In today’s multi-cloud reality, we at Puppet see that perspectives about agent-based security, agentless security, and agent vs. agentless have changed as security needs have grown in complexity and urgency.
Given that architecture models and their supporting infrastructure (private and public cloud) have changed, a single viewpoint about the best way to keep a business secure is no longer a one-size-fits-all solution.
In this blog, we’ll weigh the pros and cons of agent vs. agentless as it stands today, taking into account the specific needs of your organization.
Agent-based security (also known as endpoint security) is a cybersecurity approach that deploys software agents to individual devices. Endpoints can include computers, servers, virtual machines, smart devices, and other devices that connect to an IT network.
The definition of agentless security is a cybersecurity approach that uses existing infrastructure and controls to secure endpoints, rather than deploying software agents.
Agent-based security deploys software agents to collect data from endpoints and enforce security rules. Agentless security doesn’t require any special integrations or agents to monitor and control endpoints — it manages endpoints from the outside and enforces policy on them directly.
Agents are valuable if you benefit from having intelligence at the endpoint itself. Agentless automation for security is a simpler approach — endpoints are managed from the outside and policy is enforced from a single intelligent point.
Imagine that humans were built without an immune system, and every time a person was sick, they would have to receive treatment from a hospital. It’s a solution that can work, and in theory, humans might be easier to treat without the complication of having an immune system.
But as the population grew, as diseases became more complex, it would become more difficult for a single hospital location to take care of everyone. In this case, it’s better for humans to have their own immune system that can take care of things that pop up – and quickly. In this example, agents are the immune systems built-in against the threat of external forces.
The debate then between agent vs. agentless becomes contextualized depending on the use case. Context is everything.
Agentless supporters make the claim that there is no need to install an agent on every server, and that avoiding that installation will save time and effort. But they’re giving an answer to the wrong question — the issue is not about the time spent in onboarding and maintenance. The more important issue is resource allocation and overhead, which ultimately impact security and reliability.
Agent-based security offers real-time protection, but it consumes more resources on individual devices. Agentless security uses fewer resources but can be less reliable because it relies on network-based tools for security.
Comparing agent vs. agentless looks different, depending on the use case you’re considering. If you’re just looking at saving time, agentless makes sense. But let’s explore the specific pros and cons for each when the use case is security:
The debate between agent vs. agentless comes down to one thing: how will this be used? The simplicity of agentless architecture makes sense in some context — you install one thing, one time, and it’s able to connect and control the disparate parts and pieces of your organization. Why install an agent on 1,000 devices, when you can install it on 1?
The argument breaks down when we start to talk about security, or even compliance. In this instance, having agent-based intelligence at the endpoint of a specific device can be a powerful tool to act on instructions when there is a loss of connection between that single device and the singular agentless server providing direction.
The stakes for security have never been higher and the threats have never been more severe — the window between when an outage occurs and when an organization can address it is limited.
An agent approach might be best if your organization...
With even a minute gap, a system can be infiltrated. And the larger the system, the more likely that there will be parts and pieces that are down. Every step in scale increases instability, which is why system reliability is more important than ever before.
In critical systems that support healthcare, financial services, or even transportation, system reliability is critical to avoid safety incidents and costly downtime. Even for consumer-based systems, reliability keeps customers happy by keeping the lights on, keeping production moving, and avoiding delays due to downtime.
Having an intelligent endpoint makes sense when the risks are so high that you can’t afford to have a break in connectivity, when you’re working with a “sketchy” environment, or when you need infrastructure that will cover you 100% of the time.
The weaknesses of individual agents on each device (time-consuming to install and update) become strengths when stacked up against agentless for security. Agents take time to install, but they'll be able to make intelligent choices during times of disconnect.
When you need systems to run as expected, an agent on the box provides a huge advantage for system reliability and network dependency.
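As an added illustration (not code from the original post, nor a Puppet-supplied baseline), here is what “intelligence at the endpoint” looks like in practice: a small Puppet manifest that the agent evaluates on every run. The paths, resource names and values below are illustrative choices for a Linux host, not settings from the post. The relevant agent behaviour is that a Puppet agent keeps a local copy of its last compiled catalog and, with the default `usecacheonfailure = true` setting, applies that cached catalog on schedule when the Puppet server is unreachable, so the controls below continue to be re-enforced during a loss of connectivity rather than waiting for an external system to dial in.

```puppet
# Added example, not from the original post. Illustrative baseline that a
# Puppet agent re-enforces on each run (default run interval 30 minutes),
# including runs that fall back to the cached catalog when the server is down.
class security_baseline {

  # Configuration that grants remote access should be readable by root only.
  # If an operator loosens the mode by hand, the next agent run restores it.
  file { '/etc/ssh/sshd_config':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0600',
  }

  # Keep the audit daemon installed and running so host-level events are
  # still recorded while the node is cut off from central tooling.
  package { 'auditd':
    ensure => installed,
  }

  service { 'auditd':
    ensure  => running,
    enable  => true,
    require => Package['auditd'],
  }

  # Kernel hardening delivered as a sysctl drop-in (values are illustrative).
  # The exec below is refresh-only, so it runs only when the content changes.
  file { '/etc/sysctl.d/99-baseline.conf':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => "net.ipv4.conf.all.accept_redirects = 0\nkernel.kptr_restrict = 2\n",
    notify  => Exec['reload-sysctl'],
  }

  exec { 'reload-sysctl':
    command     => '/sbin/sysctl --system',
    refreshonly => true,
  }
}

include security_baseline
```

Every resource here is a core Puppet type (file, package, service, exec), so no extra modules are assumed. The design point is convergence rather than a one-time push: the agent compares the live state of each resource with the declared state on every run and corrects drift locally, which is exactly the property an outside-in, connection-dependent approach cannot offer while the link is down.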
The agentless approach requires network connectivity. These solutions depend on the ability to dial in to the endpoints or servers on the outskirts of the organizational IT ecosystem. This requires Secure Shell (SSH) tunnels and Remote Desktop Protocol (RDP) connectivity — often something that security teams shy away from.
With Puppet, you have the flexibility of agent or agentless management — but for security, there is one clear winner. If you want to keep systems running, if you want to ensure that your team can sleep at night, agents are the way to go.
Puppet Enterprise can get you up and running with agents placed exactly where you need them so that you don’t have to worry about a lack of connectivity with endpoints.
Even better, you can try out Puppet Enterprise for free to see how it would work in your environment. With up to 10 nodes for free, and no commitment or time limit to the trial, you can see for yourself whether Puppet Enterprise would be a good fit in your environment.
Senior Director of Product Management, Puppet