The evolution of technology has resulted in new security application deployment models for organizations to deploy security solutions. One crucial example of this is the growth of agentless security solutions. Agentless solutions circumvent the limitations that are often encountered with agent-based applications, even though the latter tend to be treated as the “default” option by many practitioners.
Why it matters:
Informing yourself about the limitations of agent-based security can help you avoid the shortcomings that come from using legacy security solutions. Ultimately, relying solely on agent-based security applications might introduce significant limitations to your security program centering around:
- Cloud data proliferation, where sensitive information is inappropriately shared or disclosed outside of the endpoint;
- Personal devices / BYOD (Bring Your Own Device) that are beyond organizational oversight and management, usually insufficiently protected and more vulnerable to data disclosure risk;
- Consultants and third parties such as vendors, whose own security practices may not align with the requirements or maturity levels required by your organization;
- Direct cloud access methods such as APIs, where the endpoints could also be unmanaged. In addition, systems and other cloud apps that connect directly via API are outside of any agent-based protection.
Read on below to understand these limitations in detail.
Agentless vs agent-based security
An agent is a process or daemon that must be installed on a device and utilize device resources to run. This is the “traditional” model of securing endpoints such as workstations. Within security, there are a number of use cases where agent-based approaches are satisfactory, like for example, when you need to monitor changes on a specific endpoint over time. Some examples of agent-based security applications include:
- Mobile Device Management
- Antivirus Endpoint Protection/Management
- File Integrity Monitoring (FIM)
While agents have their place, the complexities of modern working arrangements—from hybrid work to remote work—introduce complications that make relying on agents for security inefficient or incomplete at best.
Only agentless approaches work for cloud data security
With more companies migrating to the cloud post-COVID, securing sensitive data, assets, and processes running in the cloud are becoming increasingly critical. One admittedly obvious but essential attribute of cloud systems is that your organization does not own these environments. You cannot deploy agents to secure these systems, because the servers hosting these environments are not yours. This turns the traditional security paradigm of deploying network or endpoint agents to secure a “perimeter” on its head. Thus an agentless approach is one that must be adopted out of necessity, with companies like Nightfall emerging to fill this emerging and growing niche. Bluecore CISO Brent Lassi discusses this evolution below:
Despite this, though, many organizations still rely on legacy, agent-based solutions to secure their data while adopting cloud platforms across their workforce. This provides a false sense of certainty. While it’s true that solutions like CASBs and endpoint managers can see data leaving a device and potentially “block” it from entering cloud environments, this is only addresses part of the problem because:
Agent-based data security applications cannot scan over API
Sensitive data can proliferate from a variety of sources. For example, in Slack, employees can install applications via API that can copy from or write sensitive data into your Slack instance. No CASB or endpoint manager would ever catch this activity, because these tools cannot inspect traffic that is being sent programmatically through systems that they have no ability to sit in front of. There’s also simply the fact that cloud applications and environments can be accessed from any device anywhere, including non-sanctioned devices.
Agentless applications, like Nightfall, circumvent this because they’re able to integrate with any cloud environments via API, allowing for you to effectively instantly set up security controls for cloud services.
Agent-based data security applications are constrained by compute resources
Running as an agentless service means that an application can utilize more computationally “expensive” processes. For example, Nightfall deploys machine learning (ML) detectors to scan for sensitive data in the cloud. While there are agent-based and network-based DLP alternatives, none of these services can run machine learning to scan payloads without introducing large amounts of latency when monitoring data going over the wire from employee devices to the cloud. This effectively results in a less accurate and less powerful form of detection due to the limitation of agent-based architectures not being able to efficiently run computationally demanding tasks without introducing latency.
Shifting left with an agentless approach
With data residing more and more on the cloud, agents are late and last in attempting to protect data. What is required is an earlier “Shift Left” approach that catches the data before it continues to proliferate and multiply the disclosure risk. Additionally, agents contribute further risk to an organization, as an agent on an endpoint would:
- Block end users, whether due to erroneous detection, lack of configurable nuance, or agent inoperability;
- Breach the privacy of the end user through its excessive collection of personal information;
- Require continuous maintenance and updates, in need of intensive testing with all other agents on workstations such as antivirus, mobile device management (MDM), and other security and asset management tooling, as well as OS updates.
The modern security paradigm is to be aligned and enable the business. Blocking or adding more risk and overhead are not welcome in this fast paced environment, and when protecting data, the mandate is to “Shift Left.” This means mitigating the risk earlier in a business process, workflow, or data flow. For data protection, this means protecting and monitoring where the data is initially stored or shared. Today, that is on the cloud - beyond endpoint agents’ reach.
It is always best practice to address data risk earlier in the data lifecycle. This means when it is first posted, shared, or committed. And with the cloud being the hub of modern productivity, cloud DLP should be the primary focus for data protection.