Enterprise-Wide BigFix to Ansible Migration
Leading the complete transition from IBM BigFix to Ansible for more than 20,000 endpoints across 10 countries, reducing execution times by 95% while maintaining compliance in regulated financial environments.
The Challenge
One of Europe's largest banking institutions relied on IBM BigFix for endpoint management and compliance enforcement across its infrastructure. With over 20,000 endpoints distributed across 10 countries, including Italy, Germany, Poland, and the Czech Republic, the scale of operations was substantial.
The organization faced several critical challenges that necessitated a platform migration:
- Performance Bottlenecks: Complex compliance checks and patching operations through BigFix took 2-5 hours to complete, which required long maintenance windows and delayed security response.
- Scalability Limitations: As the endpoint count grew and compliance requirements became more complex, the existing platform struggled to keep pace.
- Modern Integration Needs: The bank was modernizing its IT operations with containerization and CI/CD practices, requiring tighter integration between endpoint management and DevOps workflows.
- Regulatory Pressure: Financial regulators were increasing scrutiny on security posture and remediation timelines, requiring faster and more auditable compliance operations.
Our Approach
The migration from BigFix to Ansible required careful planning to ensure zero disruption to banking operations while maintaining continuous compliance coverage. We developed a structured migration framework that could be executed progressively across the organization.
Assessment and Planning
We began with a comprehensive audit of existing BigFix Fixlets, action scripts, and compliance baselines. Every automated task was documented, categorized by complexity, and mapped to equivalent Ansible implementations. Critical compliance workflows were prioritized for early migration to demonstrate value quickly.
Architecture Design
The new architecture was built on Red Hat Ansible Tower (later migrated to AWX) running on OpenShift. Key design decisions included:
- Integration with CyberArk for privileged access management, eliminating the need to store credentials in automation scripts
- ServiceNow integration for change management approval workflows and incident tracking
- Splunk integration for centralized logging and compliance reporting
- Role-based playbook organization enabling reuse across multiple countries while accommodating local requirements
Progressive Migration
The migration followed a country-by-country rollout strategy, starting with smaller operations before tackling the Italian infrastructure where most endpoints resided. Each phase included:
- Parallel running of BigFix and Ansible for validation
- Comprehensive testing against compliance baselines
- User acceptance testing with local IT teams
- Full cutover with rollback procedures ready
Technical Implementation
Playbook Development
We developed a library of Ansible roles and playbooks that replicated and improved upon BigFix functionality. Modular design enabled consistent security baselines while accommodating country-specific requirements for German privacy regulations, Polish banking standards, and other local mandates.
CyberArk Integration
Privileged credentials were retrieved dynamically from CyberArk at execution time and never stored in playbooks, inventories, or job templates. This eliminated credential sprawl, provided a complete audit trail of privilege usage tied to each job, and satisfied regulatory requirements for access control.
ServiceNow Workflows
All significant automation tasks flow through ServiceNow for approval and tracking. Ansible callbacks update ticket status automatically, providing real-time visibility into remediation progress for compliance teams.
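The playbook below is an added illustration of the two integrations just described (CyberArk retrieval at run time and ServiceNow change tracking); it is not the bank's or the engagement's actual playbook. It uses the `cyberark.pas.cyberark_credential` and `servicenow.itsm.change_request` collection modules; the PVWA URL, application ID, safe and object names, ServiceNow instance, change number and host group are placeholders, and the `result.UserName` / `result.Content` fields assumed for the CyberArk response should be checked against the installed collection version.

```yaml
# Added example (not the engagement's own playbook). Every URL, safe, object,
# application ID, change number and host group below is a placeholder.
- name: Security patching with run-time credentials and change tracking
  hosts: linux_servers
  gather_facts: false
  vars:
    cyberark_api: "https://pvwa.example.internal"   # placeholder PVWA / CCP base URL
    cyberark_app_id: "AnsibleTower"                 # placeholder AIM application ID
    change_number: "CHG0030001"                     # placeholder change record
    snow_instance:                                  # placeholder ServiceNow instance;
      host: "https://example.service-now.com"       # the API account comes from the
      username: "{{ lookup('env', 'SN_USER') }}"    # job environment (e.g. a Tower
      password: "{{ lookup('env', 'SN_PASSWORD') }}"  # credential), not from the repo
  tasks:
    - name: Retrieve this host's privileged account from CyberArk at execution time
      cyberark.pas.cyberark_credential:
        api_base_url: "{{ cyberark_api }}"
        app_id: "{{ cyberark_app_id }}"
        query: "Safe=LinuxRoot;Object={{ inventory_hostname }}-root"
        reason: "{{ change_number }}: security patching"   # shows up in the CyberArk audit trail
        validate_certs: true
      register: cyberark_cred
      delegate_to: localhost
      no_log: true          # keep the secret out of job output, callbacks and Splunk

    - name: Use the retrieved secret only for this play's connection (not persisted)
      ansible.builtin.set_fact:
        ansible_user: "{{ cyberark_cred.result.UserName }}"        # assumed field name
        ansible_password: "{{ cyberark_cred.result.Content }}"     # assumed field name
        ansible_become_password: "{{ cyberark_cred.result.Content }}"
      no_log: true

    - name: Move the ServiceNow change to Implement before touching any host
      servicenow.itsm.change_request:
        instance: "{{ snow_instance }}"
        number: "{{ change_number }}"
        state: implement
      delegate_to: localhost
      run_once: true

    - name: Apply security errata
      ansible.builtin.dnf:
        name: "*"
        state: latest
        security: true      # security updates only
      become: true
      register: patch_result

    - name: Record the per-host outcome on the change record
      servicenow.itsm.change_request:
        instance: "{{ snow_instance }}"
        number: "{{ change_number }}"
        state: review
        other:              # assumed: free-form fields passed through to the record
          work_notes: "{{ inventory_hostname }}: patched, changed={{ patch_result.changed }}"
      delegate_to: localhost
```

Two points matter for the audit story the text describes. `no_log: true` on the retrieval and `set_fact` tasks is what keeps the password out of the job's stdout, the callback events and anything forwarded to Splunk; without it the "no credentials in scripts" guarantee is undone by the logs. The `reason` string ties the CyberArk audit entry to the ServiceNow change, so an auditor can walk from the change record to the credential checkout and back.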
Performance Optimization
Ansible pushes work to hosts over SSH from the control nodes rather than waiting for agents to check in, and it runs many hosts in parallel. Combined with playbooks tuned for that model (batched rollouts, minimal fact gathering, asynchronous long-running tasks), this reduced operation times from hours to minutes across hundreds of endpoints at a time.
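The play below is an added example of the playbook-side tuning referred to above; it is not the engagement's own code. The host group and batch sizes are placeholders, and `forks` itself is an `ansible.cfg` setting rather than a play keyword.

```yaml
# Added example (not the engagement's playbook): play-level settings that turn a
# host-by-host run into a batched, parallel one. Host group and sizes are placeholders.
- name: Security patching, Italy production estate
  hosts: it_prod_linux
  become: true
  strategy: free            # each host advances as soon as it can; one slow host no
                            # longer pins every other host in the batch at the same task
  serial:                   # rolling batches: small canary first, then widen
    - 10
    - "25%"
    - "100%"
  max_fail_percentage: 5    # abort the rollout if more than 5% of a batch fails
  gather_facts: true
  gather_subset:            # collect only the facts the play needs, not the full
    - "!all"                # hardware and network inventory that dominates gathering time
    - "!min"
    - distribution
  tasks:
    - name: Start the patch run in the background on every host
      ansible.builtin.dnf:
        name: "*"
        state: latest
        security: true      # security errata only
      async: 1800           # allow 30 minutes per host
      poll: 0               # return immediately instead of holding the worker on a slow mirror
      register: patch_job

    - name: Poll for completion rather than keeping an SSH session open for the duration
      ansible.builtin.async_status:
        jid: "{{ patch_job.ansible_job_id }}"
      register: patch_result
      until: patch_result.finished
      retries: 120
      delay: 15

    - name: Reboot only hosts that changed, never more than 5 at a time within a batch
      ansible.builtin.reboot:
        reboot_timeout: 600
      throttle: 5
      when: patch_result.changed
```

The play keywords only help if the control node is allowed to use them: `forks` in `ansible.cfg` defaults to 5, so a 20,000-host estate needs it raised (100-200 per control node is typical), `pipelining = True` under `[ssh_connection]` removes a round trip per task, and a fact cache (`fact_caching = jsonfile`) avoids re-gathering between plays. The `serial` batches still gate the rollout under `strategy: free`, which is what keeps a bad patch from reaching every host in one pass; the canary batch of 10 is where `max_fail_percentage` does its work.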
Results and Impact
The migration delivered transformational improvements across the organization:
- 95% Reduction in Execution Time: Operations that previously took 2-5 hours now complete in 10-15 minutes. This enabled faster security response and far shorter maintenance windows.
- Improved Compliance Posture: Faster remediation cycles mean the organization can respond to vulnerabilities more quickly, satisfying regulatory requirements for timely patching.
- Complete Auditability: Every automation action is logged, tracked through ServiceNow, and linked to privileged access records in CyberArk. Auditors have complete visibility into who did what, when, and with what authorization.
- Operational Efficiency: The reduced execution times and improved reliability freed the operations team to focus on strategic initiatives rather than managing lengthy operational windows.
- Knowledge Transfer: The client's team was fully trained on Ansible development and operations, enabling them to extend and maintain the platform independently.
The success of this engagement was recognized through consecutive customer recognition awards in 2019 and 2020, and led to my specific selection by the client to lead the Ansible Tower team.
Technologies Used
Ready to Modernize Your Automation Infrastructure?
Whether you are migrating from legacy platforms or optimizing existing systems, we can help you achieve your goals.