European banking · IBM / Kyndryl

From BigFix to Ansible, at enterprise scale.

Leading the complete transition from IBM BigFix to Ansible across 20,000+ endpoints in 10 countries — cutting execution times by 95% while maintaining compliance in regulated financial environments.

Client Major European bank (via IBM / Kyndryl)
Duration 2017 – 2024
Role Advisory IT Security Specialist
20,000+Endpoints migrated
95%Time reduction
10Countries covered
Recognition awards

The challenge

One of Europe's largest banking institutions relied on IBM BigFix for endpoint management and compliance enforcement across its infrastructure — over 20,000 endpoints distributed across 10 countries including Italy, Germany, Poland, and the Czech Republic.

The organization faced several critical challenges that necessitated a platform migration:

  • Performance bottlenecks: complex compliance checks and patching through BigFix took 2–5 hours, creating large operational windows and delaying security response.
  • Scalability limitations: as the endpoint count grew and compliance requirements grew more complex, the existing platform struggled to keep pace.
  • Modern integration needs: the bank was modernizing with containerization and CI/CD, requiring tighter integration between endpoint management and DevOps workflows.
  • Regulatory pressure: financial regulators increased scrutiny on security posture and remediation timelines, requiring faster, more auditable compliance operations.

Our approach

The migration from BigFix to Ansible required careful planning to ensure zero disruption to banking operations while maintaining continuous compliance coverage. We built a structured migration framework that could be executed progressively across the organization.

Assessment and planning

We began with a comprehensive audit of existing BigFix Fixlets, action scripts, and compliance baselines. Every automated task was documented, categorized by complexity, and mapped to an equivalent Ansible implementation. Critical compliance workflows were prioritized for early migration to demonstrate value quickly.

Architecture design

The new architecture was built on Red Hat Ansible Tower (later migrating to AWX) running on OpenShift. Key design decisions included:

  • CyberArk integration for privileged access management — eliminating credentials in automation scripts
  • ServiceNow integration for change-management approvals and incident tracking
  • Splunk integration for centralized logging and compliance reporting
  • Role-based playbook organization enabling reuse across countries while accommodating local requirements

Progressive migration

The rollout followed a country-by-country strategy, starting with smaller operations before tackling the Italian infrastructure where most endpoints resided. Each phase included:

  • Parallel running of BigFix and Ansible for validation
  • Comprehensive testing against compliance baselines
  • User acceptance testing with local IT teams
  • Full cutover with rollback procedures ready

Technical implementation

Playbook development

A library of Ansible roles and playbooks replicated and improved on BigFix functionality. Modular design held consistent security baselines while accommodating German privacy regulations, Polish banking standards, and other local mandates.

CyberArk integration

Privileged credentials are retrieved dynamically from CyberArk at execution time — eliminating credential sprawl, providing complete audit trails, and satisfying access-control regulations.

ServiceNow workflows

Significant automation tasks flow through ServiceNow for approval and tracking. Ansible callbacks update ticket status automatically, giving compliance teams real-time visibility into remediation.

Performance optimization

Ansible's agentless, SSH-based architecture enabled dramatic gains. Parallel execution across hundreds of endpoints, plus optimized playbook design, cut operation times from hours to minutes.

Results and impact

The migration delivered transformational improvements across the organization:

  • 95% reduction in execution time: operations that took 2–5 hours now complete in 10–15 minutes, enabling faster security response and shorter operational windows.
  • Improved compliance posture: faster remediation cycles let the organization respond to vulnerabilities sooner, satisfying timely-patching requirements.
  • Complete auditability: every action is logged, tracked through ServiceNow, and linked to privileged-access records in CyberArk — full visibility into who did what, when, and with what authorization.
  • Operational efficiency: reduced execution times and improved reliability freed the operations team to focus on strategic work.
  • Knowledge transfer: the client's team was fully trained on Ansible development and operations, able to extend and maintain the platform independently.

The engagement earned consecutive customer recognition awards in 2019 and 2020, and led to my selection by the client to lead the Ansible Tower team.

Technologies used

  • Ansible Tower
  • OpenShift
  • CyberArk
  • ServiceNow
  • Splunk
  • IBM BigFix
  • Python
  • Bash
  • RHEL
  • Windows Server

Ready to modernize your automation infrastructure?

Whether you're migrating from legacy platforms or optimizing existing systems, we can help you get there.