Agents vs Agentless: Choosing the Right Security Approach for Your Specialized Cloud Virtual Machine Workloads

Published 07/13/2023

Originally published by Tenable.

Written by John Tonello and Ryan Bragg.

You can scan virtual machines for security vulnerabilities in multiple ways depending on what your instances are running, how long they’re up, and whether or not they can run an agent or be accessed with administrative credentials. Network scanning, installed agents or public cloud APIs can all report findings, but there are tradeoffs. In this blog, we’ll talk about each approach and their appropriate use cases.

What is cloud vulnerability management?

When we talk about vulnerability management and the pros and cons of using agents vs. going agentless, the focus is on scanning the base operating systems – often Linux and Windows – of cloud instances to identify vulnerabilities.

With long-running virtual machines, it’s perfectly valid in certain cases to perform network scans or to install agents or cloud-vendor agents. These methods provide system telemetry that security teams can use to identify and fix problems.

However, in cloud environments where instances are short-lived, using agents can introduce unnecessary complexity and overhead.

Network scanning

Network scanning is best suited to public-cloud virtual machines for which OS-level credentials are available to the security team, and whose firewall and security-group rules permit the scanner to reach the targets on all ports and protocols. These tend to be large, long-lived instances.

Network scanning is comprehensive, but it can affect the performance of each target. You also need a separate virtual machine to host the scanner application. This is usually deployed within each virtual private cloud (VPC) or virtual network (VNET) so the scanner can reach the cloud virtual machines inside it while the VPC/VNET boundary remains an isolation barrier.

The network scanner also needs to have administrative credentials to access each target. Otherwise, scan results are limited to the external view of a system, which mostly consists of the ports on which a system is listening (e.g., 22, 443), the service versions behind each open port, and the fingerprinted OS version.

Agent-based scanning

In cases where network scanning isn’t an option, many security teams turn to agents. Agents run inside each running cloud virtual machine and report findings.

Users may alternatively take advantage of cloud-vendor agents. These, too, must be installed on each target system and can be configured to provide telemetry to your vulnerability management system.

This is a valid approach for larger virtual machines on which security teams allow agents, but not OS credentials. Unlike the network scanning scenario described above, no separate scanner node needs to be deployed, reducing complexity.

Advantages of agent-based scanning include eliminating the need for separate scanner virtual machines, reduced cost compared to network scanning, and no credential management. However, agents require management, introduce system overhead, and necessitate connectivity to an agent manager. They are not well-suited for ephemeral workloads.

Agentless scanning

Today, the evolution of cloud security has led to what’s known as agentless assessment, which uses no network scanners and no agents. Instead, it uses the cloud vendors’ public APIs to gather information about virtual machines’ software bill of materials, then performs an assessment based on the information gathered.

This is a truly cloud-native approach and, unlike agent-based scans, can automatically provide visibility into all the cloud virtual machines and their flaws.

Unlike the agent approach, virtual machines scanned this way don’t need to be large enough to spare resources for an agent. Running virtual machines are never scanned directly; typically only their snapshots are. No OS-level credentials or open ports are needed either, so this approach scales well and significantly reduces the operational overhead of establishing a vulnerability management program in the public cloud.

Advantages of agentless assessment include being cloud-native and API-driven, eliminating the need for scanners or agents, easy scalability, and not relying on credentials. It works with virtual machines of all sizes, does not impact running instances, and reduces costs by eliminating scanner virtual machines. Access is granted via a cloud-native identity, and the method can be used on stopped virtual machines when snapshot-scanning is available.
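The assessment step of the snapshot-based approach described above, as an added illustration that is not Tenable’s code or part of the original post: it assumes a dpkg `status` fragment read from a mounted snapshot of the instance’s root volume (constructed here), a constructed advisory list with placeholder identifiers, and a deliberately simplified Debian version ordering (no epochs, no `~` handling).

```python
import re

# Constructed fragment of a Debian/Ubuntu dpkg "status" file, as it would be read
# from a mounted snapshot of the root volume (no agent, no OS login, no open ports).
DPKG_STATUS = """\
Package: openssl
Status: install ok installed
Version: 1.1.1f-1ubuntu2.16

Package: curl
Status: install ok installed
Version: 7.68.0-1ubuntu2.18

Package: libxml2
Status: deinstall ok config-files
Version: 2.9.10+dfsg-5ubuntu0.20.04.5
"""
# Constructed advisory feed: (package, first fixed version, placeholder advisory id).
ADVISORIES = [
    ("openssl", "1.1.1f-1ubuntu2.17", "ADVISORY-PLACEHOLDER-1"),
    ("curl", "7.68.0-1ubuntu2.18", "ADVISORY-PLACEHOLDER-2"),
    ("libxml2", "2.9.10+dfsg-5ubuntu0.20.04.6", "ADVISORY-PLACEHOLDER-3"),
]

def parse_dpkg_status(text):
    """Build the inventory {package: version} from packages that are actually installed.
    Stanzas whose Status is not 'installed' (e.g. leftover config-files) are skipped."""
    inventory = {}
    for stanza in text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines() if ": " in line)
        if fields.get("Status", "").endswith(" installed"):
            inventory[fields["Package"]] = fields["Version"]
    return inventory

def _tokens(version):
    # Simplified ordering (assumption): alternate numeric and non-numeric runs,
    # compare numeric runs as integers so that "2.16" sorts before "2.17".
    return [(int(t), "") if t.isdigit() else (0, t) for t in re.findall(r"\d+|\D+", version)]

def version_lt(a, b):
    return _tokens(a) < _tokens(b)

def assess(inventory, advisories):
    """Report installed packages that are older than the advisory's fixed version."""
    return [(pkg, inventory[pkg], adv_id) for pkg, fixed, adv_id in advisories
            if pkg in inventory and version_lt(inventory[pkg], fixed)]

if __name__ == "__main__":
    for finding in assess(parse_dpkg_status(DPKG_STATUS), ADVISORIES):
        print(finding)
```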

Finding the right vulnerability management solution requires understanding the tradeoffs between the three approaches. By carefully considering the use case and specific requirements, organizations can implement an effective vulnerability management program in the public cloud.


About the Authors

John Tonello is a Cloud Security Advocate at Tenable and has worked in and around the IT industry for more than 20 years. He’s the author of "Practical Linux DevOps", a book about setting up a Linux lab for modern software development, and host of Tenable’s "Cloud Security Coffee Break" webinar series.

Ryan Bragg is an Information Security professional with over 20 years’ experience in the IT industry. He has a wide range of experience, including security engineering, vulnerability management, penetration testing, risk assessment and quantification, information risk management, systems administration, network administration, and web application administration.