VMware buys SaltStack for security, configuration management

The acquisition of SaltStack will help VMware build event-driven security automation and configuration management into vRealize Automation, as open source Salt gains VMware's backing.

VMware plans to acquire configuration management and security automation vendor SaltStack in a move that boosts its vRealize suite and bolsters open source Salt development.

While VMware's vRealize Automation cloud infrastructure management software already integrates with infrastructure-as-code tools such as Puppet, Red Hat Ansible and HashiCorp Terraform, company officials cited SaltStack's configuration management capabilities as key motivations for the acquisition, which is expected to close in October for an undisclosed sum.

"SaltStack will help us … to extend our automation capabilities beyond infrastructure to the entire application stack," wrote Ajay Singh, senior vice president and general manager of VMware's cloud management business unit, in a company blog post. "This will include the software and packages inside virtual machines and containers."

SaltStack security products will also be integrated into the vRealize suite, Singh wrote. These include SaltStack Protect, which automates IT security vulnerability discovery and remediation, and SaltStack Comply, a compliance policy-as-code tool that competes with Chef InSpec, HashiCorp Sentinel and Pulumi CrossGuard.

While not as widely used as Ansible and Terraform, SaltStack has drawn attention in the last year with the launch of SaltStack Protect and a new modular product development process meant to help it catch up with cloud-native technology trends.

Still, VMware may have had few options for an acquisition of this kind. Ansible already belongs to IBM/Red Hat, HashiCorp Terraform seems destined for an IPO after a $175 million round of funding in April, and Puppet may not be seeking a buyer, said Tom Petrocelli, an analyst at Amalgam Insights.

Meanwhile, newer IT automation companies such as Pulumi still appeal more to midmarket buyers than to VMware's large enterprise customer base, according to Petrocelli.

"This is a good way to fill out VMware's portfolio," Petrocelli said. "They have the platforms [in Tanzu and Cloud Foundation], they have the deployment toolchain [with Pivotal Cloud Foundry and Bitnami] -- now they need to build up infrastructure automation."

Companies that originally focused on configuration management have been forced to realign their businesses as Kubernetes usurped much of their products' value over the last four years. But the broader VMware Tanzu platform, especially, will still require SaltStack's configuration management features for components outside of Kubernetes, Petrocelli said.

"You still need something that will configure the broader environments that Kubernetes lives in, and things Kubernetes doesn't bother with, like big message queues," he said.

There's also value in having multiple IT automation tools that function at various layers of infrastructure built into a consistent product set such as vRealize, Petrocelli added.

"These complex toolchains can fall down if they're not well coordinated," he said.

Salt users seek stability with VMware

SaltStack's security and configuration management tools are built on an event bus, which responds in near real time to infrastructure and configuration changes, such as the presence of newly connected or disconnected resources and authentication requests. The event bus responds to these changes as they occur, either with automated functions based on user policy or by invoking a third-party tool.

SaltStack's competitors have added similar dynamic update capabilities with recent updates and products such as Chef Infra and Puppet Tasks. But Salt embedded the event bus into its architecture from the beginning, said Nicholas Hughes, a Salt open source contributor.

"Nobody's done an event-based automation and orchestration framework as well as Salt," said Hughes, who is also founder and CEO of IT automation consulting firm EITR Technologies in Sykesville, Md., a licensed reseller of SaltStack's commercial product. "That's what makes SecOps the killer app for SaltStack in general -- there are a lot of products out there that offer security visibility, but not the same automated remediation and collaboration for security and ops [teams]."

VMware execs offered assurances that the company will continue to support the Salt open source community post-acquisition but were mum on whether the SaltStack Enterprise commercial product will survive. Either way, longtime SaltStack users say they can fall back on the open source version and believe the acquisition will add necessary R&D resources to Salt development.

"A lot of people are afraid of small, open source-based independent companies," said James Watson, a system operations engineer at NICE Nexidia, an Atlanta-based software company that makes interaction analytics tools for corporate call centers.

Nexidia primarily uses SaltStack Enterprise for bare-metal Windows infrastructure, but a minority of its environment -- Watson estimated about 20% -- is virtualized with VMware vSphere, and the VMware acquisition will almost certainly broaden Nexidia's use of the tool, he said.

The acquisition may also be key to the sustainability of SaltStack as a vendor as well as the Salt open source community, Watson added.

"This year, with the uncertainty of COVID-19, getting under the funding umbrella of the major player in the virtualization market is really good news," he said.

Hughes said he hadn't heard SaltStack was seeking a buyer, but he agreed that Salt's product quality and stability will likely benefit from VMware's investment.

"Salt is potentially well-suited to so many things," he said. "If VMware dedicates its resources to the open source community, that will be a win for my customers."
