Add Capability, Ensure Security, and Manage Cost with IT Automation

April 21, 2020 - Marc Chenn

About a month ago I wrote about a conversation with Mark Sunday and his approach to achieving the elusive “IT trifecta.” The post was titled, “Our new digital reality and the need for more IT automation and security.” Our world continues to change in ways none of us have ever seen before, but the truisms of Mark’s IT trifecta have never been more essential and relevant. As a reminder, the “IT trifecta” is focused on balancing the following priorities:

  • Adding capability
  • Ensuring security
  • Managing cost

I spent much of the last year, roughly bookended by RSA Conference 2019 and 2020, talking to customers, security vendor executives, and IT and infosec leaders about advancing the objectives of effective security operations. SecOps seeks to find balance between infosec and IT operations and, historically, if you could reduce IT costs and save the company money, it was an added bonus.

But that was a month ago. Today the IT trifecta looks like this:

  • Adding capability: Business has been forced to be more digital than ever before. This means even more digital infrastructure and capability. But the business isn’t hiring more IT people, and the existing IT team is less and less productive.
  • Ensuring security: Infosec is as critical as ever, and even more so. But the business demands real infrastructure security these days and not just security on paper. Businesses might be able to survive an economic downturn, or a data breach, individually. But can they survive the financial impact of both?
  • Managing cost: For the first time in more than a decade, managing cost has taken the seat at the head of the adults’ table.

The rest of this post will focus on using IT automation to manage costs in the face of increased business demand for added capability and ensured security.

Automate the work of IT and security operations

SaltStack has been receiving a ton of attention in the last year, specifically at RSAC, for its ability to traverse IT and security silos and automate the work of closed-loop security operations. It is not enough to simply understand security posture. SecOps teams must have the ability to take action and fix security vulnerabilities or else the work of security is meaningless. Better yet, proactively automate cyber hygiene by implementing and automating continuous compliance and vulnerability remediation across production infrastructure.

This is possible and within reach for well-intentioned teams that have the IT trifecta in mind for their business. But IT and security operations teams need to be willing to work together. Both teams need help that only the other can provide.

On a recent earnings call a financial analyst asked the CEO of a leading vulnerability management software company if they plan to offer vulnerability remediation. The CEO responded, “We are not getting into the remediation business. We are not a patching business. We don’t want to imply that we are. What we’ve chosen is to have a tight integration platform with configuration management tools and enterprise infrastructure products our customers have deployed and selected as best-of-breed solutions and that they are already leveraging in their workflows.”

You can always try a hosted instance of SaltStack Enterprise for a first-hand, self-guided tutorial and a look at how integration with vulnerability management tools would look in your organization.

The SaltStack Protect 6.2 release includes integration with Tenable, and will soon integrate with Qualys, Rapid7, and Kenna Security. This is what closed-loop vulnerability remediation using SaltStack and Tenable looks like. SaltStack is unique in providing infrastructure automation and configuration management purpose-built to secure IT, but don’t take our word for it.

The unacceptable risk of manual IT and security operations

Humans alone are not able to secure and maintain infrastructure at scale. The only way is to automate. In the current economy, when IT and security people have less help and more work, the automation imperative has never been more critical to the security and reliable operations of digital infrastructure.

IT and security decision makers are taught to look at cybersecurity through a risk / reward lens and this, while not bad practice, misses the whole picture. What’s the cost to the business of performing IT and security processes ineffectively? Even if your systems are never exploited (and chances are they will be) how much is innovation reduced, costs increased, and precious human resources squandered by insufficient and unoptimized processes? 

According to Gartner Research, “I&O leaders tasked with justifying the cost of automation initiatives should focus on efficiency gains first, productivity improvements second and cost reductions third. The largest longer-term benefits are predictability, risk mitigation, scalability and accountability.”

SaltStack was built to solve diverse challenges associated with modern IT, but IT organizations can’t hire enough humans to address the growth and scale of digital business. Every enterprise IT function has menial, repetitive tasks often despised by most team members. These tasks drain team efficiency. 

The value of IT automation

With SaltStack many of these tasks can be automated through event-driven automation and orchestration — allowing customers to increase cost efficiencies by assigning high-value engineering personnel to more strategic projects and reducing the likelihood of human error. Customers I meet often tell me that they’re able to improve team efficiency and ability to execute dramatically, in many cases by 80% or more. 

The maintenance and security of production infrastructure can be very expensive if not properly automated. Time and money are saved when the most-expensive IT engineers and sysadmins delegate the power of SaltStack to less-expensive support desk or night ops technicians. SaltStack customers report that by right-sizing the responsibility for data center maintenance tasks, their organizations recoup 50% of engineer time and reallocate it to new, more strategic initiatives.

Automation built for cloud-native, web-scale infrastructure

SaltStack has a decided advantage over legacy tools because it was built for modern web-scale and hybrid cloud infrastructure. Results may vary depending on implementation size and data center architecture, but many customers report substantially reduced hosting requirements and internal infrastructure footprint to run SaltStack when compared to legacy tools, or even when compared with contemporary, agentless tools. Reduced system requirements have resulted in hard cost savings of approximately 60%. Take a look at these SaltStack customer case studies from companies like NICE Nexidia, IBM Cloud, and Liberty Mutual Insurance to see how they do it.

A new SaltStack customer recently told me, “We selected SaltStack for its full functionality, execution speed, community support, global availability of Salt skills, AWS interoperability, and finally, price. SaltStack was the clear winner for benefits and value.”

These days value has never been more important. Fortunately IT and infosec leaders don’t need to compromise value with delivering capability and securing infrastructure. Let’s talk about how SaltStack can help save IT. Schedule a live demo with us today, or read this white paper to learn how SaltStack customers save significant time and money with IT automation.