Agent-based vs. agentless approaches -- how to implement cloud security
Implementing your security approach will depend on how you can translate your approach from strategy into reality. As part of this, you will have to make decisions on what tools you use based on the functions that they cover, how they help you create and use data, and how they work. This latter part is important as all security professionals have their own preferences. One of the big debates here is whether you use agent-based or agentless tools.
Using security tools that rely on agents can be an issue for some security professionals, while others will swear by their agent-based tool of choice, and you would have to pry it from their hands. The challenge here is when you have a combination of complex environments to consider, faster software development goals to support, real-time security pressures to contend with, and more data than you know what to do with. So what approach should you choose?
Agentless security gets you up and running quickly
Getting started with agentless approaches is fast. Because you don’t install anything, you can start getting data through quickly and then use it to improve your security posture in a short amount of time. Agentless security approaches work by collecting data from outside the device or service that you are looking at, and then presenting that information to you in a way that lets you make decisions quickly.
The benefit of agentless is that it is low touch and fast to implement for use cases like cloud security. You can solve the 'low-hanging fruit' problem that exists around periodic cloud security assessment. Side scanning and API-based methods also provide a solid starting point for cloud security visibility into configurations and vulnerabilities. Another side benefit is that it does not increase the workload on the machine or device that you are looking at, which can be important when it comes to running in the cloud.
The challenge with agentless approaches is that they don’t provide as much insight into what is happening inside an instance or device while it is running. Because you have to rely on the data that you can perceive from outside, you may not be able to get the level of detail that you need, particularly for runtime conditions. When you want to protect those running services, otherwise termed 'shielding right,' agentless may not be enough.
The other challenge is that you will rely on the level of data that your tool can garner from its sources, such as cloud APIs. For some workloads where you are 'all in' on the cloud, this might be enough, but for more complex environments it will potentially lead to gaps. It will also struggle with runtime environments and with reporting on issues in real time.
Agent, reporting for duty
Agent-based security tools use a small software package per device or asset to get the data that you need. The benefit of an agent is that it can provide the level of detail that agentless models can’t. In practice, this means that you can use the agent to provide information on all the interactions and calls that are taking place on that device or machine.
In the past, this has been where a lot of the hostility towards agent-based tools has come from. Each agent will have its own footprint and overhead on the device, machine or software container that it is installed in, which can affect performance. In the old days of anti-virus, these agents might inflict such an overhead that they would degrade the experience for users while not providing a huge amount of value. However, as computing systems have increased in power and agents have got smarter, the actual level of overhead has decreased to be negligible.
Another bugbear for agent-based approaches was the overhead to build and deploy those systems where they were needed. If you had to install each and every time, then the time was significant. However, this problem has been largely solved by including agents within base images so they can be deployed and installed when they are needed automatically.
For modern assets like cloud instances or software containers, the security agent can be included as standard and implemented when new containers are deployed. This is particularly important where you have applications that might flex up and down based on demand, or where you have serverless infrastructure to support your applications running. Without an agent in place, detecting an issue would depend on scheduled scanning or an alert taking place, which can be delayed by hours or days. In an era where a public S3 bucket or an exposed database is discovered in minutes, static scanning is not enough to prevent attacks.
Combining agent and agentless approaches
In the spirit of having it all, combining both agent-based and agentless security can support a better approach than relying on either approach alone. By getting data from multiple sources and putting it in context, you can get a better understanding of your security posture and where you need to take action.
Cloud security has been fragmented from the start. There are a large number of point solutions, each covering a subset of cloud security, but companies want to simplify their deployments and reduce the number of moving parts that they have to actively manage, including tools. In response to this complex environment, the Cloud-Native Application Protection Platform (CNAPP) market has evolved to consolidate the point agent-based and agentless tools that exist around cloud security posture and workload protection.
CNAPPs combine the best of agent-based and agentless security tools to cover the whole lifecycle for cloud workloads and security, as well as supporting a more complete approach to detecting potential issues. This involves looking at the telemetry data that the cloud services provide as well as carrying out both pre-deployment assessment and production runtime security analysis. This helps security professionals look at the whole lifecycle of their applications and ensure that they remain secure over time.
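To make the three ideas above concrete (an agentless, API-based posture check of cloud configuration; an agent-style rule over runtime events; and the combination that puts a runtime alert in the context of the posture findings), here is an added example in Python. It is not code from the article or from Sysdig. The bucket snapshot, the runtime events, and the workload-to-bucket inventory are all constructed sample data in the shape a cloud API or an agent might return, and the rule logic is deliberately simplified (for instance, the public access block is treated as fully mitigating a public policy, which is a simplification of the real AWS semantics).

```python
"""Agentless posture check, agent-style runtime rule, and their combination.

All data below is constructed for illustration; nothing is fetched from a cloud API.
"""

# ---- Agentless side: a snapshot of bucket configuration as a cloud API might return it ----
BUCKET_SNAPSHOT = [
    {"name": "prod-public-assets", "public_access_block": False,
     "policy": {"Statement": [
         {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::prod-public-assets/*"}]}},
    {"name": "prod-customer-exports", "public_access_block": False,
     "policy": {"Statement": [
         {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:GetObject", "s3:ListBucket"],
          "Resource": "arn:aws:s3:::prod-customer-exports/*"}]}},
    {"name": "prod-internal-logs", "public_access_block": True,   # policy is public, but blocked
     "policy": {"Statement": [
         {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::prod-internal-logs/*"}]}},
]


def _principal_is_anyone(principal):
    """True if a policy statement's Principal grants access to anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_buckets(snapshot):
    """Agentless check: names of buckets with an anonymous Allow and no public access block.

    Simplification: a public access block is treated as fully mitigating the policy.
    """
    findings = []
    for bucket in snapshot:
        if bucket["public_access_block"]:
            continue
        for stmt in bucket["policy"].get("Statement", []):
            if stmt.get("Effect") == "Allow" and _principal_is_anyone(stmt.get("Principal")):
                findings.append(bucket["name"])
                break
    return findings


# ---- Agent side: constructed runtime events of the kind an in-workload agent observes ----
RUNTIME_EVENTS = [
    {"ts": "2024-01-01T10:00:01Z", "workload": "api-7f9c", "type": "exec",
     "proc": "python3", "parent": "containerd-shim"},            # normal app start
    {"ts": "2024-01-01T10:00:05Z", "workload": "api-7f9c", "type": "exec",
     "proc": "sh", "parent": "python3"},                          # shell spawned by the app
    {"ts": "2024-01-01T10:00:09Z", "workload": "web-1a2b", "type": "exec",
     "proc": "nginx", "parent": "containerd-shim"},               # normal
]

SHELLS = {"sh", "bash", "dash", "zsh"}
RUNTIMES = {"containerd-shim", "runc"}


def runtime_alerts(events):
    """Agent-style rule: a shell launched by an application process, not by the container runtime."""
    return [
        {"workload": e["workload"], "rule": "shell_spawned_by_app", "ts": e["ts"]}
        for e in events
        if e["type"] == "exec" and e["proc"] in SHELLS and e["parent"] not in RUNTIMES
    ]


# ---- Combination: which buckets each workload is known to use (constructed inventory) ----
WORKLOAD_INVENTORY = {
    "api-7f9c": {"buckets": ["prod-customer-exports"]},
    "web-1a2b": {"buckets": ["prod-public-assets"]},
}


def prioritise(alerts, posture_findings, inventory):
    """Attach exposed buckets reachable from the alerting workload and raise severity accordingly."""
    exposed_set = set(posture_findings)
    result = []
    for alert in alerts:
        buckets = inventory.get(alert["workload"], {}).get("buckets", [])
        exposed = [b for b in buckets if b in exposed_set]
        result.append({**alert, "exposed_buckets": exposed,
                       "severity": "high" if exposed else "medium"})
    return result


if __name__ == "__main__":
    findings = public_buckets(BUCKET_SNAPSHOT)
    alerts = runtime_alerts(RUNTIME_EVENTS)
    for item in prioritise(alerts, findings, WORKLOAD_INVENTORY):
        print(item)
```

The agentless pass finds the two buckets with anonymous grants and no block; the agent rule fires once, on the shell spawned under the application process; the combination marks that alert high because the workload can reach one of the exposed buckets. Each half on its own is weaker: the snapshot cannot see the shell, and the agent cannot see the bucket policy.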
Getting the most out of your approach
Adopting agent-based and agentless security tools under the CNAPP framework should help everyone get what they need to be as effective as possible at security. The biggest issue for many teams will be how their operations can work at speed against potential security threats. Getting the right telemetry data in place can help here, as can providing the right context for that data over time.
Overall, the argument around agent-based and agentless approaches is one that will become less important over time. The challenge that teams will face is how to get the right data that will make a difference to their operations, and how to make that data useful and usable to security teams in their work. In order to support modern security goals, like shifting security left earlier into the development process and shielding right so you can cover the running devices or services, you need the right combination of data, insight and speed.
Anna Belak is Director of Thought Leadership, Sysdig. Anna has nearly ten years of experience researching and advising organizations on cloud adoption with a focus on security best practices. As a Gartner Analyst, Anna spent six years helping more than 500 enterprises with vulnerability management, security monitoring, and DevSecOps initiatives. Anna's research and talks have been used to transform organizations' IT strategies and her research agenda helped to shape markets. Anna is the Director of Thought Leadership at Sysdig, using her deep understanding of the security industry to help IT professionals succeed in their cloud-native journey. Anna holds a PhD in Materials Engineering from the University of Michigan, where she developed computational methods to study solar cells and rechargeable batteries.