Agents of disruption: Four testing topics argue the case for agentless security


Let me introduce myself. I’m a set of flaws in your otherwise perfect, agent-based security world. Like all disruptive agents, I derail your best-laid plans with expensive havoc; but in my case I create sticky situations inside your multi-cloud arrangement.

You may be thinking that the premise of this article is bogus, because most cloud-based security systems automate the deployment and management of agents; and any one of those and their kid can microsegment and scale. And you’d be right about that. But. Let’s be honest here about some of the key considerations you should take into account when deciding to put complete faith in physical agents.

Agent-dependent solutions: Worth it?

If any multi-cloud solution claims to be totally seamless, it is lying like a small-town politician. From testing to implementation, hardware, maintenance training, policy adjustments, subscription licensing and updates, plus any hardware-specific problems that could arise, an accurate measurement of ROI will involve a wide scope of costs.

While agents are capable of capturing in-depth details about a system, they often come with the above concerns and more. For example, they can consume resources (much like a jilted ex with your credit card) when it comes to deploying and maintaining them on large-scale networks.

Agentless solutions, on the other hand, allow for faster deployments and decreased asset management and testing requirements, leading to lower resource requirements and an overall lower Total Cost of Ownership (TCO).

Here are four questions to ask yourself regarding agent-based solutions.

1. Are you OK with deploying agents to your workloads before, or goodness forbid, without, testing?

Your production environment is prime-time for extensive security testing. What if you’re the COO of a large bank, for example?

Were you going to wait until your network launched another software image, interacted with tens more operating systems, complex development platforms, and hundreds of trading platforms on a split-second by split-second basis—trading billions per day?

Let’s just say the stakes of any failure are magnified with each step that you didn’t test. In case I didn’t make it clear, the answer to the question above is no, no way. Testing agents is a standard process prior to deploying into your environment.

When using agent-based solutions in environments where thousands of applications are deployed, creating quality assurance checks for each software version can become a major burden, extremely time-consuming, and in some cases, simply impossible.

2. How many different software images are in your production environment?

Let’s assume one QA test cycle per unique software image. For systems with hundreds of applications deployed to production, thousands of images may be required. Will your team have the time and resources to test each one or be responsible for the decision not to?

Consider the extensive time and resource requirements throughout the deployment and upgrade process.

3. Who owns those application images?

In other words, whose permission do you need to install that suspicious-looking hardware paraphernalia, and who is on the hook for its testing? If you’re in the majority, dozens of different line-of-business owners own the applications and their images. They are almost certainly not the people responsible for DC or cloud security.

Good luck getting everyone in the office hyped about a timely install when their laptops are at their kids’ ballet recitals or busy on an ‘extended’ working retreat.

4. How often will testing be conducted?

I know you know best practices. Every app owner is obliged to re-test when the application itself changes. What about when the agent changes?

When using agents, functionality testing is required not only when an update is made to the application, but also when the agent is upgraded. I recommend you speak with your security provider about the number of updates expected for your project’s scale and requirements. But keep a few extra cents for pop quizzes in your overall budget.

In the words of one anonymous COO who regrets the unforeseen testing requirements that followed his latest agent-based purchase, “This is a tar pit into which no one should stick their arm.”