Agents Versus Agentless: What to Use and When
When it comes to extracting information from machines connected to a corporate network, are agents good or bad? The real answer is neither. Each method has advantages and a lot depends on the depth of information needed to make informed decisions. In this post, we will guide you through which method is best suited to the various phases of Software Asset Management (SAM).
Agentless technology is the use of a machine’s native, embedded management functionality to retrieve information. Even if a technology is dubbed as agentless, retrieving data from a device requires a process or processes to run, which consumes resources.
During the discovery phase, several data sources can be used, and for network scanning, agentless is the best method. But, when you are looking to optimize spend and reduce financial exposure, you will need to deploy agents at some point – the question is when?
The advantage of agentless technologies is they remove the barriers associated with installing additional software, which can be a non-trivial process for machines are already in use, and especially for mission critical servers running in a data center. Adhering to security protocols, software incompatibility issues, ensuring the latest version of an agent is installed, and the overhead of updating agents on thousands of devices are just some of the barriers IT departments face when it comes to deploying software. The problem with agentless, however, is these technologies don’t provide enough information to optimize software spend.
The use of software within an organization follows a life cycle – need, procure, deploy, use, and retire – with specific business processes designed to take care of each phase. SAM solutions monitor if the procured software is used, enable automatic harvesting of applications no longer needed and then make them available for reuse – optimizing spend.
Optimizing software spend is a continual SAM process that includes various steps, such as hardware discovery, software discovery, understanding license entitlement and assessing usage of software and hardware. Each part of the process requires information about the devices attached to the corporate network, what applications are installed, and what is used. The best method to retrieve that information varies. For some vital steps, an agent is the best way, whereas a remote scan will suffice for others.
Discovery
Let’s start with discovery. To determine license compliance and what applications are installed on an enterprise network, the Software Asset Management (SAM) process first identifies what entities are connected. This usually includes assets such as laptops, desktops, servers, mobile devices, printers, virtual machines and servers.
More formally, we define discovery step as: interrogating TCP/IP networks to identify the attached physical or virtual platforms capable of running software. Visually, discovery is like the radar screens in an air-traffic control tower. The blips show where you need to dig deeper to understand what applications are installed on your network.
Inventory
The next step in the SAM process is inventory. Once the system knows where to look for information, it scans each platform/device found in discovery to determine what software is installed. More formally, we define inventory as: capturing platform configurations and extracting software information.
There are several methods for retrieving this information, and there are several levels to inventory. Sometimes, you may just want to scan your network for high-risk applications – the expensive ones, with complex licensing agreements. Sometimes, you may want to know everything, or you may only want to scan for applications that require a license.
The methods to extract information from the network include: remote agentless scan, zero footprint and agent-based. There are pros and cons for each method, depending on the required granularity of the extracted information to support business decision making, and depending on the restrictions the network architecture might impose.
Remote agentless scan
This method uses a central management server, securely connecting to remote operating systems, and running a scan to extract raw application information. This method removes the need to install and maintain agents across the fleet of devices connected to your network, but requires elevated privileges to execute the remote scan, and will not be able to determine the usage of any software.
Zero footprint
In this method, a task running on discovered machines and devices periodically executes the Snow Inventory agent from a remote share. The inventory scan is delivered back to the main Snow server. There is no trace on the machine. The challenge with this approach is determining how to get scheduled tasks onto the discovered servers and devices. With Windows this is feasible via Active Directory and with Linux tools like Putty or Puppet can be used. Once scheduling is set up, scan requests are always server-initiated, making this an extremely secure option. Compliance with business critical it operations can be established by ensuring inventory scans only occurs within an approved service maintenance window.
Agent-based
In this method, an agent is installed on discovered devices. The agent runs periodically, usually once a day, extracting information about installed applications, how they are used and the primary user of the machine. The primary advantage of agent technology is reliability. We can be assured the inventory takes place, even if the machine happens to be unreachable on the network. An additional advantage is the ability to capture usage information – essential to determine whether users need installed software for which licenses and maintenance have been purchased.
What to use and when
Determining which technology fits best depends on the constraints posed by the business and the IT environment. For desktop and laptop estates, agents tend to be preferred, as they provide deep data, usage information, reporting when only connected to the internet, and the process to deploy and update an agent is relatively straightforward. There are some benefits to using agentless technologies here, but usage information is typically what is needed for the SAM process to ensure optimal use and re-harvesting of purchased licenses.
When it comes to the data center, however, issues like change freezes and change-control processes impact the freedom to deploy software to a server or a virtual machine, for example. Agents need to be prepared and tested, before they can be deployed into the server estate. These steps are time-consuming, which contributes to the idea that zero footprint inventory or agentless inventory is always better. So, a zero-footprint or agentless solution in the data center is often more attractive.