From a security perspective, however, these changes have made keeping up with the cloud all the more challenging. The dynamic nature of the cloud has strained some traditional security approaches to the breaking point, and the latest of these is agents.
In this post, we’re going to dive into the role and limitations of security agents in the cloud, and put forth a different approach for cloud infrastructure security: agentless deep scanning.
It is time to rethink the role of agents in the cloud. While they still serve an important purpose in a cloud world, agents are best suited as a last line of defense for threat protection and EDR.
However, security teams face multiple limitations and challenges when using agents in cloud environments, and these make agents ill-suited for security use beyond runtime protection and EDR. Agents are not the best option for visibility, or for risk and compliance assessment. Let’s take a look at why that is.
One of the largest challenges for securing the cloud with agent-based solutions is coverage. Agents only work on the machines they’re deployed on, and it’s difficult for security teams to get those agents deployed across the cloud environment. DevOps teams are the ones who actually have to install the agents on resources, and with ownership spread across many teams, security teams face a monumental task: first gaining visibility into every resource in the cloud so they know where agents are needed, and then finding the right developer on each team to actually install the agent. The result is that security teams often aren’t even aware of what they’re not covering.
Finding the right owner only matters for resources on which an agent can be installed at all. Several types of resources are beyond an agent’s reach, such as ephemeral resources that only exist for a few minutes, or marketplace images that cannot be modified. Additionally, agents can’t scan machines that are stopped or paused, leaving further gaps in coverage.
With these challenges, it is extremely common for organizations to end up with less than 50% of their cloud environment covered by agents. This makes agents better suited to serve a role as an additional layer of defense for the most critical resources, rather than attempting to cover the entire cloud with them.
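The coverage problem described above can be measured rather than guessed at by joining the cloud inventory against the host list the agent backend reports, and attributing each uncovered instance to one of the gap reasons named in this post. This is an added example, not code from the original post; the inventory, the agent host list and the 10-minute ephemeral window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Instance:
    instance_id: str
    state: str                       # "running", "stopped", "paused", "terminated"
    launched_at: datetime
    terminated_at: Optional[datetime]
    image_modifiable: bool           # False for locked marketplace images

def classify_gap(inst, agent_hosts, now, ephemeral_window=timedelta(minutes=10)):
    """Return None if the agent covers this instance, else the reason it does not."""
    if inst.instance_id in agent_hosts and inst.state == "running":
        return None
    if inst.state in ("stopped", "paused"):
        return "stopped_or_paused"   # agent cannot scan a machine that is not running
    lifetime = (inst.terminated_at or now) - inst.launched_at
    if lifetime < ephemeral_window:
        return "ephemeral"           # lived too briefly to ever receive an agent
    if not inst.image_modifiable:
        return "unmodifiable_image"  # marketplace image that cannot be changed
    return "agent_not_installed"     # eligible host, but nobody deployed the agent

def coverage_report(instances, agent_hosts, now):
    """Coverage percentage plus uncovered instance ids grouped by gap reason."""
    gaps, covered = {}, 0
    for inst in instances:
        reason = classify_gap(inst, agent_hosts, now)
        if reason is None:
            covered += 1
        else:
            gaps.setdefault(reason, []).append(inst.instance_id)
    pct = round(100 * covered / len(instances), 1) if instances else 0.0
    return {"coverage_pct": pct, "gaps": gaps}

# Constructed sample inventory: what a cloud API might return, joined with the
# hosts the (hypothetical) agent backend says it is currently receiving data from.
NOW = datetime(2024, 1, 1, 12, 0)
SAMPLE_INSTANCES = [
    Instance("i-web-1", "running", NOW - timedelta(days=30), None, True),
    Instance("i-web-2", "running", NOW - timedelta(days=30), None, True),
    Instance("i-db-1", "stopped", NOW - timedelta(days=90), None, True),
    Instance("i-batch-7", "terminated", NOW - timedelta(minutes=4), NOW - timedelta(minutes=1), True),
    Instance("i-appliance", "running", NOW - timedelta(days=10), None, False),
]
SAMPLE_AGENT_HOSTS = {"i-web-1", "i-db-1"}

if __name__ == "__main__":
    print(coverage_report(SAMPLE_INSTANCES, SAMPLE_AGENT_HOSTS, NOW))
```

Note that i-db-1 has the agent installed yet still counts as a gap, because a stopped machine is not being scanned regardless of what was deployed on it.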
Once an agent is installed, that’s not the end of the story. Agents need to be maintained and managed just like any other piece of software. Agents evolve, and each new version of the agent has to be tested and validated before it’s rolled out to the environment, which adds strain on security and DevOps teams.
On the flip side, cloud resources also evolve, so security teams must make sure that the agents they have deployed support the latest kernel updates. The risk here is the potential to crash a resource or application if there’s a misalignment, or for the agent to become a security risk itself if it is not patched. Some vendors have built-in protections to ensure that an agent won’t crash a resource if it doesn’t recognize the kernel, but even when using an agent with such functionality, the tool’s capabilities will be reduced.
Keeping agents updated and staying on top of the impact of resource changes on agents is a full-time juggling job for security teams, and one where it’s easy for a ball to drop and affect cloud security posture.