Thomas Hatch, SaltStack: Technology Is Not Enough, Communication Is Key

By Gabriela Vatu / October 2, 2019

When you have a problem, you look for solutions. Sometimes, the best solutions are those you design yourself. This is something that Thomas Hatch, the developer behind Salt, found out many years ago.

Co-Founder and CTO of SaltStack, Thomas Hatch agreed to give TechNadu an interview, discussing his company's solutions to a number of problems, his experience over the years, and the things he's learned to be most important.

TechNadu: You developed Salt back in March 2011, and by December you had your own company to back it up. Your business has grown quite a bit over the years, and so has the software. What are a few things that have changed about automation in the years that have passed?

Thomas Hatch: I was once a data center architect and systems administrator in charge of the management and security of the digital infrastructure that underpinned everything from consumer apps to classified government agencies. What I did then is now called site reliability engineering by the web-scale organizations of the world.

Back then, I needed automation built for modern data center infrastructure in order to do my job effectively. That automation didn't exist, so I created Salt to fill a need that was not being filled by the legacy systems management tools. IT automation tools have existed for decades, however, they were built to manage small-scale, homogeneous infrastructures.

So much has changed. Salt automation was different in that it was built in this century to address the data center management and security of this century, namely massive scale and complexity, cloud, and agile development processes.

SaltStack software exists to orchestrate and automate the maintenance and security of modern enterprise IT infrastructure, from core data center systems to the very edge of the network and the Internet of Things (IoT).

The fundamental capabilities of SaltStack are now perfectly suited to address the single most pressing need of any digital infrastructure, namely infrastructure security. CISOs spend more than $100 billion on security software every year, yet every day another company is making headlines after losing customer data. Why is this happening?

Fear compounded by a feeling of helplessness consuming the industry with the potential "what if" scenarios swirling and keeping security operations practitioners and executives up at night. CISOs and CIOs are beginning to truly understand that the problem of security can't be solved without real collaboration backed by action-based automation. Companies with disconnected teams, disparate tools, and never enough human capital must change their own reality.

Automation today is very different, but many of the basics remain the same. It is and will continue to be, a necessity to deliver compliance and configuration automation for all digital infrastructures operating at scale. A great opportunity exists today to reduce cost and risk by considering bi-directional, closed-loop, event-driven automation for continuous compliance and the work of SecOps. Automated security operations help narrow this gap.

TechNadu: Let's go back in history a bit - what drove you to develop Salt? What were some of the problems you encountered over the years and made sure to find solutions for by integrating them in your code?

Thomas Hatch: The core of all of our products is the Salt open source automation engine. We released Salt in 2011 after, frankly, I became frustrated with the speed and limitations of the legacy systems management options, and the Ruby-based open-source configuration management tools available at the time.

SaltStack was designed from the beginning as a high-speed remote execution platform that can be used for web-scale infrastructure and application automation. The result was a massively scalable automation system, easily supporting many thousands of nodes right out of the box, with message queue networking and a multi-master architecture. Salt is now used by tens of thousands of organizations around the world including companies like eBay to automate the maintenance and security of more than 300,000 servers.

IT operations, DevOps, site reliability engineering, and security teams use SaltStack's unique and powerful automation to tackle pervasive IT challenges like configuration automation, orchestration, hybrid cloud management, and especially security and compliance remediation—at a speed and scale that simply can't be matched by other solutions today.

TechNadu: There are many similar solutions out there, so what makes Salt special?

Thomas Hatch: The bulk of the dollars spent on security software goes toward tools that show security operations teams all of the vulnerabilities and security issues found in infrastructure, but do nothing to help fix or remediate the issues. At SaltStack, we are changing what is possible in cybersecurity by bringing a new mindset to the problems facing the industry. We are delivering products to help SecOps teams combat the helplessness created by the crush of the infrastructure security and compliance problem.

SaltStack SecOps harnesses proven event-driven automation to deliver full-service, closed-loop automation for IT system compliance and vulnerability remediation. We believe that security and IT operations teams must work together to keep digital infrastructure compliant and secure, however, efforts are often hampered by disparate toolsets, misaligned workflows, and competing priorities. It's time for a change.

Salt is written in Python, the world's most extensive and popular language, to avoid the inherent technical debt created by tools that leverage Ruby or domain-specific languages. Salt infrastructure as code leverages YAML which is human readable and extremely approachable by even the most junior IT operators.

Whether you need help automating the work of ITOps, DevOps, NetOps, or SecOps, SaltStack intelligent IT automation software is the answer. From day-zero deployment and configuration to the ongoing maintenance and configuration of infrastructure, to the creation of a more hardened and compliant digital footprint, we offer SaltStack Enterprise and SaltStack SecOps products to manage and secure digital business operations.

TechNadu: You've expanded your business with SecOps this year, also hoping to help out the security teams from corporations. What are some of the best features integrated into this tool?

Thomas Hatch: SaltStack SecOps is all about giving security teams the ability to define security compliance scans through a policy-driven approach. However, we don't stop there. The policy is integrated with automated action in SaltStack. This is a major shift from the current capability of security products in the industry and allows for the security and IT teams to get on the same page, speak the same language, then take automated action at scale to actually fix and remediate infrastructure security issues.

With SaltStack SecOps, security professionals and operations teams can work together to define a compliance policy, scan all systems against it, detect issues, and actively remediate them—all from a single platform.

SaltStack SecOps focuses on three key areas:

Define: Build custom policies with industry-standard compliance profiles, such as CIS and DISA STIGS, then apply them automatically across your digital footprint.

Detect: Run continuous, item-level checks to locate vulnerabilities and non-compliant systems or applications anywhere in your environment.

Enforce: Use autonomous policy enforcement to fix violations automatically. Or kick off a remediation workflow so your teams can flag and prioritize issue resolution.

SaltStack SecOps delivers full-service, closed-loop automation for compliance and security. Finally, security and operations teams can effectively collaborate and communicate with each other. From continuous detection to true resolution, SaltStack SecOps is the only cybersecurity product to deliver natively integrated, fully automated infrastructure security compliance and true vulnerability remediation at an enterprise scale.

TechNadu: What are some of the biggest security issues that SecOps can help solve?

Thomas Hatch: Security and IT operations teams must work together to keep modern data centers compliant and secure. However, their efforts are often crippled by disparate toolsets, misaligned workflows, and competing priorities. It's time for that to change.

The unfortunate reality is that the vast majority of data breaches could have been prevented. Vulnerabilities are often known, and patches are available, well in advance of the exploit. The IT operations team is culpable, but the security team must also take shared responsibility for the actual security of the infrastructure. Security on paper isn't sufficient.

Billions of dollars are spent on software to essentially tell you your house is on fire, but these tools do nothing to put the fire out. Tools to scan, analyze, and prioritize vulnerabilities are not enough, just like a fire alarm isn't enough. Action must be taken. There are not enough skilled humans to take the action needed without automation supplementing the work.

All the scanners and vulnerability management tools are useless without a unified, automated and action-oriented approach to last-mile system-level security.

While the era of digital business is delivering faster innovation and better customer experiences, it also requires that the underlying IT systems that support those experiences scale-out and become more distributed. With distributed scale comes complexity and more exposure. As a result, security professionals and IT operations teams must be vigilant about maintaining compliance with corporate security profiles. For most security operations teams, however, the industry-standard tools and processes they employ are siloed, inefficient, and insufficient. Simply put, manual methods to detect, investigate, and respond to threats are leaving companies with waste, frustration, redundancy, and significantly increased risk exposure.

Today, security operations teams are forced to address compliance issues with separate toolsets, vocabularies, and measurements for success. At SaltStack, we provide a platform that allows our customers to solve problems from assessment to completed remediation. SaltStack SecOps can automatically remediate policy violations detected anywhere in system infrastructure. It can also create jobs for review and approval before changes are executed. SaltStack SecOps integrates with third-party systems for change tracking and reporting.

The underlying value that we bring to our customers is that while others can assess vulnerabilities, they can only produce a report or a trouble ticket. This is an incomplete and inadequate way to handle security. System-level remediation is key and SaltStack is the solution. Our business exists to enable true infrastructure security for our global customer base.

TechNadu: You've been in IT for a long time. What are some of the things you've learned along the way and would like to teach others about the industry?

Thomas Hatch: No matter how much technology you throw at a problem, human communication is still key. Effective communication and efficient collaboration fosters action and allows humans to help the business win. The technology alone is not enough. Humans and teams that work together and communicate well are the solutions. Automation that amplifies the intelligence and ability of the teams using it, and that gives them a common platform to collaborate, will result in positive outcomes for the business.

What do you think of what Thomas Hatch has to say? Drop us a note in the comments section below the article and tell us all about it. Share the interview with friends and family online and follow TechNadu on Facebook and Twitter for more tech news, guides, reviews, and interviews.

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: