Agent vs. Agentless Architectures in Access Management

Agent vs. Agentless architectures is a recurring debate - covering specifics from monitoring to security. But when it comes to Access Management, some key considerations are necessary when defining the scalability of your solution and its impact on efficiency and overhead over time.

Agent-based Access Management: Welcome to the World of Agent++

One of the biggest challenges with using agents for Access Management is they inherently require a 1:1 ratio of agent to infrastructure. In an Access Management context, that means you must have an agent on every piece of infrastructure if you hope to streamline access across your environment. We call this Agent++.

What is Agent++?

Agent++ is the continuous act of adding agents to every piece of infrastructure to provide streamlined access, due to the need to have a 1:1 ratio of agents to systems. That means:

• You need an agent installed on every existing system.
• You need an agent installed on every new system.
• You need to update every agent on every system over time. 

The result is an endless loop: New system. New agent. New system. New agent. Found an old system? New agent.

In Access Management, “Agent++” means you’ve suddenly traded managing access at a system-by-system level to managing agents on a system-by-system level. Sure, you may have gained some efficiencies, but you’ve also introduced a slew of new challenges.

Agents, Overhead and their Impact on Efficiency

When the implementation process for a tool is complicated and time-consuming, that doesn’t bode well for you over time. This is where most people begin to recognize the issues with an agent-based approach to access management, because once you’ve taken inventory of all of your systems, you now have to install agents on every system.

And that’s just the starting point. The challenges associated with an agent-based approach to Access Management will compound over time. For example:

• Due to the agent-based need to be on every single system, the initial implementation may be a lengthy process, delaying your team’s ability to quickly and easily access infrastructure.
• Onboarding new systems will require individual agents to be installed on every one, every time.
• Since agents share resources with the systems they’re installed on, they compete for resources with your critical systems.
• You’ll eventually need to upgrade every agent over time - a process that will only become more complicated and time-consuming with every new system you add.

Relying on agents will dramatically impact the efficiency and productivity of your development and security teams – and not in a good way. 

Access Management: Agents vs. Agentless

Access Management is inherently an additive process. Access must be provided and managed for new, existing, and shadow (assuming you find them) systems in your infrastructure. That means that the ability to easily onboard and manage systems is critical.

Agent-based architectures are detrimental to this goal in a few key ways: 

• There is an inability to dynamically add systems with minimal delay and overhead. 
• Resources are required to manage agents over time. 
• There is higher development overhead. 

Conversely, agentless architectures do not have many of those issues. By going agentless, it becomes significantly easier to add and remove new systems, there is no resource conflict between infrastructure and agents, and you no longer have to be concerned with managing or updating agents on every single system in your infrastructure. 

The combination of agentless benefits ultimately means less overhead, less impact on efficiencies over time, and now you no longer need to worry about Agent++. 

Agent++ in the Wild: One company’s struggle with agents, upgrades, and access

One StrongDM customer in the software development space had this exact issue - the company was using a tool that required agents to be installed on every new system. But because the company was growing rapidly, managing the scale and complexity of the deployment quickly became overwhelming, with one team lead stating, “You’d think a company full of really good engineers could get the solution deployed quickly - but it turned out to really be a burden.”

The organization struggled to keep up with the agents as new systems were added, when new people would join with new machines, and also when it came time to upgrade. “Every time we upgrade, there’s a huge project just to upgrade everything at the same time. We end up having to limp along.” And that was only working with three infrastructure tools, much less delivering streamlined access across the entire environment. This burden drove the company to explore other access solutions, including StrongDM (which they ultimately chose).

Want to see how agentless access management can help your organization? Sign up for a free trial or demo of StrongDM and see. 🙂