The challenge
One of Europe's largest banking institutions relied on IBM BigFix for endpoint management and compliance enforcement across its infrastructure — over 20,000 endpoints distributed across 10 countries including Italy, Germany, Poland, and the Czech Republic.
The organization faced several critical challenges that necessitated a platform migration:
- Performance bottlenecks: complex compliance checks and patching through BigFix took 2–5 hours, creating large operational windows and delaying security response.
- Scalability limitations: as the endpoint count grew and compliance requirements grew more complex, the existing platform struggled to keep pace.
- Modern integration needs: the bank was modernizing with containerization and CI/CD, requiring tighter integration between endpoint management and DevOps workflows.
- Regulatory pressure: financial regulators increased scrutiny on security posture and remediation timelines, requiring faster, more auditable compliance operations.
Our approach
The migration from BigFix to Ansible required careful planning to ensure zero disruption to banking operations while maintaining continuous compliance coverage. We built a structured migration framework that could be executed progressively across the organization.
Assessment and planning
We began with a comprehensive audit of existing BigFix Fixlets, action scripts, and compliance baselines. Every automated task was documented, categorized by complexity, and mapped to an equivalent Ansible implementation. Critical compliance workflows were prioritized for early migration to demonstrate value quickly.
Architecture design
The new architecture was built on Red Hat Ansible Tower (later migrating to AWX) running on OpenShift. Key design decisions included:
- CyberArk integration for privileged access management — eliminating credentials in automation scripts
- ServiceNow integration for change-management approvals and incident tracking
- Splunk integration for centralized logging and compliance reporting
- Role-based playbook organization enabling reuse across countries while accommodating local requirements
Progressive migration
The rollout followed a country-by-country strategy, starting with smaller operations before tackling the Italian infrastructure where most endpoints resided. Each phase included:
- Parallel running of BigFix and Ansible for validation
- Comprehensive testing against compliance baselines
- User acceptance testing with local IT teams
- Full cutover with rollback procedures ready
Technical implementation
Playbook development
A library of Ansible roles and playbooks replicated and improved on BigFix functionality. Modular design held consistent security baselines while accommodating German privacy regulations, Polish banking standards, and other local mandates.
CyberArk integration
Privileged credentials are retrieved dynamically from CyberArk at execution time — eliminating credential sprawl, providing complete audit trails, and satisfying access-control regulations.
ServiceNow workflows
Significant automation tasks flow through ServiceNow for approval and tracking. Ansible callbacks update ticket status automatically, giving compliance teams real-time visibility into remediation.
Performance optimization
Ansible's agentless, SSH-based architecture enabled dramatic gains. Parallel execution across hundreds of endpoints, plus optimized playbook design, cut operation times from hours to minutes.
Results and impact
The migration delivered transformational improvements across the organization:
- 95% reduction in execution time: operations that took 2–5 hours now complete in 10–15 minutes, enabling faster security response and shorter operational windows.
- Improved compliance posture: faster remediation cycles let the organization respond to vulnerabilities sooner, satisfying timely-patching requirements.
- Complete auditability: every action is logged, tracked through ServiceNow, and linked to privileged-access records in CyberArk — full visibility into who did what, when, and with what authorization.
- Operational efficiency: reduced execution times and improved reliability freed the operations team to focus on strategic work.
- Knowledge transfer: the client's team was fully trained on Ansible development and operations, able to extend and maintain the platform independently.
The engagement earned consecutive customer recognition awards in 2019 and 2020, and led to my selection by the client to lead the Ansible Tower team.