Date Published May 23, 2012 - Last Updated 7 Years, 294 Days, 18 Hours, 40 Minutes ago
You’re considering purchasing a fabulous new driving machine, with some of the most innovative features available in automotive technology today. In order to build and deliver this mechanical marvel, the manufacturer installed an instrument panel in the center of the windshield, creating a significant visibility issue for the driver. However, the enhanced maneuverability, braking, and performance are so persuasive, they overshadow the visibility handicap. Unfortunately, the long-term consequences are clear: numerous accidents, personal injuries, unexpected lawsuits, and excessive mean time to repair.
Likewise, in IT service and technical support, don’t we invest heavily in IT service management solutions that are highly dependent upon agent technologies for the visibility needed to “drive” (i.e., access, secure, manage, and control) the desktops, laptops, and servers that make up the IT infrastructure? Are these applications so compelling that we’ve succumbed to the siren song of functionality and increased our dependency on inconsistent management visibility and traditional agent-based models that are inherently vulnerable to the same risks as the endpoints they manage? Virtually all IT organizations “have security and compliance issues in 10–30 percent of their endpoints,” due in large part to hidden, missing, outdated, or poorly configured agents, which are responsible for tasks like virus scanning and monitoring, inventorying, and patching. With that in mind, can we afford to eliminate agent technologies?
Given the significance of these mission-critical IT management and security applications, the answer is obviously “no.” But, in truth, the answer must include the qualifier that agentless technology is an essential component of any IT organization’s overall service management strategy.
The Agents of Change
What is it about agents that creates so many issues in the management and security of personal computers and servers? The answer is simple, yet the resolution is incredibly complex: change within the infrastructure. Let’s use the business community’s huge investment in Microsoft to demonstrate this vulnerability to change. Even though Windows is one of the key operating systems in almost all IT organizations, it is highly susceptible to configuration issues and security risks when frequent change is introduced into the operating environment.
Windows relies on agent software to discover, track, configure, update, patch, secure, and monitor software, which makes it vulnerable to change when unauthorized processes and services are introduced that make changes to the registry settings. When an endpoint problem occurs, it’s often because one of these key building blocks—processes, services, or registry settings—has been altered, disrupted, or improperly aligned with your business’s policies and procedures. Thus, the managed item (the “problem child” that is wreaking havoc in the IT support community) unexpectedly becomes invisible to the management or security console that is responsible for checking, analyzing, and fixing all target components of the IT infrastructure.
Consequently, the IT organization finds itself providing lower levels of service to the end-user community, jeopardizing contractual SLAs. Furthermore, the cost of support escalates to unexpected and unacceptable levels when IT organizations have to task limited resources (i.e., staff) with finding and remediating IT issues, a problem that is particularly acute at remote locations. And all too often, the endpoint data that is returned is incomplete, outdated, or inaccurate, making highly inaccurate the many decisions that are driven by this data-collection process. Together, all of these factors render visible and suspect the organization’s noncompliance with corporate IT operational and security policies, vulnerabilities in which are inappropriately exposed or, even worse, remain unknown.
The Growing Demand for Agentless Technologies
The rising need for agentless technologies in the IT service and technical support community has been confirmed by an Aberdeen Group survey that identified a 300 percent increase in planned investment in agentless technologies from 2010 to 2011. This trend reflects the need for some type of objective way to measure, monitor, report, and correct how the agents are actually working. The common expectation is that the management or security console provides that information. But how can a console identify and report on a problem if the actual issue stems from a registry key or a process that isn’t working? If your endpoint doesn’t know that a certain key or process isn’t working, how can it notify the console to report on that problem? It’s a genuine Catch-22.
For a Windows system to function properly, correctly, efficiently, and effectively, certain critical applications, agents, and agentbased tools must be deployed to maintain, protect, and secure the computing environment. What has been missing to date is some type of easy, automated solution that functions like a “master of agents,” finding, measuring, monitoring, reporting, and correcting the agents that aren’t working properly, without requiring the agent to identify and fix what it can’t do for itself. In other words, some type of “agentless” approach that compliments and enhances the use of existing IT service management tools so that they actually work as promised.
Only then can IT organizations hope to increase operational efficiency, lower operational costs, and increase operational accountability to their end-user (business) communities.
Multiple Agentless Options
The earliest and most common implementation of agentless technology was Microsoft’s Windows Management Instrumentation (WMI). WMI is defined as “a set of extensions to the Windows Driver Model that provides an operating system interface through which instrumented components provide information and notification.” It emerged in the late 1990s as one of Microsoft’s approaches to standards-based requirements for IT management, as outlined by the Distributed Management Task Force (DMTF).
Through its adherence to the principles of agentless technology, and through sheer ubiquity, WMI has made significant contributions to the management of distributed and networked systems and applications that are built on the Windows operating system. Unfortunately, there are known complexity and network/system performance issues that preclude its broad appeal for the “master of agents” approach.
A more recent approach to agentless technology is to leverage the administrator privileges of most operating systems, particularly Windows, to implement a subset of requisite endpoint control functions. The negligible bandwidth requirement for networks, low impact on endpoint performance, and minimal end-user permissions associated with this form of agentless technology sidestep the complexity and performance issues associated with WMI. However, such usage also inhibits vendor-specific implementation and maintenance tools for endpoints (i.e., antivirus, patch management, software configuration, etc.), though it complements these existing IT solutions by ensuring that they are installed, up to date, and configured appropriately. By overseeing installations on the endpoints (i.e., what is or is not installed), this form of agentless technology could better leverage what the IT support organization already has in place, from agents to support teams to third-party contractors, allowing such resources to work as intended.
Many vendors and programmers position ActiveX as an agentless approach. The value of ActiveX as a tool for defining reusable software components, including elements of security and manageability, is undeniable. Yet the primary use of ActiveX controls, for code reusability within a web environment, creates nuances that both help and hinder the “master of agents” approach. The similar purpose and successful use of Java applets for non-Windows environments illustrates the unique elements that make the Windows operating system a unique management and security challenge.
Dissolvable agents are sometimes referenced in the context of agentless technology. They are usually Java-based and are frequently installed on endpoints that are not managed by enterprise administrators. These unique agents are delivered on demand and without administrative privileges, and can be used to evaluate and remediate endpoint operational support issues. Again, by design, there are features of this approach that preclude its use for endpoint resolution and compliance issues within the confines of enterprise IT management and security, though these same features are beneficial in noncorporate environments.
Naturally, there are pros and cons to any agentless approach. However, the most critical “pro” is the unique contribution that agentless technologies make to the effective and broad resolution of IT management and security endpoint issues, particularly in the Windows environment.
The Impact of the Cloud on Endpoint Control
These days, you can’t discuss technology without discussing cloud computing. Cloud provisioning is truly one of the major technology shifts of the twenty-first century. Yet, from the perspective of better alignment with the business community, cloud offerings seem to be more the symptom and less the cure. Most current cloud initiatives are driven by the business’s demand for more rapid and lower cost provisioning of infrastructure and applications, reflecting dissatisfaction with IT’s ability to deliver technology in a format acceptable to business decision-makers. Unfortunately, it also reflects a lack of understanding on the part of business users with regard to the critical role of IT operations in delivering, securing, and managing technology for the enterprise. Few IT organizations expect their businesses to fully grasp the nuances, issues, and trade-offs necessary to operate an IT service and technical support organization.
Industry trend watchers have observed that the rapid adoption of cloud computing and cloud services by end users is driving an explosion of interest within the vendor community. The ability to identify the endpoints in various computing environments is a critical factor in the rapid acceleration of cloud services. It is not just that new endpoint technologies are forcing the network perimeter to become more porous; it is also the fragile nature of the Windows operating system, upon which so many of our computing infrastructures (and business objectives) depend. How can we talk about provisioning and managing a dynamic, heterogeneous cloud infrastructure when we can’t even see 20 percent of our Microsoft endpoints?
In a support environment where IT operations departments are expected to do more with less, some form of agentless technology is essential to the success of the IT service and technical support organization. Improved endpoint control can ensure that your organization provides its end users with stronger IT service management: more accurate and timely incident management, problem tracking, and asset discovery; faster problem resolution; more effective change management; tighter monitoring of product and application releases; and more efficient software configuration management. Agentless technology also allows the organization to measure its third-party outsourcers’ endpoint service levels, as well as provide more accurate, complete, and timely data for planning availability, power management, service continuity, security, and software asset management. In short, agentless technology is a very, very good thing for IT support.
Bill Keyworth is a senior consultant at Cutter Consortium and the founding editor of BSMreview.com. As a former VP and research director at Gartner Group, Bill initiated the successful Network and Systems Management (NSM) service. In addition, Bill has served in marketing executive roles at Digital, Peregrine, TCI Solutions, Nexiant, and several software startups.