Safet Acifovic

To go or not to go agentless in the public cloud

28/10/2020

An agent-based approach is not the way to go in cloud security. Agents stem back from the pre-cloud time and simply can't handle how the cloud works. Let us explain why agents don't work for cloud.

A long, long time ago we only had physical hosts. Not a cloud in sight. Securing physical hosts oftentimes required the installation of multiple security agents - one for each server. But the world was different back then. It was fairly static. IP addresses where assigned to physical assets and they seldom changed. And even then, agent integration was tedious and coverage never really reached 100% of the assets. Nobody who has worked with security agents will deny that.

 

Agent-based security is the wrong approach.

 

What used to be physical is now becoming virtual. The public cloud is everywhere and its adoption is inevitable. So, how did we secure assets in the cloud? Well, we used what we had - just like with traditional security solutions (as discussed in our previous post). We took security agents that ran on physical hosts and ran them on virtual machines in the cloud. But agent-based security is the wrong approach for securing AWS, Azure and GCP environments. Agents cannot handle how the cloud works.

 

As a wise colleague once said: cloud requires a different mindset, especially when it comes to security. This is also true for agent-based security. Cloud security is evolving and must evolve quickly to meet the needs of organizations with large-scale cloud deployments. In a typical cloud environment, utilization scales up and down frequently - possibly thousands of times per hour across multiple clouds. Agents simply do not scale when you are launching hundreds of (different) hosts per hour. And just think of the operational overhead of agent management!

 

You are left in the dark when it comes to cloud-native services.

 

Also, assets in the cloud are less likely to exist at static IP addresses and different assets may share the same IP address within a short period of time. An agent-based approach tracks hosts by an IP address or network. This does not scale and only covers virtual hosts. You are left in the dark when it comes to cloud-native services and serverless computing. A misconfigured S3 bucket? You won't ever know.

 

Another reason to go agentless is the increased attack surface created by agents. Agents are just a piece of software installed on your virtual hosts. As all software installations, they introduce new risks. Agents may be vulnerable, have exposed ports or contain misconfigurations. New agents have therefore to be tested, evaluated and introduced into the environment, which can take weeks. This creates an unnecessary burden for your team. And what about the unnecessary tax on your cloud environment? Agents need to run in each instance, thus taking a bite out of your CPU utilization and consuming bandwidth.

 

When it comes to agent-based security in the public cloud, we see the following disadvantages:

  1. Agent-based security does not scale
  2. Agents form an operational burden for your team
  3. Agents themselves introduce new risks
  4. Agents are not aware of the cloud and its cloud-native services
  5. Agents-based security never covers 100% of the cloud assets
  6. Agents introduce an additional tax on your cloud environment

Securing the cloud requires complete visibility into all cloud assets, compromised resources, vulnerable software, and misconfigurations without the cost, complexity, and limitations of agents. In our search for a cloud-focused and agentless security solution that can do all this, we came across Orca Security.

Delivered as a SaaS solution, Orca Security uses its patent-pending SideScanningâ„¢ technology to deliver instant and agentless deeper visibility into your cloud environment and ease compliance efforts. The solution works out-of-band and scans the entire cloud estate, down to the data layer to identify malware, vulnerabilities, misconfigurations, leaked passwords, sensitive data (PII) and more.

 

We are excited to announce that we have partnered with Orca Security to help you achieve full-stack visibility across your cloud environments, such as AWS, Azure and GCP.

 

Free trial with our HealthCheck

Each CloudNation HealthCheck comes with a free trial1 of Orca Security to give you the opportunity to experience full-stack visibility yourself. The CloudNation HealthCheck is a security assessment we have developed to help you identify misconfigurations and other security risks within your cloud environment. It's quick, complete and comes with actionable recommendations to help you start fixing right away.

Interested? For more information on Orca Security or our HealthCheck, please leave your contact information below or gives us a call.

 

Contact us

 

 

 

1Terms and conditions may apply