The annual SaltStack user conference brought about 600 customers and partners to the Salt Palace in Salt Lake City for several days of training, tutorials, how-to workshops and demonstrations. The general SaltConf18 session began today with the announcement of a new product and accompanying customer testimonials, showing both SaltStack's potency and its expandability.
SaltStack's CEO, Marc Chenn, kicked things off by saying that developers have to deal with “a constantly changing ecosystem and having to manage these changes effectively.”
Heather Zynczak, Pluralsight’s CMO, spoke about the widening IT skills gap. Her company has a massive collection of various online technical classes, including a few on Salt. She told the audience that, “...technology is your superpower, so try to exploit that.” She recommended that enterprises try to establish an environment where learning is encouraged. She said that management should lead by example and take the initiative by making their workplaces safe for experimentation.
The major announcement of the day was SaltStack for SecOps, a new automated compliance scanning and remediation tool. It will be available in beta later this year. The New Stack covered the SaltStack for SecOps announcement separately. SaltStack’s VP of Product, Alex Peay, introduced the product by saying that we have to “empower people to get out of audit hell.” The term "audit hell" refers to the typical compliance reports that aren’t actionable and offer no useful guides to help remediation efforts.
“We want to be able to not just tell you something is wrong, but make sure your systems are secure and will stay secure,” he said. “This means taking important insights and turning them into critical automated actions so that you can have confidence in your compliance.” Like other applications of SaltStack, it can check thousands of machines for weak or insecure configurations or for violations of standards such as PCI, HIPAA and CIS Critical Controls, and immediately fix them.
The problem with compliance is in its complexity. As in anything IT-related, there are competing standards, such as the Center for Information Security (CIS), the U.S. Defense Information Agency’s Security Technical Implementation Guides (DISA STIGS), and the National Institute of Standards and Technology (NIST). Initially, SecOps will support these three and make it easier to determine if equipment is out of compliance through various automated mechanisms.
“There are many existing solutions that can assess compliance and some of them can remediate,” said Mehul Revankar, a senior product manager for the SecOps product. “However, many don’t provide the appropriate authoritative content to secure these assets or they don’t scale very well. Almost no one can do all these things and also react to specific situations. That is why we developed SaltStack for SecOps.”
While the product is still being developed, he gave a sneak peek in a product demo of how policies were constructed to check for certain situations and benchmarks and then attached to particular remediation actions. The product has an attractive dashboard that summarizes your overall compliance trends, the state of your SaltStack minions, and a list of various security policies.
Like other SaltStack applications, it breaks down security compliance into a series of discrete processes and steps that are easy to automate. The first version of the product will be out in the first quarter of next year, and updates will follow in subsequent quarters that will include vulnerability assessment and remediation, integrations with the Salt Reactor and Beacon, and finally, at year-end, the ability to import data from vulnerability management vendors such as Qualys and Rapid7.
Dave Boucha from SaltStack said in another conference session, “When you make it easy to do the right thing, the right thing gets done. We all are the future of security automation.”
During the morning general session, we also heard from First Data’s VP, Amaya Souarez. She has worked in various infrastructure management roles, coming to the global credit card issuer from Microsoft, where they scaled up their server farm from several thousand to several hundred thousand machines.
Amaya said that, “First Data can be a difficult place to work because we have a large mixture of legacy infrastructure here. This means that the fire drills never stop.” Having such a wide collection of equipment places a double burden on her staff, who spend their days maintaining this gear and their evenings teaching themselves about new technologies that they want to implement.
“We created a people first strategy and use automation to free up our staff’s time from drudgery,” she said in her talk. “Part of this is to allow people to explore new technologies and have fun doing it too.” In that vein, she mentioned that this year First Data held its first hackathon, a virtual event that brought together 15 different teams from around the world to work on various automation tools. Its purpose was to provide a learning opportunity as well as a chance for various members of her infrastructure team to work together.
The winning team coded an Alexa voice front end that can respond to Splunk monitoring events using SaltStack automation. Amaya mentioned that a few of the projects done for the hackathon are being considered for production use. She mentioned that automation plays a key role in this transformation. “You can’t hire yourself out of this problem, we have to automate,” she said. First Data is an avid user of SaltStack, using it for tasks such as automating event resolutions and notifications. “Many people in my organization were already familiar with Python, so it wasn’t that much of a stretch to use Salt,” she told me.