Escape Compliance Hell with SecOps Collaboration and Automation

April 30, 2019 - Alex Peay

Imagine your house is on fire. Your neighbor spots the fire first, walks across the street to tell you your house is on fire, and then takes a seat on his front porch and watches it burn. He doesn’t call 911, doesn’t pick up a hose to try to douse it, and doesn’t help to make sure everybody is out of the house. Unfortunately, this extreme example is the extent of what security scanning tools do for enterprise IT teams and the digital businesses they serve. These tools will tell IT teams their house is on fire, but they aren’t able to help put the fire out. There is a definite need for more SecOps collaboration among the teams working to secure critical infrastructure.

Helping IT and security teams collaborate to automate continuous compliance

Chief information security officers and IT executives working to protect digital business from cybersecurity threats are faced with a daunting task. Is it possible to create a truly efficient SecOps collaboration team? Does a tool exist that can help security teams detect vulnerabilities and non-compliant systems, then automate the work to remediate those vulnerabilities and bring them into compliance with a policy like CIS or DISA STIGs?

This tool now exists. It is called SaltStack SecOps, and it is already gaining substantial industry recognition and customer adoption from the biggest and most advanced IT organizations in the world.

The SecOps collaboration problem, compliance hell

IT operations and security teams are very different, but essentially they both work to create a highly available digital infrastructure that’s secure. Often, getting both teams on the same page results in what we call “compliance hell.”

I’ve written a full white paper on compliance hell here, or attend this webinar and join me as I dive into the depths of compliance hell then emerge from the other side mostly unscathed.


Essentially, the IT team’s goal is to make sure all systems are running and functional. Any outages or updates are planned weeks if not months in advance.

Meanwhile, the security team works to ensure all infrastructure is secure, patched, and compliant with regulatory standards such as PCI, HIPAA, and 800-53. They must react quickly to security threats such as Spectre or WannaCry, but they often need the help of the IT operations team to implement changes and updates. Rapid response is essential to effective security, but planning often takes a back seat to expediency, which can be counterintuitive to the IT team.

It’s common to see security teams run a weekly scan with one tool, export the results with a list of compliance violations, vulnerabilities, and configuration issues into a massive Excel sheet, then hand it off to the IT operations team to fix without any context or a sense of prioritization.

It’s also common for the operations team to take action against issues using completely different tools and working off different objectives than the security team. Too often the result is low-priority issues get addressed first while SEV-1 issues fall through the cracks.

The most notable, recent security fail was the Equifax data breach. In a nutshell, the security and IT teams failed to apply a patch to a database containing sensitive customer data. What’s worse, this patch was available for almost a year before the vulnerability was exploited by hackers.

The security and IT teams were not in sync, or they didn’t have the proper automation to effectively address the massive scale and complexity that is a typical digital business infrastructure. Humans can’t do it alone. We need to automate the work of security. And the humans on enterprise security and IT teams need to coordinate better for the good of the business.

The SecOps collaboration opportunity

SaltStack SecOps not only assesses compliance violations, configuration issues, and security vulnerabilities; it can also remediate them across multi-cloud, on-premises, and even containerized infrastructure. It is unique in uniting IT operations and security teams, so they can collaborate successfully and get the work of SecOps done quickly and effectively.

SaltStack SecOps takes a policy-driven approach to security. Once a policy is defined, SaltStack SecOps will ensure the infrastructure adheres to it and remains compliant and secure. Policies can be custom or industry-standard, like the CIS Benchmarks.
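To make the policy-driven model concrete, here is an added example of how a single CIS-style control can be expressed as a Salt state; this is illustrative code written for this page, not SaltStack SecOps’s own content or policy library, and it assumes Linux minions running OpenSSH with the config at /etc/ssh/sshd_config and a service named sshd. The same state file serves both halves of the SecOps loop: applied with `test=True` it only reports drift (the scan), applied without it the drift is fixed (the remediation).

```yaml
# Added example (not from SaltStack's own docs or the SecOps product): a Salt
# state file, e.g. /srv/salt/cis/ssh.sls (assumed path), that encodes two
# CIS-style SSH controls as policy.
#
#   salt '*' state.apply cis.ssh test=True   # audit only: report what would change
#   salt '*' state.apply cis.ssh             # remediate: enforce the policy
#
# Assumptions: Linux minions, OpenSSH config at /etc/ssh/sshd_config, and a
# service unit named sshd (on Debian-family hosts the unit is usually "ssh").

# CIS-style control: disable direct root login over SSH.
sshd_disable_root_login:
  file.replace:
    - name: /etc/ssh/sshd_config
    - pattern: '^#?PermitRootLogin\s+.*$'
    - repl: 'PermitRootLogin no'
    - append_if_not_found: True

# CIS-style control: require key-based authentication, no passwords.
sshd_disable_password_auth:
  file.replace:
    - name: /etc/ssh/sshd_config
    - pattern: '^#?PasswordAuthentication\s+.*$'
    - repl: 'PasswordAuthentication no'
    - append_if_not_found: True

# Keep the daemon enabled and running, and restart it only when one of the
# config edits above actually changed the file. This keeps remediation
# idempotent, and an audit-only run (test=True) touches nothing.
sshd_service:
  service.running:
    - name: sshd
    - enable: True
    - watch:
      - file: sshd_disable_root_login
      - file: sshd_disable_password_auth
```

Because both runs use the same state, the security team’s audit output and the operations team’s remediation refer to the same named controls, which is the shared context the Excel-sheet handoff described earlier lacks.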

SaltStack has been used for years to automate the management of the world’s biggest and most complex digital infrastructures. Our roots run deep in systems management and in orchestrating the enforcement of system configuration compliance at massive scale. Now we’re making it easier than ever for SecOps collaboration teams to work together to secure business.

Escaping compliance hell

Here are a few examples of SaltStack SecOps customers escaping compliance hell to automate continuous compliance for their businesses:

IBM Cloud

Stephen Dumesnil, IBM Cloud network engineering governance manager, said, “After applying SaltStack SecOps automation and orchestration to our existing governance processes we are seeing dramatic improvements in team and tooling efficiency. For example, we’ve seen a 75% reduction in the work simply needed to coordinate priorities between our security and IT operations teams. SaltStack SecOps will be the catalyst to helping IBM Cloud achieve the goal of continuous compliance while optimizing collaboration and output between our global security, IT, and governance teams.”

Brian Armstrong, IBM Cloud network executive, said, “SaltStack forms the basis of a comprehensive audit, remote execution, configuration management, patch, and baseline enforcement suite for the IBM Cloud network. This has replaced several disparate legacy tools with a single command and control layer that allows us to automatically roll out new security policies and quickly react to any new security threats. Problem scoping, mitigation, and audit is done in hours rather than weeks across our network.”

Cyxtera

Zach Hilliard, Cyxtera director of site reliability engineering, said, “SaltStack SecOps gives our security and site reliability teams the ability to efficiently tackle the difficult task of achieving continuous infrastructure compliance across 55 world-class data centers. SaltStack compliance scanning and automated remediation will help Cyxtera certification processes and ultimately deliver powerful, secure IT infrastructure to our demanding customers.”

SaltStack SecOps helps security and IT teams collaborate better. Effective SecOps is no longer a “nice to have”; it is essential to the security and success of digital business. But that is easier said than done.

As Stephen, Brian, and Zach demonstrated, it is possible to escape compliance hell. Security and IT teams have to be willing to work together, ultimately for the benefit of the company.

And with infrastructure complexity at scale, the reality is that humans can’t do it alone. Automation is essential to keep up with the never-ending vulnerability reports. Automation is necessary to actually fix vulnerabilities and non-compliant, misconfigured systems, and to do it in near real time. Stay a step ahead of the bad guys and deliver continuous compliance.

To learn how compliance hell came to be and how security and IT operations teams can work together to escape it, please read this white paper titled “Escaping Compliance Hell with Intelligent Automation for SecOps,” or join me on this webinar.