So You Want To Defend Your Cloud… Agentless or Agent-based, Which Approach Is Better?

Agentless or agent-based? That is the question when it comes to securing the modern IT infrastructure. Cloud environments, and their security needs, are dynamic and complex. A flexible approach to defending your cloud is key.


Securing the modern IT infrastructure of today is substantially different than a few years ago. Hybrid environments and hybrid work now include a growing cloud ecosystem alongside on-premise resources, all of which must be protected. Security and DevOps teams are now forced to make choices about what the best approach is to securing this dynamic environment. But why does it have to be either/or when it comes to securing cloud-native apps? Such is the case in the debate over the use of agentless and agent-based protection when defending the cloud.

As the cloud ecosystem continues to grow alongside on-premise resources, security teams are faced with a constantly changing environment that must be monitored, scanned, and controlled.

Agent-based security aims to accomplish this by placing an agent on every host. For on-prem environments, having an agent-based approach can provide sufficient coverage of endpoints and enables security teams to monitor workloads without interruption. Additionally, IT and security teams need to prevent unauthorized access to file directories, detect malware, and block suspicious endpoints and images, and agent-based solutions enable this level of protection as well. But what about hybrid environments?

In cloud environments, agent-based security is often insufficient and more problematic than it is on-premises. This stems from a central challenge inherent to today’s cloud environments: the pace and rate of change. Not only are cloud resources routinely spun up and down, but short-lived containers, serverless functions, and other resources must be accounted for as they pop in and out of existence.

Complicating matters further is the fact that IT and security teams typically are limited in their visibility and access to, or control over, all the hosts in an environment and therefore can’t deploy agents as needed. This creates security blind spots that attackers can exploit. Preventing these gaps, and gaining visibility into the hosts in your environment, is critical for defending the cloud.

Agent-based security can run smack into significant hurdles in complex and dynamic cloud environments. However, in the era of hyperscale cloud platforms and modern software development, organizations are redefining how they monitor and govern these cloud environments. Agentless security aims to step up and fill in the gaps — but how effective is it?

How effective is agentless security?

Many organizations are looking to agentless alternatives in the cloud because they can support monitoring of the entire cloud estate. Everything from serverless services to data and analytics, as well as VMs, can be monitored through the cloud’s control plane APIs. With the variety of available services and no ability to install an agent, many cloud-native organizations need monitoring solutions that are integrated directly into the cloud control plane and don’t require agents installed on systems.

One of the benefits of agentless security solutions is the lack of management and maintenance overhead. For cloud environments with a large number of assets, managing and updating agents is no small task. Services that don’t allow the installation of third-party security agents will slip under the radar of an agent-based approach. In addition, constant maintenance is required to ensure agents can handle changes in a cloud environment. For example, with an agentless approach, there is no need to worry that an agent will not support an updated kernel and crash an application.

Agentless security has recently surfaced in cloud security discussions following news of the Log4Shell vulnerabilities disclosed in December 2021. Because this issue affected countless assets and organizations, it became clear that the ability to broadly scan environments for the flaws, and ensure they were patched, was crucial in protecting organizations from exploitation.

The downside of agentless security

However, there is more to the story. While some cloud resources can be scanned via the cloud provider’s API calls, many still require endpoint detection and response (EDR) for the cloud to provide full runtime security. For example, apps running in a serverless function such as AWS Fargate need agents to enforce security so that only trusted connections are allowed and any suspicious connections are blocked. Agent-based approaches can accelerate protection as they are deployed directly into virtual machines, containers, or even functions. This provides a level of visibility that simply isn’t possible with an agentless approach. Visibility is critical when it comes to defending the cloud and any security team can tell you that. So, if you need to know what processes are running in a container, you need an agent in order to provide that information.

As workloads evolve into various types such as containers, serverless, containers-as-a-service, and more, some may be scanned using an agentless approach. However, defenders still need the ability to prevent unauthorized access, prevent malware from being deployed, proactively block connections to suspicious endpoints, and block images that fail compliance from running in their prod environment. For this, an agent-based approach is essential to provide proper runtime protection.  

The bottom line is, cloud environments are dynamic and complex, as are their security needs. Modern applications are about mixed workloads, multi-cloud environments, and different runtimes. Why should one security approach be treated as the only answer to the challenges of protecting a complex environment? Sometimes, the answer is finding the best of both worlds.

Why you need a mixed approach to properly defend the cloud

In the face of today’s evolving threat landscape, organizations should look for a cloud-native security platform that uses agentless and agent-based scanning to meet their security needs.

Defending the cloud requires securing a rapidly growing attack surface. IT and security teams must enforce continuous monitoring and security from the development process to runtime. Legacy security tools are of little use here because they don’t provide the granular visibility into cloud-based events that organizations need. To protect hybrid environments, IT and security leaders need cloud-native technologies and a cloud-focused mindset — both of which must be rooted in maintaining flexibility, scalability, and consistency across their IT infrastructure.

Some will say agent-based security works best in data center environments where there is less change, but will fail to meet the security needs of modern businesses in the cloud. We know that two things are true when it comes to security. To protect hybrid environments, you need to first understand the adversary, and second, have the data you need to identify and respond effectively. Organizations that understand this know that an agentless and agent-based approach can work together to give security and DevOps teams flexibility to deploy the type of protection they need regardless of their environment.

Agent-based solutions like cloud workload protection agents gather event data generated by endpoints and cloud workloads. This approach leverages agents deployed to cloud workloads and containers and, if done right, is bolstered with cloud-native indicators of attack (IOAs), machine learning, and proactive, hands-on threat hunting, ensuring you have complete coverage.

Agentless approaches typically focus on cloud security posture management, providing visibility into potential risks and vulnerabilities, non-compliance, and control-plane protection. These solutions are primarily used in situations where agents can’t be deployed, and they reduce friction and complexity across multi-cloud environments and accounts.

In addition to cloud resource discovery and identifying misconfigurations, agentless solutions integrate with Security Information and Event Management (SIEM) solutions to gain visibility, prioritize threats, reduce alert fatigue, and respond and fix issues faster. These capabilities are fast and easy to deploy and serve as a foundation to a strong cloud security program. Combining this with an agent-based approach provides security teams the end-to-end protection and insights needed to respond faster and enable DevOps teams to build safely in the cloud.

Having a flexible approach to security bolstered by up-to-date, integrated threat intelligence is critical for giving enterprises the proper level of protection against today’s adversaries. With adaptable capabilities, organizations can adjust their activity to meet the needs of their environment.


Connect with the Author:

David Puzas

Head of Cloud Security Product Marketing


Copyright © 2022 IDG Communications, Inc.