The End of Agent Technology in the Cloud
Published 02/09/2022
Written by Morey J. Haber, Chief Security Officer at BeyondTrust
One of the most common objections to placing new technology on an endpoint is that it needs an agent. In fact, for years, one of the biggest objections raised by companies has been the need for agent technology at all.
Time and time again, end users resist adding to their endpoint agent stack because of bloat, incompatibilities, resource consumption, and additional management overhead. In recent years, vendor consolidation and multi-discipline agents have reduced this friction. Yet agent technology remains one of the least desirable ways to deploy and manage an endpoint.
Now consider the cloud. Security problems in the cloud can be solved with agent technology when we simply "cloud wash" our existing solutions, that is, lift an on-premise tool into the cloud unchanged. However, as we embrace modern cloud implementations with containers, microservices, serverless functions, and ephemeral assets, we find that agents are difficult, if not impossible, to deploy and maintain. Yet basic disciplines like privileged access management (PAM), vulnerability management, file integrity monitoring, and anti-malware protection have traditionally required agents, especially when authenticated remote access is neither available nor desirable because asset-hardening best practices call for disabling it.
Simply enabling SMB, SSH, or even WMI so that a scanner can authenticate to a cloud asset is itself a security risk: each one is a listening service on the asset and a credential to manage. End users were therefore left with agent technology to solve the problem, even when the cloud implementation is best optimized without agents. This held true until recently.
Consider what the cloud excels at: automation. Cloud service providers (CSPs) have built robust application programming interfaces (APIs) to enable automation and machine-to-machine connectivity. These APIs cover everything from asset creation through deletion, and even running commands and monitoring processes within assets. They accomplish all this without agents.
Modern security solutions can now inspect assets at runtime and determine their characteristics through the hypervisor's API, just as an authenticated scan or a locally running agent would. One such technology is called API scanning.
API-based scanning leverages the CSP API to enumerate the file system, processes, and services within an asset for vulnerability management, malware detection, asset discovery, and account management. This approach succeeds where agents are less desirable because the hypervisor (via the API) has complete access to enumerate the contents of any asset operating on it.
API-based scanning requires a translation layer that performs complex functions via the API and maps the results into the asset inventory, file system listing, and runtime anomalies (such as malware) that we expect from traditional solutions. Because this is an identification process only, API side scanning can use a read-only API account, following least-privilege best practice, whereas authenticated network scanning typically needs administrator or root access.
API scanning does not require any remote access protocols, which reduces the asset's attack surface. This approach is the first step in removing agent technology from the cloud. API-based scanning also spares each asset the compute an agent would consume, which matters under consumption-based pricing.
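The paragraph above rests on the scanning account being read-only. That is a claim worth verifying on the policy the vendor actually asks you to grant, not taken on trust. The following Python is an added example, not code from the original article or from any BeyondTrust product: it audits an IAM permissions policy and flags any Allow statement that grants more than read-only verbs. The policy document, the function names and the choice of "Describe", "Get" and "List" as the read-only verb prefixes are constructed assumptions for illustration; the IAM action names themselves (ec2:Describe*, ebs:ListSnapshotBlocks, ebs:GetSnapshotBlock, ssm:SendCommand) are real AWS actions.

```python
"""Audit a vendor-requested IAM policy for read-only, least-privilege access."""
import json

# Assumption: verbs with these prefixes only read state. Anything else
# (Create*, Run*, Put*, Modify*, Send*, Delete*, ...) can change the account
# or the asset and is not acceptable for an API-scanning account.
READ_ONLY_VERBS = ("Describe", "Get", "List")


def _as_list(value):
    """IAM fields such as Action may hold a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_read_only_action(action):
    """True if an action pattern can only read state.

    'ec2:DescribeInstances' and 'ec2:Describe*' are read-only; '*', 'ec2:*'
    and 'ssm:SendCommand' are not, because they expand to or are mutating calls.
    """
    if ":" not in action:
        return False  # bare '*' grants every action of every service
    service, verb = action.split(":", 1)
    if not service or service == "*":
        return False
    return verb.startswith(READ_ONLY_VERBS)


def audit_scanner_policy(policy):
    """Return a list of (statement_index, action, reason) findings.

    An empty list means every Allow statement grants only read-only verbs,
    names the service explicitly, and uses Action rather than NotAction.
    """
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow what is granted
        if "NotAction" in stmt:
            findings.append((i, "NotAction", "grants everything not listed"))
        for action in _as_list(stmt.get("Action")):
            if not is_read_only_action(action):
                findings.append((i, action, "not a read-only verb"))
    return findings


# Constructed example of a policy a side-scanning vendor might ask for.
# Statement 0 is what read-only snapshot enumeration needs; statements 1 and 2
# are the kind of over-reach an administrator should reject.
VENDOR_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:DescribeInstances", "ec2:DescribeVolumes",
                "ec2:DescribeSnapshots", "ebs:ListSnapshotBlocks",
                "ebs:GetSnapshotBlock"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["ssm:SendCommand", "ec2:*"],
     "Resource": "*"},
    {"Effect": "Allow",
     "NotAction": "iam:*",
     "Resource": "*"}
  ]
}
""")

if __name__ == "__main__":
    for stmt_idx, action, reason in audit_scanner_policy(VENDOR_POLICY):
        print(f"statement {stmt_idx}: {action}: {reason}")
```

Two caveats a practitioner should keep in mind. A read-only verb is necessary but not sufficient for least privilege: s3:GetObject or secretsmanager:GetSecretValue pass this check yet read data a scanner has no business touching, so the Resource element deserves the same scrutiny. And if the vendor's policy needs a mutating verb to produce the snapshot it reads (ec2:CreateSnapshot, for instance), the audit will flag it, and you then decide whether to grant that one action with tightly scoped resources rather than accept the whole request.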
Now consider that every asset in the cloud is some form of endpoint. While we normally think of endpoints as the laptops and desktops used by end users, endpoints in the cloud are more akin to servers operating in a third-party data center, where you neither own nor manage the infrastructure.
While cloud assets can be segmented, just as on premise, exposing any unnecessary open port is generally a bad idea, even if the cloud implementation is private. This leads us to a discussion of risk assessment. To perform vital asset and security management functions in the cloud, we need to ask: which technologies carry the highest risk for cloud asset and security management?
Consider this table:
Technology | Risk | Maturity | Description |
--- | --- | --- | --- |
Network Scanning | High | Mature | Network scanning requires authenticated remote access into an asset, typically with administrator or root privileges. As a best practice, each asset should have unique, ephemeral credentials managed by a privileged access management solution. This type of implementation is typically complex and error-prone in very large environments, and it requires a secondary, private or management-only interface to process scanning requests. |
Agent Technology | Medium | Mature | While agent technology poses a much lower risk than network scanning, the installation typically runs with system, administrative, or root privileges. Its risk is mitigated because it generally has no open listening ports and requires no remote access. The remaining risk is the management of the agent itself: supply-chain attacks, mismatched versions, and potential incompatibilities with the host. |
API Scanning | Low | Emerging | All access to the asset is API-based via the cloud service provider. Access is granted as read-only. No code is deployed to the asset to perform the desired functions. There are no exposed listening ports, and the API can be hardened to allow access only from the trusted vendor. |
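The last row says the API can be hardened to allow access only from the trusted vendor. On AWS that restriction lives in the trust policy of the cross-account role the vendor assumes: the principal must be the vendor's account, and the statement should require an sts:ExternalId so that a third party cannot trick the vendor into assuming your role on its behalf (the confused-deputy problem). The following Python is an added example, not code from the article or from any vendor; the account ID, the external ID and both policy documents are constructed placeholders, and the function name is an assumption.

```python
"""Check that a cross-account role trust policy admits only the trusted vendor."""
import json


def trust_policy_findings(trust_policy, vendor_account_id):
    """Return (statement_index, reason) findings for each AssumeRole grant.

    An empty list means every sts:AssumeRole grant names principals inside the
    vendor's account only and carries an sts:ExternalId condition.
    """
    findings = []
    statements = trust_policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue  # this statement cannot be used to assume the role

        # Principal may be the string "*" or a map such as {"AWS": [...]}.
        principal = stmt.get("Principal", {})
        principals = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if isinstance(principals, str):
            principals = [principals]
        if not principals:
            findings.append((i, "no AWS principal named"))
        for p in principals:
            if p == "*":
                findings.append((i, "principal '*' lets any AWS account assume the role"))
            elif p != vendor_account_id and f":{vendor_account_id}:" not in p:
                findings.append((i, f"principal {p} is outside the vendor account"))

        external_id = (stmt.get("Condition", {})
                       .get("StringEquals", {})
                       .get("sts:ExternalId"))
        if not external_id:
            findings.append((i, "no sts:ExternalId condition (confused-deputy risk)"))
    return findings


# Constructed placeholders: 111122223333 is the documentation-style account ID
# used here for the hypothetical scanning vendor.
VENDOR_ACCOUNT_ID = "111122223333"

# Weak: anyone with the role ARN may assume it, and nothing ties the call to the vendor.
WEAK_TRUST_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Principal": {"AWS": "*"},
                "Action": "sts:AssumeRole"}]}
""")

# Hardened: only the vendor account, and only when it presents the agreed external ID.
HARDENED_TRUST_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": "scanner-7f3a"}}}]}
""")

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)):
        print(name, trust_policy_findings(policy, VENDOR_ACCOUNT_ID) or "ok")
```

Pair this with the permissions-policy audit: the trust policy decides who can obtain the role's credentials, the permissions policy decides what those credentials can do, and the row's "low risk" rating assumes both are tight.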
As one would expect, API scanning is an emerging technology whose reach depends on the capabilities cloud service providers expose. As CSPs continue to add automation, new APIs are created to streamline their services.
When third-party vendors build on these APIs, they can deliver new functionality. In many cases, that functionality can replace legacy network scanning and agent-based solutions. This may ultimately spell the demise of agent technology in the cloud, something many security professionals and IT administrators eagerly await.
About the Author
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud-based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as part of the eEye Digital Security acquisition, where he had served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as a Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.