Software agents -- long seen as a necessary evil by those securing and managing servers, desktops and other endpoint devices -- have proliferated to the point of polluting enterprise environments.
IT managers are fed up with their endpoint devices becoming the dumping ground for bits of vendor code that can slow performance, conflict with services running on the machines and cause huge management headaches when upgrades are needed. Vendors have imposed their agents on customer machines long enough, IT managers say, and the time has come to change how servers and endpoints are secured and managed.
"There are risks in putting too many agents on any one device, so I've had to set hard limits on how many agents we send out to our endpoints," says William Bell, director of information security at CWIE, an Internet-based Web-hosting company in Tempe, Ariz. "Some people will tell you agents are botnets waiting to happen, but if you have ever tried to patch thousands of machines without agents, you know agents have their place. It's a judgment call."
Bell is not alone in his efforts to balance the amount of software installed on clients and servers for the sake of securing and managing the machines.
"We are concerned about the performance of endpoints, and the more agents you put on them, the more you take away from performance," says Michael Gruen, IT project manager for Bernalillo County, Albuquerque, N.M. "When you are talking about one tiny agent on one machine, it's not an issue. But when you have many tiny agents across many machines, they add up quickly."
Agent change is afoot
Now that IT managers are getting smarter about agents, vendors are scrambling to accommodate them.
"More vendors are looking at ways to consolidate features or architect their agents in such a way that one agent can handle the tasks of multiple software applications," says Jasmine Noel, principal analyst at Ptak, Noel & Associates. "Vendors are responding to customer complaints that they simply won't deal with so many agents."
Security vendors such as McAfee have been consolidating many features onto a single agent, and management-software makers, such as BMC Software, have developed agentless variations of their monitoring products. IBM and CA are working separately on a common agent architecture across their products that lets customers install just one agent to handle client and server tasks.
Such acquisitions as PatchLink's bid to buy SecureWave also could result in fewer agents for securing endpoints. "As they merge, I have been guaranteed that the client agent will merge as well. I'm looking for just two agents from them within six months," CWIE's Bell says. He also uses Symantec antivirus software on his endpoints.
After evaluating products from multiple vendors, Bernalillo County's Gruen decided to go with start-up Xangati to help spot performance problems and bottlenecks across his network. Xangati requires customers to install an appliance that spots anomalous traffic to root out problems, but doesn't mandate a software agent. "It was important to us to have nothing installed on the client. It would have been more effort than we could put forth," he says.
Most agree that software agents must be installed to adequately secure endpoints, but the ideal number of agents required on each device is up for debate. According to Gartner vice president John Pescatore, every endpoint today typically has at least three types of agents installed: "anti agents" (antispyware, antivirus and so forth); vulnerability-management or patch-management agents, which scan desktops to make sure they are configured appropriately; and systems management agents from companies like BMC, CA, HP and IBM. The latter type often causes the most "agent fatigue" among customers.
Even with Symantec acquiring BindView and Altiris, or McAfee picking up Citadel Security Software, customers should be aware they still could see the same number of agents from the consolidated vendor, Pescatore says.
"The 'keep the bad guys out' agents have to change whenever threats change, but the configuration-management agents want nothing to change, and if there is a change, they will push it back," he says. "The acquisitions are good, but don't always mean a single agent. Combining these types of features can be just plain complicated from an engineering standpoint."