DevOps / Security / Tools

How SaltStack Reinvented Itself for a Cloud-Dominated World

16 Jun 2020 3:00am, by

When Robert Dale joined  MAN Energy Solutions, as an IT architect, one of the first things he noticed was that maintaining CIS compliance across one of the world’s largest ship engine and turbomachinery companies was not going to be easy as he had hoped.

For CIS compliance, for example, commands and policies were set for custom scripts. “Only one guy to figure out how to make it work — And he’s not around anymore,” Dale said. “It was expensive to own and to maintain.”

Dale then sought out an alternative system that he said he felt comfortable with for automating a number of security and management tasks across several large environments. The SaltStack configuration and remote execution management tool, aka Salt, fit the bill, he said. With it, Dale said he was able to automate the otherwise onerous tasks, when done manually, consisting of installing numerous pilots and removing or adding CIS compliance checks without the need for extended coding or manual configuration.

“I have a huge environment I need to make compliant and adjust or extend that compliance as new checks arrive and this becomes difficult to extend to all employees of different skill levels without a UI. I also don’t have to re-architect or re-engineer it,” Dale said. “I can just connect it to my enterprise assess, remediate and I’m done.”

While managing such a vast network, maintaining compliance was previously a major challenge, often representing a number of months of work for the IT security team.  Dale now says updating CIS compliance policies can be completed in 30 minutes. “It is a matter of picking this policy in a list and not that one, and then you’re done,” Dale said. “Remediation also became very simple.”

Salt has been criticized for posing challenges to install. However, while Dale noted that Salt’s documentation could be a “little vague,” he claimed Salt’s installation was straightforward.

“You can install Salt on a single node with one script that you click ‘run’ and you’re done,” Dale said.

The Reinvention

Dale’s experience reflects how SaltStack, with last year’s release of SaltStack Enterprise 6.1, has sought to emphasize automation for SecOps, especially for often large cloud native deployments in multicloud and on-premises environments. Through the API, the enterprise version of Salt scans often disparate and remote systems for vulnerabilities, while the automation capabilities serve to remediate most of the vulnerabilities, it says.

The security capabilities and automation Salt offers today also represents a departure from what Salt was mainly designed today as a general distributed management platform provider. Not that Salt was looking at becoming obsolete, but in this day of cloud native tools and direct-to-cloud platforms available, Salt, as well as other competing solutions, was not in demand as it once was. However, particularly with the release of SaltStack Enterprise 6.1, SaltStack added automation capabilities for SecOps, also representing a new direction Salt’s developers were taking. SaltStack has thus, in many ways, reinvented itself.

Among the chief problems it sought to solve was helping DevOps, and more specifically, SecOps teams from uploading in some cases hundreds of vulnerabilities while deploying applications and platforms cloud vendors provide.

“We definitely have reinvented ourselves,” SaltStack Chief Technology Officer and founder Thomas S. Hatch, said. “Our new approach for SecOps is not something that the cloud providers are looking at.”

Hatch saw less of a need for organizations for generalist app deployment and infrastructure-provisioning tools when he opted for a SaltStack change of course. “These platforms are less critical in a modern CI/CD world,” Hatch said. “ When I made the conscious — and I have to say — unpopular decision, especially internally, it’s popular now. I’m like, ‘I’m glad I bet right on that.’”

“Not to say Salt’s core automation capabilities as a distributed management platform have become obsolete. This is because considering that, especially for large infrastructures that make the shift to cloud native, they require the automation of significant components of their infrastructure to provision specific service servers,” Hatch said.

“The large cloud vendors, of course, offer distributed management platforms but the security scanning capabilities they provide are far from safe. It’s really astonishing how many people think that just scanning your infrastructure is enough from a security perspective,” Hatch said.

Essentially, SaltStack enterprise automates SecOps processes. “When we spoke to our customers and a lot of people from the press and investors, they’re coming back and saying that what we’re doing in SecOps is revolutionary because it completely changes how that whole approach to security works,” Hatch said.

The Big Jump

The concept behind SaltStack Enterprise today is largely about providing SecOps teams with the option of automating the discovery and remediation of security vulnerabilities across multicloud and on-premises infrastructures. In doing so, SaltStack says SaltStack Enterprise 6.1 brings automation to SecOps with an API  that scans IT systems for vulnerabilities and then provides out-of-the-box automation workflows to remediate them.

In this way, SaltStack is positioning itself as the “universal automation backbone for NoOps,” Torsten Volk, an analyst for Enterprise Management Associates (EMA), said.

“In today’s world of distributed applications, every time you spin up a microservice in your datacenter or on a public cloud, there is a potential for security and compliance issues to occur. Salt’s decentralized but centrally managed and near real-time message bus seems well-positioned to enable consistent issue responses in these continuously changing and scaling environments,” Volk said. “Focusing on rapid automatic response to security and compliance events seems spot on in today’s world where landing in the news for disclosing customer account data can quickly lead to billions of dollars in fines and PR damage.”

SaltStack also fits into a new and emerging context in which cloud native security tools are becoming more readily available. However, choosing the right toolset, of course, can pose challenges in what has also become a fragmented market consisting of a plethora of both security and open source options.

Operations-management platforms, such as SaltStack, incorporate security use cases, for example, that “reflect the reality that DevOps and teams are more and more leveraging a broader set of tools to achieve security outcomes,” Fernando Montenegro, principal analyst for 451 Research, said.

“This is great for users — security can now be embedded into existing processes more — but does present a challenge to many stakeholders. For end-user organizations, how do you make sure the collaboration between security teams and other teams, such as DevOps, works well to make sure security objectives are being met without too much friction?” Montenegro said. “For vendors, the challenge is that not only is there more competition, but their buying decisions are now more complex: for someone ‘selling’ to security, they may now need to understand how operations management tools may also supply that functionality.”

The need to keep pace with DevOps innovation is “something that affects every vendor, not just SaltStack, Montenegro said. “The diversity in approaches that exist drives a lot of innovation, as does the ease with which teams may now look into open source and community efforts,” Montenegro said. “For deployments on cloud environments, there’s also pressure from operations management frameworks being offered by cloud providers themselves.”

‘POP’ Push

The release of SaltStack 6.2 introduced a component that “allowed us to actually integrate with the rest of the security toolchain,” Moe Abdula, vice president of engineering at SaltStack said. “Today, people have already invested a lot in tools that do scanning or prioritization of vulnerabilities. So, rather than asking folks to throw away something that is already delivering value, we created many, many integrations on the front end with the scanning tools and convert the results automatically with no manual effort,” Abdula said. “And then, right out of the box, we have the benchmarks that automate the remediation, so that a client can choose simply to click a button.”

Similar to how SaltStack reinvented itself to solve burgeoning SecOps requirements as organizations increasingly make the shift to cloud native and more distributed environments, Hatch spearheaded the open source Plugin Oriented Programming (POP) project to solve another problem. Introduced at SaltConf2019 in November, POP was designed to allow developers to create code or modules with Python that Pop integrates into distributed architectures, including, of course, cloud native and Kubernetes environments. Developers can thus create applications and code and rely on POP to handle the otherwise cumbersome tasks associated with configuring YAML, SSH tunnels and other infrastructure-related tasks.

“I haven’t found a Python project POP doesn’t work for yet,” Hatch said. “One of those stupid problems you have with a typical Python Installer is you have to make sure everything is compatible on the infrastructure side. With the Python code inside, everything just works with POP — all you’ve got to do is download it,” Hatch said.

With SaltStack’s new enterprise releases, POP can allow different teams to work on their own projects without “running into or creating coordination overhead when trying to merge their code back into the overall platform,” Volk said. “This means that developers should be able to provide new capabilities, e.g. for implementing security best practices or for addressing a specific type of compliance issue, faster and with less overall effort. It will be interesting to observe how far POP can live up to this expectation,” Volk said.

SaltStack is a sponsor of The New Stack.

Feature image via Pixabay.

At this time, The New Stack does not allow comments directly on this website. We invite all readers who wish to discuss a story to visit us on Twitter or Facebook. We also welcome your news tips and feedback via email: feedback@thenewstack.io.

A newsletter digest of the week’s most important stories & analyses.