<img src="https://ws.zoominfo.com/pixel/6169bf9791429100154fc0a2" width="1" height="1" style="display: none;">

Breaking the Cycle: How access, security, and productivity create a vicious cycle, how this manifests in the real world, and how to break it.
Register for the webinar

Home
Why StrongDM icon
Why StrongDM
Product
Infrastructure Access Platform icon
Infrastructure Access Platform (IAP)
Use Cases icon
Use Cases
How It Works icon
How It Works
We Love Your Stack icon
We h Your Stack
Price tag icon
Pricing
Users icon
Customers
Docs & Resources
Docs icon
Docs Home
Filing cabinet icon
Resources
Guides
Compass icon
Guides
Company
S
About Us
Thumbs up icon
Careers
Lock icon
Security
Partner Program icon
Partner Program
Newspaper icon
Press
ACCOUNT
}
Log in
c
Try strongDM Free for 14 Days
Blog / Access

Agent vs. Agentless Architectures in Access Management

Dominic Garcia
by
Senior Marketing Director
strongDM
Last updated on: May 11, 2022
Found in: Access Identity and Access Management Privileged Access Management
StrongDM manages and audits access to infrastructure.
  • Role-based, attribute-based, & just-in-time access to infrastructure
  • Connect any person or service to any infrastructure, anywhere
  • Logging like you've never seen
Get a demo
Agent vs. Agent-less Architecture

The Problem with Agent-Based Access Management

Agent vs. Agentless architectures is a recurring debate - covering specifics from monitoring to security. But when it comes to Access Management, some key considerations are necessary when defining the scalability of your solution and its impact on efficiency and overhead over time.

Agent-based Access Management: Welcome to the World of Agent++ 

One of the biggest challenges with using agents for Access Management is they inherently require a 1:1 ratio of agent to infrastructure. In an Access Management context, that means you must have an agent on every piece of infrastructure if you hope to streamline access across your environment. We call this Agent++.

What is Agent++?

Agent++ is the continuous act of adding agents to every piece of infrastructure to provide streamlined access, due to the need to have a 1:1 ratio of agents to systems. That means:

  • You need an agent installed on every existing system. 
  • You need an agent installed on every new system.
  • You need to update every agent on every system over time. 

The result is an endless loop: New system. New agent. New system. New agent. Found an old system? New agent.

In Access Management, “Agent++” means you’ve suddenly traded managing access at a system-by-system level to managing agents on a system-by-system level. Sure, you may have gained some efficiencies, but you’ve also introduced a slew of new challenges.

Agents, Overhead and their Impact on Efficiency

When the implementation process for a tool is complicated and time-consuming, that doesn’t bode well for you over time. This is where most people begin to recognize the issues with an agent-based approach to access management, because once you’ve taken inventory of all of your systems, you now have to install agents on every system. 

And that’s just the starting point. The challenges associated with an agent-based approach to Access Management will compound over time. For example:

  • Due to the agent-based need to be on every single system, the initial implementation may be a lengthy process, delaying your team’s ability to quickly and easily access infrastructure. 
  • Onboarding new systems will require individual agents to be installed on every one, every time.
  • Since agents share resources with the systems they’re installed on, they compete for resources with your critical systems.
  • You’ll eventually need to upgrade every agent over time - a process that will only become more complicated and time-consuming with every new system you add.

Relying on agents will dramatically impact the efficiency and productivity of your development and security teams – and not in a good way. 

Access Management: Agents vs. Agentless

Access Management is inherently an additive process. Access must be provided and managed for new, existing, and shadow (assuming you find them) systems in your infrastructure. That means that the ability to easily onboard and manage systems is critical.

Agent-based architectures are detrimental to this goal in a few key ways: 

  • There is an inability to dynamically add systems with minimal delay and overhead. 
  • Resources are required to manage agents over time. 
  • There is higher development overhead. 

Conversely, agentless architectures do not have many of those issues. By going agentless, it becomes significantly easier to add and remove new systems, there is no resource conflict between infrastructure and agents, and you no longer have to be concerned with managing or updating agents on every single system in your infrastructure. 

The combination of agentless benefits ultimately means less overhead, less impact on efficiencies over time, and now you no longer need to worry about Agent++. 

Agent++ in the Wild: One company’s struggle with agents, upgrades, and access 

One StrongDM customer in the software development space had this exact issue - the company was using a tool that required agents to be installed on every new system. But because the company was growing rapidly, managing the scale and complexity of the deployment quickly became overwhelming, with one team lead stating, “You’d think a company full of really good engineers could get the solution deployed quickly - but it turned out to really be a burden.”

The organization struggled to keep up with the agents as new systems were added, when new people would join with new machines, and also when it came time to upgrade. “Every time we upgrade, there’s a huge project just to upgrade everything at the same time. We end up having to limp along.” And that was only working with three infrastructure tools, much less delivering streamlined access across the entire environment. This burden drove the company to explore other access solutions, including StrongDM (which they ultimately chose).

Want to see how agentless access management can help your organization? Sign up for a free trial or demo of StrongDM and see. 🙂

About the Author

, Senior Marketing Director, has held marketing leadership roles for Silicon Valley technology companies specializing in database, data management, and data analytics solutions. As head of content marketing at Splunk, Dominic contributed to boosting the company’s market visibility and its growth from a $100M to a $1.3B company. He brings relentless creativity to the task of connecting people with technical products to improve their lives. Dominic holds a B.S. degree in Public Relations from the University of Texas at Austin. To contact Dominic, visit him on LinkedIn.

logo
💙 this post?
Then get all that strongDM goodness, right in your inbox.

You May Also Like

Alternatives to ManageEngine PAM360
Alternatives to ManageEngine PAM360
ManageEngine’s PAM360 gives system administrators a centralized way to manage and audit user and privileged accounts within network resources. However, teams that need to manage secure access to Kubernetes environments or enforce password policies within their privileged access management (PAM) system may want to consider other options. This blog post will cover ManageEngine PAM 360 and some solid alternatives, along with the pros and cons of each.
Machine Identity Management Explained
Machine Identity Management Explained in Plain English
In this article, we'll cover machine identities and address the importance and challenges in machine identity management. You'll gain a complete understanding of how machine identity management works and see the concept in action through real-world examples. By the end of this article, you'll be able to answer in-depth: what is machine identity management?
The difference between SASE vs SD-WAN
SASE vs. SD-WAN: All You Need to Know
SASE is a cloud-based network security solution, whereas SD-WAN is a network virtualization solution. SASE can be delivered as a service, making it more scalable and resilient than SD-WAN. Additionally, SASE offers more comprehensive security features than SD-WAN, including Zero Trust security and built-in protection against Distributed Denial-of-Service (DDoS) attacks.
SASE vs. CASB: Everything You Need to Know
SASE vs. CASB: Everything You Need to Know
In this article, we’ll take a big-picture look at how SASE and CASB solutions fit into the enterprise security landscape. We'll explore the key differences between SASE and CASB and explain how each tool helps ensure enterprise security. You will gain an understanding of how SASE and CASB solutions compare and which might be suitable for your organization.
CyberArk vs. Thycotic (Delinea)
CyberArk vs. Thycotic (Delinea): Which Solution is Better?
In this article, we’ll compare two Privileged Access Management (PAM) solutions: CyberArk vs. Thycotic, with a closer look at what they are, how they work, and which will best fit your organization. We’ll explore product summaries, use cases, pros and cons, PAM features, and pricing to that by the end of this article, you’ll have a clearer understanding of how these PAM tools work and be able to choose the one that’s right for you.