update ppa:ansible/ansible
$ sudo apt install ansible

To test it out, you’ll need a server that has Linux running on it, either locally or in the cloud. You must then create an SSH key for that server on your Ansible box and copy the public key up to the server.

Now we can get to the fun part. Ansible uses an inventory file called hosts to define many of your infrastructure parameters, including the hosts that you want to administer. Ansible reads information in key-value pairs, and the inventory file uses either the INI or YAML formats. We’ll use INI for our inventory.

Make a list of the hosts that you’re going to manage by putting them in the inventory file. Modify the default hosts file in your /etc/ansible/ folder, making a backup of the default one first. This is our basic inventory file:

# Ansible hosts
[lan]
db_server ansible_host=192.168.1.88
db_server ansible_become=yes
db_server ansible_become_user=root

The phrase in the square brackets is your label for a group of hosts that you want to control. You can put multiple hosts in a group, and a host can exist in multiple groups. We gave our host an alias of db_server. Replace the IP address here with the address of the host you want to control.

The next two lines enable Ansible to take control of this server for everything using sudo. ansible_become tells it to escalate privileges with sudo, while ansible_become_user tells it which account to become. Note that we haven’t listed a password here.

You can use Ansible to run shell commands that influence multiple hosts, but it’s better to use modules. These are native Ansible functions that replicate many Linux commands, such as copy (which replicates cp), user, and service to manage Linux services. Here, we’ll use Ansible’s apt module to install Apache on the host.

ansible db_server -m apt -a 'name=apache2 state=present update_cache=true' -u danny --ask-become-pass

The -m flag tells us we’re running a module (apt), while -a specifies the arguments. update_cache=true tells Ansible to update the packages cache (the equivalent of apt-get upgrade), which is good practice. -u specifies the user account we’re logging in as, while --ask-become-pass tells Ansible to ask us for the user password when elevating privileges.

state=present is the most interesting flag. It tells us how we want Ansible to leave things when it’s done. In this case, we want the installed package to be present. You could also use absent to ensure it isn’t there, or latest to install and then upgrade to the latest version.

Then, Ansible tells us the result (truncated here to avoid the reams of stdout text).

db_server | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python3"
    },
    "cache_update_time": 1606575195,
    "cache_updated": true,
    "changed": true,
    "stderr": "",
    "stderr_lines": [],

Run it again, and you’ll see that changed is now false. The module handles both cases, whether the software is already installed or not. This ability to get the same result no matter how many times you run a task is known as idempotence, and it’s a key feature that makes Ansible less brittle than a bunch of bash scripts.
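As an added example (not code from the original article), here is a small Python check that parses the ad hoc output format shown above and flags any host whose second, identical run still reports changed=true, which is a quick way to confirm idempotence from CI. The sample output it parses is constructed, not captured from a real host.

```python
import json
import re
from typing import Dict, List, Tuple

# Header line Ansible prints per host in ad hoc (-m) output,
# e.g. "db_server | CHANGED => {"; the status carries a trailing "!"
# for FAILED! and UNREACHABLE!.
_HEADER = re.compile(r"^(?P<host>\S+) \| (?P<status>[A-Z]+!?) => ", re.MULTILINE)


def parse_adhoc_output(text: str) -> Dict[str, Tuple[str, dict]]:
    """Map each host in Ansible ad hoc output to (status, result JSON)."""
    decoder = json.JSONDecoder()
    results: Dict[str, Tuple[str, dict]] = {}
    for match in _HEADER.finditer(text):
        # The JSON object starts right after "=> "; raw_decode stops at its
        # closing brace, so the following host's block is left untouched.
        payload, _ = decoder.raw_decode(text, match.end())
        results[match.group("host")] = (match.group("status"), payload)
    return results


def non_idempotent_hosts(first_run: str, second_run: str) -> List[str]:
    """Return hosts that are missing, failed, or still changed on run two.

    A second identical run that changes anything means the task is not
    idempotent (or something else is modifying the host between runs).
    """
    second = parse_adhoc_output(second_run)
    offenders = []
    for host in parse_adhoc_output(first_run):
        status, result = second.get(host, ("MISSING", {}))
        if status in ("FAILED!", "UNREACHABLE!", "MISSING") or result.get("changed", False):
            offenders.append(host)
    return sorted(offenders)


# Constructed sample output (not captured from a real run) mirroring the two
# runs of the apt module described above: the first installs apache2, the
# second finds it already present.
FIRST_RUN = """db_server | CHANGED => {
    "cache_updated": true,
    "changed": true,
    "stderr": ""
}
"""

SECOND_RUN = """db_server | SUCCESS => {
    "cache_updated": false,
    "changed": false,
    "stderr": ""
}
"""
```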

Running ad hoc commands like this is fine, but what if we want to string commands together and reuse them later? This is where playbooks come in. Let’s create a playbook for Apache using the YAML format. We create the following file and save it as /etc/ansible/lampstack.yml:

- hosts: lan
  gather_facts: yes
  tasks:
  - name: install apache
    apt: pkg=apache2 state=present update_cache=true
  - name: start apache
    service: name=apache2 state=started enabled=yes
    notify:
    - restart apache
  handlers:
    - name: restart apache
      service: name=apache2 state=restarted

hosts tells us which group we’re running this script on. gather_facts tells Ansible to interrogate the host for key facts. This is handy for more complex scripts that might take steps based on these facts.

Playbooks list individual tasks, which you can name as you wish. Here, we have two: one to install Apache, and one to start the Apache service after it’s installed.

notify calls another kind of task known as a handler. This is a task that doesn’t run automatically. Instead, it only runs when another task tells it to. A typical use for a handler is to run only when a change is made on a machine. In this case, we restart Apache if the system calls for it.

Run this using ansible-playbook lampstack.yml --ask-become-pass.

So, that’s a playbook. Let’s take this and expand it a little to install an entire LAMP stack. Update the file to look like this:

- hosts: lan
  gather_facts: yes
  tasks:
  - name: update apt cache
    apt: update_cache=yes cache_valid_time=3600
  - name: install all of the things
    apt: name={{item}} state=present
    with_items:
      - apache2
      - mysql-server
      - php
      - php-mysql
      - php-gd
      - php-ssh2
      - libapache2-mod-php
      - python3-pip
  - name: install python mysql library
    pip:
      name: pymysql
  - name: start apache
    service: name=apache2 state=started enabled=yes
    notify:
    - restart apache
  handlers:
    - name: restart apache
      service: name=apache2 state=restarted

Note that we’ve moved our apt cache update operation into its own task because we’re going to be installing several things and we don’t need to update the cache each time. Then, we use a loop. The {{item}} variable repeats the apt installation with all the package names indicated in the with_items group. Finally, we use Python’s pip command to install a Python connector that enables the language to interact with the MySQL database.

There are plenty of other things we can do with Ansible, including breaking out more complex Playbooks into sub-files known as roles. You can then reuse these roles to support different Ansible scripts.

When you’re writing Ansible scripts, you’ll probably run into plenty of errors and speed bumps that will send you searching for answers, especially if you’re not a master at it. The same is true of general sysadmin work and bash scripting, but if you use this research while writing an Ansible script, you’ll have a clear and repeatable recipe for future infrastructure deployments that you can handle at scale.
