Last updated at Tue, 02 Nov 2021 13:35:31 GMT
In our previous blog on this topic, we discussed some of the considerations when choosing between agent-based and agentless cloud security approaches. The following table provides a summary of these considerations.
|Deployment||- Deployed on every asset independently
- Can add potential friction; may require some special access permissions per asset
- Deployment has to scale up with additional assets
- Can be resource-intensive for the monitored asset
|- Deployed externally to assets being monitored, usually at the cluster level
- Relies on the provider's inherent access role schemes and APIs
- Processing and data collection are independent of assets
- Can be resource-consuming at the provider's billing level
|Monitoring||- Tailored for asset specifications (must be aware of and compatible with OS, kernel, and architecture of the layer in which it operates)
- Can be used over a variety of different cloud providers
- Has access to unexposed asset information, but requires elevated permissions, which may turn into a security consideration of its own
- Has a specific view per monitored asset; higher-level correlation has to be done externally
- Missing or malfunctioning deployment may result in blind spots
- May require different inspection methods for different types of assets
|- Agnostic to asset specifications
- Relies on cloud provider's API and its data collection facilities
- No access to unexposed provider information
- Has a cluster-level view of asset activities, usually from a single collection point; easy to make correlations between different cluster asset activities
- Malfunctioning deployment may result in cluster-level blindness
- Unified access to all asset information via a common API and data collection facility
|Enforcement||- Needs an in-band access to medium for taking an action
- May interfere with uncorrelated provider operations
|- Integrates to and correlates with provider's automations and enforcement tools
- Cannot go beyond provider's limitations
Neither the agent-based nor agentless approach is strictly considered better than the other. In some cases, it could be beneficial to join forces and have both flavors of security scooped into the same cone, so each can cover for the shortcomings of its counterpart. For example, agentless solutions are usually shortsighted when it comes to a workload's confined information, such as the activity of processes executed within the workload space. Therefore, you might choose to augment your agentless solution with an agent-based deployment for this purpose.
As a counter-example, agent-based solutions could be disruptive or resource-consuming for network monitoring tasks. You could instead carry out these tasks over the already existing provider facilities by adding an agentless solution, which could then catch all cluster network activity information within a single collection point.
So, what's the right answer?
In this post, we have covered some of the key aspects that differentiate agentless and agent-based approaches to cloud security. We can conclude that neither is necessarily preferable over the other, but each can cover the shortcomings of its counterpart, depending on your organization's needs. Agent-based solutions can potentially provide a more in-depth perspective of a protected asset's internal activities. Provider-integrated agentless solutions are usually agnostic to the containerized internal activities, but they can excel at a broader scale when making correlations between different sources of information, while still minimizing the friction per asset.
Essentially, there's no right or wrong answer for cloud security. To keep your assets secure, just pick the approach — or mix of approaches — that makes sense for you and your organization.