
Securing IT Infrastructure With Automated Patching Using Ansible


A use case for an open-source tool to reduce cost of managing IT infrastructure security

Proliferation of business systems and technology infrastructure

IT environments are often too complex to manage, yet they must be protected from malicious and unintended activity at all times.  Managing IT infrastructure security requires a broad range of software products and services designed to protect enterprises and employees from loss or damage to data, applications, IT systems, networks, and devices.  Today, however, businesses no longer run on a single unified technology stack (IBM or Microsoft) but use a variety of proprietary and non-proprietary software from different vendors.  The rise of open-source server technologies has allowed companies to move from exclusively IBM or Microsoft server software to open-source platforms such as Linux.

Limitations of proprietary software

Proprietary software comes with limitations.  Microsoft and IBM offer infrastructure management software only for their own products.  That software comes with a price tag, yet it may not have the flexibility to interface with non-proprietary software.  Thus, to manage Linux servers we need different tooling.

The Open Source tool Ansible holds the promise

Ansible is an open-source, agentless IT automation platform that allows companies to perform configuration management, application deployment, patching, intra-service orchestration and many other IT tasks.  Owned by Red Hat, Ansible allows companies to conduct multi-tier deployments, define systems for security, and roll out enterprise-wide standards with ease.  Playbooks are written in YAML; Ansible's functionality can be extended with custom modules (written in Python, or PowerShell for Windows targets) and with shell commands, and it covers both open-source and proprietary server operating systems.  An organization that runs a mix of technologies would benefit from using Ansible.

Ansible as a tool for Vulnerability Remediation 

Ansible is proven at automating software deployments, and patching is a type of deployment.  It can therefore be used to integrate and automate the different security solutions that detect and respond to threats across the enterprise in an orchestrated, unified manner, using modules, roles and playbooks.

The vulnerability remediation process involves regularly scanning technology systems to identify new software vulnerabilities, then classifying, prioritizing, remediating and mitigating those vulnerabilities in a timely fashion.  CES recommends Ansible to manage the end-to-end vulnerability management and remediation process.

CES has helped customers leverage Ansible to deploy security patches on their server infrastructure, which provided much-needed flexibility and cost savings.

Ansible’s playbook syntax allows companies to define and set up firewall rules, lock down users and groups, and apply custom security policies.
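To make that concrete, here is an added hardening playbook written for this page; it is not a CES or Ansible project playbook.  It assumes inventory groups named linux_servers and windows_servers, Linux hosts that run firewalld and sshd, and the ansible.posix, ansible.windows and community.windows collections installed on the controller.  The service names, ports, management subnet, account names and domain group are illustrative placeholders.

```yaml
# harden_baseline.yml -- added example, not from the original page.
# Assumed inventory groups: linux_servers, windows_servers.
# Assumed collections: ansible.posix, ansible.windows, community.windows.
- name: Baseline hardening for Linux hosts
  hosts: linux_servers
  become: true
  vars:
    allowed_services: [ssh, https]              # illustrative inbound allow-list
    retired_accounts: [olduser, svc_legacy]     # illustrative accounts to remove
  tasks:
    - name: Ensure firewalld is running and enabled at boot
      ansible.builtin.service:
        name: firewalld
        state: started
        enabled: true

    - name: Allow only the approved inbound services in the public zone
      ansible.posix.firewalld:
        service: "{{ item }}"
        zone: public
        permanent: true
        immediate: true
        state: enabled
      loop: "{{ allowed_services }}"

    - name: Revoke a legacy management port (illustrative)
      ansible.posix.firewalld:
        port: 8080/tcp
        zone: public
        permanent: true
        immediate: true
        state: disabled

    - name: Remove retired accounts together with their home directories
      ansible.builtin.user:
        name: "{{ item }}"
        state: absent
        remove: true
      loop: "{{ retired_accounts }}"

    - name: Disallow root login over SSH (config is validated before sshd is restarted)
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?PermitRootLogin'
        line: 'PermitRootLogin no'
        validate: '/usr/sbin/sshd -t -f %s'
      notify: Restart sshd
  handlers:
    - name: Restart sshd
      ansible.builtin.service:
        name: sshd
        state: restarted

- name: Baseline hardening for Windows hosts
  hosts: windows_servers
  tasks:
    - name: Allow RDP only from the management subnet
      community.windows.win_firewall_rule:
        name: Allow RDP from management subnet
        direction: in
        action: allow
        protocol: tcp
        localport: "3389"
        remoteip: 10.0.10.0/24          # illustrative management subnet
        profiles: [domain]
        enabled: true
        state: present

    - name: Block inbound SMB (a block rule wins over any allow rule on the same port)
      community.windows.win_firewall_rule:
        name: Block inbound SMB
        direction: in
        action: block
        protocol: tcp
        localport: "445"
        enabled: true
        state: present

    - name: Disable the built-in Guest account
      ansible.windows.win_user:
        name: Guest
        account_disabled: true
        state: present

    - name: Keep local Administrators to the approved members only
      ansible.windows.win_group_membership:
        name: Administrators
        members:
          - Administrator
          - "CORP\\ServerAdmins"          # illustrative domain group
        state: pure                       # removes any member not listed above
```

Because every task is declarative, re-running the playbook is the drift check: a host whose firewall, accounts or Administrators group has been changed by hand shows up as `changed` and is put back, which is what "apply custom security policies" means in practice.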

Ansible – an agentless IT automation tool that is flexible and cost-effective

For Windows estates, the best method for patching with Ansible is to leverage WSUS (Windows Server Update Services) and Active Directory GPOs (Group Policy Objects) in conjunction with an Ansible controller.  The WSUS server pulls updates down to its own local storage.  Active Directory GPOs are configured so that clients pull updates from the WSUS server instead of from external Microsoft sources, which saves a great deal of bandwidth.  Other advantages of WSUS include its reporting features and an administration console that allows updates to be approved selectively.  Once clients have been pointed at WSUS by GPO, Ansible controls when the approved updates are actually installed on each system and when the system reboots.

The graphic below illustrates the vulnerability remediation and patch management process:

The automation process with Ansible for Vulnerability Remediation and Patch Management Services includes:

  • Following the Microsoft Patch Tuesday cadence
  • Approving updates in WSUS
  • Creating Chocolatey packages
  • Running Ansible playbooks to install updates and packages on the test environment
  • Testing and certifying patches
  • Researching unknown issues
  • Creating playbooks for vulnerabilities and configuration changes
  • Tracking long-tail patches and updates that have aged more than 30 days
  • Upgrading legacy and out-of-life-cycle software
  • Deploying Windows security updates, non-security updates, service packs, rollup updates, and feature packs on production environments
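The workflow above maps onto a playbook like the following.  It is an added example written for this page, not a CES or Ansible project playbook.  It assumes inventory groups win_test and win_prod reachable over WinRM or psrp, a current ansible.windows collection (the server_selection and reject_list parameters of win_updates) and the chocolatey.chocolatey collection; the Chocolatey feed URL, package names and blocked-KB list are placeholders.

```yaml
# patch_windows.yml -- added example, not from the original page.
# Assumed inventory groups: win_test, win_prod.
# Assumed collections: ansible.windows, chocolatey.chocolatey.
# Certify on test first:   ansible-playbook patch_windows.yml -e target_group=win_test
# Then roll to production: ansible-playbook patch_windows.yml -e target_group=win_prod -e batch_size=25%
- name: Install Chocolatey packages and WSUS-approved updates
  hosts: "{{ target_group | default('win_test') }}"
  gather_facts: false
  serial: "{{ batch_size | default('100%') }}"    # production goes in batches
  max_fail_percentage: 10                           # abort the rollout if a batch fails badly
  vars:
    choco_source: http://choco.corp.example/chocolatey   # illustrative internal feed
    choco_packages:                                       # illustrative packages
      - { name: 7zip, version: "23.1.0" }
      - { name: notepadplusplus }
    blocked_kbs: []            # KB numbers found to break something during certification
  tasks:
    - name: Install or upgrade packages from the internal Chocolatey feed
      chocolatey.chocolatey.win_chocolatey:
        name: "{{ item.name }}"
        version: "{{ item.version | default(omit) }}"
        source: "{{ choco_source }}"
        state: present
      loop: "{{ choco_packages }}"

    - name: Install security and critical updates from the WSUS server assigned by GPO
      ansible.windows.win_updates:
        server_selection: managed_server      # WSUS, never Microsoft Update directly
        category_names:
          - SecurityUpdates
          - CriticalUpdates
          - UpdateRollups
        reject_list: "{{ blocked_kbs }}"
        reboot: true
        reboot_timeout: 1800
        log_path: C:\ProgramData\ansible_win_updates.log
      register: wu

    - name: Fail this host if any update did not install
      ansible.builtin.fail:
        msg: "{{ wu.failed_update_count }} update(s) failed on {{ inventory_hostname }}"
      when: (wu.failed_update_count | default(0) | int) > 0

    - name: Summarise the result for the patch record
      ansible.builtin.debug:
        msg: >-
          {{ inventory_hostname }}: installed {{ wu.installed_update_count }}
          of {{ wu.found_update_count }} updates;
          reboot required: {{ wu.reboot_required }}

- name: List updates still outstanding after the run (input to long-tail tracking)
  hosts: "{{ target_group | default('win_test') }}"
  gather_facts: false
  tasks:
    - name: Search only, do not install
      ansible.windows.win_updates:
        server_selection: managed_server
        state: searched
      register: pending

    - name: Show each KB still missing on this host
      ansible.builtin.debug:
        msg: "{{ item.value.title }} (KB{{ item.value.kb | join(', KB') }})"
      loop: "{{ pending.updates | dict2items }}"
      loop_control:
        label: "{{ item.key }}"
      when: pending.found_update_count | int > 0
```

Running the same playbook against win_test and then win_prod is what separates the certification step from the production rollout; reject_list is where a KB that broke something in test is held back while the issue is researched, and the second play's search-only output is the per-host input to the 30-day long-tail list (the age of each update comes from WSUS reporting, which Ansible does not expose directly).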

Ansible offers additional benefits.  It automates cloud provisioning, configuration management, package management, application deployment, self-service gateways, intra-service orchestration, and many other IT needs.  Using Ansible, infrastructure security can be integrated seamlessly into the overall infrastructure operations and risk management processes.  For more information, or to have a conversation on how CES can implement vulnerability management and safeguard your environment from cyber-attacks, please contact us at  You may also be interested in our other Cybersecurity blog —